Lucene search

2028 matches found

IBM Security Bulletins
added 2020/10/23 5:12 p.m. · 9 views

Security Bulletin: Denial of service vulnerability affecting Aspera Connect 3.7 or 3.8

Summary A vulnerability, if exploited, could disable or impair the use of certain versions of Aspera Connect. UPDATE 12/9/2019: The certificate for local.connectme.us has been revoked, as a result, Aspera Connect 3.7 and 3.8 no longer function on Firefox and Safari. The web application integrated...

AI score: 0.7
Exploits: 0 · Affected Software: 1
Gitee
added 2020/09/26 9:20 p.m. · 3 views

jsrsasign

This is an open-source JavaScript library called jsrsasign, which provides cryptographic functions for RSA/RSAPSS/ECDSA/DSA signing and validation, ASN.1, PKCS1/5/8 private/public key, X.509 certificate, CRL, OCSP, CMS SignedData, TimeStamp, and CAdES. The library is available on Node.js and...

AI score: 7
Exploits: 0
Veracode
added 2020/09/25 3:51 a.m. · 23 views

Insecure Error Handling

github.com/ory/fosite does not securely handle errors from the server. The TokenRevocationHandler ignores errors coming from the storage. This can lead to unexpected 200 status codes indicating successful revocation while the token is still valid and may lead to unexpected behaviors in the server...

CVSS: 8 · AI score: 2.2 · EPSS: 0.01588
Exploits: 0 · References: 3 · Affected Software: 1
Cvelist
added 2020/09/24 4:15 p.m. · 19 views

CVE-2020-15223 Ignored storage errors on token revokation in ORY Fosite

In ORY Fosite the security first OAuth2 & OpenID Connect framework for Go before version 0.34.0, the TokenRevocationHandler ignores errors coming from the storage. This can lead to unexpected 200 status codes indicating successful revocation while the token is still valid. Whether an attacker can...

CVSS: 8 · AI score: 7.7 · EPSS: 0.01588
Exploits: 0 · References: 3
Positive Technologies
added 2020/09/24 12:00 a.m. · 4 views

PT-2020-14290 · Ory · Ory Fosite

Name of the Vulnerable Software and Affected Versions: ORY Fosite versions prior to 0.34.0 Description: The issue arises from improper error handling in the TokenRevocationHandler, which ignores errors coming from the storage. This can lead to unexpected 200 status codes indicating successful...

CVSS: 8 · AI score: 7.6 · EPSS: 0.01588
Exploits: 0 · References: 8
Positive Technologies
added 2020/09/15 12:00 a.m. · 2 views

PT-2020-13448 · Gitlab · Gitlab

Name of the Vulnerable Software and Affected Versions: GitLab versions prior to 13.1.10 GitLab versions prior to 13.2.8 GitLab versions prior to 13.3.4 Description: A security issue was found in GitLab where it failed to revoke current user sessions when two-factor authentication was activated,...

CVSS: 6 · AI score: 4.4 · EPSS: 0.01009
Exploits: 0 · References: 11
OSV
added 2020/09/14 10:15 p.m. · 0 views

UBUNTU-CVE-2020-13302

A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. Under certain conditions GitLab was not properly revoking user sessions and allowed a malicious user to access a user account with an old password...

CVSS: 7.2 · AI score: 7 · EPSS: 0.01132
Exploits: 0 · References: 3
Debian CVE
added 2020/09/14 9:23 p.m. · 25 views

CVE-2020-13302

Removed by vendor...

CVSS: 7.2 · AI score: 7 · EPSS: 0.01132
Exploits: 0
NVD
added 2020/09/14 7:15 p.m. · 19 views

CVE-2020-13299

A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. The revocation feature was not revoking all session tokens and one could re-use it to obtain a valid session...

CVSS: 8.1 · EPSS: 0.01225
Exploits: 0 · References: 3
OSV
added 2020/09/14 7:15 p.m. · 21 views

CVE-2020-13299

A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. The revocation feature was not revoking all session tokens and one could re-use it to obtain a valid session...

CVSS: 8.1 · AI score: 6.2 · EPSS: 0.01225
Exploits: 0 · References: 3
UbuntuCve
added 2020/09/14 7:15 p.m. · 21 views

CVE-2020-13299

A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. The revocation feature was not revoking all session tokens and one could re-use it to obtain a valid session...

