Lucene search
K

109 matches found

Github Security Blog
Github Security Blog
added 2025/08/01 6:15 p.m.8 views

OpenSearch unauthorized data access on fields protected by field level security if field is a member of an object

Impact OpenSearch versions 2.19.2 and earlier improperly apply Field Level Security FLS rules on fields which are not at the top level of the source document tree i.e., which are members of a JSON object. If an FLS exclusion rule like object is applied to an object valued attribute in a source...

7AI score
Exploits0References2Affected Software1
Veracode
Veracode
added 2025/07/14 9:29 a.m.9 views

Denial Of Service (DoS)

com.nimbusds:nimbus-jose-jwt is vulnerable to Denial Of Service DoS. The vulnerability is due to uncontrolled recursion due to lack of validation on JSON object nesting depth in JWT claim sets, allowing remote attackers to exhaust system resources with deeply nested structures...

5.8CVSS6.1AI score0.00806EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2025/07/11 3:30 a.m.14 views

Nimbus JOSE + JWT is vulnerable to DoS attacks when processing deeply nested JSON

Connect2id Nimbus JOSE + JWT before 10.0.2 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 issue because the Connect2id product could have checked the...

5.8CVSS6.4AI score0.00806EPSS
Exploits0References7Affected Software1
NVD
NVD
added 2025/07/11 3:16 a.m.37 views

CVE-2025-53864

Connect2id Nimbus JOSE + JWT 10.0.x before 10.0.2 and 9.37.x before 9.37.4 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 issue because the Connect2i...

5.8CVSS0.00806EPSS
Exploits0References5
Cvelist
Cvelist
added 2025/07/11 12:0 a.m.13 views

CVE-2025-53864

Connect2id Nimbus JOSE + JWT 10.0.x before 10.0.2 and 9.37.x before 9.37.4 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 issue because the Connect2i...

5.8CVSS0.00806EPSS
Exploits0References5
OSV
OSV
added 2025/07/11 12:0 a.m.10 views

CVE-2025-53864

Connect2id Nimbus JOSE + JWT 10.0.x before 10.0.2 and 9.37.x before 9.37.4 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 issue because the Connect2i...

5.8CVSS7AI score0.00806EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2025/07/11 12:0 a.m.3 views

PT-2025-29195

Name of the Vulnerable Software and Affected Versions: Connect2id Nimbus JOSE + JWT versions prior to 10.0.2 Description: The software is susceptible to a denial-of-service condition triggered by a deeply nested JSON object within a JWT claim set. This occurs due to uncontrolled recursion during...

5.8CVSS7.3AI score0.00806EPSS
Exploits0References16
Vulnrichment
Vulnrichment
added 2025/07/11 12:0 a.m.6 views

CVE-2025-53864

Connect2id Nimbus JOSE + JWT 10.0.x before 10.0.2 and 9.37.x before 9.37.4 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 issue because the Connect2i...

5.8CVSS6.9AI score0.00806EPSS
Exploits0References5
CNNVD
CNNVD
added 2025/07/01 12:0 a.m.5 views

tiny-secp256k1 安全漏洞

tiny-secp256k1 is a wrapper for bitcoinjs open source. A security vulnerability exists in tiny-secp256k1 versions prior to 1.1.7, which stems from the potential disclosure of a private key when signing a malicious JSON stringable object, potentially leading to private key extraction...

9.1CVSS6.3AI score0.00317EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2025/04/22 4:53 p.m.33 views

Wazuh server vulnerable to remote code execution

Summary An unsafe deserialization vulnerability allows for remote code execution on Wazuh servers. The vulnerability can be triggered by anybody with API access compromised dashboard or Wazuh servers in the cluster or, in certain configurations, even by a compromised agent. Details DistributedAPI...

