Lucene search
K

19 matches found

ATTACKERKB
ATTACKERKB
added 2026/07/02 10:30 a.m.6 views

CVE-2026-54431

In liboauth2 the Demonstrating Proof-of-Possession DPoP verifier accepts a proof whose JSON Web Key jwk header contains private key material. RFC 9449 section 4.3 step 7 requires the verifier to reject such a proof but oauth2tokenverify function returns success for a malformed DPoP proof that...

5.1CVSS5.8AI score0.00128EPSS
Exploits0References4
OSV
OSV
added 2026/04/21 3:21 p.m.5 views

GHSA-XQ8M-7C5P-C2R6 Auth0 Next.js SDK has Improper Proxy Cache Lookup

Description In affected versions of the Next.js SDK, simultaneous requests that trigger a nonce retry may cause the proxy cache fetcher to perform improper lookups for the token request results. Which Projects are Affected? Users are affected if they meet all of the following preconditions: -...

5.4CVSS5.8AI score0.00214EPSS
Exploits0References5
NVD
NVD
added 2026/04/17 9:16 p.m.6 views

CVE-2026-40155

The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. In versions 4.12.0 through 4.17.1, simultaneous requests that trigger a nonce retry may cause the proxy cache fetcher to perform improper lookups for the token request results. Users are affected if...

5.4CVSS0.00214EPSS
Exploits0References3
CVE
CVE
added 2026/04/17 8:54 p.m.17 views

CVE-2026-40155

The CVE concerns the Auth0 Next.js SDK. Affected versions: 4.12.0–4.17.1. Issue: when multiple simultaneous requests trigger a nonce retry, the proxy cache fetcher may perform improper lookups for token request results. Impact: affects projects using both the vulnerable SDK versions and the proxy...

5.4CVSS5.7AI score0.00214EPSS
Exploits0References3Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/17 8:54 p.m.2 views

CVE-2026-40155 Auth0 Next.js SDK has Improper Proxy Cache Lookup

The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. In versions 4.12.0 through 4.17.1, simultaneous requests that trigger a nonce retry may cause the proxy cache fetcher to perform improper lookups for the token request results. Users are affected if...

5.4CVSS5.7AI score0.00214EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/04/17 12:0 a.m.14 views

PT-2026-33516

Name of the Vulnerable Software and Affected Versions Auth0 Next.js SDK versions 4.12.0 through 4.17.1 Description Simultaneous requests that trigger a nonce retry may cause the proxy cache fetcher to perform improper lookups for token request results. This occurs when projects use the proxy...

5.4CVSS5.7AI score0.00214EPSS
Exploits0References8
EUVD
EUVD
added 2025/10/03 8:7 p.m.6 views

EUVD-2024-3141

Malicious code in bioql PyPI...

3.1CVSS6.3AI score0.0032EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2025/05/23 8:25 a.m.19 views

CVE-2024-49755

Duende IdentityServer is an OpenID Connect and OAuth 2.x framework for ASP.NET Core. IdentityServer's local API authentication handler performs insufficient validation of the cnf claim in DPoP access tokens. This allows an attacker to use leaked DPoP access tokens at local api endpoints even...

3.1CVSS6.8AI score0.0032EPSS
Exploits0References1
Veracode
Veracode
added 2024/11/11 4:24 a.m.7 views

Leaked Token Reuse Attack

Duende IdentityServer is vulnerable to Leaked Token Reuse Attack. The vulnerability is due to insufficient validation of the cnf claim in DPoP access tokens by the LocalApiAuthenticationHandler. It allows attackers to misuse leaked tokens without requiring the private key needed for signing proof...

3.1CVSS6.7AI score0.0032EPSS
Exploits0References2Affected Software1
NVD
NVD
added 2024/10/28 8:15 p.m.26 views

CVE-2024-49755

Duende IdentityServer is an OpenID Connect and OAuth 2.x framework for ASP.NET Core. IdentityServer's local API authentication handler performs insufficient validation of the cnf claim in DPoP access tokens. This allows an attacker to use leaked DPoP access tokens at local api endpoints even...

