GHSA-Q4W7-56HR-83RM Nginx-UI Settings API Exposes Protected Secrets
Summary The GetSettings API handler api/settings/settings.go:24-65 serializes all settings structs to JSON and returns them to authenticated users. Many sensitive fields are tagged with protected:"true" - however, this tag is only enforced during writes via ProtectedFill in SaveSettings and is...
GO-2023-1914 Brute-force of token secrets in github.com/superfly/tokenizer
Brute-force of token secrets in github.com/superfly/tokenizer...
CVE-2023-37266 Weak JSON Web Token (JWT) secrets in CasaOS
CasaOS is an open-source Personal Cloud system. Unauthenticated attackers can craft arbitrary JWTs and access features that usually require authentication and execute arbitrary commands as root on CasaOS instances. This problem was addressed by improving the validation of JWTs in commit 705bf1f...
Brute Force Token Secrets
superfly/tokenizer is vulnerable to brute-force of token secrets. The vulnerability is due to not restricting the fmt parameter to simple formatting and allowing the fmt/dst parameters to be specified at request time, enabling an attacker to brute-force secret values using...
GHSA-F28G-86HC-823Q Tokenizer vulnerable to client brute-force of token secrets
Impact Authorized clients, having an injectprocessor secret, could brute-force the secret token value by abusing the fmt parameter to the Proxy-Tokenizer header. Patches This was fixed in https://github.com/superfly/tokenizer/pull/8 and further mitigated in...