Lucene search
K

49 matches found

Veracode
Veracode
added 2026/06/17 11:35 a.m.10 views

Authentication Bypass

Spring Web Services is vulnerable to Authentication Bypass. The vulnerability is due to X509AuthenticationProvider issuing a fully authenticated X509AuthenticationToken based solely on certificate-to-user mapping, without enforcing standard account status checks such as disabled, locked, expired,...

5.4CVSS5.3AI score0.00148EPSS
Exploits0References2Affected Software1
NVD
NVD
added 2026/05/11 10:16 a.m.14 views

CVE-2025-10908

Due to a lack of user account state validation during authentication, locked user accounts can be successfully authenticated using Magic Link or Pass Key methods. This bypasses the intended security control that should prevent access to accounts that have been locked. This vulnerability may allow...

7.3CVSS0.0023EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/05/11 12:0 a.m.7 views

WSO2 Identity Server 安全漏洞

WSO2 Identity Server is an identity authentication server developed by the American company WSO2. WSO2 Identity Server has a security vulnerability that stems from the lack of verification of user account status. This vulnerability may allow locked accounts to be successfully authenticated throug...

7.3CVSS5.8AI score0.0023EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/04/22 6:30 a.m.6 views

Spring Security Vulnerable to User Attribute Enumeration when Using DaoAuthenticationProvider

Vulnerability in Spring Spring Security. If an application is using the UserDetailsisEnabled, isAccountNonExpired, or isAccountNonLocked user attributes, to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack defense can be bypassed for users who are disabled, expired, o...

3.7CVSS5.1AI score0.00215EPSS
Exploits0References3Affected Software1
CVE
CVE
added 2026/04/22 5:2 a.m.19 views

CVE-2026-22746

The CVE concerns Spring Security vulnerability CVE-2026-22746 where the timing-attack defense in DaoAuthenticationProvider can be bypassed when an application uses the UserDetails attributes isEnabled, isAccountNonExpired, or isAccountNonLocked to manage user status. Affected versions include Spr...

3.7CVSS5.7AI score0.00215EPSS
Exploits0References1Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/22 5:2 a.m.12 views

CVE-2026-22746 User Attribute Enumeration when Using DaoAuthenticationProvider

Vulnerability in Spring Spring Security. If an application is using the UserDetailsisEnabled, isAccountNonExpired, or isAccountNonLocked user attributes, to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack defense can be bypassed for users who are disabled, expired, o...

3.7CVSS5.7AI score0.00215EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/04/16 10:25 a.m.3 views

CVE-2025-12624

Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This failure to enforce revocation allows previously issued, valid tokens to remain usable, enabling continued access to protected resources by locked user accounts. The security...

6CVSS5.8AI score0.00177EPSS
Exploits0References2Affected Software1
Packet Storm
Packet Storm
added 2026/04/15 12:0 a.m.118 views

📄 Kiuwan SAST 2.8.2412.0 Improper Enforcement

It was found out that a user is still able to login at the Kiuwan WebUI via SSO, even if the Kiuwan mapped account has been disabled in the user settings by an admin. This issue has been addressed in version 2.8.2509.4. SEC Consult Vulnerability Lab Security Advisory...

5.4CVSS5.7AI score0.00189EPSS
Exploits1
Github Security Blog
Github Security Blog
added 2026/03/25 9:10 p.m.5 views

Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect

Summary When a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths. Three other authentication paths — API tokens, CalDAV basic auth, and OpenID Connect — do not verify user status, allowing disabled or locked users to continue...

8.1CVSS5.9AI score0.00453EPSS
Exploits1References8Affected Software1
GitLab Advisory Database
GitLab Advisory Database
added 2026/03/25 12:0 a.m.6 views

Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect

When a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths. Three other authentication paths — API tokens, CalDAV basic auth, and OpenID Connect — do not verify user status, allowing disabled or locked users to continue accessing th...

8.1CVSS5.8AI score0.00453EPSS
Exploits1References9Affected Software1
EUVD
EUVD
added 2025/10/07 12:30 a.m.6 views

EUVD-2017-18328

Malware in sbrugna...

