Lucene search
K

10 matches found

CVE
CVE
added 2026/01/21 10:25 p.m.15 views

CVE-2026-23990

CVE-2026-23990 affects the Flux Operator Web UI in Flux CD/ControlPlane prior to 0.40.0. The issue is a privilege-escalation through an impersonation bypass when OIDC tokens provide empty/invalid claims that CEL expressions can evaluate to empty; then Kubernetes client-go fails to add impersonati...

5.3CVSS5.8AI score0.00303EPSS
Exploits0References4Affected Software1
Snyk
Snyk
added 2026/01/21 10:23 p.m.2 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization via improper validation of OIDC token claims after processing through CEL expressions. An attacker can gain unauthorized operator-level read access and perform actions such as suspend, resume, or reconcile by...

6CVSS5.7AI score0.00303EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/01/21 10:23 p.m.9 views

Flux Operator Web UI Impersonation Bypass via Empty OIDC Claims

A privilege escalation vulnerability exists in the Flux Operator Web UI authentication code that allows an attacker to bypass Kubernetes RBAC impersonation and execute API requests with the operator's service account privileges. After OIDC token claims are processed through CEL expressions, there...

5.3CVSS5.9AI score0.00303EPSS
Exploits0References6Affected Software1
OSV
OSV
added 2025/11/12 9:27 p.m.6 views

GHSA-39HR-239P-FHQC OpenAM: Using arbitrary OIDC requested claims values in id_token and user_info is allowed

Summary If the "claimsparametersupported" parameter is activated, it is possible through the "oidc-claims-extension.groovy" script, to inject the value of choice into a claim contained in the idtoken or in the userinfo. Authorization function requests do not prevent a claims parameter containing ...

9.3CVSS6.8AI score0.00294EPSS
Exploits0References5
NVD
NVD
added 2025/11/12 7:15 p.m.10 views

CVE-2025-64099

Open Access Management OpenAM is an access management solution. In versions prior to 16.0.0, if the "claimsparametersupported" parameter is activated, it is possible, thanks to the "oidc-claims-extension.groovy" script, to inject the value of one's choice into a claim contained in the idtoken or ...

9.3CVSS0.00294EPSS
Exploits0References1
Cvelist
Cvelist
added 2025/10/22 7:18 p.m.8 views

CVE-2025-62513 OpenBao leaks HTTPRawBody in Audit Logs

OpenBao is an open source identity-based secrets management system. In versions 2.2.0 to 2.4.1, OpenBao's audit log experienced a regression wherein raw HTTP bodies used by few endpoints were not correctly redacted HMAC'd. This impacts those using the ACME functionality of PKI, resulting in...

5.7CVSS0.00286EPSS
Exploits0References2
EUVD
EUVD
added 2025/10/07 12:30 a.m.9 views

EUVD-2021-2361

Malware in sbrugna...

8.8CVSS8.6AI score0.00832EPSS
Exploits0References7
RedhatCVE
RedhatCVE
added 2025/05/22 6:46 p.m.11 views

CVE-2021-41230

Pomerium is an open source identity-aware access proxy. In affected versions changes to the OIDC claims of a user after initial login are not reflected in policy evaluation when using allowedidpclaims as part of policy. If using allowedidpclaims and a user's claims are changed, Pomerium can make...

8.8CVSS6.7AI score0.00832EPSS
Exploits0
Github Security Blog
Github Security Blog
added 2021/11/10 4:52 p.m.27 views

OIDC claims not updated from Identity Provider in Pomerium

Impact Changes to the OIDC claims of a user after initial login are not reflected in policy evaluation when using allowedidpclaims as part of policy. If using allowedidpclaims and a user's claims are changed, Pomerium can make incorrect authorization decisions. Patches v0.15.6 Workarounds - Clear...

8.8CVSS0.4AI score0.00832EPSS
Exploits0References6Affected Software1
Prion
Prion
added 2021/11/05 11:15 p.m.21 views

Authorization

Pomerium is an open source identity-aware access proxy. In affected versions changes to the OIDC claims of a user after initial login are not reflected in policy evaluation when using allowedidpclaims as part of policy. If using allowedidpclaims and a user's claims are changed, Pomerium can make...

6.5CVSS8.6AI score0.00832EPSS
Exploits0References2Affected Software1
Rows per page
Query Builder