10 matches found
CVE-2026-23990
CVE-2026-23990 affects the Flux Operator Web UI in Flux CD/ControlPlane prior to 0.40.0. The issue is a privilege-escalation through an impersonation bypass when OIDC tokens provide empty/invalid claims that CEL expressions can evaluate to empty; then Kubernetes client-go fails to add impersonati...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization via improper validation of OIDC token claims after processing through CEL expressions. An attacker can gain unauthorized operator-level read access and perform actions such as suspend, resume, or reconcile by...
Flux Operator Web UI Impersonation Bypass via Empty OIDC Claims
A privilege escalation vulnerability exists in the Flux Operator Web UI authentication code that allows an attacker to bypass Kubernetes RBAC impersonation and execute API requests with the operator's service account privileges. After OIDC token claims are processed through CEL expressions, there...
GHSA-39HR-239P-FHQC OpenAM: Using arbitrary OIDC requested claims values in id_token and user_info is allowed
Summary If the "claimsparametersupported" parameter is activated, it is possible through the "oidc-claims-extension.groovy" script, to inject the value of choice into a claim contained in the idtoken or in the userinfo. Authorization function requests do not prevent a claims parameter containing ...
CVE-2025-64099
Open Access Management OpenAM is an access management solution. In versions prior to 16.0.0, if the "claimsparametersupported" parameter is activated, it is possible, thanks to the "oidc-claims-extension.groovy" script, to inject the value of one's choice into a claim contained in the idtoken or ...
CVE-2025-62513 OpenBao leaks HTTPRawBody in Audit Logs
OpenBao is an open source identity-based secrets management system. In versions 2.2.0 to 2.4.1, OpenBao's audit log experienced a regression wherein raw HTTP bodies used by few endpoints were not correctly redacted HMAC'd. This impacts those using the ACME functionality of PKI, resulting in...
EUVD-2021-2361
Malware in sbrugna...
CVE-2021-41230
Pomerium is an open source identity-aware access proxy. In affected versions changes to the OIDC claims of a user after initial login are not reflected in policy evaluation when using allowedidpclaims as part of policy. If using allowedidpclaims and a user's claims are changed, Pomerium can make...
OIDC claims not updated from Identity Provider in Pomerium
Impact Changes to the OIDC claims of a user after initial login are not reflected in policy evaluation when using allowedidpclaims as part of policy. If using allowedidpclaims and a user's claims are changed, Pomerium can make incorrect authorization decisions. Patches v0.15.6 Workarounds - Clear...
Authorization
Pomerium is an open source identity-aware access proxy. In affected versions changes to the OIDC claims of a user after initial login are not reflected in policy evaluation when using allowedidpclaims as part of policy. If using allowedidpclaims and a user's claims are changed, Pomerium can make...