143 matches found

Github Security Blog
added 2024/08/09 8:41 p.m.

s2n-tls's mTLS API ordering may skip client authentication

Impact An API ordering issue in s2n-tls can cause client authentication to unexpectedly not be enabled on the server when it otherwise appears to be. Server applications are impacted if client authentication is enabled by calling s2n_connection_set_config before calling s2n_connection_set_client_auth_typ...

AI score 7
Exploits 0 | References 3 | Affected Software 1
OSV
added 2024/07/05 7:42 p.m.

GHSA-RRQR-7W59-637V Pomerium exposed OAuth2 access and ID tokens in user info endpoint response

Impact The Pomerium user info page at /.pomerium unintentionally included serialized OAuth2 access and ID tokens from the logged-in user's session. These tokens are not intended to be exposed to end users. This issue may be more severe in the presence of an XSS vulnerability in an upstream...

CVSS 6.9 | AI score 5.3 | EPSS 0.00416
Exploits 0 | References 4
Github Security Blog
added 2024/07/05 7:42 p.m.

Pomerium exposed OAuth2 access and ID tokens in user info endpoint response

Impact The Pomerium user info page at /.pomerium unintentionally included serialized OAuth2 access and ID tokens from the logged-in user's session. These tokens are not intended to be exposed to end users. This issue may be more severe in the presence of an XSS vulnerability in an upstream...

CVSS 6.5 | AI score 5.8 | EPSS 0.00416
Exploits 0 | References 4 | Affected Software 1
NVD
added 2024/07/03 6:15 a.m.

CVE-2024-37082

When deploying Cloud Foundry together with the haproxy-boshrelease and using a non default configuration, it might be possible to craft HTTP requests that bypass mTLS authentication to Cloud Foundry applications. You are affected if you have route-services enabled in routing-release and have...

CVSS 9.1 | EPSS 0.00545
Exploits 0 | References 1
Vulnrichment
added 2024/07/03 6:08 a.m.

CVE-2024-37082

When deploying Cloud Foundry together with the haproxy-boshrelease and using a non default configuration, it might be possible to craft HTTP requests that bypass mTLS authentication to Cloud Foundry applications. You are affected if you have route-services enabled in routing-release and have...

CVSS 9.1 | AI score 6.7 | EPSS 0.00545
Exploits 0 | References 1
Cvelist
added 2024/07/03 6:08 a.m.

CVE-2024-37082

When deploying Cloud Foundry together with the haproxy-boshrelease and using a non default configuration, it might be possible to craft HTTP requests that bypass mTLS authentication to Cloud Foundry applications. You are affected if you have route-services enabled in routing-release and have...

CVSS 9.1 | EPSS 0.00545
Exploits 0 | References 1
CVE
added 2024/07/03 6:08 a.m.

CVE-2024-37082

CVE-2024-37082 affects Cloud Foundry when deployed with the haproxy-boshrelease and non-default configuration, allowing HTTP requests to bypass mTLS against CF applications if route-services are enabled and ha_proxy.forwarded_client_cert is set to forward_only_if_route_service. Affected setup: Ro...

CVSS 9.1 | AI score 9.2 | EPSS 0.00545
Exploits 0 | References 1
NVD
added 2024/07/02 8:15 p.m.

CVE-2024-39315

Pomerium is an identity and context-aware access proxy. Prior to version 0.26.1, the Pomerium user info page at /.pomerium unintentionally included serialized OAuth2 access and ID tokens from the logged-in user's session. These tokens are not intended to be exposed to end users. This issue may be...

CVSS 6.5 | EPSS 0.00416
Exploits 0 | References 2
OSV
added 2024/07/02 8:02 p.m.

CVE-2024-39315 Pomerium exposed OAuth2 access and ID tokens in user info endpoint response

Pomerium is an identity and context-aware access proxy. Prior to version 0.26.1, the Pomerium user info page at /.pomerium unintentionally included serialized OAuth2 access and ID tokens from the logged-in user's session. These tokens are not intended to be exposed to end users. This issue may be...

CVSS 5.7 | AI score 5.9 | EPSS 0.00416
Exploits 0 | References 4
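The four Pomerium entries above (GHSA-RRQR-7W59-637V / CVE-2024-39315) describe one issue: the /.pomerium user-info response serialized the session's OAuth2 access and ID tokens, so anything that can read that page (including script injected through an XSS flaw in an upstream application) can read the tokens. The Go program below is an added check, not Pomerium's own code. It walks a saved response body and reports every JSON field whose key is a well-known token name or whose value has the three-part compact JWT shape. The sample body is constructed for the example; the exact response layout of the affected versions is not reproduced here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"regexp"
	"sort"
	"strings"
)

// SampleUserInfo is a constructed stand-in for a /.pomerium response body from
// an affected version. Only the property at issue is reproduced: OAuth2 tokens
// from the session serialized into a response the end user can read.
const SampleUserInfo = `{
  "user": {"id": "alice", "email": "alice@example.com"},
  "session": {
    "id": "s-123",
    "oauth_token": {
      "access_token": "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl",
      "id_token": "eyJhbGciOiJSUzI1NiJ9.eyJhdWQiOiJwb21lcml1bSJ9.c2lnbmF0dXJl",
      "expiry": "2024-07-01T00:00:00Z"
    }
  }
}`

// jwtShape matches a compact-serialized JWT/JWS: three base64url segments.
var jwtShape = regexp.MustCompile(`^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$`)

// tokenKeys are field names that should never reach a user-facing response.
var tokenKeys = map[string]bool{"access_token": true, "id_token": true, "refresh_token": true}

// FindTokenLeaks parses a JSON response body and returns the dotted paths of
// string values that sit under a token key or look like a JWT, sorted.
func FindTokenLeaks(body string) ([]string, error) {
	var doc any
	if err := json.Unmarshal([]byte(body), &doc); err != nil {
		return nil, fmt.Errorf("response is not JSON: %w", err)
	}
	var hits []string
	walk(doc, "", &hits)
	sort.Strings(hits)
	return hits, nil
}

func walk(v any, path string, hits *[]string) {
	switch x := v.(type) {
	case map[string]any:
		for k, child := range x {
			p := k
			if path != "" {
				p = path + "." + k
			}
			if s, ok := child.(string); ok && (tokenKeys[strings.ToLower(k)] || jwtShape.MatchString(s)) {
				*hits = append(*hits, p)
				continue
			}
			walk(child, p, hits)
		}
	case []any:
		for i, child := range x {
			walk(child, fmt.Sprintf("%s[%d]", path, i), hits)
		}
	}
}

func main() {
	body := SampleUserInfo
	if len(os.Args) > 1 { // optional: path to a saved /.pomerium response body
		b, err := os.ReadFile(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
		body = string(b)
	}
	hits, err := FindTokenLeaks(body)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, h := range hits {
		fmt.Println("token-like value at", h)
	}
	if len(hits) > 0 {
		os.Exit(1)
	}
}
```

Run it with no arguments to see the two hits in the constructed sample, or pass the path of a body captured from an authenticated request to your own /.pomerium endpoint; a non-zero exit means something token-shaped is being returned to the browser. The JWT-shape test is a heuristic (any dotted base64url triple matches), so treat hits outside the known token keys as leads to inspect rather than confirmed leaks.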
Cloud Foundry
added 2024/06/24 12:00 a.m.

CVE-2024-37082 - mTLS bypass | Cloud Foundry

Severity: CRITICAL. Vendor: CloudFoundry Foundation. Versions Affected: Routing Release 10.6.0. Description: When deploying Cloud Foundry together with the haproxy-boshrelease and using a non default configuration, it might be possible to craft HTTP requests that bypass mTLS authentication to Cloud...

CVSS 9.1 | AI score 9.3 | EPSS 0.00545
Exploits 0
NVD
added 2023/10/04 11:15 a.m.

CVE-2023-2422

A flaw was found in Keycloak. A Keycloak server configured to support mTLS authentication for OAuth/OpenID clients does not properly verify the client certificate chain. A client that possesses a proper certificate can authorize itself as any other client, therefore, access data that belongs to...

CVSS 7.1 | AI score 6 | EPSS 0.00522
Exploits 0 | References 7
Prion
added 2023/10/04 11:15 a.m.

Authentication flaw

A flaw was found in Keycloak. A Keycloak server configured to support mTLS authentication for OAuth/OpenID clients does not properly verify the client certificate chain. A client that possesses a proper certificate can authorize itself as any other client, therefore, access data that belongs to...

CVSS 5.5 | AI score 7.1 | EPSS 0.00522
Exploits 0 | References 7 | Affected Software 2
Cvelist
added 2023/10/04 10:59 a.m.

CVE-2023-2422 Keycloak: oauth client impersonation

A flaw was found in Keycloak. A Keycloak server configured to support mTLS authentication for OAuth/OpenID clients does not properly verify the client certificate chain. A client that possesses a proper certificate can authorize itself as any other client, therefore, access data that belongs to...

CVSS 5.5 | AI score 7.2 | EPSS 0.00522
Exploits 0 | References 7
Vulnrichment
added 2023/10/04 10:59 a.m.

CVE-2023-2422 Keycloak: oauth client impersonation

A flaw was found in Keycloak. A Keycloak server configured to support mTLS authentication for OAuth/OpenID clients does not properly verify the client certificate chain. A client that possesses a proper certificate can authorize itself as any other client, therefore, access data that belongs to...

CVSS 5.5 | AI score 6.7 | EPSS 0.00522
Exploits 0 | References 7
CVE
added 2023/10/04 10:59 a.m.

CVE-2023-2422

CVE-2023-2422 describes an authentication flaw in Keycloak-based deployments where mTLS client certificate chain verification is insufficient. The vulnerability allows a client with a valid certificate to impersonate another client and access data belonging to that client. The issue is documented...

CVSS 7.1 | AI score 6.5 | EPSS 0.00522
Exploits 0 | References 7 | Affected Software 3
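The five Keycloak entries above (CVE-2023-2422) describe the same flaw class: the server checked that a client certificate was valid, but not that it was the certificate bound to the OAuth client claiming it, so any certificate from the trusted CA could act as any client. The Go program below is an added example, not Keycloak's code. It shows the two checks an authorization server has to make for mTLS client authentication in the RFC 8705 tls_client_auth style: chain validation against the trusted CA, and a match between the leaf's subject DN and the DN registered for the client_id. The RegisteredClient record, the in-memory demo CA and the certificate subjects are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RegisteredClient is the record the server keeps for an OAuth client using
// mTLS authentication: its client_id and the subject DN its certificate must
// carry. This is an assumed shape for the example, not Keycloak's data model.
type RegisteredClient struct {
	ClientID  string
	SubjectDN string
}

// AuthenticateClient accepts the presented leaf only if it chains to a trusted
// CA with the client-auth EKU AND its subject is the one bound to the claimed
// client_id. Stopping after the first check is the CVE-2023-2422 flaw class.
func AuthenticateClient(roots *x509.CertPool, client RegisteredClient, leaf *x509.Certificate, now time.Time) error {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain verification failed: %w", err)
	}
	if got := leaf.Subject.String(); got != client.SubjectDN {
		return fmt.Errorf("subject %q is not bound to client %q", got, client.ClientID)
	}
	return nil
}

// DemoPKI: an in-memory trusted CA, two of its client certs, and a look-alike
// cert from an untrusted CA, generated at runtime so the example runs offline.
type DemoPKI struct {
	Roots                   *x509.CertPool
	ClientA, ClientB, Rogue *x509.Certificate
	Now                     time.Time
}

func NewDemoPKI() DemoPKI {
	now := time.Now()
	ca, caKey := issue(template(1, "Example mTLS CA", true, now), nil, nil)
	rogueCA, rogueCAKey := issue(template(2, "Untrusted CA", true, now), nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	clientA, _ := issue(template(10, "client-a", false, now), ca, caKey)
	clientB, _ := issue(template(11, "client-b", false, now), ca, caKey)
	rogue, _ := issue(template(12, "client-a", false, now), rogueCA, rogueCAKey) // same subject, untrusted issuer
	return DemoPKI{Roots: roots, ClientA: clientA, ClientB: clientB, Rogue: rogue, Now: now}
}

// template builds a CA or client-auth leaf template with a fixed subject form.
func template(serial int64, cn string, isCA bool, now time.Time) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"Example"}},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
		t.ExtKeyUsage = nil
	}
	return t
}

// issue generates a fresh P-256 key for tmpl and signs it with parentKey;
// a nil parent makes the certificate self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func main() {
	p := NewDemoPKI()
	a := RegisteredClient{ClientID: "client-a", SubjectDN: "CN=client-a,O=Example"}
	fmt.Println("client-a cert as client-a:", AuthenticateClient(p.Roots, a, p.ClientA, p.Now))
	fmt.Println("client-b cert as client-a:", AuthenticateClient(p.Roots, a, p.ClientB, p.Now))
	fmt.Println("rogue cert as client-a:   ", AuthenticateClient(p.Roots, a, p.Rogue, p.Now))
}
```

Only the first call returns nil. The client-b certificate is perfectly valid, which is exactly why chain validation alone is not an authentication decision: the server must compare the presented identity with the one registered for the client_id. The rogue certificate has the right subject but fails the chain check, which is why the subject comparison alone is not enough either.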
Wallarm Lab
added 2023/09/29 9:19 a.m.

What Is mTLS? The Essential Guide You Can’t Afford to Miss

Intro: mTLS — The Unsung Hero of Cybersecurity Picture this: You're a secret agent on a high-stakes mission. You have a briefcase full of confidential information that you need to hand over securely. Sure, you could pass it to another agent, but how do you know you can trust them? Here's where mT...

AI score 7.1
Exploits 0
RedhatCVE
added 2023/08/30 9:12 p.m.

CVE-2023-40217

Python ssl.SSLSocket is vulnerable to a bypass of the TLS handshake in certain instances for HTTPS servers and other server-side protocols that use TLS client authentication such as mTLS. This issue may result in a breach of integrity as its possible to modify or delete resources that are...

CVSS 8.6 | AI score 5.9 | EPSS 0.0079
Exploits 0 | References 6
OSV
added 2023/07/12 12:31 p.m.

GHSA-G9CV-V3V4-3H8R Apache Pulsar Incorrect Authorization vulnerability

Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar. This issue affects Apache Pulsar: before 2.10.4, and 2.11.0. When a client connects to the Pulsar Function Worker via the Pulsar Proxy where the Pulsar Proxy uses mTLS authentication to authenticate with the Pulsar...

CVSS 9.6 | AI score 9.2 | EPSS 0.00733
Exploits 0 | References 3
OSV
added 2023/07/12 10:15 a.m.

CVE-2023-30429

Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar. This issue affects Apache Pulsar: before 2.10.4, and 2.11.0. When a client connects to the Pulsar Function Worker via the Pulsar Proxy where the Pulsar Proxy uses mTLS authentication to authenticate with the Pulsar...

CVSS 8.8 | AI score 7.4
Exploits 0 | References 1
Prion
added 2023/07/12 10:15 a.m.

Authorization

Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar. This issue affects Apache Pulsar: before 2.10.4, and 2.11.0. When a client connects to the Pulsar Function Worker via the Pulsar Proxy where the Pulsar Proxy uses mTLS authentication to authenticate with the Pulsar...

CVSS 6.5 | AI score 8.8 | EPSS 0.00733
Exploits 0 | References 1 | Affected Software 1