Argo CD will blindly trust JWT claims if anonymous access is enabled

### Impact A critical vulnerability has been discovered in Argo CD which would allow unauthenticated users to impersonate as any Argo CD user or role, including the `admin` user, by sending a specific ...

Continue Reading
CVE-2022-29217

PyJWT is a Python implementation of RFC 7519. PyJWT supports multiple different JWT signing algorithms. With JWT, an attacker submitting the JWT token can choose the used signing algorithm. The PyJWT ...

Continue Reading
CVE-2022-29165

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A critical vulnerability has been discovered in Argo CD starting with version 1.4.0 and prior to versions 2.1.15, 2.2.9, and 2 ...

Continue Reading
GitHub Security Lab: [Java]: CWE-321 – Query to detect hardcoded JWT secret keys

This bug was reported directly to GitHub Security Lab.Read More ...

Continue Reading
Uncontrolled Resource Consumption

# Description The Organizr application allows large characters to insert in the input field "Username" which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request. # Proof ...

Continue Reading
CVE-2022-29266

In APache APISIX before 3.13.1, an attacker can obtain a plugin-configured secret via an error message response by sending an incorrect JSON Web Token to a route protected by the jwt-auth plugin. The ...

Continue Reading
CVE-2022-24860

Databasir is a team-oriented relational database model document management platform. Databasir 1.01 has Use of Hard-coded Cryptographic Key vulnerability. An attacker can use hard coding to generate l ...

Continue Reading
Key confusion through non-blocklisted public key formats

### Impact _What kind of vulnerability is it? Who is impacted?_ Disclosed by Aapo Oksman (Senior Security Specialist, Nixu Corporation). > PyJWT supports multiple different JWT signing algorithms. ...

Continue Reading

Back to Main

Subscribe for the latest news: