12 matches found
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...
EUVD-2021-8687
Malicious code in bioql PyPI...
golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws
A flaw was found in the golang.org/x/oauth2/jws package in the token parsing component. This vulnerability is made possible because of the use of strings.Splittoken, "." to split JWT tokens, which can lead to excessive memory consumption when processing maliciously crafted tokens with a large...
go-jose: Go JOSE's Parsing Vulnerable to Denial of Service
A flaw was found in GO-JOSE. In affected versions, when parsing compact JWS or JWE input, Go JOSE could use excessive memory. The code uses strings.Splittoken, "." to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large numb...
CVE-2025-22868 Unexpected memory consumption during token parsing in golang.org/x/oauth2
An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing...
AZL-57207 CVE-2025-27144 affecting package buildah 1.18.0-29
Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption JWE, JSON Web Signature JWS, and JSON Web Token JWT standards. In versions on the 4.x branch prior to version 4.0.5, when parsing compact JWS or JWE...
Zero strike call options can be systemically used to steal premium from the taker
Lines of code Vulnerability details Some non-malicious ERC20 do not allow for zero amount transfers and order.baseAsset can be such an asset. Zero strike calls are valid and common enough derivative type. However, the zero strike calls with such baseAsset will not be able to be exercised, allowin...
Kubernetes: Bypass validation parts in AWS IAM Authenticator for Kubernetes
Multiple bypasses were discovered in AWS IAM Authenticator for Kubernetes. An attacker could craft a token without a signed cluster ID header and use it for replay attacks, manipulate the extracted AccessKeyID to gain higher permissions in the cluster, and send a request to other action values...
Turbo Safe's can be created with malicious tokens
Lines of code Vulnerability details Impact In TurboMaster.sol the createSafe function is called when the user calls a function with the same name in the TurboRouter.sol file. It then creates a new Turbo Safe with an arbitrary token supplied by the user. Since there is no whitelist of acceptable...
Information disclosure
Dell EMC Secure Remote Services, versions prior to 3.32.00.08, contains an Information Exposure vulnerability. The log file contents store sensitive data including executed commands to generate authentication tokens which may prove useful to an attacker for crafting malicious authentication token...
CVE-2005-4514
The encapsulation script mechanism in Webwasher CSM Appliance Suite 5.x uses case-sensitive detection of malicious tokens, which allows attackers to bypass script detection by using tokens that can be upper or lower case. NOTE: the vendor has stated that this problem could not be reproduced, and...
PT-2005-5196 ยท Webwasher ยท Webwasher Csm Appliance Suite
Name of the Vulnerable Software and Affected Versions: Webwasher CSM Appliance Suite version 5.x Description: The encapsulation script mechanism in the affected software uses case-sensitive detection of malicious tokens. This allows attackers to bypass script detection by using tokens that can be...