​
DirectorySecurity Advisories
Sign In
Security Advisories

CGA-gxjq-vrjj-q4mq

Published

Last updated

https://images.chainguard.dev/security/CGA-gxjq-vrjj-q4mq
Package

cloudwatch-exporter

Latest Update
Fixed
Fixed Version

0.15.4-r3

Aliases
  • CVE-2023-41900
  • GHSA-pwh8-58vv-vw48

Severity

3.5

Low

CVSS V3

Summary

Jetty's OpenId Revoked authentication allows one request

Description

If a Jetty OpenIdAuthenticator uses the optional nested LoginService, and that LoginService decides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authentication is then cleared from the session and subsequent requests will not be treated as authenticated.

So a request on a previously authenticated session could be allowed to bypass authentication after it had been rejected by the LoginService.

Impact

This impacts usages of the jetty-openid which have configured a nested LoginService and where that LoginService will is capable of rejecting previously authenticated users.

Original Report

Patched Versions

Fixed in Jetty Versions:

Workaround

Upgrade your version of Jetty.

References

References

Updates


Safe Source for Open Sourceâ„¢
Media KitContact Us
© 2024 Chainguard. All Rights Reserved.
Private PolicyTerms of Use

Product

Chainguard Images