Lucene search
+L

6 matches found

Github Security Blog
Github Security Blog
added 2026/07/01 8:28 p.m.20 views

Centrifugo's dynamic JWKS key cache keyed only by `kid` allows cross-issuer JWT authentication bypass

Summary Centrifugo's dynamic JWKS endpoint feature can verify a JWT for one allowed issuer using a public key cached from another allowed issuer. The JWKS cache and singleflight lookup are keyed only by the JWT header kid, not by the resolved JWKS endpoint, issuer, audience, or other trust-domain...

8.2CVSS5.9AI score0.00266EPSS
Exploits0References2Affected Software5
RedhatCVE
RedhatCVE
added 2026/06/05 7:27 p.m.13 views

CVE-2026-40942

The Data Sharing Framework DSF implements a distributed process engine based on the BPMN 2.0 and FHIR R4 standards. Prior to 2.1.0, The OIDC JWKS and Metadata Document caches used an inverted time comparison isBefore instead of isAfter, causing the cache to never return cached values. Every...

6.3CVSS5.5AI score0.00291EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/04/21 9:9 p.m.3 views

CVE-2026-40942

The Data Sharing Framework DSF implements a distributed process engine based on the BPMN 2.0 and FHIR R4 standards. Prior to 2.1.0, The OIDC JWKS and Metadata Document caches used an inverted time comparison isBefore instead of isAfter, causing the cache to never return cached values. Every...

6.3CVSS5.8AI score0.00291EPSS
Exploits0References4Affected Software3
Snyk
Snyk
added 2026/04/15 7:19 p.m.13 views

Always-Incorrect Control Flow Implementation

Overview Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation due to an inverted time comparison in the OIDC JWKS and token cache processes. An attacker can cause expired tokens to be reused or force repeated network requests to the OIDC provider by...

6.3CVSS5.8AI score0.00291EPSS
Exploits0References2
RedHat Linux
RedHat Linux
added 2023/05/18 12:39 a.m.6 views

golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests

A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache...

5.3CVSS6.6AI score0.05623EPSS
Exploits0References9
RedHat Linux
RedHat Linux
added 2023/03/15 7:58 p.m.7 views

golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests

A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache...

5.3CVSS6.6AI score0.05623EPSS
Exploits0References9
Rows per page
Query Builder