28 matches found
CVE-2025-64998
Exposure of session signing secret in Checkmk 2.4.0p23, 2.3.0p45 and 2.2.0 allows an administrator of a remote site with config sync enabled to hijack sessions on the central site by forging session cookies...
EUVD-2025-208958
Exposure of session signing secret in Checkmk 2.4.0p23, 2.3.0p45 and 2.2.0 allows an administrator of a remote site with config sync enabled to hijack sessions on the central site by forging session cookies...
UBUNTU-CVE-2025-64998
Exposure of session signing secret in Checkmk 2.4.0p23, 2.3.0p45 and 2.2.0 allows an administrator of a remote site with config sync enabled to hijack sessions on the central site by forging session cookies...
CVE-2025-64998
CVE-2025-64998 affects Checkmk versions prior to 2.4.0p23, 2.3.0p45, and 2.2.0. The issue is the exposure of the session signing secret in distributed Checkmk deployments with config sync enabled, enabling an administrator on a remote site to forge session cookies and hijack sessions on the centr...
CVE-2025-64998 Session hijacking via exposed session signing secret in distributed Checkmk setups
Exposure of session signing secret in Checkmk 2.4.0p23, 2.3.0p45 and 2.2.0 allows an administrator of a remote site with config sync enabled to hijack sessions on the central site by forging session cookies...
Checkmk security vulnerability
Checkmk is an IT monitoring platform developed by Checkmk Corporation. Versions of Checkmk prior to 2.4.0p23, 2.3.0p45, and 2.2.0 contain security vulnerabilities. These vulnerabilities stem from the exposure of session signing keys, which could allow remote site administrators to forge session...
PT-2026-27382
Exposure of session signing secret in Checkmk 2.4.0p23, 2.3.0p45 and 2.2.0 allows an administrator of a remote site with config sync enabled to hijack sessions on the central site by forging session cookies...
USN-7534-1: Flask vulnerability
It was discovered that Flask incorrectly handled key rotation. An attacker could possibly use this issue to sign sessions with stale keys...
USN-7534-1 flask vulnerability
It was discovered that Flask incorrectly handled key rotation. An attacker could possibly use this issue to sign sessions with stale keys...
Ubuntu 25.04 : Flask vulnerability (USN-7534-1)
The remote Ubuntu 25.04 host has a package installed that is affected by a vulnerability as referenced in the USN-7534-1 advisory. It was discovered that Flask incorrectly handled key rotation. An attacker could possibly use this issue to sign sessions with stale keys. Tenable has extracted the...
SUSE CVE-2025-47278
Flask is a web server gateway interface (WSGI) web application framework. In Flask 3.1.0, the way fallback key configuration was handled resulted in the last fallback key being used for signing, rather than the current signing key. Signing is provided by the itsdangerous library. A list of keys can...
CVE-2025-47278
A flaw was found in Flask. This vulnerability allows sessions to be signed with stale keys via incorrect fallback key configuration...
Function Call With Incorrect Order of Arguments
Overview: Affected versions of this package are vulnerable to Function Call With Incorrect Order of Arguments due to the incorrect handling of the SECRET_KEY_FALLBACKS configuration. An attacker can exploit this to sign sessions with stale keys, potentially impeding the transition to fresher keys...
GHSA-4GRG-W6V8-C28G Flask uses fallback key instead of current signing key
In Flask 3.1.0, the way fallback key configuration was handled resulted in the last fallback key being used for signing, rather than the current signing key. Signing is provided by the itsdangerous library. A list of keys can be passed, and it expects the last (top) key in the list to be the most...
AZL-77831 CVE-2025-47278 affecting package python-flask 1.1.1-4
Flask is a web server gateway interface (WSGI) web application framework. In Flask 3.1.0, the way fallback key configuration was handled resulted in the last fallback key being used for signing, rather than the current signing key. Signing is provided by the itsdangerous library. A list of keys can...
Flask security vulnerability
Flask is a Python microframework for building web applications open-sourced by Pallets. A security vulnerability exists in Flask version 3.1.0 that stems from mishandling of the key fallback configuration, which could result in session signing with an expired key...
Default credentials
DataHub is an open-source metadata platform. The HMAC signature for DataHub Frontend sessions was being signed using a SHA-1 HMAC with the frontend secret key. SHA-1 with a 10-byte key can be brute-forced using sufficient resources, i.e. state-level actors with large computational capabilities...