Lucene search
K

22 matches found

Vulnrichment
Vulnrichment
added 2026/05/29 4:43 p.m.11 views

CVE-2026-45660 Statamic: Server-Side Request Forgery via Glide

Statamic is a Laravel and Git powered content management system CMS. Prior to 5.73.22 and 6.18.1, the Glide image proxy's URL validation could be bypassed using an IP representation that wasn't normalized before the public-IP check. An unauthenticated user could cause the server to make HTTP...

5.4CVSS5.8AI score0.00151EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/18 12:0 a.m.17 views

PT-2026-41695

Name of the Vulnerable Software and Affected Versions Statamic versions prior to 5.73.22 Statamic versions prior to 6.18.1 Description The Glide image proxy contains a flaw where URL validation can be bypassed using an IP representation that is not normalized before the public-IP check. This allo...

5.4CVSS5.8AI score0.00151EPSS
Exploits0References8
NVD
NVD
added 2026/05/08 4:16 a.m.20 views

CVE-2026-42274

Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs rule matching on the raw non-normalized request path, while downstream components may normalize dot-segments according to RFC 3986, Section 6.2.2.3. This discrepancy ca...

7.8CVSS0.00368EPSS
Exploits0References4
OSV
OSV
added 2025/12/02 1:21 a.m.6 views

GHSA-VJR8-56P3-FMQQ Keycloak unable to restrict access to the admin console

A flaw was found in Keycloak. The Keycloak guides recommend to not expose /admin path to the outside in case the installation is using a proxy. The issue occurs at least via ha-proxy, as it can be tricked to using relative/non-normalized paths to access the /admin application path relative to...

3.7CVSS5.8AI score0.00386EPSS
Exploits0References7
Github Security Blog
Github Security Blog
added 2025/12/02 1:21 a.m.8 views

Keycloak unable to restrict access to the admin console

A flaw was found in Keycloak. The Keycloak guides recommend to not expose /admin path to the outside in case the installation is using a proxy. The issue occurs at least via ha-proxy, as it can be tricked to using relative/non-normalized paths to access the /admin application path relative to...

3.7CVSS6.2AI score0.00386EPSS
Exploits0References7Affected Software1
OSV
OSV
added 2025/10/28 6:31 a.m.4 views

GHSA-C6CM-5GC7-C3F4 Duplicate Advisory: Keycloak allows access to admin path through flaw

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-j4vq-q93m-4683. This link is maintained to preserve external references. Original Description A flaw was found in Keycloak. The Keycloak guides recommend to not expose /admin path to the outside in case the...

3.7CVSS5.7AI score0.00386EPSS
Exploits0References8
OSV
OSV
added 2025/10/28 4:16 a.m.4 views

CVE-2025-10939

A flaw was found in Keycloak. The Keycloak guides recommend to not expose /admin path to the outside in case the installation is using a proxy. The issue occurs at least via ha-proxy, as it can be tricked to using relative/non-normalized paths to access the /admin application path relative to...

3.7CVSS5.7AI score0.00386EPSS
Exploits0References6
Snyk
Snyk
added 2025/10/28 3:46 a.m.4 views

Uncontrolled Search Path Element

Overview Affected versions of this package are vulnerable to Uncontrolled Search Path Element via the /admin application path relative to /realms when accessed through a proxy that does not properly restrict or normalize URLs. An attacker can gain unauthorized access to sensitive administrative...

6.3CVSS6.7AI score0.00386EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2025/10/28 3:8 a.m.5 views

CVE-2025-10939 Org.keycloak/keycloak-quarkus-server: unable to restrict access to the admin console

A flaw was found in Keycloak. The Keycloak guides recommend to not expose /admin path to the outside in case the installation is using a proxy. The issue occurs at least via ha-proxy, as it can be tricked to using relative/non-normalized paths to access the /admin application path relative to...

3.7CVSS6.1AI score0.00386EPSS
Exploits0References6
CVE
CVE
added 2025/10/28 3:8 a.m.29 views

CVE-2025-10939

Keycloak is affected by a path traversal vulnerability (CVE-2025-10939) that can expose the admin console path via relative or non-normalized URLs (e.g., /realms/../admin/), potentially bypassing proxy restrictions intended to block /admin. Multiple sources (including GHSA entry and Nessus plugin...