9.8CVSS9.5AI score0.01684EPSS
Exploits0References3
Tenable Nessus
Tenable Nessus
added 2025/09/04 12:0 a.m.3 views

Linux Distros Unpatched Vulnerability : CVE-2022-22967

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An issue was discovered in SaltStack Salt in versions before 3002.9, 3003.5, 3004.2. PAM auth fails to reject locked accounts, which allows a previously...

8.8CVSS8.1AI score0.01878EPSS
Exploits0References2
SUSE CVE
SUSE CVE
added 2023/02/15 3:28 a.m.4 views

SUSE CVE-2022-22967

An issue was discovered in SaltStack Salt in versions before 3002.9, 3003.5, 3004.2. PAM auth fails to reject locked accounts, which allows a previously authorized user whose account is locked still run Salt commands when their account is locked. This affects both local shell accounts with an...

7.5CVSS9.4AI score0.01878EPSS
Exploits0References20
OSV
OSV
added 2022/06/25 7:21 a.m.43 views

GHSA-FPXM-FPRW-6HXJ Salt's PAM auth fails to reject locked accounts

An issue was discovered in SaltStack Salt in versions before 3002.9, 3003.5, 3004.2. PAM auth fails to reject locked accounts, which allows a previously authorized user whose account is locked still run Salt commands when their account is locked. This affects both local shell accounts with an...

7.7CVSS8.4AI score0.01878EPSS
Exploits0References7
Github Security Blog
Github Security Blog
added 2022/06/25 7:21 a.m.44 views

Salt's PAM auth fails to reject locked accounts

An issue was discovered in SaltStack Salt in versions before 3002.9, 3003.5, 3004.2. PAM auth fails to reject locked accounts, which allows a previously authorized user whose account is locked still run Salt commands when their account is locked. This affects both local shell accounts with an...

8.8CVSS4.4AI score0.01878EPSS
Exploits0References6Affected Software1
Veracode
Veracode
added 2022/06/24 9:48 a.m.25 views

Authorization Bypass

salt is vulnerable to authorization bypass. The vulnerability exists in myconv function in pam.py because PAM auth doesn't reject locked accounts which allows an attacker to perform unauthorized actions when the accounts are locked...

8.8CVSS8.2AI score0.01878EPSS
Exploits0References7Affected Software1
Tenable Nessus
Tenable Nessus
added 2022/06/24 12:0 a.m.53 views

SUSE SLES15 Security Update : salt (SUSE-SU-2022:2159-1)

The remote SUSE Linux SLES15 / SLESSAP15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2022:2159-1 advisory. - An issue was discovered in SaltStack Salt in versions before 3002.9, 3003.5, 3004.2. PAM auth fails to reject locked accounts, which allow...

8.8CVSS8.2AI score0.01878EPSS
Exploits0References4
PyPA
PyPA
added 2022/06/23 5:15 p.m.14 views

PYSEC-2022-210

An issue was discovered in SaltStack Salt in versions before 3002.9, 3003.5, 3004.2. PAM auth fails to reject locked accounts, which allows a previously authorized user whose account is locked still run Salt commands when their account is locked. This affects both local shell accounts with an...

8.8CVSS6.9AI score0.01878EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2022/06/23 5:15 p.m.5 views

UBUNTU-CVE-2022-22967

An issue was discovered in SaltStack Salt in versions before 3002.9, 3003.5, 3004.2. PAM auth fails to reject locked accounts, which allows a previously authorized user whose account is locked still run Salt commands when their account is locked. This affects both local shell accounts with an...

8.8CVSS7.3AI score0.01878EPSS
Exploits0References3
Prion
Prion
added 2022/06/23 5:15 p.m.21 views

Design/Logic Flaw

An issue was discovered in SaltStack Salt in versions before 3002.9, 3003.5, 3004.2. PAM auth fails to reject locked accounts, which allows a previously authorized user whose account is locked still run Salt commands when their account is locked. This affects both local shell accounts with an...

6.5CVSS8.3AI score0.01878EPSS
Exploits0References3Affected Software1
Rows per page
Query Builder