CWE-287
DiscouragedImproper Authentication
Abstraction: Class · Status: Draft
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
5967 vulnerabilities reference this CWE, most recent first.
GHSA-R642-GV9P-2WJJ
Vulnerability from github – Published: 2022-05-24 20:47 – Updated: 2022-05-24 20:47Impact
A critical vulnerability has been discovered in Argo CD which would allow unauthenticated users to impersonate as any Argo CD user or role, including the admin user, by sending a specifically crafted JSON Web Token (JWT) along with the request. In order for this vulnerability to be exploited, anonymous access to the Argo CD instance must have been enabled.
In a default Argo CD installation, anonymous access is disabled. To find out if anonymous access is enabled in your instance, please see the Workarounds section of this advisory below.
The vulnerability can be exploited to impersonate as any user or role, including the built-in admin account regardless of whether that account is enabled or disabled. Also, the attacker does not need an account on the Argo CD instance in order to exploit this.
If anonymous access to the instance is enabled, an attacker can:
-
Escalate their privileges, effectively allowing them to gain the same privileges on the cluster as the Argo CD instance, which is cluster admin in a default installation. This will allow the attacker to create, manipulate and delete any resource on the cluster.
-
Exfiltrate data by deploying malicious workloads with elevated privileges, thus bypassing any redaction of sensitive data otherwise enforced by the Argo CD API
We strongly recommend that all users of Argo CD update to a version containing this patch as soon as possible, regardless of whether or not anonymous access is enabled in your instance.
Please see below for a list of versions containing a fix for this vulnerability and any possible workarounds existing for this issue.
Patches
A patch for this vulnerability has been released in the following Argo CD versions:
- v2.3.4
- v2.2.9
- v2.1.15
Workarounds
Disable anonymous access
If you are not able to upgrade to a patched version quickly, we highly suggest disabling anonymous access if it is enabled.
To find out whether anonymous access is enabled for your Argo CD instance, you can query the argocd-cm ConfigMap in the Argo CD's installation namespace. The below example assumes you have installed Argo CD to the argocd namespace:
$ kubectl get -n argocd cm argocd-cm -o jsonpath='{.data.users\.anonymous\.enabled}'
If the result of this command is either empty or "false", anonymous access to that instance is not enabled. If the result is "true", your instance is vulnerable.
To disable anonymous access, patch the argocd-cm ConfigMap to either remove the users.anonymous.enabled field or set this field to "false".
To set the field to "false":
$ kubectl patch -n argocd cm argocd-cm --type=json -p='[{"op":"add", "path":"/data/users.anonymous.enabled", "value":"false"}]'
Or you can remove the field completely, thus disabling anonymous access because the default is false:
$ kubectl patch -n argocd cm argocd-cm --type=json -p='[{"op":"remove", "path":"/data/users.anonymous.enabled"}]'
Credits
The Argo CD team would like to thank Mark Pim and Andrzej Hajto, who discovered this vulnerability and reported it in a responsible way to us.
