
Github Security Blog
added 2026/03/09 7:54 p.m., 10 views

OpenClaw: fetch-guard forwards custom authorization headers across cross-origin redirects

OpenClaw's fetchWithSsrFGuard... followed cross-origin redirects while preserving arbitrary caller-supplied headers, except for a narrow denylist (Authorization, Proxy-Authorization, Cookie, Cookie2). This allowed custom authorization headers such as X-Api-Key, Private-Token, and similar sensitive...

CVSS 9.3 | AI score 5.9 | EPSS 0.00316
Exploits 0 | References 6 | Affected software 1
OSV
added 2026/03/09 7:54 p.m., 2 views

GHSA-6MGF-V5J7-45CR OpenClaw: fetch-guard forwards custom authorization headers across cross-origin redirects

OpenClaw's fetchWithSsrFGuard... followed cross-origin redirects while preserving arbitrary caller-supplied headers, except for a narrow denylist (Authorization, Proxy-Authorization, Cookie, Cookie2). This allowed custom authorization headers such as X-Api-Key, Private-Token, and similar sensitive...

CVSS 9.3 | AI score 5.9 | EPSS 0.00316
Exploits 0 | References 6
Vulnrichment
added 2024/04/02 7:24 p.m., 12 views

CVE-2024-29834 Apache Pulsar: Improper Authorization For Namespace and Topic Management Endpoints

This vulnerability allows authenticated users with produce or consume permissions to perform unauthorized operations on partitioned topics, such as unloading topics and triggering compaction. These management operations should be restricted to users with the tenant admin role or superuser role. A...

CVSS 6.4 | AI score 6.5 | EPSS 0.01359
Exploits 0 | References 3
NVD
added 2023/11/20 7:15 p.m., 16 views

CVE-2023-48309

NextAuth.js provides authentication for Next.js. next-auth applications prior to version 4.24.5 that rely on the default Middleware authorization are affected by a vulnerability. A bad actor could create an empty/mock user, by getting hold of a NextAuth.js-issued JWT from an interrupted OAuth...

CVSS 5.3 | EPSS 0.007
Exploits 0 | References 5
Cvelist
added 2023/11/20 6:25 p.m., 26 views

CVE-2023-48309 next-auth vulnerable to possible user mocking that bypasses basic authentication

NextAuth.js provides authentication for Next.js. next-auth applications prior to version 4.24.5 that rely on the default Middleware authorization are affected by a vulnerability. A bad actor could create an empty/mock user, by getting hold of a NextAuth.js-issued JWT from an interrupted OAuth...

CVSS 5.3 | AI score 5.4 | EPSS 0.007
Exploits 0 | References 5
OSV
added 2022/04/12 9:27 p.m., 40 views

GHSA-V2WF-C3J6-WPVW Session fixation

Impact: The use of Plug.Session in Pow.Plug.Session is susceptible to session fixation attacks if a persistent session store is used for Plug.Session, such as Redis or a database. Cookie store, which is used in most Phoenix apps, doesn't have this vulnerability. Workarounds: Call...

CVSS 6.5 | AI score 6 | EPSS 0.0077
Exploits 0 | References 5
Veracode
added 2019/05/02 4:45 a.m., 31 views

Authentication Bypass

JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. This release serves as a replacement for JBoss Enterprise Application Platform 6.0.1, and includes bug fixes and enhancements. Refer to the 6.1.0 Release Notes for information on the...

CVSS 5.9 | AI score 5.8 | EPSS 0.06322
Exploits 0 | References 7 | Affected software 141
RedHat Linux
added 2013/10/16 4:45 p.m., 4 views

JBoss: custom authorization module implementations shared between applications

Red Hat JBoss Enterprise Application Platform EAP before 6.1.0 and JBoss Portal before 6.1.0 does not load the implementation of a custom authorization module for a new application when an implementation is already loaded and the modules share class names, which allows local users to control...

CVSS 3.7 | AI score 6.2 | EPSS 0.00341
Exploits 0 | References 4
RedHat Linux
added 2013/05/20 3:26 p.m., 3 views

JBoss: custom authorization module implementations shared between applications

Red Hat JBoss Enterprise Application Platform EAP before 6.1.0 and JBoss Portal before 6.1.0 does not load the implementation of a custom authorization module for a new application when an implementation is already loaded and the modules share class names, which allows local users to control...

CVSS 3.7 | AI score 6.2 | EPSS 0.00341
Exploits 0 | References 4
RedHat Linux
added 2013/05/20 3:20 p.m., 3 views

JBoss: custom authorization module implementations shared between applications

Red Hat JBoss Enterprise Application Platform EAP before 6.1.0 and JBoss Portal before 6.1.0 does not load the implementation of a custom authorization module for a new application when an implementation is already loaded and the modules share class names, which allows local users to control...

CVSS 3.7 | AI score 6.2 | EPSS 0.00341
Exploits 0 | References 4
RedHat Linux
added 2013/05/20 3:20 p.m., 82 views

Important: Red Hat Security Advisory: JBoss Enterprise Application Platform 6.1.0 update

Updated JBoss Enterprise Application Platform 6.1.0 packages that fix three security issues, various bugs, and add enhancements are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability...

CVSS 6.8 | AI score 6.8 | EPSS 0.07147
Exploits 2 | References 6
Tenable Nessus
added 2013/05/04 12:00 a.m., 36 views

FreeBSD : jenkins -- multiple vulnerabilities (622e14b1-b40c-11e2-8441-00e0814cab4e)

Jenkins Security Advisory reports: This advisory announces multiple security vulnerabilities that were found in Jenkins core. - SECURITY-63 / CVE-2013-2034: This creates a cross-site request forgery (CSRF) vulnerability on Jenkins master, where an anonymous attacker can trick an administrator to...

CVSS 6.8 | AI score 5.8 | EPSS 0.06316
Exploits 4 | References 5