Attestd Now Covers Authentication Infrastructure and Language Runtimes

Two new product categories are live on Attestd: fourteen new products across authentication infrastructure and language runtimes.
Authentication and Identity: Keycloak, OpenLDAP, FreeIPA, Linux-PAM, Samba, MIT Kerberos
Language Runtimes: Python, Ruby, PHP, Go, OpenJDK, Rust, Perl, Erlang/OTP
Authentication and Identity
Authentication infrastructure is the credential layer for everything else in the stack. A compromised identity provider does not just expose one service. It exposes every service that trusts it. The six products in this batch sit directly on that critical path.
Keycloak
Originally a Red Hat project and now hosted under the CNCF, Keycloak is the dominant self-hosted IdP for OAuth2, OIDC, and SAML-based SSO. Attestd tracks the full CVE history for Keycloak, including two account-level vulnerabilities worth checking on any deployment.
CVE-2023-6787 is an authentication bypass via improper redirect validation. CVE-2024-1132 is a path traversal in redirect URI validation that can be chained to achieve account takeover on affected versions.
```bash
curl "https://api.attestd.io/v1/check?product=keycloak&version=22.0.0" \
  -H "Authorization: Bearer YOUR_API_KEY"
```
OpenLDAP
The reference LDAP implementation, backing most enterprise directory services. CVE-2023-2953 is a null pointer dereference in ber_memalloc_x(), triggered by a malformed LDAP request; the result is a crash of the slapd daemon, so a single unauthenticated client can take the directory offline.
FreeIPA
Red Hat's integrated Linux identity solution combining LDAP, Kerberos, DNS, and certificate management in a single deployment. Used heavily in RHEL and CentOS environments. CVE-2024-2698 is the headline CVE in the current data.
Linux-PAM
Pluggable Authentication Modules, the authentication layer for login, sudo, and SSH on virtually every Linux system. CVE-2024-22365 and CVE-2024-10041 are tracked in the current data. Linux-PAM sits so deep in the authentication stack that a vulnerability in it affects every PAM-linked service on the host at once.
Samba
Open-source Windows file sharing and Active Directory compatibility. Used wherever Linux infrastructure needs to speak to Windows environments. Two CVEs of note.
CVE-2017-7494, known as SambaCry or EternalRed, is the Linux-side analogue of EternalBlue from the same era. CVSS 9.8, CISA KEV listed. It affects every Samba release from 3.5.0 onward and is fixed in 4.6.4, 4.5.10, and 4.4.14. An attacker who can write a file to a share (guest or anonymous write access is enough) and who knows or can guess its server-side path can make smbd load that file as a shared library, giving remote code execution as the daemon. It is from 2017 but remains actively exploited against unpatched Samba deployments.
CVE-2021-44142 is a heap out-of-bounds read and write in the vfs_fruit VFS module, reachable by a client that can write a file's extended attributes on a share with the module enabled. CVSS 9.9. Fixed in 4.13.17, 4.14.12, and 4.15.5.
```bash
curl "https://api.attestd.io/v1/check?product=samba&version=4.13.0" \
  -H "Authorization: Bearer YOUR_API_KEY"
```
MIT Kerberos
MIT's reference Kerberos 5 implementation. The foundational library for enterprise SSO, GSSAPI, and the backend for FreeIPA. CVE-2023-36054 is a denial of service against kadmind, the administration daemon: a remote authenticated user can send an RPC that makes the kadm5 XDR code free an uninitialized pointer and crash the daemon. Fixed in krb5 1.20.2 and 1.21.1.
Language Runtimes
Language runtimes are the execution layer under every application. Unlike application dependencies they do not appear in a requirements.txt or a package.json, so a vulnerable interpreter affects every application running on it at the same time while staying invisible to dependency scanners. None of these products are reachable by pip-audit or npm audit.
PHP
The deepest CVE history of any product in this batch. PHP's attack surface spans CGI handling, extension APIs, type juggling, and string processing.
CVE-2024-4577 is the headline. CVSS 9.8, CISA KEV listed, exploited in the wild within about a day of disclosure. It is an argument injection in PHP's CGI mode on Windows: the Windows "Best-Fit" code page mapping converts certain characters into an ASCII hyphen after PHP's own escaping has run, so an unauthenticated remote attacker can smuggle interpreter options in the query string and execute arbitrary code. XAMPP default installs and hosts running Chinese or Japanese locales are the known-affected setups. Affects PHP 8.1 before 8.1.29, 8.2 before 8.2.20, and 8.3 before 8.3.8; older branches are end-of-life and did not receive a fix.
```bash
curl "https://api.attestd.io/v1/check?product=php&version=8.1.0" \
  -H "Authorization: Bearer YOUR_API_KEY"
```
Erlang/OTP
The Erlang/OTP runtime. A natural companion to Attestd's existing RabbitMQ coverage: the broker and its underlying runtime are now both tracked independently.
CVE-2025-32433 is a CVSS 10.0 unauthenticated remote code execution in the SSH server shipped with Erlang/OTP's ssh application, disclosed in April 2025. The server processed SSH connection-protocol messages before authentication had completed, so any node running an OTP ssh daemon (started via ssh:daemon) is exploitable pre-auth on affected versions, with the attacker's code running as the daemon's user. Fixed in OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. This was one of the highest-profile vulnerabilities of 2025.
```bash
curl "https://api.attestd.io/v1/check?product=erlang_otp&version=26.0.0" \
  -H "Authorization: Bearer YOUR_API_KEY"
```
Python
The CPython interpreter, and the runtime under most AI and ML tooling. CVE-2023-24329 is a URL parsing bypass: urllib.parse.urlsplit() did not strip leading whitespace, so a URL such as " file:///etc/passwd" parsed with an empty scheme and slipped past scheme-based blocklists, enabling server-side request forgery wherever the URL was fetched afterwards. Fixed in 3.12 and backported to 3.11.4 and the older maintained branches by stripping leading C0 control and space characters before parsing. CVE-2024-0450 is a "quoted-overlap" zip-bomb denial of service in the zipfile module.
```bash
curl "https://api.attestd.io/v1/check?product=python&version=3.11.0" \
  -H "Authorization: Bearer YOUR_API_KEY"
```
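The CVE-2023-24329 bug class, shown side by side with a check that holds regardless of interpreter version. This is an added example, not Attestd or CPython code: the blocklist and allowlist functions and the sample URLs are constructed for illustration. The blocklist check only reproduces the bypass on an interpreter that predates the fix; the hardened check returns the same verdict on every version.

```python
"""Scheme filtering around urllib.parse, the bug class behind CVE-2023-24329.

Added example, not Attestd or CPython code. The blocklist and allowlist
checks, and the sample URLs, are constructed for illustration. The blocklist
check reproduces the bypass only on an interpreter that predates the fix; the
hardened check gives the same answer on every version.
"""
import sys
from urllib.parse import urlsplit

# What the CPython fix strips from the front of a URL: C0 controls and space.
_C0_CONTROL_OR_SPACE = "".join(chr(c) for c in range(0x21))

BLOCKED_SCHEMES = {"file", "gopher", "ftp", "javascript", "data"}
ALLOWED_SCHEMES = {"http", "https"}

# Constructed sample input. The leading space on the second entry is the
# CVE-2023-24329 trigger: an unpatched urlsplit() returns scheme "" for it.
SAMPLE_URLS = [
    "https://example.com/health",
    " file:///etc/passwd",
    "\tgopher://169.254.169.254/",
    "javascript:alert(1)",
    "/relative/path",
]


def blocklist_allowed(url: str) -> bool:
    """Deny-by-scheme, as many SSRF guards were written.

    On an unpatched interpreter " file:///etc/passwd" parses with scheme ""
    (nothing blocked), and the fetch that follows still treats it as file://.
    """
    return urlsplit(url).scheme not in BLOCKED_SCHEMES


def hardened_allowed(url: str) -> bool:
    """Allow-by-scheme after normalising the input the same way the fix does.

    Stripping leading controls and spaces means the scheme cannot be hidden;
    requiring an allowed scheme plus a host closes the empty-scheme loophole
    regardless of interpreter version.
    """
    parts = urlsplit(url.lstrip(_C0_CONTROL_OR_SPACE))
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.netloc)


def audit(urls=SAMPLE_URLS) -> dict:
    """Return {url: (blocklist_verdict, hardened_verdict)} for side-by-side review."""
    return {u: (blocklist_allowed(u), hardened_allowed(u)) for u in urls}


if __name__ == "__main__":
    print(f"Python {sys.version.split()[0]}")
    for url, (weak, strong) in audit().items():
        print(f"{url!r:34} blocklist={str(weak):5} hardened={strong}")
```

Run it under a pre-fix interpreter and the " file:///etc/passwd" row shows blocklist=True; under a fixed one it shows False. The hardened column is False for that row either way, which is the property to rely on when the interpreter version is not under your control.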
Ruby
MRI interpreter, powering Rails and the RubyGems toolchain. CVE-2023-28755 is a regular expression denial of service in the URI parser. CVE-2024-27280 is a buffer over-read in StringIO's ungetc and ungetbyte paths.
Go
Google's compiler and standard library. The standard runtime for cloud-native services and Kubernetes controllers. CVE-2023-39325 is the HTTP/2 rapid reset attack in net/http and golang.org/x/net/http2, the same class of vulnerability behind the internet-wide DDoS incident in late 2023. CVSS 7.5. CVE-2024-24790 is a bug in net/netip: the Addr.Is* classifiers (IsPrivate, IsLoopback, IsLinkLocalUnicast and the like) returned false for IPv4-mapped IPv6 addresses, so an address such as ::ffff:10.0.0.1 could slip past IP-based access controls built on them. Fixed in Go 1.21.11 and 1.22.4.
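The IPv4-mapped bypass behind CVE-2024-24790 is not Go-specific; any guard that classifies ::ffff:10.0.0.1 by its IPv6 form has the same hole. The following is an added example, not Attestd or Go project code, written in Python to match the rest of this page: a constructed deny list, the naive check that lets the mapped form through, and the canonicalising check that does not. In Go the equivalent fix is calling netip.Addr.Unmap() before the Is* methods.

```python
"""Canonicalising IPv4-mapped IPv6 addresses before an allow/deny decision.

Added example, not Attestd or Go project code. CVE-2024-24790 is a Go
net/netip bug, but the class is language-independent: ::ffff:10.0.0.1 is the
private address 10.0.0.1 in IPv6 clothing, and any guard that classifies it
by its IPv6 form lets it through. The deny list and sample addresses are
constructed for illustration.
"""
import ipaddress

# Constructed deny list of the kind an SSRF or metadata-service guard uses.
DENY_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def naive_is_denied(addr: str) -> bool:
    """Classify the address exactly as given.

    ipaddress.ip_address("::ffff:10.0.0.1") is an IPv6Address; membership in
    an IPv4Network is always False across address families, so nothing matches.
    """
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in DENY_NETWORKS)


def canonical(addr: str):
    """Unwrap an IPv4-mapped IPv6 address to its IPv4 form; leave others as is."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def hardened_is_denied(addr: str) -> bool:
    """Canonicalise first, then classify, so the mapped form and the plain
    form get the same verdict."""
    ip = canonical(addr)
    return any(ip in net for net in DENY_NETWORKS)


def compare(addrs) -> list:
    """Return (addr, naive_verdict, hardened_verdict) rows for review."""
    return [(a, naive_is_denied(a), hardened_is_denied(a)) for a in addrs]


if __name__ == "__main__":
    # Constructed sample inputs: the third row is the bypass.
    for addr, weak, strong in compare(
        ["10.0.0.1", "93.184.216.34", "::ffff:10.0.0.1",
         "::ffff:169.254.169.254", "2001:db8::1"]
    ):
        print(f"{addr:24} naive_denied={str(weak):5} hardened_denied={strong}")
```

The same canonicalisation step belongs in front of any allowlist as well: a rule that permits only 10.0.0.0/8 would otherwise reject a legitimate dual-stack client that presents as ::ffff:10.0.0.1.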
OpenJDK
The JVM under Spring Boot, Tomcat, and enterprise Java deployments. CVE-2024-20952 and CVE-2024-20918 come from Oracle's January 2024 Critical Patch Update; both are sandbox-escape class issues, exploitable from untrusted code running under the Java security sandbox, and affect OpenJDK across multiple version lines.
Rust
The Rust compiler and standard library. Smaller CVE history than the other runtimes but growing as Rust enters safety-critical infrastructure. CVE-2024-24576, known as BatBadBut, is a Windows-only argument injection: when std::process::Command is used to run a batch file (.bat or .cmd), cmd.exe reparses the command line with its own quoting rules, so arguments containing certain character sequences escape Rust's quoting and become command injection. Fixed in Rust 1.77.2, where Command now returns an error for arguments it cannot escape safely for a batch file.
Perl
The Perl 5 interpreter. One of the deepest legacy CVE histories in the set. Still embedded in operations tooling, system administration scripts, and bioinformatics pipelines. CVE-2023-47038 is a heap buffer overflow in the regex engine, triggered by compiling a pattern that uses an illegal user-defined Unicode property. CVE-2023-47039 is a Windows-only binary hijack: perl.exe located cmd.exe through a relative path search, so a writable directory on that search path let a local attacker run code with the privileges of the Perl process. Both are in the current data.
Checking your stack
All fourteen products are available via the standard /v1/check endpoint. The slugs are keycloak, openldap, freeipa, linux_pam, samba, mit_kerberos, python, ruby, php, go, openjdk, rust, perl, and erlang_otp.
```python
from attestd import Client

client = Client(api_key="YOUR_API_KEY")

# Runtime and identity versions found on the host; substitute your own.
runtime_stack = {
    "php": "8.1.0",
    "erlang_otp": "26.0.0",
    "python": "3.11.0",
    "keycloak": "22.0.0",
    "samba": "4.13.0",
}

for product, version in runtime_stack.items():
    result = client.check(product, version)
    if result.risk_state in ("critical", "high", "elevated"):
        print(f"{product} {version}: {result.risk_state}")
        if result.fixed_version:
            print(f"  Fix: {result.fixed_version}")
```
The gap pip-audit and npm audit leave
pip-audit and npm audit scan your declared dependencies against the CVE database. They reach your packages. They do not reach the interpreter running them, the authentication layer controlling access to them, or the Kerberos infrastructure issuing tickets to them.
CVE-2024-4577 (PHP), CVE-2025-32433 (Erlang/OTP), and CVE-2017-7494 (Samba) are all CISA KEV listed. All three return risk_state: "critical" or risk_state: "high" for affected versions. None of them are detectable via pip-audit or npm audit.
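The versions that go into the check calls above have to come from somewhere, and dependency manifests do not carry them. This added example, not Attestd's SDK or API client, shows the inventory step: it parses the banners each runtime prints for its version flag, compares the PHP version locally against the CVE-2024-4577 ranges quoted in this post, and builds the /v1/check URL for each runtime found. The banners are constructed sample output rather than captured from a live host; pass use_host=True to read the real binaries on PATH.

```python
"""Inventory runtime versions on a host and build the /v1/check queries.

Added example, not Attestd's SDK or API client. It parses the banners the
runtimes print for their version flag, compares the PHP version locally
against the CVE-2024-4577 ranges quoted in this post (8.1 < 8.1.29,
8.2 < 8.2.20, 8.3 < 8.3.8), and builds the /v1/check URL for each runtime
found. The banners below are constructed sample output, not captured from a
live host; pass use_host=True to read the real binaries on PATH.
"""
import re
import shutil
import subprocess
from urllib.parse import urlencode

CHECK_ENDPOINT = "https://api.attestd.io/v1/check"

# Constructed sample banners, in the format each runtime actually prints.
SAMPLE_BANNERS = {
    "php": "PHP 8.1.27 (cli) (built: Dec 20 2023 12:00:00) (NTS)",
    "python": "Python 3.11.0",
    "ruby": "ruby 3.2.2 (2023-03-30 revision e51014f9c0) [x86_64-linux]",
    "go": "go version go1.21.3 linux/amd64",
    "perl": "This is perl 5, version 36, subversion 1 (v5.36.1) built for x86_64-linux-gnu",
}

# How each runtime is asked for its version on a real host.
VERSION_COMMANDS = {
    "php": ["php", "--version"],
    "python": ["python3", "--version"],
    "ruby": ["ruby", "--version"],
    "go": ["go", "version"],
    "perl": ["perl", "--version"],
}

# Fixed releases for CVE-2024-4577 as quoted in the post, keyed by branch.
PHP_CVE_2024_4577_FIXED = {(8, 1): (8, 1, 29), (8, 2): (8, 2, 20), (8, 3): (8, 3, 8)}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(banner: str):
    """Pull the first major.minor.patch triple out of a version banner."""
    m = _VERSION_RE.search(banner)
    return tuple(int(g) for g in m.groups()) if m else None


def php_affected_by_cve_2024_4577(version) -> bool:
    """True if this PHP version falls in an affected range.

    Branches the post lists fixes for are compared against their fixed
    release. Branches older than 8.1 are end-of-life and, per upstream, were
    never fixed, so they are reported as affected too (assumption noted).
    """
    if version < (8, 1):
        return True
    fixed = PHP_CVE_2024_4577_FIXED.get(version[:2])
    return fixed is not None and version < fixed


def collect_versions(use_host: bool = False) -> dict:
    """Return {slug: version_tuple} from the constructed banners or the host."""
    found = {}
    for slug, cmd in VERSION_COMMANDS.items():
        if use_host:
            if shutil.which(cmd[0]) is None:
                continue
            proc = subprocess.run(cmd, capture_output=True, text=True)
            banner = proc.stdout + proc.stderr  # some runtimes print to stderr
        else:
            banner = SAMPLE_BANNERS[slug]
        version = parse_version(banner)
        if version:
            found[slug] = version
    return found


def check_url(slug: str, version) -> str:
    """The GET used in the curl examples above, with the version URL-encoded."""
    return f"{CHECK_ENDPOINT}?{urlencode({'product': slug, 'version': '.'.join(map(str, version))})}"


def report(versions: dict) -> list:
    """One line per runtime: slug, version, check URL, and a local CVE flag."""
    lines = []
    for slug, version in versions.items():
        flag = ""
        if slug == "php" and php_affected_by_cve_2024_4577(version):
            flag = "  <- in CVE-2024-4577 affected range"
        lines.append(f"{slug:7} {'.'.join(map(str, version)):9} {check_url(slug, version)}{flag}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(collect_versions())))
```

The local range check is deliberately limited to the one CVE whose ranges this post spells out; the point of the /v1/check URLs is that the service carries the rest of the ranges so the script does not have to.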
Full product reference at attestd.io/docs/products.
Get an API key at api.attestd.io/portal/login. Free tier, 1,000 calls a month, no credit card required.