Common Weakness Enumeration

CWE-298

Allowed

Improper Validation of Certificate Expiration

Abstraction: Variant · Status: Draft

A certificate expiration is not validated or is incorrectly validated.

14 vulnerabilities reference this CWE, most recent first.

GHSA-8RQX-XM8R-Q2RM

Vulnerability from github – Published: 2025-12-23 18:30 – Updated: 2025-12-23 18:30
VLAI
Details

Improper verification of the time certificate in Eclipse Cyclone DDS before v0.10.5 allows attackers to bypass certificate checks and execute commands with System privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-67109"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-298"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-23T16:16:23Z",
    "severity": "CRITICAL"
  },
  "details": "Improper verification of the time certificate in Eclipse Cyclone DDS before v0.10.5 allows attackers to bypass certificate checks and execute commands with System privileges.",
  "id": "GHSA-8rqx-xm8r-q2rm",
  "modified": "2025-12-23T18:30:27Z",
  "published": "2025-12-23T18:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67109"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/lkloliver/669e15bc7e6194133e4ee1026ce157e6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eclipse-cyclonedds/cyclonedds/blob/master/src/ddsrt/src/time/posix/time.c#L28"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eclipse-cyclonedds/cyclonedds/blob/master/src/security/builtin_plugins/authentication/src/auth_utils.c#L84"
    },
    {
      "type": "WEB",
      "url": "http://eclipse.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C9WW-FM69-95FG

Vulnerability from github – Published: 2026-07-04 21:30 – Updated: 2026-07-04 21:30
VLAI
Details

The silent Just-In-Time (JIT) provisioning feature in federated authentication implementations fails to properly segregate user roles during account creation when a federated user shares a username with a local user. This allows the provisioning process to overwrite existing roles of local users with roles assigned to the federated user.

Exploitation requires a federated identity provider (IDP) with silent JIT provisioning enabled and an attacker's knowledge of a local user's username. When these conditions are met, a malicious individual can leverage the JIT provisioning process to modify the roles of local users. The overwritten roles are limited to those defined within the federated IDP, typically granting minimal access rights unless explicitly configured otherwise by the federated IDP administrator.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-1248"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-298"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-04T21:17:13Z",
    "severity": "MODERATE"
  },
  "details": "The silent Just-In-Time (JIT) provisioning feature in federated authentication implementations fails to properly segregate user roles during account creation when a federated user shares a username with a local user. This allows the provisioning process to overwrite existing roles of local users with roles assigned to the federated user.\n\nExploitation requires a federated identity provider (IDP) with silent JIT provisioning enabled and an attacker\u0027s knowledge of a local user\u0027s username. When these conditions are met, a malicious individual can leverage the JIT provisioning process to modify the roles of local users. The overwritten roles are limited to those defined within the federated IDP, typically granting minimal access rights unless explicitly configured otherwise by the federated IDP administrator.",
  "id": "GHSA-c9ww-fm69-95fg",
  "modified": "2026-07-04T21:30:25Z",
  "published": "2026-07-04T21:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1248"
    },
    {
      "type": "WEB",
      "url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3179"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QWRJ-9HMP-GPXH

Vulnerability from github – Published: 2022-07-15 18:10 – Updated: 2023-02-09 20:22
VLAI
Summary
FlyteAdmin Insufficient AccessToken Expiration Check
Details

Impact

Authenticated users using an external identity provider can continue to use Access Tokens and ID Tokens even after they expire. Using flyteadmin as the OAuth2 Authorization Server is unaffected by this issue.

Patches

1.1.30

Workarounds

Rotating signing keys immediately will: * Invalidate all open sessions, * Force all users to attempt to obtain new tokens.

Continue to rotate keys until flyteadmin has been upgraded,

Hide flyteadmin deployment ingress url from the internet.