3.7CVSS6.2AI score0.00386EPSS
Exploits0References6
CNNVD
CNNVD
added 2025/10/28 12:0 a.m.5 views

Red Hat build of Keycloak 代码问题漏洞

Red Hat build of Keycloak is a web application for single sign-on from Red Hat USA. A code issue vulnerability exists in the Red Hat build of Keycloak, which stems from a proxy misconfiguration that could result in accessing the /admin path via a non-normalized path...

3.7CVSS6.6AI score0.00386EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2025/10/28 12:0 a.m.8 views

PT-2025-44084

Name of the Vulnerable Software and Affected Versions Keycloak affected versions not specified Description A flaw exists in Keycloak where the /admin path can be accessed via a proxy, such as ha-proxy, by using relative or non-normalized paths. Keycloak documentation advises against exposing the...

3.7CVSS6.5AI score0.00386EPSS
Exploits0References16
OSV
OSV
added 2025/06/23 10:41 p.m.5 views

GHSA-H7CP-R72F-JXH6 pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos

Summary This affects both: 1. Unsupported algos e.g. sha3-256 / sha3-512 / sha512-256 2. Supported but non-normalized algos e.g. Sha256 / Sha512 / SHA1 / sha-1 / sha-256 / sha-512 All of those work correctly in Node.js, but this polyfill silently returns highly predictable ouput Under Node.js onl...

9.1CVSS6.3AI score0.00359EPSS
Exploits0References5
Snyk
Snyk
added 2025/06/23 10:41 p.m.3 views

Generation of Predictable Numbers or Identifiers

Overview Affected versions of this package are vulnerable to Generation of Predictable Numbers or Identifiers via the pbkdf2Sync method. An attacker can obtain predictable or uninitialized memory as a cryptographic key when key derivation is used with unsupported or non-normalized algorithm names...

9.1CVSS6.8AI score0.00359EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2023/07/26 12:0 a.m.5 views

VulnCheck KEV: CVE-2023-34478

Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests. Mitigation: Update to Apache Shiro 1.12.0+ or...

9.8CVSS7.1AI score0.01533EPSS
Exploits0References1
OSV
OSV
added 2023/07/24 7:15 p.m.2 views

DEBIAN-CVE-2023-34478

Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests. Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha...

9.8CVSS7.6AI score0.01533EPSS
Exploits0References1
OSV
OSV
added 2023/07/24 7:15 p.m.2 views

UBUNTU-CVE-2023-34478

Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests. Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha...

9.8CVSS7.1AI score0.01533EPSS
Exploits0References6
OSV
OSV
added 2022/05/13 1:34 a.m.4 views

GHSA-3QH2-MCCC-Q5M6 Keycloak Open Redirect

A flaw was found in JBOSS Keycloak 3.2.1.Final. The Redirect URL for both Login and Logout are not normalized in org.keycloak.protocol.oidc.utils.RedirectUtils before the redirect url is verified. This can lead to an Open Redirection attack...

6.1CVSS5.8AI score0.01097EPSS
Exploits0References5
OSV
OSV
added 2020/09/14 1:15 p.m.1 views

DEBIAN-CVE-2020-24660

An issue was discovered in LemonLDAP::NG through 2.0.8, when NGINX is used. An attacker may bypass URL-based access control to protected Virtual Hosts by submitting a non-normalized URI. This also affects versions before 0.5.2 of the "Lemonldap::NG handler for Node.js" package...

9.8CVSS8.5AI score0.02342EPSS
Exploits1References1
Prion
Prion
added 2020/09/14 1:15 p.m.17 views

Improper access control

An issue was discovered in LemonLDAP::NG through 2.0.8, when NGINX is used. An attacker may bypass URL-based access control to protected Virtual Hosts by submitting a non-normalized URI. This also affects versions before 0.5.2 of the "Lemonldap::NG handler for Node.js" package...

7.5CVSS9.2AI score0.02342EPSS
Exploits1References4Affected Software1
Rows per page
Query Builder