26 matches found
GHSA-GXHX-2686-5H9G vulnerabilities
Vulnerabilities for packages: kubernetes-event-exporter, peerdb-flow, atlantis-fips, argo-cd-fips, kyverno-policy-reporter-fips, argo-events-fips, kubernetes-event-exporter-fips, kubewatch, ory-kratos, atlantis, argo-rollouts-fips, bento-fips, bento, goreleaser, argo-rollouts,...
CVE-2026-41889 vulnerabilities
Vulnerabilities for packages: ldap2pg, gitaly-fips, falcosidekick-fips, pgtimetable, jitsucom-bulker, certificate-transparency, gitlab-cng, teleport, rke2-cloud-provider-fips, openbao-fips, wal-g, kuma, kine, spire-server-fips, grafana-fips, sftpgo-plugin-eventsearch, spicedb, argo-workflows-fips...
SUSE CVE-2026-33503
Ory Kratos is an identity, user management and authentication system for cloud services. Prior to version 26.2.0, the ListCourierMessages Admin API in Ory Kratos is vulnerable to SQL injection due to flaws in its pagination implementation. Pagination tokens are encrypted using the secret configur...
CVE-2026-33503
Ory Kratos is an identity, user management and authentication system for cloud services. Prior to version 26.2.0, the ListCourierMessages Admin API in Ory Kratos is vulnerable to SQL injection due to flaws in its pagination implementation. Pagination tokens are encrypted using the secret configur...
CVE-2026-33503 Ory Kratos has a SQL injection via forged pagination tokens
Ory Kratos is an identity, user management and authentication system for cloud services. Prior to version 26.2.0, the ListCourierMessages Admin API in Ory Kratos is vulnerable to SQL injection due to flaws in its pagination implementation. Pagination tokens are encrypted using the secret configur...
CVE-2026-33503
Ory Kratos is an identity, user management and authentication system for cloud services. Prior to version 26.2.0, the ListCourierMessages Admin API in Ory Kratos is vulnerable to SQL injection due to flaws in its pagination implementation. Pagination tokens are encrypted using the secret configur...
CVE-2026-33503
Ory Kratos (identity system) contains a SQL injection vulnerability in the ListCourierMessages Admin API prior to version 26.2.0 due to flaws in pagination. Pagination tokens are encrypted with the secret configured in secrets.pagination; an attacker who knows this secret can craft tokens that tr...
CVE-2026-33503 Ory Kratos has a SQL injection via forged pagination tokens
Ory Kratos is an identity, user management and authentication system for cloud services. Prior to version 26.2.0, the ListCourierMessages Admin API in Ory Kratos is vulnerable to SQL injection due to flaws in its pagination implementation. Pagination tokens are encrypted using the secret configur...
Ory Kratos SQL注入漏洞
Ory Kratos is an open-source system developed by Ory, designed with developers in mind, featuring strong security measures and proven reliability. Prior to version 26.2.0, Ory Kratos had a SQL injection vulnerability. This vulnerability stemmed from defects in the pagination implementation, which...
GO-2026-4801 Ory Kratos has a SQL injection via forged pagination tokens in github.com/ory/kratos
Ory Kratos has a SQL injection via forged pagination tokens in github.com/ory/kratos...
Ory Kratos has a SQL injection via forged pagination tokens
Description The ListCourierMessages Admin API in Ory Kratos is vulnerable to SQL injection due to flaws in its pagination implementation. Pagination tokens are encrypted using the secret configured in secrets.pagination. An attacker who knows this secret can craft their own tokens, including...
GHSA-HGX2-28F8-6G2R Ory Kratos has a SQL injection via forged pagination tokens
Description The ListCourierMessages Admin API in Ory Kratos is vulnerable to SQL injection due to flaws in its pagination implementation. Pagination tokens are encrypted using the secret configured in secrets.pagination. An attacker who knows this secret can craft their own tokens, including...
EUVD-2024-2888
Malicious code in bioql PyPI...
CVE-2024-45042
Ory Kratos is an identity, user management and authentication system for cloud services. Prior to version 1.3.0, given a number of preconditions, the highestavailable setting will incorrectly assume that the identity’s highest available AAL is aal1 even though it really is aal2. This means that t...
Improper Authentication
github.com/ory/kratos is vulnerable to an Improper Authentication. The vulnerability is due to an incorrect assumption of the highest available Authentication Assurance Level AAL as aal1 instead of aal2, allowing users to access endpoints without the required aal2 session under certain...
GO-2024-3160 Ory Kratos's setting required_aal `highest_available` does not properly respect code + mfa credentials in github.com/ory/kratos
Ory Kratos's setting requiredaal highestavailable does not properly respect code + mfa credentials in github.com/ory/kratos...
CVE-2024-45042
Ory Kratos is an identity, user management and authentication system for cloud services. Prior to version 1.3.0, given a number of preconditions, the highestavailable setting will incorrectly assume that the identity’s highest available AAL is aal1 even though it really is aal2. This means that t...
Improper Authentication
Overview Affected versions of this package are vulnerable to Improper Authentication due to the improper handling of the requiredaal setting in the authentication process. An attacker can bypass multi-factor authentication requirements by exploiting the incorrect storage of availableaal values in...
GHSA-WC43-73W7-X2F5 Ory Kratos's setting required_aal `highest_available` does not properly respect code + mfa credentials
Preconditions - The code login method is enabled with the passwordlessenabled flag set to true . - A 2FA method such as totp is enabled. - requiredaal of the whomai check or the settings flow is set to highestavailable. AAL stands for Authenticator Assurance Levels and can range from 0 no factor ...
Ory Kratos's setting required_aal `highest_available` does not properly respect code + mfa credentials
Preconditions - The code login method is enabled with the passwordlessenabled flag set to true . - A 2FA method such as totp is enabled. - requiredaal of the whomai check or the settings flow is set to highestavailable. AAL stands for Authenticator Assurance Levels and can range from 0 no factor ...