References

https://github.com/flyteorg/flyteadmin/pull/455

For more information

If you have any questions or comments about this advisory: * Open an issue in flyte repo * Email us at flyte

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/flyteorg/flyteadmin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.31"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-31145"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-298",
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-15T18:10:48Z",
    "nvd_published_at": "2022-07-13T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nAuthenticated users using an external identity provider can continue to use Access Tokens and ID Tokens even after they expire.\nUsing flyteadmin as the OAuth2 Authorization Server is unaffected by this issue.\n\n### Patches\n1.1.30\n\n### Workarounds\nRotating signing keys immediately will:\n* Invalidate all open sessions,\n* Force all users to attempt to obtain new tokens.\n\nContinue to rotate keys until flyteadmin has been upgraded,\n\nHide flyteadmin deployment ingress url from the internet.\n\n### References\nhttps://github.com/flyteorg/flyteadmin/pull/455\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [flyte repo](https://github.com/flyteorg/flyte/issues)\n* Email us at [flyte](mailto:admin@flyte.org)\n",
  "id": "GHSA-qwrj-9hmp-gpxh",
  "modified": "2023-02-09T20:22:10Z",
  "published": "2022-07-15T18:10:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/flyteorg/flyteadmin/security/advisories/GHSA-qwrj-9hmp-gpxh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31145"
    },
    {
      "type": "WEB",
      "url": "https://github.com/flyteorg/flyteadmin/pull/455"
    },
    {
      "type": "WEB",
      "url": "https://github.com/flyteorg/flyteadmin/commit/a1ec282d02706e074bc4986fd0412e5da3b9d00a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/flyteorg/flyteadmin"
    },
    {
      "type": "WEB",
      "url": "https://github.com/flyteorg/flyteadmin/releases/tag/v1.1.31"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2022-0519"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "FlyteAdmin Insufficient AccessToken Expiration Check"
}

GHSA-V2P7-4PV4-3WWH

Vulnerability from github – Published: 2025-09-10 20:47 – Updated: 2025-09-10 20:47
VLAI
Summary
Infrahub: Deleted and expired API tokens can still authenticate
Details

Impact

A bug in the authentication logic will cause API tokens that were deleted and/or expired to be considered valid. This means that any API token that is associated with an active user account can authenticate successfully.

Patches

This issue is fixed in versions 1.3.9 and 1.4.5

Workarounds

Users can delete or deactivate the account associated with a deleted API token to prevent that token from authenticating.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "infrahub-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "infrahub-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.4.0"
            },
            {
              "fixed": "1.4.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-59036"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-298"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-10T20:47:07Z",
    "nvd_published_at": "2025-09-09T22:15:34Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nA bug in the authentication logic will cause API tokens that were deleted and/or expired to be considered valid. This means that any API token that is associated with an active user account can authenticate successfully.\n\n### Patches\nThis issue is fixed in versions `1.3.9` and `1.4.5`\n\n### Workarounds\nUsers can delete or deactivate the account associated with a deleted API token to prevent that token from authenticating.",
  "id": "GHSA-v2p7-4pv4-3wwh",
  "modified": "2025-09-10T20:47:07Z",
  "published": "2025-09-10T20:47:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/opsmill/infrahub/security/advisories/GHSA-v2p7-4pv4-3wwh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59036"
    },
    {
      "type": "WEB",
      "url": "https://github.com/opsmill/infrahub/commit/215185f217e2f754f7c0a0aa4b77e11079a063a1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/opsmill/infrahub/commit/61b49a4a9e988f10c3a44f0e86ef97f344a1e228"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/opsmill/infrahub"
    },
    {
      "type": "WEB",
      "url": "https://github.com/opsmill/infrahub/releases/tag/infrahub-v1.3.9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/opsmill/infrahub/releases/tag/infrahub-v1.4.5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Infrahub: Deleted and expired API tokens can still authenticate"
}

Mitigation
Architecture and Design

Check for expired certificates and provide the user with adequate information about the nature of the problem and how to proceed.

Mitigation
Implementation

If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the expiration.

No CAPEC attack patterns related to this CWE.