CVSS: 8.1 · AI score: 7.1 · EPSS: 0.01225
Exploits: 0 · References: 2
Prion
added 2020/09/14 7:15 p.m. · 17 views

Design/Logic Flaw

A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. The revocation feature was not revoking all session tokens and one could re-use it to obtain a valid session...

CVSS: 5.5 · AI score: 7.6 · EPSS: 0.01225
Exploits: 0 · References: 3 · Affected Software: 1
CVE
added 2020/09/14 6:36 p.m. · 66 views

CVE-2020-13299

Summary: CVE-2020-13299 affects GitLab versions before 13.1.10, 13.2.8, and 13.3.4. The revocation feature did not revoke all session tokens, allowing reuse to obtain a valid session. What is affected: GitLab deployments running any of the affected version ranges. Root cause (as described): Incom...

CVSS: 8.1 · AI score: 7.5 · EPSS: 0.01225
Exploits: 0 · References: 3 · Affected Software: 1
Debian CVE
added 2020/09/14 6:36 p.m. · 24 views

CVE-2020-13299

Removed by vendor...

CVSS: 8.1 · AI score: 7.2 · EPSS: 0.01225
Exploits: 0
Positive Technologies
added 2020/09/14 12:00 a.m. · 2 views

PT-2020-13440 · Gitlab · Gitlab

Name of the Vulnerable Software and Affected Versions: GitLab versions prior to 13.1.10 GitLab versions prior to 13.2.8 GitLab versions prior to 13.3.4 Description: A vulnerability was discovered where the revocation feature was not revoking all session tokens, allowing them to be re-used to obta...

CVSS: 8.1 · AI score: 7.8 · EPSS: 0.01225
Exploits: 0 · References: 11
Positive Technologies
added 2020/09/14 12:00 a.m. · 2 views

PT-2020-13443 · Gitlab · Gitlab

Name of the Vulnerable Software and Affected Versions: GitLab versions prior to 13.1.10 GitLab versions prior to 13.2.8 GitLab versions prior to 13.3.4 Description: A vulnerability was discovered that allows a malicious user to access a user account with an old password under certain conditions,...

CVSS: 7.2 · AI score: 6.7 · EPSS: 0.01132
Exploits: 0 · References: 11
OSV
added 2020/09/11 4:15 p.m. · 3 views

CVE-2020-25276

An issue was discovered in PrimeKey EJBCA 6.x and 7.x before 7.4.1. When using a client certificate to enroll over the EST protocol, no revocation check is performed on that certificate. This vulnerability can only affect a system that has EST configured, uses client certificates to authenticate...

CVSS: 7.3 · AI score: 7.1 · EPSS: 0.00491
Exploits: 0 · References: 1
NVD
added 2020/09/11 4:15 p.m. · 8 views

CVE-2020-25276

An issue was discovered in PrimeKey EJBCA 6.x and 7.x before 7.4.1. When using a client certificate to enroll over the EST protocol, no revocation check is performed on that certificate. This vulnerability can only affect a system that has EST configured, uses client certificates to authenticate...

CVSS: 7.3 · EPSS: 0.00491
Exploits: 0 · References: 1
Prion
added 2020/09/11 4:15 p.m. · 13 views

Authentication flaw

An issue was discovered in PrimeKey EJBCA 6.x and 7.x before 7.4.1. When using a client certificate to enroll over the EST protocol, no revocation check is performed on that certificate. This vulnerability can only affect a system that has EST configured, uses client certificates to authenticate...

CVSS: 6.8 · AI score: 7 · EPSS: 0.00491
Exploits: 0 · References: 1 · Affected Software: 1
CVE
added 2020/09/11 3:15 p.m. · 36 views

CVE-2020-25276

PrimeKey EJBCA 6.x and 7.x prior to 7.4.1 is affected. When enrolling via EST using a client certificate, revocation checks are not performed on that certificate, only impacting systems with EST configured and where the revoked certificate is in a role authorized to enroll new end entities. Remed...

CVSS: 7.3 · AI score: 7 · EPSS: 0.00491
Exploits: 0 · References: 1 · Affected Software: 1