
5 matches found

Github Security Blog
added 2025/02/04 9:23 p.m. · 13 views

MarbleRun unauthenticated recovery allows Coordinator impersonation

Impact: During recovery, a Coordinator only verifies that a given recovery key decrypts the sealed state, not if this key was provided by a party with access to one of the recovery keys defined in the manifest. This allows an attacker to manually craft a sealed state using their own recovery keys,...

7.2 AI score
Exploits: 0 · References: 5 · Affected Software: 1
SUSE CVE
added 2023/10/31 2:33 a.m. · 2 views

SUSE CVE-2019-14823

A flaw was found in the "Leaf and Chain" OCSP policy implementation in JSS' CryptoManager versions after 4.4.6, 4.5.3, 4.6.0, where it implicitly trusted the root certificate of a certificate chain. Applications using this policy may not properly verify the chain and could be vulnerable to attack...

6.8 CVSS · 6.6 AI score · 0.00859 EPSS
Exploits: 1 · References: 2
OSV
added 2023/01/20 9:28 a.m. · 9 views

SUSE-SU-2023:0119-1 Security update for mozilla-nss

This update for mozilla-nss fixes the following issues: - CVE-2022-3479: Fixed a potential crash that could be triggered when a server requested a client authentication certificate, but the client had no certificates stored bsc1204272. - Updated to version 3.79.3 bsc1207038: - CVE-2022-23491:...

7.5 CVSS · 7.7 AI score · 0.00696 EPSS
Exploits: 0 · References: 5
RedHat Linux
added 2019/10/29 2:13 p.m. · 2 views

JSS: OCSP policy "Leaf and Chain" implicitly trusts the root certificate

A flaw was found in the "Leaf and Chain" OCSP policy implementation in JSS' CryptoManager, where it implicitly trusted the root certificate of a certificate chain. Applications using this policy may not properly verify the chain and could be vulnerable to attacks such as Man in the Middle...

7.4 CVSS · 5.7 AI score · 0.00859 EPSS
Exploits: 1 · References: 4
Positive Technologies
added 2019/10/14 12:0 a.m. · 2 views

PT-2019-13851 · Jss +3 · Cryptomanager +3

Name of the Vulnerable Software and Affected Versions: JSS' CryptoManager versions after 4.4.6, 4.5.3, 4.6.0 Description: A flaw was found in the "Leaf and Chain" OCSP policy implementation where it implicitly trusted the root certificate of a certificate chain. Applications using this policy may...

7.4 CVSS · 6.4 AI score · 0.00859 EPSS
Exploits: 1 · References: 24