8 matches found

Github Security Blog
added 2026/05/12 6:30 p.m., 18 views

Apache Tomcat - Digest authenticator will authenticate any unknown user

Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.21; Apache Tomcat 10.1.0-M1 to 10.1.54; Apache Tomcat 9.0.0.M1 to 9.0.117; older, unsupported versions may also be affected. Description: When DIGEST authentication was configured, any user not known to the configured Realm would be authenticated if...

CVSS 9.8, AI score 5.8, EPSS 0.00139
Exploits 0, References 10, Affected Software 3
OSV
added 2026/05/12 6:30 p.m., 2 views

GHSA-H6FC-48RJ-7QQH Apache Tomcat - Digest authenticator will authenticate any unknown user

Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.21; Apache Tomcat 10.1.0-M1 to 10.1.54; Apache Tomcat 9.0.0.M1 to 9.0.117; older, unsupported versions may also be affected. Description: When DIGEST authentication was configured, any user not known to the configured Realm would be authenticated if...

CVSS 9.8, AI score 5.8, EPSS 0.00139
Exploits 0, References 9
CVE
added 2026/05/04 5:42 p.m., 5 views

CVE-2026-41571

CVE-2026-41571 affects Note Mark (v0.19.2) where IsPasswordMatch falls back to a hard-coded bcrypt("null") placeholder for users with no stored password. OIDC-registered users are created with an empty password, so submitting password: "null" to the internal login endpoint grants a valid session—...

CVSS 9.4, AI score 5.7, EPSS 0.00053
Exploits 0, References 2
Github Security Blog
added 2026/04/25 11:40 p.m., 4 views

Note Mark: OIDC-registered users authenticated by submitting password "null"

Summary: IsPasswordMatch in backend/db/models.go falls back to a hard-coded bcrypt("null") placeholder whenever a user has no stored password. OIDC-registered users are created with an empty password, so anyone who submits password: "null" to the internal login endpoint receives a valid session for...

CVSS 9.4, AI score 5.4, EPSS 0.00053
Exploits 0, References 5, Affected Software 1
OSV
added 2024/07/03 6:15 p.m., 0 views

UBUNTU-CVE-2024-29509

Artifex Ghostscript before 10.03.0 has a heap-based overflow when PDFPassword (e.g., for runpdf) has a \000 byte in the middle...

CVSS 8.8, AI score 7.3, EPSS 0.0215
Exploits 0, References 4
SUSE CVE
added 2023/02/15 5:48 a.m., 1 view

SUSE CVE-2012-1502

Double free vulnerability in the PyPAM_conv function in PAMmodule.c in PyPam 0.5.0 and earlier allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a NULL byte in a password string...

CVSS 7.5, AI score 8.1, EPSS 0.25639
Exploits 6, References 5
SUSE CVE
added 2023/02/15 4:17 a.m., 1 view

SUSE CVE-2019-5021

Versions of the Official Alpine Linux Docker images since v3.3 contain a NULL password for the root user. This vulnerability appears to be the result of a regression introduced in December of 2015. Due to the nature of this issue, systems deployed using affected versions of the Alpine Linux...

CVSS 9.8, AI score 9.5, EPSS 0.03031
Exploits 2, References 35
CNVD
added 2020/10/25 12:00 a.m., 0 views

Tiki Authentication Bypass Vulnerability

Tiki is a suite of open source content management and portal applications from the Tiki community that can be used to create web applications, portals, corporate intranets, extranets, and more. An authentication bypass vulnerability exists in versions prior to Tiki 21.2, which stems from Tiki...

CVSS 9.8, AI score 7.2, EPSS 0.85573
Exploits 5, References 1