9.9CVSS8.2AI score0.92579EPSS
Exploits10References4Affected Software1
RedhatCVE
RedhatCVE
added 2025/02/05 10:42 p.m.17 views

CVE-2022-36429

A command execution vulnerability exists in the ubus backend communications functionality of Netgear Orbi Satellite RBS750 4.6.8.5. A specially-crafted JSON object can lead to arbitrary command execution. An attacker can send a sequence of malicious packets to trigger this vulnerability...

7.2CVSS7AI score0.01987EPSS
Exploits1
RedhatCVE
RedhatCVE
added 2025/02/05 2:8 p.m.9 views

CVE-2020-28593

A unauthenticated backdoor exists in the configuration server functionality of Cosori Smart 5.8-Quart Air Fryer CS158-AF 1.1.0. A specially crafted JSON object can lead to code execution. An attacker can send a malicious packet to trigger this vulnerability...

8.1CVSS7.2AI score0.01875EPSS
Exploits1
RedhatCVE
RedhatCVE
added 2025/02/05 2:5 p.m.8 views

CVE-2020-28592

A heap-based buffer overflow vulnerability exists in the configuration server functionality of the Cosori Smart 5.8-Quart Air Fryer CS158-AF 1.1.0. A specially crafted JSON object can lead to remote code execution. An attacker can send a malicious packet to trigger this vulnerability...

9.8CVSS7.9AI score0.02545EPSS
Exploits1
RedhatCVE
RedhatCVE
added 2025/02/05 9:53 a.m.8 views

CVE-2024-3283

A vulnerability in mintplex-labs/anything-llm allows users with manager roles to escalate their privileges to admin roles through a mass assignment issue. The '/admin/system-preferences' API endpoint improperly authorizes manager-level users to modify the 'multiusermode' system variable, enabling...

7.2CVSS6.9AI score0.0095EPSS
Exploits1References1
CVE
CVE
added 2024/11/13 12:0 a.m.54 views

CVE-2024-45875

The CVE concerns baltic-it TOPqw Webportal 1.35.287.1, with a fix in 1.35.291. The vulnerability exists in the create user function at /Apps/TOPqw/BenutzerManagement.aspx/SaveNewUser, where the JSON object username enables SQL query manipulation. This is a SQL injection in the user-creation path,...

5.4CVSS7.8AI score0.00315EPSS
Exploits0References1
RedHat Linux
RedHat Linux
added 2024/11/12 9:19 a.m.34 views

Moderate: Red Hat Security Advisory: python-jwcrypto security update

An update for python-jwcrypto is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability...

5.3CVSS6.3AI score0.00884EPSS
Exploits0References4
RedHat Linux
RedHat Linux
added 2024/09/05 2:13 p.m.3 views

python-django: Potential SQL injection in QuerySet.values() and values_list()

A flaw was found in Django. The QuerySet.values and QuerySet.valueslist methods on models with a JSONField were subject to SQL injection in column aliases via a crafted JSON object key as a passed arg...

9.8CVSS7.1AI score0.01227EPSS
Exploits0References5
AlpineLinux
AlpineLinux
added 2024/08/07 12:0 a.m.17 views

CVE-2024-42005

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values and valueslist methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed arg...

9.8CVSS7.8AI score0.01227EPSS
Exploits0
OSV
OSV
added 2024/08/06 4:21 p.m.5 views

USN-6946-1 python-django vulnerabilities

It was discovered that Django incorrectly handled certain strings in floatformat function. An attacker could possibly use this issue to cause a memory exhaustion. CVE-2024-41989 It was discovered that Django incorrectly handled very large inputs. An attacker could possibly use this issue to cause...

9.8CVSS6.8AI score0.01258EPSS
Exploits0References5
Fedora
Fedora
added 2024/07/16 4:32 a.m.10 views

[SECURITY] Fedora 40 Update: erlang-jose-1.11.10-1.fc40

JSON Object Signing and Encryption JOSE for Erlang and Elixir...

5.3CVSS7.4AI score0.00887EPSS
Exploits0
Rows per page
Query Builder