CWE-298
AllowedImproper Validation of Certificate Expiration
Abstraction: Variant · Status: Draft
A certificate expiration is not validated or is incorrectly validated.
14 vulnerabilities reference this CWE, most recent first.
GHSA-8RQX-XM8R-Q2RM
Vulnerability from github – Published: 2025-12-23 18:30 – Updated: 2025-12-23 18:30Improper verification of the time certificate in Eclipse Cyclone DDS before v0.10.5 allows attackers to bypass certificate checks and execute commands with System privileges.
{
"affected": [],
"aliases": [
"CVE-2025-67109"
],
"database_specific": {
"cwe_ids": [
"CWE-298"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-23T16:16:23Z",
"severity": "CRITICAL"
},
"details": "Improper verification of the time certificate in Eclipse Cyclone DDS before v0.10.5 allows attackers to bypass certificate checks and execute commands with System privileges.",
"id": "GHSA-8rqx-xm8r-q2rm",
"modified": "2025-12-23T18:30:27Z",
"published": "2025-12-23T18:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67109"
},
{
"type": "WEB",
"url": "https://gist.github.com/lkloliver/669e15bc7e6194133e4ee1026ce157e6"
},
{
"type": "WEB",
"url": "https://github.com/eclipse-cyclonedds/cyclonedds/blob/master/src/ddsrt/src/time/posix/time.c#L28"
},
{
"type": "WEB",
"url": "https://github.com/eclipse-cyclonedds/cyclonedds/blob/master/src/security/builtin_plugins/authentication/src/auth_utils.c#L84"
},
{
"type": "WEB",
"url": "http://eclipse.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C9WW-FM69-95FG
Vulnerability from github – Published: 2026-07-04 21:30 – Updated: 2026-07-04 21:30The silent Just-In-Time (JIT) provisioning feature in federated authentication implementations fails to properly segregate user roles during account creation when a federated user shares a username with a local user. This allows the provisioning process to overwrite existing roles of local users with roles assigned to the federated user.
Exploitation requires a federated identity provider (IDP) with silent JIT provisioning enabled and an attacker's knowledge of a local user's username. When these conditions are met, a malicious individual can leverage the JIT provisioning process to modify the roles of local users. The overwritten roles are limited to those defined within the federated IDP, typically granting minimal access rights unless explicitly configured otherwise by the federated IDP administrator.
{
"affected": [],
"aliases": [
"CVE-2024-1248"
],
"database_specific": {
"cwe_ids": [
"CWE-298"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-04T21:17:13Z",
"severity": "MODERATE"
},
"details": "The silent Just-In-Time (JIT) provisioning feature in federated authentication implementations fails to properly segregate user roles during account creation when a federated user shares a username with a local user. This allows the provisioning process to overwrite existing roles of local users with roles assigned to the federated user.\n\nExploitation requires a federated identity provider (IDP) with silent JIT provisioning enabled and an attacker\u0027s knowledge of a local user\u0027s username. When these conditions are met, a malicious individual can leverage the JIT provisioning process to modify the roles of local users. The overwritten roles are limited to those defined within the federated IDP, typically granting minimal access rights unless explicitly configured otherwise by the federated IDP administrator.",
"id": "GHSA-c9ww-fm69-95fg",
"modified": "2026-07-04T21:30:25Z",
"published": "2026-07-04T21:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1248"
},
{
"type": "WEB",
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3179"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-QWRJ-9HMP-GPXH
Vulnerability from github – Published: 2022-07-15 18:10 – Updated: 2023-02-09 20:22Impact
Authenticated users using an external identity provider can continue to use Access Tokens and ID Tokens even after they expire. Using flyteadmin as the OAuth2 Authorization Server is unaffected by this issue.
Patches
1.1.30
Workarounds
Rotating signing keys immediately will: * Invalidate all open sessions, * Force all users to attempt to obtain new tokens.
Continue to rotate keys until flyteadmin has been upgraded,
Hide flyteadmin deployment ingress url from the internet.
