Lucene search
K

116 matches found

AstraLinux
AstraLinux
added 2026/06/19 11:10 a.m.2 views

Astra Linux – Vulnerability in the 389-DS-base

A flaw was discovered in 389-ds-base. If an asterisk is imported as password hashes, either accidentally or maliciously, then any password will successfully match during authentication, instead of being inactive. This flaw allows an attacker to successfully authenticate as a user whose password h...

6.5CVSS6.6AI score0.01349EPSS
Exploits0References2
Veracode
Veracode
added 2026/06/17 11:35 a.m.8 views

Authentication Bypass

Spring Web Services is vulnerable to Authentication Bypass. The vulnerability is due to X509AuthenticationProvider issuing a fully authenticated X509AuthenticationToken based solely on certificate-to-user mapping, without enforcing standard account status checks such as disabled, locked, expired,...

5.4CVSS5.3AI score0.00148EPSS
Exploits0References2Affected Software1
Snyk
Snyk
added 2026/06/10 12:0 a.m.4 views

Incorrect Implementation of Authentication Algorithm

Overview Affected versions of this package are vulnerable to Incorrect Implementation of Authentication Algorithm via the X509AuthenticationProvider class in X509AuthenticationProvider.java. The provider issues a fully authenticated X509AuthenticationToken whenever a presented certificate maps to...

5.4CVSS5.5AI score0.00148EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/06/09 8:59 p.m.10 views

CVE-2026-46657

Bludit is a content management system. Versions prior to 3.22.0 have a vulnerability in the user management logic that allows deactivated accounts to maintain access via persistent authentication tokens. When an administrator disables a user account, the application fails to invalidate or clear t...

7.1CVSS5.5AI score0.00271EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:46 p.m.11 views

CVE-2026-24069

Kiuwan SAST improperly authorizes SSO logins for locally disabled mapped user accounts, allowing disabled users to continue accessing the application. Kiuwan Cloud was affected, and Kiuwan SAST on-premise KOP was affected before 2.8.2509.4...

5.4CVSS5.5AI score0.00189EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:17 p.m.9 views

CVE-2026-33031

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, a user who was disabled by an administrator can use previously issued API tokens for up to the token lifetime. In practice, disabling a compromised account does not actually terminate that user’s access, so an...

8.6CVSS5.4AI score0.00274EPSS
Exploits1References1
Github Security Blog
Github Security Blog
added 2026/04/22 6:30 a.m.6 views

Spring Security Vulnerable to User Attribute Enumeration when Using DaoAuthenticationProvider

Vulnerability in Spring Spring Security. If an application is using the UserDetailsisEnabled, isAccountNonExpired, or isAccountNonLocked user attributes, to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack defense can be bypassed for users who are disabled, expired, o...

3.7CVSS5.1AI score0.00215EPSS
Exploits0References3Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/22 5:2 a.m.11 views

CVE-2026-22746 User Attribute Enumeration when Using DaoAuthenticationProvider

Vulnerability in Spring Spring Security. If an application is using the UserDetailsisEnabled, isAccountNonExpired, or isAccountNonLocked user attributes, to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack defense can be bypassed for users who are disabled, expired, o...

3.7CVSS5.7AI score0.00215EPSS
Exploits0References1
CVE
CVE
added 2026/04/22 5:2 a.m.17 views

CVE-2026-22746

The CVE concerns Spring Security vulnerability CVE-2026-22746 where the timing-attack defense in DaoAuthenticationProvider can be bypassed when an application uses the UserDetails attributes isEnabled, isAccountNonExpired, or isAccountNonLocked to manage user status. Affected versions include Spr...

3.7CVSS5.7AI score0.00215EPSS
Exploits0References1Affected Software1
EUVD
EUVD
added 2026/04/21 3:0 p.m.7 views

EUVD-2026-23965

Nginx-UI: Disabled users retain full API access through previously issued bearer tokens...

