Total
109 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-17523 | 1 Apache | 1 Shiro | 2024-08-04 | 9.8 Critical |
| Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass. | ||||
| CVE-2020-15787 | 1 Siemens | 2 Simatic Hmi United Comfort Panels, Simatic Hmi United Comfort Panels Firmware | 2024-08-04 | 9.8 Critical |
| A vulnerability has been identified in SIMATIC HMI Unified Comfort Panels (All versions <= V16). Affected devices insufficiently validate authentication attempts as the information given can be truncated to match only a set number of characters versus the whole provided string. This could allow a remote attacker to discover user passwords and obtain access to the Sm@rt Server via a brute-force attack. | ||||
| CVE-2020-15077 | 1 Openvpn | 1 Openvpn Access Server | 2024-08-04 | 5.3 Medium |
| OpenVPN Access Server 2.8.7 and earlier versions allows a remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks. | ||||
| CVE-2020-15115 | 2 Fedoraproject, Redhat | 3 Fedora, Etcd, Openstack | 2024-08-04 | 5.8 Medium |
| etcd before versions 3.3.23 and 3.4.10 does not perform any password length validation, which allows for very short passwords, such as those with a length of one. This may allow an attacker to guess or brute-force users' passwords with little computational effort. | ||||
| CVE-2020-15078 | 4 Canonical, Debian, Fedoraproject and 1 more | 4 Ubuntu Linux, Debian Linux, Fedora and 1 more | 2024-08-04 | 7.5 High |
| OpenVPN 2.5.1 and earlier versions allows a remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks. | ||||
| CVE-2020-14359 | 1 Redhat | 1 Louketo Proxy | 2024-08-04 | 7.3 High |
| A vulnerability was found in all versions of Keycloak Gatekeeper, where on using lower case HTTP headers (via cURL) an attacker can bypass our Gatekeeper. Lower case headers are also accepted by some webservers (e.g. Jetty). This means there is no protection when we put a Gatekeeper in front of a Jetty server and use lowercase headers. | ||||
| CVE-2020-11989 | 2 Apache, Redhat | 2 Shiro, Jboss Fuse | 2024-08-04 | 9.8 Critical |
| Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass. | ||||
| CVE-2020-11012 | 1 Minio | 1 Minio | 2024-08-04 | 9.3 Critical |
| MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. Given an admin access key, it is possible to perform admin API operations i.e. creating new service accounts for existing access keys - without knowing the admin secret key. This has been fixed and released in version RELEASE.2020-04-23T00-58-49Z. | ||||
| CVE-2020-10923 | 1 Netgear | 2 R6700, R6700 Firmware | 2024-08-04 | 8.8 High |
| This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R6700 V1.0.4.84_10.0.58 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the UPnP service, which listens on TCP port 5000. A crafted UPnP message can be used to bypass authentication. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-9642. | ||||
| CVE-2020-9770 | 1 Apple | 2 Ipados, Iphone Os | 2024-08-04 | 6.5 Medium |
| A logic issue was addressed with improved state management. This issue is fixed in iOS 13.4 and iPadOS 13.4. An attacker in a privileged network position may be able to intercept Bluetooth traffic. | ||||
| CVE-2020-2099 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2024-08-04 | 8.6 High |
| Jenkins 2.213 and earlier, LTS 2.204.1 and earlier improperly reuses encryption key parameters in the Inbound TCP Agent Protocol/3, allowing unauthorized attackers with knowledge of agent names to obtain the connection secrets for those agents, which can be used to connect to Jenkins, impersonating those agents. | ||||
| CVE-2021-43175 | 1 Goautodial | 2 Goautodial, Goautodial Api | 2024-08-04 | 7.5 High |
| The GOautodial API prior to commit 3c3a979 made on October 13th, 2021 exposes an API router that accepts a username, password, and action that routes to other PHP files that implement the various API functions. Vulnerable versions of GOautodial validate the username and password incorrectly, allowing the caller to specify any values for these parameters and successfully authenticate. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C | ||||
| CVE-2021-21403 | 1 Kongchuanhujiao Project | 1 Kongchuanhujiao | 2024-08-03 | 7.5 High |
| In github.com/kongchuanhujiao/server before version 1.3.21 there is an authentication Bypass by Primary Weakness vulnerability. All users are impacted. This is fixed in version 1.3.21. | ||||
| CVE-2021-3850 | 2 Adodb Project, Debian | 2 Adodb, Debian Linux | 2024-08-03 | 9.1 Critical |
| Authentication Bypass by Primary Weakness in GitHub repository adodb/adodb prior to 5.20.21. | ||||
| CVE-2021-3586 | 1 Redhat | 3 Openshift Service Mesh, Service Mesh, Servicemesh-operator | 2024-08-03 | 9.8 Critical |
| A flaw was found in servicemesh-operator. The NetworkPolicy resources installed for Maistra do not properly specify which ports may be accessed, allowing access to all ports on these resources from any pod. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | ||||
| CVE-2021-3547 | 1 Openvpn | 1 Openvpn | 2024-08-03 | 7.4 High |
| OpenVPN 3 Core Library version 3.6 and 3.6.1 allows a man-in-the-middle attacker to bypass the certificate authentication by issuing an unrelated server certificate using the same hostname found in the verify-x509-name option in a client configuration. | ||||
| CVE-2022-46146 | 2 Prometheus, Redhat | 2 Exporter Toolkit, Openshift | 2024-08-03 | 6.2 Medium |
| Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but attacker must have access to the hashed password to use this functionality. | ||||
| CVE-2022-44020 | 3 Fedoraproject, Opendev, Redhat | 4 Fedora, Sushy-tools, Virtualbmc and 1 more | 2024-08-03 | 5.5 Medium |
| An issue was discovered in OpenStack Sushy-Tools through 0.21.0 and VirtualBMC through 2.2.2. Changing the boot device configuration with these packages removes password protection from the managed libvirt XML domain. NOTE: this only affects an "unsupported, production-like configuration." | ||||
| CVE-2022-40723 | 1 Pingidentity | 3 Pingfederate, Pingid Integration Kit, Radius Pcv | 2024-08-03 | 6.5 Medium |
| The PingID RADIUS PCV adapter for PingFederate, which supports RADIUS authentication with PingID MFA, is vulnerable to MFA bypass under certain configurations. | ||||
| CVE-2022-39245 | 1 Makedeb | 1 Mist | 2024-08-03 | 8.4 High |
| Mist is the command-line interface for the makedeb Package Repository. Prior to version 0.9.5, a user-provided `sudo` binary via the `PATH` variable can allow a local user to run arbitrary commands on the user's system with root permissions. Versions 0.9.5 and later contain a patch. No known workarounds exist. | ||||