
1490 matches found

Veracode
added 2024/06/14 12:11 p.m. · 8 views

Insecure Deserialization

typo3/cms is vulnerable to Insecure Deserialization. The vulnerability is due to improper handling of user-submitted payloads that are signed with an HMAC-SHA1 using the sensitive TYPO3 encryptionKey as the secret. If the encryptionKey is known to attackers, they can craft a malicious payload tha...

AI score 6.9
Exploits 0
Tenable Nessus
added 2024/06/14 12:00 a.m. · 17 views

Rocky Linux 9 : booth (RLSA-2024:3661)

The remote Rocky Linux 9 host has packages installed that are affected by a vulnerability as referenced in the RLSA-2024:3661 advisory. booth: specially crafted hash can lead to invalid HMAC being accepted by Booth server CVE-2024-3049 Tenable has extracted the preceding description block directl...

CVSS 5.9 · AI score 5.9 · EPSS 0.01032
Exploits 0 · References 3
Veracode
added 2024/06/12 5:44 a.m. · 21 views

Authentication Bypass

authlib is vulnerable to Authentication Bypass. The vulnerability is due to allowing HMAC verification with any asymmetric public key in jwt.decode calls without specifying an algorithm, which attackers can exploit to bypass authentication checks...

CVSS 7.5 · AI score 7.3 · EPSS 0.00145
Exploits 1 · References 6 · Affected Software 1
SUSE CVE
added 2024/06/11 2:05 a.m. · 2 views

SUSE CVE-2024-37568

lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. This is similar to CVE-2022-29217 and CVE-2024-33663...

CVSS 7.5 · AI score 9.2 · EPSS 0.00145
Exploits 1 · References 4
Tenable Nessus
added 2024/06/11 12:00 a.m. · 23 views

AlmaLinux 9 : booth (ALSA-2024:3661)

The remote AlmaLinux 9 host has packages installed that are affected by a vulnerability as referenced in the ALSA-2024:3661 advisory. booth: specially crafted hash can lead to invalid HMAC being accepted by Booth server CVE-2024-3049 Tenable has extracted the preceding description block directly...

CVSS 5.9 · AI score 5.9 · EPSS 0.01032
Exploits 0 · References 2
Tenable Nessus
added 2024/06/11 12:00 a.m. · 14 views

AlmaLinux 8 : booth (ALSA-2024:3659)

The remote AlmaLinux 8 host has packages installed that are affected by a vulnerability as referenced in the ALSA-2024:3659 advisory. booth: specially crafted hash can lead to invalid HMAC being accepted by Booth server CVE-2024-3049 Tenable has extracted the preceding description block directly...

CVSS 5.9 · AI score 5.9 · EPSS 0.01032
Exploits 0 · References 2
RedHat Linux
added 2024/06/10 6:41 p.m. · 2 views

python-cryptography: NULL pointer dereference with pkcs12.serialize_key_and_certificates when called with a non-matching certificate and private key and an hmac_hash override

A flaw was discovered in python-cryptography. A NULL pointer dereference can be triggered when a PKCS12 key and certificate do not match. Specifically, if the pkcs12.serialize_key_and_certificates function is called with a non-matching certificate and private key and an encryption algorithm with...

CVSS 7.5 · AI score 7.1 · EPSS 0.00462
Exploits 0 · References 4
Github Security Blog
added 2024/06/09 9:30 p.m. · 35 views

Authlib has algorithm confusion with asymmetric public keys

lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. This is similar to CVE-2022-29217 and CVE-2024-33663...

CVSS 7.5 · AI score 6.5 · EPSS 0.00145
Exploits 1 · References 8 · Affected Software 1
Snyk
added 2024/06/09 7:43 p.m. · 4 views

Improper Verification of Cryptographic Signature

Overview Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature, which allows HMAC verification with ANY asymmetric public key. If the 'algorithm' field is left unspecified, an attacker can manipulate the verification process by exploiting the flexibili...

CVSS 7.5 · AI score 6.9 · EPSS 0.00145
Exploits 1 · References 2
NVD
added 2024/06/09 7:15 p.m. · 46 views

CVE-2024-37568

lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. This is similar to CVE-2022-29217 and CVE-2024-33663...

CVSS 7.5 · EPSS 0.00145
Exploits 1 · References 5
OSV
added 2024/06/09 7:15 p.m. · 28 views

CVE-2024-37568

lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. This is similar to CVE-2022-29217 and CVE-2024-33663...

CVSS 7.5 · AI score 6.5 · EPSS 0.00145
Exploits 1 · References 5
OSV
added 2024/06/09 7:15 p.m. · 2 views

UBUNTU-CVE-2024-37568

lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. This is similar to CVE-2022-29217 and CVE-2024-33663...

CVSS 7.5 · AI score 5.8 · EPSS 0.00145
Exploits 1 · References 5
UbuntuCve
added 2024/06/09 7:15 p.m. · 23 views

CVE-2024-37568

lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. This is similar to CVE-2022-29217 and CVE-2024-33663...

CVSS 7.5 · AI score 7.1 · EPSS 0.00145
Exploits 1 · References 4
Debian CVE
added 2024/06/09 12:00 a.m. · 25 views

CVE-2024-37568

lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. This is similar to CVE-2022-29217 and CVE-2024-33663...

CVSS 7.5 · AI score 7.1 · EPSS 0.00145
Exploits 1
CNNVD
added 2024/06/09 12:00 a.m. · 1 view

Authlib Security Vulnerability

Authlib is a Python library for building OAuth and OpenID Connect servers. A security vulnerability exists in Authlib versions prior to 1.3.1 that stems from allowing HMAC verification using any asymmetric public key...

CVSS 7.5 · AI score 7 · EPSS 0.00145
Exploits 1 · References 3
Positive Technologies
added 2024/06/09 12:00 a.m. · 1 view

PT-2024-27665 · Unknown +2 · Lepture Authlib +2

Name of the Vulnerable Software and Affected Versions: lepture Authlib versions prior to 1.3.1 Description: The issue concerns algorithm confusion with asymmetric public keys in lepture Authlib. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetri...

CVSS 7.5 · AI score 6.9 · EPSS 0.00145
Exploits 1 · References 36
Cvelist
added 2024/06/09 12:00 a.m. · 28 views

CVE-2024-37568

lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. This is similar to CVE-2022-29217 and CVE-2024-33663...

EPSS 0.00145
Exploits 1 · References 4
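The Authlib entries above all describe the same bug class: when the caller of jwt.decode does not pin an algorithm, the token header chooses it, and a verifier holding an RSA public key will happily use that public PEM as an HS256 secret. The following is an added example, not Authlib's code and not taken from any advisory on this page: a toy JWT verifier with the same mistake next to a pinned version. The PEM text, claims and function names are constructed for illustration; real RSA verification is stubbed out because the forged token never reaches it.

```python
"""Algorithm confusion in a JWT verifier that lets the token header choose
the algorithm. Added example, not Authlib's code: a toy HS256 verifier with
the same mistake, then the pinned version."""
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the server's RSA public key. Its content is
# irrelevant to the attack; what matters is that it is public and that the
# lenient verifier will use these bytes as an HMAC secret.
PUBLIC_KEY_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAconstructedplaceholder\n"
    "-----END PUBLIC KEY-----\n"
)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256(signing_input: bytes, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def forge_token(claims: dict, public_key_pem: str) -> str:
    """Attacker side: emit an HS256 token whose HMAC secret is the public key."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{body}".encode()
    return f"{header}.{body}.{b64url(hs256(signing_input, public_key_pem.encode()))}"


def split_token(token: str):
    h, p, s = token.split(".")
    return (json.loads(b64url_decode(h)), json.loads(b64url_decode(p)),
            f"{h}.{p}".encode(), b64url_decode(s))


def rs256_verify(signing_input: bytes, sig: bytes, public_key_pem: str) -> bool:
    # Real RSA verification would live here (needs a crypto library); the
    # forged token never reaches it because its header says HS256.
    return False


def decode_lenient(token: str, key: str, algorithms=None) -> dict:
    """Bug class on this page: with algorithms=None the header's alg is trusted,
    so a PEM public key ends up used as the HS256 secret."""
    header, claims, signing_input, sig = split_token(token)
    alg = header.get("alg")
    if algorithms is not None and alg not in algorithms:
        raise ValueError(f"algorithm {alg!r} not allowed")
    if alg == "HS256":
        if not hmac.compare_digest(hs256(signing_input, key.encode()), sig):
            raise ValueError("bad signature")
        return claims
    if alg == "RS256":
        if not rs256_verify(signing_input, sig, key):
            raise ValueError("bad signature")
        return claims
    raise ValueError(f"unsupported algorithm {alg!r}")


def decode_pinned(token: str, key: str, algorithms) -> dict:
    """Fix: the caller pins the algorithm list, and an HMAC algorithm is
    refused outright when the key material is a PEM public key."""
    if not algorithms:
        raise ValueError("algorithms must be specified explicitly")
    header, *_ = split_token(token)
    if str(header.get("alg", "")).startswith("HS") and key.lstrip().startswith("-----BEGIN"):
        raise ValueError("refusing to use an asymmetric key as an HMAC secret")
    return decode_lenient(token, key, algorithms)


def demo() -> tuple:
    """Returns (lenient verifier accepted the forgery, pinned verifier rejected it)."""
    token = forge_token({"sub": "admin", "admin": True}, PUBLIC_KEY_PEM)
    accepted = decode_lenient(token, PUBLIC_KEY_PEM)["admin"] is True
    try:
        decode_pinned(token, PUBLIC_KEY_PEM, ["RS256"])
        rejected = False
    except ValueError:
        rejected = True
    return accepted, rejected


if __name__ == "__main__":
    print(demo())
```

The practical check for a code base is the same as the fix: grep every jwt.decode (or equivalent) call for an explicit algorithm list, and keep HMAC and asymmetric keys in separate verifiers so a PEM can never be handed to an HS* path.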
CVE
added 2024/06/09 12:00 a.m. · 93 views

CVE-2024-37568

Technical details for CVE-2024-37568 are not publicly available in the provided documents. Monitor for updates from upstream and security advisories.

CVSS 7.5 · AI score 7.4 · EPSS 0.00145
Exploits 1 · References 5 · Affected Software 1
OSV
added 2024/06/07 5:07 p.m. · 8 views

GHSA-HH95-5XM5-V8V7 TYPO3 CMS Possible Insecure Deserialization in Extbase Request Handling

It has been discovered that request handling in Extbase can be vulnerable to insecure deserialization. User submitted payload has to be signed with a corresponding HMAC-SHA1 using the sensitive TYPO3 encryptionKey as secret - invalid or unsigned payload is not deserialized. However, since sensiti...

CVSS 8.1 · AI score 6.8
Exploits 0 · References 5
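The two TYPO3 entries on this page (Veracode above and this GHSA record) make the same point: an HMAC over a serialized payload only proves the sender held the key, so once the encryptionKey leaks the signature check is no obstacle and the deserializer itself becomes the attack surface. The following is an added example, not TYPO3's code: the HMAC-SHA1 scheme is modelled in Python, with pickle standing in for PHP's unserialize(); the key, the request handlers and the benign Gadget class are constructed for illustration.

```python
"""What an HMAC over a serialized payload does and does not protect. Added
example, not TYPO3's code: the encryptionKey/HMAC-SHA1 scheme is modelled in
Python, with pickle standing in for PHP's unserialize()."""
import hashlib
import hmac
import json
import pickle

ENCRYPTION_KEY = b"constructed-encryption-key"  # constructed; models TYPO3's encryptionKey

SIDE_EFFECTS = []  # constructed, benign record of gadget execution


def sign(payload: bytes, key: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha1).hexdigest()


def signature_valid(payload: bytes, sig: str, key: bytes) -> bool:
    return hmac.compare_digest(sign(payload, key), sig)


def record(marker: str) -> str:
    SIDE_EFFECTS.append(marker)
    return marker


class Gadget:
    """Constructed, benign stand-in for a deserialization gadget: unpickling
    it calls record(), the way a real gadget would call something harmful."""

    def __reduce__(self):
        return (record, ("gadget ran during unpickle",))


def handle_request_unsafe(payload: bytes, sig: str) -> object:
    """Signature check, then a native object deserializer. Safe exactly as
    long as the key stays secret."""
    if not signature_valid(payload, sig, ENCRYPTION_KEY):
        raise ValueError("unsigned or tampered payload")
    return pickle.loads(payload)


def handle_request_safe(payload: bytes, sig: str) -> object:
    """Same check, but a data-only format. A leaked key still lets an attacker
    pass the check, yet the decoder cannot instantiate objects or run code."""
    if not signature_valid(payload, sig, ENCRYPTION_KEY):
        raise ValueError("unsigned or tampered payload")
    return json.loads(payload)


def demo() -> dict:
    malicious = pickle.dumps(Gadget())

    # Attacker without the key: the signature check fails and nothing is deserialized.
    try:
        handle_request_unsafe(malicious, sign(malicious, b"wrong-key"))
        wrong_key_rejected = False
    except ValueError:
        wrong_key_rejected = True

    # Attacker who learned the key: the forged signature passes and the gadget runs.
    before = len(SIDE_EFFECTS)
    handle_request_unsafe(malicious, sign(malicious, ENCRYPTION_KEY))
    gadget_ran = len(SIDE_EFFECTS) == before + 1

    # Same forged request against the data-only decoder: the signature passes,
    # but there is no object graph to reconstruct, so no gadget can run.
    before = len(SIDE_EFFECTS)
    try:
        handle_request_safe(malicious, sign(malicious, ENCRYPTION_KEY))
    except ValueError:  # JSONDecodeError / UnicodeDecodeError are ValueErrors
        pass
    return {
        "wrong_key_rejected": wrong_key_rejected,
        "leaked_key_gadget_ran": gadget_ran,
        "safe_handler_no_gadget": len(SIDE_EFFECTS) == before,
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the signature and the decoder are separate controls: the HMAC defends against everyone who does not know the key, while choosing a data-only format (or a strict allowlist of classes) is what limits the blast radius when the key is exposed, as the advisory's "since sensiti..." clause alludes to.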
SUSE CVE
added 2024/06/07 2:28 a.m. · 3 views

SUSE CVE-2024-3049

A flaw was found in Booth, a cluster ticket manager. If a specially-crafted hash is passed to gcry_md_get_algo_dlen, it may allow an invalid HMAC to be accepted by the Booth server...

CVSS 7.4 · AI score 6.6 · EPSS 0.01032
Exploits 0 · References 9
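The Booth entries (Rocky, AlmaLinux and this SUSE record) describe a verifier in which the hash algorithm identifier comes from the message and the digest length is looked up from it; a libgcrypt-style length lookup reports 0 for an unknown algorithm, and a comparison over zero bytes succeeds. The following is an added example, not Booth's code and not a reproduction of the actual Booth message format: a constructed algorithm registry, shared key and tuple wire format model the bug class alongside the strict verifier.

```python
"""Digest-length confusion: an attacker-chosen hash algorithm id yields a
digest length of 0 and an empty comparison passes. Added example, not Booth's
code; the registry, key and wire format are constructed."""
import hashlib
import hmac

SHARED_KEY = b"constructed-cluster-secret"   # constructed; stands in for the site key

# Constructed registry. A libgcrypt-style length lookup returns 0 for an
# unknown algorithm id, which is the behaviour modelled by digest_len_lenient().
ALGOS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}


def digest_len_lenient(alg: str) -> int:
    """Returns 0 for an unknown algorithm instead of failing."""
    return ALGOS[alg]().digest_size if alg in ALGOS else 0


def compute_mac(payload: bytes, alg: str) -> bytes:
    return hmac.new(SHARED_KEY, payload, ALGOS[alg]).digest()


def make_message(payload: bytes, alg: str) -> tuple:
    """Sender side: (alg, payload, mac). The alg field travels in the clear and
    is therefore attacker-controlled on the receiving end."""
    return alg, payload, compute_mac(payload, alg)


def verify_lenient(alg: str, payload: bytes, mac: bytes) -> bool:
    """Vulnerable pattern: trust whatever length the lookup returns and compare
    that many bytes. With n == 0 the comparison is b"" == b"" and succeeds."""
    n = digest_len_lenient(alg)
    expected = compute_mac(payload, alg) if n else b""
    return expected[:n] == mac[:n]


def verify_strict(alg: str, payload: bytes, mac: bytes) -> bool:
    """Fix: an unknown algorithm is a hard failure, the MAC must be the full
    digest length, and the comparison is constant-time."""
    if alg not in ALGOS:
        return False
    expected = compute_mac(payload, alg)
    if len(mac) != len(expected):
        return False
    return hmac.compare_digest(expected, mac)


def demo() -> dict:
    alg, payload, mac = make_message(b"grant ticket to node-2", "sha256")
    forged = ("no-such-alg", b"grant ticket to attacker", b"")
    tampered = mac[:-1] + bytes([mac[-1] ^ 0x01])
    return {
        "genuine_lenient": verify_lenient(alg, payload, mac),
        "genuine_strict": verify_strict(alg, payload, mac),
        "tampered_lenient": verify_lenient(alg, payload, tampered),
        "tampered_strict": verify_strict(alg, payload, tampered),
        "forged_lenient": verify_lenient(*forged),
        "forged_strict": verify_strict(*forged),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the lenient verifier is not wrong about tampered MACs under a known algorithm; it fails only when a length derived from untrusted input collapses to zero, which is why the fix is to reject unknown identifiers before any length is used rather than to harden the comparison alone.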