The following section details notes that might impact your use of API Gateway.| docs.aws.amazon.com
At Amazon Web Services (AWS), our APIs and service functionality are a promise to our customers, so we very rarely make breaking changes or remove functionality from production services. Customers use the AWS Cloud to build solutions for their customers, and when disruptive changes are made or functionality is removed, the downstream impacts can be […]| Amazon Web Services
Writeup of a potential security issue in which the HAAPI authorization flow sends a valid, signed JWT to the front end. Because these HAAPI JWTs are exposed in the browser, a misconfigured API that accepts Curity-issued tokens by validating only the JWT signature (and not which audience or purpose the token was issued for) lets an attacker replay the leaked JWTs to gain unauthorized access to the API.| Omegapoint Security Blog
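The check that the misconfigured API is missing, as an added example rather than code from the writeup or from Curity: a minimal HS256 JWT mint/verify in the Python standard library, with a signature-only check beside a check that also enforces issuer, audience and expiry. It assumes the front-end token and the API token are distinguished by their `aud` claim and share one signing key; the key, issuer, audiences and claims are constructed for the example.

```python
"""Added example: signature-only JWT validation vs. full claim validation.

Assumption (not from the writeup): the token handed to the browser and
the token meant for the resource API come from the same issuer and key
and differ in their 'aud' claim. The key and claims below are constructed.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SHARED_KEY = b"example-hs256-key-not-for-production"  # constructed
ISSUER = "https://idp.example"                         # constructed


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_jwt(claims: dict, key: bytes = SHARED_KEY) -> str:
    """Issue a compact HS256 JWT (stands in for the identity provider)."""
    header = {"alg": "HS256", "typ": "JWT"}
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_signature_only(token: str, key: bytes = SHARED_KEY) -> Optional[dict]:
    """The misconfigured check: any token our key signed is accepted.

    Returns the claims on success, None on any failure. The alg check only
    prevents 'none'/confusion attacks; it says nothing about token purpose.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    try:
        header = json.loads(_b64url_decode(h))
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if header.get("alg") != "HS256":
            return None
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        return json.loads(_b64url_decode(p))
    except (ValueError, TypeError):
        return None


def verify_for_api(token: str, expected_aud: str, expected_iss: str = ISSUER,
                   key: bytes = SHARED_KEY, now: Optional[float] = None) -> Optional[dict]:
    """The hardened check: signature AND issuer, audience and expiry."""
    claims = verify_signature_only(token, key)
    if claims is None:
        return None
    now = time.time() if now is None else now
    if claims.get("iss") != expected_iss:
        return None
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if expected_aud not in auds:            # token was issued for someone else
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims


# Constructed tokens: one leaked from the browser flow, one meant for the API.
NOW = 1_700_000_000
FRONTEND_TOKEN = mint_jwt({"iss": ISSUER, "sub": "alice", "aud": "login-frontend",
                           "exp": NOW + 600})
API_TOKEN = mint_jwt({"iss": ISSUER, "sub": "alice", "aud": "orders-api",
                      "exp": NOW + 600})


def demo() -> dict:
    """Show that the leaked front-end token passes the weak check only."""
    return {
        "frontend_token_signature_only": verify_signature_only(FRONTEND_TOKEN) is not None,
        "frontend_token_full_check": verify_for_api(FRONTEND_TOKEN, "orders-api", now=NOW) is not None,
        "api_token_full_check": verify_for_api(API_TOKEN, "orders-api", now=NOW) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

In a real deployment the audience check is usually complemented by verifying the token type (for example a `typ` header or a purpose claim) and by never placing API-scoped tokens where browser JavaScript can read them; the example isolates only the audience/issuer/expiry step that a signature-only verifier skips.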
A vulnerability in Authentik’s OAuth 2.0 implementation (CVE-2024-52289) allowed attackers to bypass redirect URI validation due to the insecure use of regular expressions. By exploiting this flaw, an attacker could redirect authentication responses to a malicious server, enabling account takeover. Authentik has addressed the issue in patched versions (2024.10.3 and 2024.8.5) by enforcing strict string matching for URI validation.| securityblog.omegapoint.se
CVE-2024-45031 in the IAM solution Apache Syncope allows a low-privileged attacker to inject an XSS payload in a self-registration/self-service portal. The payload executes in a high-privilege context of an administrative portal, enabling privilege escalation through session riding against system administrators.| Omegapoint Security Blog
This blog post covers several potential security issues that were identified in TruffleHog v3, an open-source secret scanner. The issues were reported to Truffle Security, the team behind TruffleHog, in December 2023.| securityblog.omegapoint.se
CVE-2023-6927, a Keycloak vulnerability, allows bypassing redirect URI validation, which can be used as a vector for stealing authorization codes and access tokens and for redirecting victims to arbitrary hosts.| securityblog.omegapoint.se
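Both the Authentik entry (CVE-2024-52289) and the Keycloak entry (CVE-2023-6927) above come down to redirect URI validation that is looser than exact string matching. The following is an added example, not code from either project or from the linked writeups, that shows a constructed pattern-based check next to the exact-match check that OAuth 2.0 guidance calls for, and the kinds of attacker-controlled URIs the loose check lets through. The registered URI and attacker hosts are constructed.

```python
"""Added example: regex-based vs. exact-match redirect URI validation.

The insecure variant is a constructed illustration of the general mistake
(treating a registered URI as a pattern), not the specific code of
Authentik or Keycloak. Registered URI and attacker hosts are constructed.
"""
import re
from typing import List

REGISTERED_REDIRECT_URIS: List[str] = ["https://app.example.com/callback"]  # constructed


def insecure_redirect_ok(uri: str) -> bool:
    """Loose check: the registered URI is used as an unescaped, unanchored regex.

    Two bypasses follow from that:
      * '.' matches any character, so 'app-example.com' (attacker-owned)
        matches 'app.example.com';
      * re.search without ^ and $ accepts any URI that merely contains the
        registered URI, e.g. an attacker URL carrying it in a query string.
    """
    return any(re.search(registered, uri) for registered in REGISTERED_REDIRECT_URIS)


def strict_redirect_ok(uri: str) -> bool:
    """Hardened check: simple, exact string comparison against the allowlist.

    No normalization, no prefix/suffix matching, no wildcards; the client
    must present byte-for-byte one of its registered redirect URIs.
    """
    return uri in REGISTERED_REDIRECT_URIS


# Constructed inputs: the legitimate URI and two attacker-controlled ones.
LEGIT = "https://app.example.com/callback"
LOOKALIKE_HOST = "https://app-example.com/callback"                      # '.' wildcard
EMBEDDED = "https://attacker.example/steal?next=https://app.example.com/callback"  # unanchored


def compare() -> dict:
    """Return the verdict of each check for each constructed redirect URI."""
    return {
        name: (insecure_redirect_ok(uri), strict_redirect_ok(uri))
        for name, uri in {"legit": LEGIT, "lookalike": LOOKALIKE_HOST,
                          "embedded": EMBEDDED}.items()
    }


if __name__ == "__main__":
    for name, (loose, strict) in compare().items():
        print(f"{name:10s} loose={loose!s:5s} strict={strict}")
```

Where a deployment genuinely needs several redirect URIs (per-environment hosts, for instance), the fix is to register each one explicitly rather than to relax the comparison; if a pattern must be supported for a native-app loopback port, anchor it, escape every literal character, and constrain the variable part to the digits of the port.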