CWE-551
Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
Monthly
{orgId} REST endpoints they should not be able to access by appending a semicolon to the request path. With a scope-changing CVSS of 7.7 and confidentiality impact, a low-privileged tenant could read data belonging to other organizations managed by the same platform. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Authenticated users with uma_protection role in Red Hat Keycloak can bypass User-Managed Access policy validation to gain unauthorized access to victim-owned resources. The vulnerability (confirmed actively exploited - CISA KEV) enables attackers to inject arbitrary resource identifiers during policy creation, obtaining Requesting Party Tokens for resources they do not own. With CVSS 8.1 (High), network-accessible attack vector, and low complexity, this represents a significant access control bypass in enterprise identity management deployments. EPSS data and public exploit status not confirmed from available data.
User enumeration vulnerability in ZKTeco ZKBioSecurity 3.0 that allows unauthenticated attackers to discover valid usernames through partial character submissions to the authentication endpoint. A public proof-of-concept exploit is available, making this vulnerability actively exploitable, though it has a notably high CVSS score of 9.8 that appears inflated given the actual impact is limited to information disclosure.
Keycloak's Authorization header parser improperly tolerates non-RFC 6750 compliant formatting, including tabs and case variations in Bearer token authentication. This lax validation could enable attackers to bypass authentication mechanisms or manipulate token validation logic in applications relying on strict Bearer token parsing. No patch is currently available for this medium-severity vulnerability.
Dompdf is an HTML to PDF converter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
{orgId} REST endpoints they should not be able to access by appending a semicolon to the request path. With a scope-changing CVSS of 7.7 and confidentiality impact, a low-privileged tenant could read data belonging to other organizations managed by the same platform. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Authenticated users with uma_protection role in Red Hat Keycloak can bypass User-Managed Access policy validation to gain unauthorized access to victim-owned resources. The vulnerability (confirmed actively exploited - CISA KEV) enables attackers to inject arbitrary resource identifiers during policy creation, obtaining Requesting Party Tokens for resources they do not own. With CVSS 8.1 (High), network-accessible attack vector, and low complexity, this represents a significant access control bypass in enterprise identity management deployments. EPSS data and public exploit status not confirmed from available data.
User enumeration vulnerability in ZKTeco ZKBioSecurity 3.0 that allows unauthenticated attackers to discover valid usernames through partial character submissions to the authentication endpoint. A public proof-of-concept exploit is available, making this vulnerability actively exploitable, though it has a notably high CVSS score of 9.8 that appears inflated given the actual impact is limited to information disclosure.
Keycloak's Authorization header parser improperly tolerates non-RFC 6750 compliant formatting, including tabs and case variations in Bearer token authentication. This lax validation could enable attackers to bypass authentication mechanisms or manipulate token validation logic in applications relying on strict Bearer token parsing. No patch is currently available for this medium-severity vulnerability.
Dompdf is an HTML to PDF converter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.