Summary
Traefik: HTTP/3 mTLS bypass via exact SNI TLSOptions lookup for wildcard and mixed-case hosts
References
Related vulnerabilities
- HIGH GHSA-4QQ2-2J2X-X62C: npm PraisonAI MCP Security Basic/OAuth authentication policies accept invalid credentials without validation
- HIGH GHSA-5R4W-85F3-PW66: Traefik: SNICheck ignores wildcard TLSOptions mappings, allowing domain-fronted mTLS bypass
- CRITICAL SC-TEAMCITY-2024:
CVE-2024-27198 was a critical (CVSS 9.8) authentication bypass in JetBrains TeamCity On-Premises, disclosed by Rapid7 on March 4, 2024, that let an unauthenticated remote attacker gain full administrative control of the CI/CD server. The bypass abused the request handling: an attacker requested a non-existent path that returned a 404, supplied an HTTP query parameter jsp=/app/rest/server pointing at a protected REST endpoint, and appended the path parameter ;.jsp to satisfy the .jsp extension check. The request was therefore treated as a permitted static resource and the auth filter was skipped, while the framework rewrote the view to the authenticated endpoint; this reached admin REST APIs that could create a new administrator user or generate an admin access token and upload malicious plugins for code execution. A second flaw disclosed alongside it, CVE-2024-27199 (CVSS 7.3), was a path traversal in unauthenticated paths such as /res/ and /.well-known/acme-challenge/ that exposed limited admin functionality. CVE-2024-27198 was added to the CISA KEV catalog on March 7, 2024 and was mass-exploited within days: more than 1,400 servers were compromised, with attackers creating rogue admin accounts to deploy BianLian and Jasmin ransomware, the Spark RAT, and the XMRig cryptominer.
- MEDIUM GHSA-Q59X-JC9F-GFQF: Signal K Server: Server-Side Request Forgery via Remote Connection Endpoints
- MEDIUM GHSA-5739-39V2-5754: PHP JWT Library: RSA1_5 (RSAES-PKCS1-v1_5) decryption lacks implicit rejection, exposing a Bleichenbacher/Marvin padding oracle
- HIGH GHSA-JC38-X7X8-2XC8: PHP JWT Framework: JWSVerifier uses algorithm from unprotected header, enabling algorithm confusion attacks