References
https://github.com/flyteorg/flyteadmin/pull/455
For more information
If you have any questions or comments about this advisory: * Open an issue in flyte repo * Email us at flyte
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/flyteorg/flyteadmin"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.31"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-31145"
],
"database_specific": {
"cwe_ids": [
"CWE-298",
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-15T18:10:48Z",
"nvd_published_at": "2022-07-13T21:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\nAuthenticated users using an external identity provider can continue to use Access Tokens and ID Tokens even after they expire.\nUsing flyteadmin as the OAuth2 Authorization Server is unaffected by this issue.\n\n### Patches\n1.1.30\n\n### Workarounds\nRotating signing keys immediately will:\n* Invalidate all open sessions,\n* Force all users to attempt to obtain new tokens.\n\nContinue to rotate keys until flyteadmin has been upgraded,\n\nHide flyteadmin deployment ingress url from the internet.\n\n### References\nhttps://github.com/flyteorg/flyteadmin/pull/455\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [flyte repo](https://github.com/flyteorg/flyte/issues)\n* Email us at [flyte](mailto:admin@flyte.org)\n",
"id": "GHSA-qwrj-9hmp-gpxh",
"modified": "2023-02-09T20:22:10Z",
"published": "2022-07-15T18:10:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/flyteorg/flyteadmin/security/advisories/GHSA-qwrj-9hmp-gpxh"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31145"
},
{
"type": "WEB",
"url": "https://github.com/flyteorg/flyteadmin/pull/455"
},
{
"type": "WEB",
"url": "https://github.com/flyteorg/flyteadmin/commit/a1ec282d02706e074bc4986fd0412e5da3b9d00a"
},
{
"type": "PACKAGE",
"url": "https://github.com/flyteorg/flyteadmin"
},
{
"type": "WEB",
"url": "https://github.com/flyteorg/flyteadmin/releases/tag/v1.1.31"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2022-0519"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "FlyteAdmin Insufficient AccessToken Expiration Check"
}
GHSA-V2P7-4PV4-3WWH
Vulnerability from github – Published: 2025-09-10 20:47 – Updated: 2025-09-10 20:47Impact
A bug in the authentication logic will cause API tokens that were deleted and/or expired to be considered valid. This means that any API token that is associated with an active user account can authenticate successfully.
Patches
This issue is fixed in versions 1.3.9 and 1.4.5
Workarounds
Users can delete or deactivate the account associated with a deleted API token to prevent that token from authenticating.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "infrahub-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.3.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "infrahub-server"
},
"ranges": [
{
"events": [
{
"introduced": "1.4.0"
},
{
"fixed": "1.4.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-59036"
],
"database_specific": {
"cwe_ids": [
"CWE-298"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-10T20:47:07Z",
"nvd_published_at": "2025-09-09T22:15:34Z",
"severity": "MODERATE"
},
"details": "### Impact\nA bug in the authentication logic will cause API tokens that were deleted and/or expired to be considered valid. This means that any API token that is associated with an active user account can authenticate successfully.\n\n### Patches\nThis issue is fixed in versions `1.3.9` and `1.4.5`\n\n### Workarounds\nUsers can delete or deactivate the account associated with a deleted API token to prevent that token from authenticating.",
"id": "GHSA-v2p7-4pv4-3wwh",
"modified": "2025-09-10T20:47:07Z",
"published": "2025-09-10T20:47:07Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/opsmill/infrahub/security/advisories/GHSA-v2p7-4pv4-3wwh"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59036"
},
{
"type": "WEB",
"url": "https://github.com/opsmill/infrahub/commit/215185f217e2f754f7c0a0aa4b77e11079a063a1"
},
{
"type": "WEB",
"url": "https://github.com/opsmill/infrahub/commit/61b49a4a9e988f10c3a44f0e86ef97f344a1e228"
},
{
"type": "PACKAGE",
"url": "https://github.com/opsmill/infrahub"
},
{
"type": "WEB",
"url": "https://github.com/opsmill/infrahub/releases/tag/infrahub-v1.3.9"
},
{
"type": "WEB",
"url": "https://github.com/opsmill/infrahub/releases/tag/infrahub-v1.4.5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Infrahub: Deleted and expired API tokens can still authenticate"
}
Mitigation
Check for expired certificates and provide the user with adequate information about the nature of the problem and how to proceed.
Mitigation
If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the expiration.
No CAPEC attack patterns related to this CWE.