2077 matches found
rubygem-doorkeeper -- token revocation vulnerability
NVD reports: Doorkeeper version 4.2.0 and later contains an Incorrect Access Control vulnerability in the token revocation API's authorized method that can result in access tokens not being revoked for public OAuth apps, leaking access until expiry...
Malicious Package in eslint-scope
Version 3.7.2 of eslint-scope was published without authorization and was found to contain malicious code. This code would read the user's .npmrc file and send any found authentication tokens to 2 remote servers. Recommendation: The best course of action if you found this package installed in your...
Malicious Package
Overview: Version 5.0.2 of eslint-config-eslint was published without authorization and was found to contain malicious code. This code would read the user's .npmrc file and send any found authentication tokens to a remote server. Recommendation: The best course of action if you found this package...
Doorkeeper gem does not revoke token for public clients
Any OAuth application that uses public/non-confidential authentication when interacting with Doorkeeper is unable to revoke its tokens when calling the revocation endpoint. A bug in the token revocation API would cause it to attempt to authenticate the public OAuth client as if it was a...
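The two Doorkeeper entries above describe the same bug class: a revocation endpoint that only knows how to authenticate confidential clients, so a public client's request silently does nothing. The following is an added example, not Doorkeeper's code, modelling an RFC 7009 style revocation endpoint with the vulnerable and fixed behaviours side by side; the client ids, secrets and token values are constructed for the demonstration.

```ruby
# Added example (not Doorkeeper's code): minimal model of an RFC 7009 token
# revocation endpoint. Client ids, secrets and token values are constructed.

Client = Struct.new(:id, :secret, :confidential)
Token  = Struct.new(:value, :client_id, :revoked)

# Constructed registry: one confidential client (has a secret) and one public
# client (no secret, e.g. a mobile or single-page app).
CLIENTS = {
  'web-app'    => Client.new('web-app', 's3cret', true),
  'mobile-app' => Client.new('mobile-app', nil, false)
}.freeze

class RevocationEndpoint
  def initialize(tokens)
    @tokens = tokens # token value => Token
  end

  # Vulnerable behaviour: the endpoint only knows how to authenticate a
  # confidential client. A public client has no secret, so authentication
  # yields no client, the ownership check fails, and the endpoint still
  # answers 200 (:ok) without touching the token. The app believes the token
  # is gone while it stays valid until it expires.
  def revoke_vulnerable(params)
    client = authenticate_confidential(params)
    token  = @tokens[params[:token]]
    token.revoked = true if token && client && token.client_id == client.id
    :ok
  end

  # Fixed behaviour: confidential clients must present their secret, public
  # clients are identified by client_id alone, and in both cases the token is
  # only revoked if it was issued to the requesting client.
  def revoke_fixed(params)
    client = CLIENTS[params[:client_id]]
    return :unauthorized unless client
    return :unauthorized if client.confidential && client.secret != params[:client_secret]
    token = @tokens[params[:token]]
    return :unauthorized if token && token.client_id != client.id
    token.revoked = true if token # unknown token: still :ok, as RFC 7009 asks
    :ok
  end

  def revoked?(value)
    token = @tokens[value]
    !token.nil? && token.revoked == true
  end

  private

  def authenticate_confidential(params)
    client = CLIENTS[params[:client_id]]
    return nil unless client && client.secret && client.secret == params[:client_secret]
    client
  end
end

# Stand-alone demo: the public client calls the vulnerable endpoint, gets a
# success status, and its token is still live; the fixed endpoint revokes it.
def demo
  tokens = {
    'tok-pub' => Token.new('tok-pub', 'mobile-app', false),
    'tok-web' => Token.new('tok-web', 'web-app', false)
  }
  ep = RevocationEndpoint.new(tokens)
  vulnerable_status = ep.revoke_vulnerable(client_id: 'mobile-app', token: 'tok-pub')
  revoked_after_vulnerable = ep.revoked?('tok-pub')
  fixed_status = ep.revoke_fixed(client_id: 'mobile-app', token: 'tok-pub')
  {
    vulnerable_status: vulnerable_status,
    revoked_after_vulnerable: revoked_after_vulnerable,
    fixed_status: fixed_status,
    revoked_after_fixed: ep.revoked?('tok-pub')
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The fixed path still cannot prove who a public client is (there is no secret to check), which is why the ownership test on `token.client_id` matters: a caller spoofing a public client_id can at most revoke that client's own tokens, never another client's.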
CVE-2018-12461
Fixed issues with NetIQ eDirectory prior to 9.1.1 when checking certificate revocation...
Design/Logic Flaw
Fixed issues with NetIQ eDirectory prior to 9.1.1 when checking certificate revocation...
CVE-2018-12461 Certificate Revocation Check failure
Fixed issues with NetIQ eDirectory prior to 9.1.1 when checking certificate revocation...
CVE-2018-12461
CVE-2018-12461 affects NetIQ eDirectory prior to version 9.1.1 and concerns the certificate revocation check. The issue is described as a check failure in revocation processing; the fixed state implies upgrade to 9.1.1 or later as the mitigation. CVSS data present (v3 base score 7.5; HIGH) but th...
Security Bulletin: IBM SmartCloud Orchestrator - Trustee token revocation does not work with memcache backend (CVE-2014-2237)
Summary: When a trustor issues a trust token with impersonation enabled, the token is only added to the trustor's token list and not to the trustee's token list. As a result, the trust token is not invalidated by the trustee's bulk token revocation. It is most noticeable...
CVE-2017-17302
Huawei DP300 V500R002C00, RP200 V600R006C00, TE30 V100R001C10, V500R002C00, V600R006C00, TE40 V500R002C00, V600R006C00, TE50 V500R002C00, V600R006C00, TE60 V100R001C10, V500R002C00, V600R006C00 have a memory leak vulnerability. An authenticated, local attacker may craft and load some specific...
GitLab: Removing a user from a private group doesn't remove him from group's project, if his project's role was changed
Summary: (a) a rogue user is added to a private group with a dozen projects; (b) the rogue user's role is changed in some of those projects; (c) the rogue user is fired and removed from the group, but still has access to the projects where his role was changed. Description: (b) can happen for a lot of different reasons:...
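The flaw is in how an inherited group role and a project-level role override interact on removal. The following is an added example, not GitLab's code, using a toy membership model to show why the override survives group removal and what a cascading removal looks like; users, roles and project names are constructed.

```ruby
# Added example (not GitLab's code): toy group/project membership model.
# Users, roles and project names are constructed for the demonstration.

class Group
  attr_reader :members, :projects
  def initialize
    @members  = {} # user => role inherited by every project in the group
    @projects = []
  end
end

class Project
  attr_reader :name, :group, :direct_members
  def initialize(name, group)
    @name = name
    @group = group
    @direct_members = {} # user => role set on this project only
    group.projects << self
  end

  # Effective role: a direct project membership wins over the inherited one.
  def role_for(user)
    @direct_members[user] || @group.members[user]
  end
end

# Changing someone's role in one project is stored as a direct project
# membership; the group membership stays as it was.
def change_project_role(project, user, role)
  project.direct_members[user] = role
end

# Vulnerable removal: only the group membership goes away, so the direct
# memberships created by change_project_role survive and the user keeps
# access to exactly those projects.
def remove_from_group_vulnerable(group, user)
  group.members.delete(user)
end

# Fixed removal: cascade to every project under the group as well.
def remove_from_group_fixed(group, user)
  group.members.delete(user)
  group.projects.each { |p| p.direct_members.delete(user) }
end

# Names of the projects the user can still reach through any membership.
def accessible_projects(group, user)
  group.projects.select { |p| p.role_for(user) }.map(&:name)
end

def demo
  group = Group.new
  %w[billing payroll reports].each { |n| Project.new(n, group) }
  group.members['rogue'] = :developer
  change_project_role(group.projects[0], 'rogue', :maintainer)
  change_project_role(group.projects[1], 'rogue', :reporter)

  remove_from_group_vulnerable(group, 'rogue')
  leftover = accessible_projects(group, 'rogue')
  remove_from_group_fixed(group, 'rogue')
  { after_vulnerable: leftover, after_fixed: accessible_projects(group, 'rogue') }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The same audit query is what an incident responder wants after an offboarding: list every direct project membership of the departed user, not just group memberships.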
Debian: Security Advisory (DLA-977-1)
The remote host is missing an update for Debian (DLA-977-1). SPDX-FileCopyrightText: 2018 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only...
Memory leak vulnerability in multiple Huawei products (CNVD-2018-02542)
Huawei DP300, RP200, the TE series and similar products are SmartZen desktop all-in-one and all-in-one video conferencing terminals from Huawei. A memory leak vulnerability exists in several of these products because the device fails to properly free allocated memory. A local attacker with...
IBM Curam Social Program Management Privilege Gain Vulnerability
IBM Curam Social Program Management SPM is a suite of social program management solutions from IBM USA. The solution supports the process of end-to-end social program delivery. A security vulnerability exists in IBM Curam SPM. An attacker could exploit the vulnerability to revoke applications...
DEBIAN-CVE-2014-3250
The default vhost configuration file in Puppet before 3.6.2 does not include the SSLCARevocationCheck directive, which might allow remote attackers to obtain sensitive information via a revoked certificate when a Puppet master runs with Apache 2.4...
UBUNTU-CVE-2014-3250
The default vhost configuration file in Puppet before 3.6.2 does not include the SSLCARevocationCheck directive, which might allow remote attackers to obtain sensitive information via a revoked certificate when a Puppet master runs with Apache 2.4...
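Both CVE-2014-3250 entries above turn on a single missing directive in the Apache 2.4 vhost that fronts the Puppet master. The following is an added example, not Puppet's shipped configuration, showing the weak vhost beside the corrected one; the certificate and CRL paths are assumptions about a typical Puppet SSL directory layout.

```apache
# Added example, not Puppet's own vhost file. Paths are assumed.

# Weak: client certificates are verified against the Puppet CA, but no CRL is
# consulted, so an agent whose certificate was revoked with `puppet cert revoke`
# is still accepted and can fetch catalogs and file contents.
<VirtualHost *:8140>
    SSLEngine on
    SSLCertificateFile      /var/lib/puppet/ssl/certs/puppetmaster.example.com.pem
    SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/puppetmaster.example.com.pem
    SSLCACertificateFile    /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLVerifyClient optional
    SSLVerifyDepth  1
    SSLOptions +StdEnvVars +ExportCertData
</VirtualHost>

# Fixed (Apache 2.4): load the Puppet CA's CRL and tell mod_ssl to check it.
# Without SSLCARevocationCheck, SSLCARevocationFile alone is not consulted
# on 2.4; "chain" checks every certificate in the presented chain.
<VirtualHost *:8140>
    SSLEngine on
    SSLCertificateFile      /var/lib/puppet/ssl/certs/puppetmaster.example.com.pem
    SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/puppetmaster.example.com.pem
    SSLCACertificateFile    /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
    SSLCARevocationCheck    chain
    SSLVerifyClient optional
    SSLVerifyDepth  1
    SSLOptions +StdEnvVars +ExportCertData
</VirtualHost>
```

To confirm the fix took effect, revoke a test agent's certificate, reload Apache (the CRL is read at startup, so a reload is needed after every revocation), and check that the agent's next run is refused with a TLS handshake error rather than served a catalog.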
Pivotal Cloud Foundry cf-release and UAA denial of service vulnerabilities
Pivotal Cloud Foundry (CF) is an open source Platform-as-a-Service (PaaS) cloud computing platform from Pivotal Software in the United States, which provides features such as container scheduling, continuous delivery, and automated service deployment. cf-release is a release of PCF. uaa is a...
Uber: The Microsoft Store Uber App Does Not Implement Server-side Token Revocation
Summary The Microsoft Store Uber App Windows Phone Architecture does not properly revoke or expire a rider's x-uber-token upon app signout. Security Impact When a user logs out/signs off of the app, the logout process is handled only locally on the application side, and without any type of...