Monthly
The silent Just-In-Time (JIT) provisioning feature in federated authentication implementations fails to properly segregate user roles during account creation when a federated user shares a username. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Certificate-validation bypass in Eclipse Cyclone DDS before 0.10.5 lets unauthenticated network attackers defeat the DDS Security authentication plugin's certificate checks, and per the advisory execute commands with System privileges. The flaw stems from improper verification of certificate time/expiration (CWE-298), meaning expired or otherwise time-invalid certificates can be accepted as valid, enabling impersonation of trusted DDS participants. The EPSS score is low (0.30%, 22nd percentile) and there is no CISA KEV listing, so despite the maximal 10.0 CVSS there is no confirmed active exploitation at time of analysis.
Improper validation of permissions/ticket revocation in eProsima Fast-DDS 3.3.0 allows revoked or no-longer-valid security credentials to be accepted, permitting unauthorized participants to join a secured DDS domain and exchange data over connections that should have been refused. The flaw sits in the DDS Security access-control layer (Permissions handling) and undermines the confidentiality and integrity guarantees of an otherwise authenticated domain. Rated CVSS 10.0 with a scope change, but EPSS is low (0.30%, 22th percentile) and there is no public exploit identified at time of analysis, so real-world risk is narrower than the base score implies.
Infrahub offers a central hub to manage data, templates, and playbooks. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The MQTT add-on of PcVue fails to verify that a remote device’s certificate has not already expired or has not yet become valid. Rated medium severity (CVSS 6.0), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Pow is a authentication and user management solution for Phoenix and Plug-based apps. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The silent Just-In-Time (JIT) provisioning feature in federated authentication implementations fails to properly segregate user roles during account creation when a federated user shares a username. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Certificate-validation bypass in Eclipse Cyclone DDS before 0.10.5 lets unauthenticated network attackers defeat the DDS Security authentication plugin's certificate checks, and per the advisory execute commands with System privileges. The flaw stems from improper verification of certificate time/expiration (CWE-298), meaning expired or otherwise time-invalid certificates can be accepted as valid, enabling impersonation of trusted DDS participants. The EPSS score is low (0.30%, 22nd percentile) and there is no CISA KEV listing, so despite the maximal 10.0 CVSS there is no confirmed active exploitation at time of analysis.
Improper validation of permissions/ticket revocation in eProsima Fast-DDS 3.3.0 allows revoked or no-longer-valid security credentials to be accepted, permitting unauthorized participants to join a secured DDS domain and exchange data over connections that should have been refused. The flaw sits in the DDS Security access-control layer (Permissions handling) and undermines the confidentiality and integrity guarantees of an otherwise authenticated domain. Rated CVSS 10.0 with a scope change, but EPSS is low (0.30%, 22th percentile) and there is no public exploit identified at time of analysis, so real-world risk is narrower than the base score implies.
Infrahub offers a central hub to manage data, templates, and playbooks. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The MQTT add-on of PcVue fails to verify that a remote device’s certificate has not already expired or has not yet become valid. Rated medium severity (CVSS 6.0), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Pow is a authentication and user management solution for Phoenix and Plug-based apps. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.