8.6CVSS5.8AI score0.00274EPSS
Exploits1References4
Github Security Blog
Github Security Blog
added 2026/04/21 3:0 p.m.9 views

Nginx-UI: Disabled users retain full API access through previously issued bearer tokens

Summary A user who was disabled by an administrator can use previously issued API tokens for up to the token lifetime. In practice, disabling a compromised account does not actually terminate that user’s access, so an attacker who already stole a JWT can continue reading and modifying protected...

8.6CVSS5.8AI score0.00274EPSS
Exploits1References5Affected Software1
GitLab Advisory Database
GitLab Advisory Database
added 2026/04/21 12:0 a.m.9 views

Nginx-UI: Disabled users retain full API access through previously issued bearer tokens

A user who was disabled by an administrator can use previously issued API tokens for up to the token lifetime. In practice, disabling a compromised account does not actually terminate that user’s access, so an attacker who already stole a JWT can continue reading and modifying protected resources...

8.6CVSS5.7AI score0.00274EPSS
Exploits1References5Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/04/20 8:12 p.m.4 views

CVE-2026-33031

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, a user who was disabled by an administrator can use previously issued API tokens for up to the token lifetime. In practice, disabling a compromised account does not actually terminate that user’s access, so an...

8.6CVSS5.7AI score0.00274EPSS
Exploits1References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/20 8:12 p.m.5 views

CVE-2026-33031 Nginx-UI: Disabled users retain full API access through previously issued bearer tokens

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, a user who was disabled by an administrator can use previously issued API tokens for up to the token lifetime. In practice, disabling a compromised account does not actually terminate that user’s access, so an...

8.6CVSS5.7AI score0.00274EPSS
Exploits1References1
CNNVD
CNNVD
added 2026/04/20 12:0 a.m.9 views

Nginx UI 安全漏洞

Nginx UI is a web interface for Nginx developed by Jacky. Versions of Nginx UI prior to 2.3.4 contained security vulnerabilities. These vulnerabilities allowed users who were disabled to still access previously issued API tokens, potentially enabling attackers to continue accessing protected...

8.6CVSS5.8AI score0.00274EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2026/04/20 12:0 a.m.6 views

PT-2026-33844

Name of the Vulnerable Software and Affected Versions Nginx UI versions prior to 2.3.4 Description A user disabled by an administrator can continue using previously issued API tokens until the token lifetime expires. This occurs because token-based authentication fails to verify the user.Status...

8.6CVSS5.2AI score0.00274EPSS
Exploits1References9
EUVD
EUVD
added 2026/04/14 3:30 p.m.4 views

EUVD-2026-22278

Improper protection of an alternate path in Ivanti N-ITSM before version 2025.4 allows a remote authenticated attacker to retain access when their account has been disabled...

5.7CVSS5.8AI score0.00586EPSS
Exploits0References2
EUVD
EUVD
added 2026/04/14 12:31 p.m.6 views

EUVD-2026-22245

Kiuwan SAST improperly authorizes SSO logins for locally disabled mapped user accounts, allowing disabled users to continue accessing the application. Kiuwan Cloud was affected, and Kiuwan SAST on-premise KOP was affected before 2.8.2509.4...

5.4CVSS5.8AI score0.00189EPSS
Exploits1References2
NVD
NVD
added 2026/04/14 12:16 p.m.3 views

CVE-2026-24069

Kiuwan SAST improperly authorizes SSO logins for locally disabled mapped user accounts, allowing disabled users to continue accessing the application. Kiuwan Cloud was affected, and Kiuwan SAST on-premise KOP was affected before 2.8.2509.4...

5.4CVSS0.00189EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/04/14 11:26 a.m.3 views

CVE-2026-24069

Kiuwan SAST improperly authorizes SSO logins for locally disabled mapped user accounts, allowing disabled users to continue accessing the application. Kiuwan Cloud was affected, and Kiuwan SAST on-premise KOP was affected before 2.8.2509.4...

5.8AI score0.00189EPSS
Exploits1References2Affected Software1
Rows per page
Query Builder