Pac4J
Monthly
LDAP injection in the PAC4J authentication library allows authenticated remote attackers to manipulate directory queries and execute unauthorized LDAP operations across versions 4.0-6.4.0. Low attack complexity and network accessibility elevate the risk despite the low-privilege requirement. CERT-PL identified the flaw, which the vendor patched in versions 4.5.10, 5.7.10, and 6.4.1. EPSS data is not available, but the SSVC framework rates technical impact as 'total' with exploitation status 'none' and a non-automatable attack chain, suggesting a targeted exploitation scenario. No public exploit was identified at the time of analysis.
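The entry above names the vulnerability class but not the defensive pattern. The following is an added illustration, not pac4j's own code, of the standard mitigation for LDAP filter injection: every user-supplied value is escaped per RFC 4515 before being spliced into a search filter, so metacharacters such as `*`, `(` and `)` cannot change the filter's structure. The `escapeFilterValue` and `userFilter` names and the sample input are constructed for this example.

```java
import java.nio.charset.StandardCharsets;

public class LdapFilterEscape {

    // Escape one attribute value for use inside an LDAP search filter (RFC 4515).
    // ASCII metacharacters and NUL become \xx hex escapes; non-ASCII characters
    // are emitted as escaped UTF-8 bytes, which is what the RFC requires.
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        value.codePoints().forEach(cp -> {
            switch (cp) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case 0:    sb.append("\\00"); break;
                default:
                    if (cp > 0x7f) {
                        byte[] utf8 = new String(Character.toChars(cp))
                                .getBytes(StandardCharsets.UTF_8);
                        for (byte b : utf8) {
                            sb.append(String.format("\\%02x", b & 0xff));
                        }
                    } else {
                        sb.appendCodePoint(cp);
                    }
            }
        });
        return sb.toString();
    }

    // Build a user lookup filter. Only the escaped value is ever concatenated,
    // so the caller cannot add or close filter components.
    static String userFilter(String username) {
        return "(&(objectClass=person)(uid=" + escapeFilterValue(username) + "))";
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a normal username and one carrying filter
        // metacharacters that would widen the query if left unescaped.
        String benign = "alice";
        String hostile = "*)(uid=*";
        System.out.println("unescaped: (&(objectClass=person)(uid=" + hostile + "))");
        System.out.println("escaped:   " + userFilter(hostile));
        System.out.println("benign:    " + userFilter(benign));
    }
}
```

Running the class shows that the unescaped form contains two `uid` clauses and a wildcard, while the escaped form keeps the hostile string as a single literal value. Escaping is the right layer for this fix because it works for any value the directory accepts; an allow-list on characters is an additional, not a replacement, control.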
CSRF token bypass in the PAC4J authentication library (versions 5.0-5.7.9 and 6.0-6.4.0) allows remote attackers to perform unauthorized state-changing operations via hash collision exploitation. Attackers craft tokens that collide with victims' legitimate CSRF tokens by exploiting Java's deterministic String.hashCode() function, reducing the effective security from cryptographic strength to 32 bits. This enables account takeover through forced profile updates, password changes, and account linking when victims visit malicious websites (EPSS exploitation probability and KEV status are not provided in the analysis data). CERT-PL disclosed the vulnerability; vendor patches were released in versions 5.7.10 and 6.4.1.
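To make the "32 bits" figure in the entry above concrete, here is an added example that is not pac4j's code and does not claim to reproduce its internals. It assumes, for illustration, a token check that compares `String.hashCode()` values rather than the token bytes: since `hashCode()` is a 32-bit deterministic function, distinct strings can share it, and the well-known pair `"Aa"` / `"BB"` (both hash to 2112) is enough to show such a check accepting the wrong token. The corrected check compares the full token with `MessageDigest.isEqual`, which is constant-time and compares every byte. The class and method names and the sample tokens are constructed for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class CsrfTokenCompare {

    // Weak pattern (assumed for illustration): only the 32-bit hashCode is compared,
    // so any string colliding with the stored token's hashCode is accepted.
    static boolean weakEquals(String expected, String presented) {
        if (expected == null || presented == null) {
            return false;
        }
        return expected.hashCode() == presented.hashCode();
    }

    // Fixed pattern: compare the complete token bytes in constant time.
    // MessageDigest.isEqual returns false on length mismatch without leaking
    // timing on the prefix, and never collapses the token to a short digest.
    static boolean safeEquals(String expected, String presented) {
        if (expected == null || presented == null) {
            return false;
        }
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                presented.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sample: two different strings with the same Java hashCode.
        String storedToken = "Aa";
        String presentedToken = "BB";

        System.out.println("hashCode equal:  "
                + (storedToken.hashCode() == presentedToken.hashCode()));
        System.out.println("weakEquals:      " + weakEquals(storedToken, presentedToken));
        System.out.println("safeEquals:      " + safeEquals(storedToken, presentedToken));
        System.out.println("safeEquals same: " + safeEquals(storedToken, storedToken));
    }
}
```

Running the class shows the weak check accepting a token that differs from the stored one while the byte-wise check rejects it. A real CSRF token should also be generated with `java.security.SecureRandom` and carry well over 32 bits of entropy; the comparison fix only matters if the token itself is unguessable.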