3.1CVSS0.0032EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2024/10/28 7:44 p.m.15 views

CVE-2024-49755 Duende IdentityServer has insufficient validation of DPoP cnf claim in Local APIs

Duende IdentityServer is an OpenID Connect and OAuth 2.x framework for ASP.NET Core. IdentityServer's local API authentication handler performs insufficient validation of the cnf claim in DPoP access tokens. This allows an attacker to use leaked DPoP access tokens at local api endpoints even...

3.1CVSS7.1AI score0.0032EPSS
Exploits0References2
OSV
OSV
added 2024/10/28 7:44 p.m.11 views

CVE-2024-49755 Duende IdentityServer has insufficient validation of DPoP cnf claim in Local APIs

Duende IdentityServer is an OpenID Connect and OAuth 2.x framework for ASP.NET Core. IdentityServer's local API authentication handler performs insufficient validation of the cnf claim in DPoP access tokens. This allows an attacker to use leaked DPoP access tokens at local api endpoints even...

3.1CVSS6.6AI score0.0032EPSS
Exploits0References4
Cvelist
Cvelist
added 2024/10/28 7:44 p.m.28 views

CVE-2024-49755 Duende IdentityServer has insufficient validation of DPoP cnf claim in Local APIs

Duende IdentityServer is an OpenID Connect and OAuth 2.x framework for ASP.NET Core. IdentityServer's local API authentication handler performs insufficient validation of the cnf claim in DPoP access tokens. This allows an attacker to use leaked DPoP access tokens at local api endpoints even...

3.1CVSS0.0032EPSS
Exploits0References2
CVE
CVE
added 2024/10/28 7:44 p.m.91 views

CVE-2024-49755

Duende IdentityServer (ASP.NET Core) Local API authentication handler improperly validates the cnf claim in DPoP access tokens. This lets an attacker use leaked DPoP tokens at local API endpoints without the private key, affecting only endpoints explicitly using LocalApiAuthenticationHandler for ...

3.1CVSS3.7AI score0.0032EPSS
Exploits0References2
OSV
OSV
added 2024/10/28 7:44 p.m.14 views

GHSA-V9XQ-2MVM-X8XC Duende IdentityServer has insufficient validation of DPoP cnf claim in Local APIs

Impact IdentityServer's local API authentication handler performs insufficient validation of the cnf claim in DPoP access tokens. This allows an attacker to use leaked DPoP access tokens at local api endpoints even without possessing the private key for signing proof tokens. Note that this only...

3.1CVSS3.9AI score0.0032EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2024/10/28 7:44 p.m.20 views

Duende IdentityServer has insufficient validation of DPoP cnf claim in Local APIs

Impact IdentityServer's local API authentication handler performs insufficient validation of the cnf claim in DPoP access tokens. This allows an attacker to use leaked DPoP access tokens at local api endpoints even without possessing the private key for signing proof tokens. Note that this only...

3.1CVSS7.2AI score0.0032EPSS
Exploits0References4Affected Software1
Veracode
Veracode
added 2021/03/15 7:23 a.m.12 views

Insecure Token Verification

@solid/identity-token-verifier has an insecure token verification. The vulnerability exists due to a flaw in the implementation of the identity token verifier library which allows an attacker to spoof another user's DPoP...

3.5AI score
Exploits0
OSV
OSV
added 2021/03/12 10:39 p.m.11 views

GHSA-XMH9-RG6F-J3MR Verification flaw in Solid identity-token-verifier

Impact Severity Any Pod on a Solid server using a vulnerable version of the identity-token-verifier library is at risk of a spoofed Demonstration of Proof-of-Possession DPoP token binding. This vulnerability could give total and complete access to a targeted Pod. Summary A verification flaw in th...

6.8AI score
Exploits0References4
Github Security Blog
Github Security Blog
added 2021/03/12 10:39 p.m.51 views

Verification flaw in Solid identity-token-verifier

Impact Severity Any Pod on a Solid server using a vulnerable version of the identity-token-verifier library is at risk of a spoofed Demonstration of Proof-of-Possession DPoP token binding. This vulnerability could give total and complete access to a targeted Pod. Summary A verification flaw in th...

1AI score
Exploits0References5Affected Software1
Rows per page
Query Builder