2028 matches found
PT-2021-21257 · Apache · Apache Ozone
Name of the Vulnerable Software and Affected Versions: Apache Ozone versions prior to 1.2.0 Description: The issue allows authenticated users with permission to the key to retrieve initially generated block tokens from the metadata database. These tokens can be used even after access has been...
CVE-2021-41312
Affected versions of Atlassian Jira Server and Data Center allow a remote attacker who has had their access revoked from Jira Service Management to enable and disable Issue Collectors on Jira Service Management projects via an Improper Authentication vulnerability in the /secure/ViewCollectors...
UPDATE: EU’s Green Pass Vaccination ID Private Key Leaked or Forge
As of Thursday morning Eastern time, Adolf Hitler and Mickey Mouse could still validate their digital Covid passes, SpongeBob Squarepants was out of luck, and the European Union was investigating a leak of the private key used to sign the EU’s Green Pass vaccine passports. Two days earlier, on...
F5 Networks BIG-IP : cURL vulnerability (K15402727)
The version of F5 Networks BIG-IP installed on the remote host is prior to 15.1.10 / 16.1.4 / 17.1.1. It is, therefore, affected by a vulnerability as referenced in the K15402727 advisory. curl 7.41.0 through 7.73.0 is vulnerable to an improper check for certificate revocation due to insufficient...
GitHub Revoked Insecure SSH Keys Generated by a Popular git Client
Code hosting platform GitHub has revoked weak SSH authentication keys that were generated via the GitKraken git GUI client due to a vulnerability in a third-party library that increased the likelihood of duplicated SSH keys. As an added precautionary measure, the Microsoft-owned company also said...
PT-2021-22383 · Atlassian · Jira
Name of the Vulnerable Software and Affected Versions: Atlassian Jira Server and Data Center versions prior to 8.19.0 Description: The issue is related to a Broken Access Control vulnerability in the issue notification feature, allowing users who have watched an issue to continue receiving update...
DEBIAN-CVE-2021-34434
In Eclipse Mosquitto versions 2.0 to 2.0.11, when using the dynamic security plugin, if the ability for a client to make subscriptions on a topic is revoked when a durable client is offline, then existing subscriptions for that client are not revoked...
CVE-2021-34434
In Eclipse Mosquitto versions 2.0 to 2.0.11, when using the dynamic security plugin, if the ability for a client to make subscriptions on a topic is revoked when a durable client is offline, then existing subscriptions for that client are not revoked...
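The failure mode described in the two Mosquitto entries above (a subscribe right revoked while a durable client is offline, leaving its existing subscription in place) modelled as an added example. This is constructed illustration code, not Mosquitto's own implementation or its dynamic security plugin; the broker class, the client id `sensor-reader` and the topic `plant/secret` are all made up for the demonstration.

```python
class Broker:
    """Constructed model of a broker with per-client subscribe ACLs and durable
    (clean_session=false) sessions. Not Mosquitto's code."""

    def __init__(self):
        self.acl = {}       # client_id -> set of topics the client may subscribe to
        self.sessions = {}  # client_id -> {"online": bool, "subs": set()}

    def grant(self, cid: str, topic: str) -> None:
        self.acl.setdefault(cid, set()).add(topic)

    def connect(self, cid: str) -> None:
        # A durable session survives disconnects, so its subscriptions persist offline.
        self.sessions.setdefault(cid, {"online": True, "subs": set()})["online"] = True

    def disconnect(self, cid: str) -> None:
        self.sessions[cid]["online"] = False

    def subscribe(self, cid: str, topic: str) -> bool:
        # The ACL is enforced when the SUBSCRIBE packet arrives, and nowhere else.
        if topic not in self.acl.get(cid, set()):
            return False
        self.sessions[cid]["subs"].add(topic)
        return True

    def revoke_vulnerable(self, cid: str, topic: str) -> None:
        """Removes the right, but only cleans up the subscription if the client
        is connected right now; an offline durable session keeps it (the bug)."""
        self.acl.get(cid, set()).discard(topic)
        s = self.sessions.get(cid)
        if s and s["online"]:
            s["subs"].discard(topic)

    def revoke_fixed(self, cid: str, topic: str) -> None:
        """Removes the right and purges the subscription from the session whether
        or not the client is online, so nothing is queued for it any more."""
        self.acl.get(cid, set()).discard(topic)
        s = self.sessions.get(cid)
        if s:
            s["subs"].discard(topic)

    def recipients(self, topic: str) -> list:
        """Clients a PUBLISH on `topic` is delivered or queued to; offline durable
        sessions still receive queued messages."""
        return sorted(cid for cid, s in self.sessions.items() if topic in s["subs"])


def demo(fixed: bool) -> dict:
    b = Broker()
    b.grant("sensor-reader", "plant/secret")
    b.connect("sensor-reader")
    if not b.subscribe("sensor-reader", "plant/secret"):
        raise RuntimeError("initial subscribe should succeed")
    b.disconnect("sensor-reader")  # durable client goes offline
    (b.revoke_fixed if fixed else b.revoke_vulnerable)("sensor-reader", "plant/secret")
    return {
        "still_receives": b.recipients("plant/secret"),            # ["sensor-reader"] when vulnerable, [] when fixed
        "can_resubscribe": b.subscribe("sensor-reader", "plant/secret"),  # False either way: the ACL itself was updated
    }


if __name__ == "__main__":
    print("vulnerable:", demo(fixed=False))
    print("fixed:     ", demo(fixed=True))
```

The point the model makes is that an ACL change only gates future SUBSCRIBE packets; revocation also has to walk the state that earlier, once-authorised subscribes created, including sessions that are not currently connected.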
Cockpit Trust Management Issue Vulnerability
Cockpit is an interactive server management interface. A security vulnerability exists in Cockpit that allows client certificates to be successfully authenticated regardless of certificate revocation list (CRL) configuration or certificate status...
CVE-2021-40088
An issue was discovered in PrimeKey EJBCA before 7.6.0. CMP RA Mode can be configured to use a known client certificate to authenticate enrolling clients. The same RA client certificate is used for revocation requests as well. While enrollment enforces multi tenancy constraints by verifying that...
Code injection
An issue was discovered in PrimeKey EJBCA before 7.6.0. CMP RA Mode can be configured to use a known client certificate to authenticate enrolling clients. The same RA client certificate is used for revocation requests as well. While enrollment enforces multi tenancy constraints by verifying that...
CVE-2021-40088
PrimeKey EJBCA CMP RA Mode (versions prior to 7.6.0) can be configured to authenticate enrollments with a known client certificate, and the same certificate is used for revocation requests. The multi-tenancy access check applied during enrollment is not performed during revocation authentication,...
Primekey Solutions PrimeKey EJBCA Security Vulnerability
Primekey Solutions PrimeKey EJBCA is full-featured CA system software from PrimeKey Solutions of Sweden. The software provides certificate management, enrollment, certificate validation and related functions used to secure access. A security...
Shopify: Sensitive data Related to Shopify Host -> https://shopify.zendesk.com/
Description : GitHub is a truly awesome service, but it's unwise to put sensitive data in a public repo. I found a repo committed 1 hour ago containing sensitive data (Credentials && ZRTAPIKEY && JWTSECRET) related to this host - https://shopify.zendesk.com/ leaked publicly on GitHub, and clearly th...
Amazon Linux 2 : curl (ALAS-2021-1693)
The version of curl installed on the remote host is prior to 7.76.1-4. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2021-1693 advisory. A flaw was found in libcurl from versions 7.29.0 through 7.71.1. An application that performs multiple requests with libcurl...
ARM Mbed TLS Trust Management Issues Vulnerability (CNVD-2021-59581)
ARM mbed TLS is a product from ARM UK that provides secure communication and encryption capabilities for mbed products. A security vulnerability exists in Arm Mbed TLS versions prior to 2.24.0 that stems from the program's incorrect use of the revocation date check when it decides whether to revo...
GO-2021-0109 Improper handling of token revocation in github.com/ory/fosite
Due to improper error handling, an error with the underlying token storage may cause a user to believe a token has been successfully revoked when it is in fact still valid. An attackers ability to exploit this relies on an ability to trigger errors in the underlying storage...
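The error-handling mistake in the fosite entry above, reduced to an added example: a revocation endpoint that swallows a storage error and answers 200, beside one that reports the failure. This is constructed illustration code, not fosite's implementation; the `TokenStore` class, its `fail_next` switch and the token `tok-A` are made up so the backend error the advisory describes can be triggered offline.

```python
class StorageError(Exception):
    """Stands in for whatever the real storage backend raises (constructed)."""


class TokenStore:
    """Constructed in-memory token store; `fail_next` makes the next revoke()
    fail the way an unavailable database would."""

    def __init__(self) -> None:
        self._valid: set = set()
        self.fail_next = False

    def issue(self, token: str) -> None:
        self._valid.add(token)

    def is_valid(self, token: str) -> bool:
        return token in self._valid

    def revoke(self, token: str) -> None:
        if self.fail_next:
            self.fail_next = False
            raise StorageError("backend unavailable")
        self._valid.discard(token)


def revoke_vulnerable(store: TokenStore, token: str) -> int:
    """Returns an HTTP status. The storage error is caught and ignored, so the
    client is told 200 while the token still validates (the bug)."""
    try:
        store.revoke(token)
    except StorageError:
        pass  # swallowed: nothing distinguishes this from a real revocation
    return 200


def revoke_fixed(store: TokenStore, token: str) -> int:
    """Returns an HTTP status. A storage failure becomes 503, which RFC 7009
    section 2.2.1 defines as 'assume the token still exists and retry later'."""
    try:
        store.revoke(token)
    except StorageError:
        return 503
    return 200


def demo() -> dict:
    store = TokenStore()
    store.issue("tok-A")

    store.fail_next = True
    vuln_status = revoke_vulnerable(store, "tok-A")
    vuln_valid_after = store.is_valid("tok-A")  # True: "revoked" token still works

    store.fail_next = True
    fixed_status = revoke_fixed(store, "tok-A")
    fixed_valid_after = store.is_valid("tok-A")  # True as well, but the client now knows
    retry_status = revoke_fixed(store, "tok-A")  # retry without the fault succeeds
    valid_after_retry = store.is_valid("tok-A")

    return {
        "vuln_status": vuln_status,                # 200
        "vuln_valid_after": vuln_valid_after,      # True
        "fixed_status": fixed_status,              # 503
        "fixed_valid_after": fixed_valid_after,    # True
        "retry_status": retry_status,              # 200
        "valid_after_retry": valid_after_retry,    # False
    }


if __name__ == "__main__":
    print(demo())
```

The store still holds the token in both variants; the difference is only whether the caller is told the truth, which is what decides whether a retry ever happens.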
CVE-2020-36425
An issue was discovered in Arm Mbed TLS before 2.24.0. It incorrectly uses a revocationDate check when deciding whether to honor certificate revocation via a CRL. In some situations, an attacker can exploit this by changing the local clock...
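The clock-dependent CRL check described in the two Mbed TLS entries above (CNVD-2021-59581 and CVE-2020-36425), shown as an added example in Python rather than in the library's C: a lookup that honours a CRL entry only when its revocationDate is already in the past next to one that treats any listed serial as revoked. This is constructed illustration code, not Mbed TLS source; the `CrlEntry`/`Crl` classes, the serial `0x1234` and the dates are made up for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


# Constructed stand-ins for a parsed CRL; field names follow RFC 5280, not any Mbed TLS struct.
@dataclass(frozen=True)
class CrlEntry:
    serial: int
    revocation_date: datetime  # the entry's revocationDate field


@dataclass(frozen=True)
class Crl:
    entries: tuple
    next_update: datetime  # the CRL's nextUpdate field


def crl_is_fresh(crl: Crl, now: datetime) -> bool:
    """Freshness check both variants share: a CRL past nextUpdate must not be trusted."""
    return now <= crl.next_update


def is_revoked_vulnerable(serial: int, crl: Crl, now: datetime) -> bool:
    """Mirrors the flawed logic: a listed serial only counts as revoked when its
    revocationDate is already in the past by the local clock, so winding the
    clock back before that date makes the entry vanish."""
    return any(e.serial == serial and e.revocation_date <= now for e in crl.entries)


def is_revoked_fixed(serial: int, crl: Crl) -> bool:
    """Corrected logic: presence of the serial in a fresh CRL is what matters;
    the clock is never consulted for the entry itself."""
    return any(e.serial == serial for e in crl.entries)


def demo() -> dict:
    utc = timezone.utc
    crl = Crl(
        entries=(CrlEntry(serial=0x1234, revocation_date=datetime(2021, 8, 15, tzinfo=utc)),),
        next_update=datetime(2021, 12, 1, tzinfo=utc),
    )
    honest_now = datetime(2021, 9, 1, tzinfo=utc)
    rolled_back = honest_now - timedelta(days=60)  # attacker sets the clock to 2021-07-03

    return {
        # Freshness alone is no defence: a rolled-back clock is still before nextUpdate.
        "fresh_when_rolled_back": crl_is_fresh(crl, rolled_back),                  # True
        "vulnerable_honest_clock": is_revoked_vulnerable(0x1234, crl, honest_now),  # True
        "vulnerable_rolled_back": is_revoked_vulnerable(0x1234, crl, rolled_back),  # False: bypass
        "fixed_rolled_back": is_revoked_fixed(0x1234, crl),                         # True
    }


if __name__ == "__main__":
    print(demo())
```

The practitioner's takeaway is that revocationDate is informational (when the CA revoked it), not a condition on whether the revocation applies; the only time comparison a verifier should make against a CRL is the thisUpdate/nextUpdate window, and even that is only as trustworthy as the local clock.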