For more information
- Open an issue in the Argo CD issue tracker or discussions
- Join us on Slack in channel #argo-cd
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/argoproj/argo-cd/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/argoproj/argo-cd/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/argoproj/argo-cd/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.15"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.8.7"
},
"package": {
"ecosystem": "Go",
"name": "github.com/argoproj/argo-cd"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.15"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-29165"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-287",
"CWE-290"
],
"github_reviewed": true,
"github_reviewed_at": "2022-05-24T20:47:34Z",
"nvd_published_at": "2022-05-20T15:15:00Z",
"severity": "CRITICAL"
},
"details": "### Impact\n\nA critical vulnerability has been discovered in Argo CD which would allow unauthenticated users to impersonate as any Argo CD user or role, including the `admin` user, by sending a specifically crafted JSON Web Token (JWT) along with the request. In order for this vulnerability to be exploited, [anonymous access](https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/#anonymous-access) to the Argo CD instance must have been enabled. \n\nIn a default Argo CD installation, anonymous access is disabled. To find out if anonymous access is enabled in your instance, please see the *Workarounds* section of this advisory below.\n\nThe vulnerability can be exploited to impersonate as any user or role, including the built-in `admin` account regardless of whether that account is enabled or disabled. Also, the attacker does not need an account on the Argo CD instance in order to exploit this.\n\nIf anonymous access to the instance is enabled, an attacker can:\n\n* Escalate their privileges, effectively allowing them to gain the same privileges on the cluster as the Argo CD instance, which is cluster admin in a default installation. This will allow the attacker to create, manipulate and delete any resource on the cluster.\n\n* Exfiltrate data by deploying malicious workloads with elevated privileges, thus bypassing any redaction of sensitive data otherwise enforced by the Argo CD API\n\nWe **strongly recommend** that all users of Argo CD update to a version containing this patch as soon as possible, regardless of whether or not anonymous access is enabled in your instance.\n\nPlease see below for a list of versions containing a fix for this vulnerability and any possible workarounds existing for this issue.\n\n### Patches\n\nA patch for this vulnerability has been released in the following Argo CD versions:\n\n* v2.3.4\n* v2.2.9\n* v2.1.15\n\n### Workarounds\n\n#### Disable anonymous access\n\nIf you are not able to upgrade to a patched version quickly, we highly suggest disabling anonymous access if it is enabled. \n\nTo find out whether anonymous access is enabled for your Argo CD instance, you can query the `argocd-cm` ConfigMap in the Argo CD\u0027s installation namespace. The below example assumes you have installed Argo CD to the `argocd` namespace:\n\n```shell\n$ kubectl get -n argocd cm argocd-cm -o jsonpath=\u0027{.data.users\\.anonymous\\.enabled}\u0027\n```\n\nIf the result of this command is either empty or `\"false\"`, anonymous access to that instance is not enabled. If the result is `\"true\"`, your instance is vulnerable.\n\nTo disable anonymous access, patch the `argocd-cm` ConfigMap to either remove the `users.anonymous.enabled` field or set this field to `\"false\"`. \n\nTo set the field to `\"false\"`:\n\n```shell\n$ kubectl patch -n argocd cm argocd-cm --type=json -p=\u0027[{\"op\":\"add\", \"path\":\"/data/users.anonymous.enabled\", \"value\":\"false\"}]\u0027\n```\nOr you can remove the field completely, thus disabling anonymous access because the default is `false`:\n\n```shell\n$ kubectl patch -n argocd cm argocd-cm --type=json -p=\u0027[{\"op\":\"remove\", \"path\":\"/data/users.anonymous.enabled\"}]\u0027\n```\n\n### Credits\n\nThe Argo CD team would like to thank Mark Pim and Andrzej Hajto, who discovered this vulnerability and reported it in a responsible way to us.\n\n### For more information\n\n* Open an issue in [the Argo CD issue tracker](https://github.com/argoproj/argo-cd/issues) or [discussions](https://github.com/argoproj/argo-cd/discussions)\n* Join us on [Slack](https://argoproj.github.io/community/join-slack) in channel #argo-cd",
"id": "GHSA-r642-gv9p-2wjj",
"modified": "2022-05-24T20:47:34Z",
"published": "2022-05-24T20:47:34Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-r642-gv9p-2wjj"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29165"
},
{
"type": "WEB",
"url": "https://github.com/argoproj/argo-cd/releases/tag/v2.1.15"
},
{
"type": "WEB",
"url": "https://github.com/argoproj/argo-cd/releases/tag/v2.2.9"
},
{
"type": "WEB",
"url": "https://github.com/argoproj/argo-cd/releases/tag/v2.3.4"
},
{
"type": "PACKAGE",
"url": "github.com/argoproj/argo-cd"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Argo CD will blindly trust JWT claims if anonymous access is enabled"
}
GHSA-R657-33VP-GP22
Vulnerability from github – Published: 2022-09-21 20:43 – Updated: 2022-09-21 20:43Impact
Validation of the authentication adapter app ID for Facebook and Spotify may be circumvented.
This fixes a vulnerability that affects configurations which allow users to authenticate using the Parse Server authentication adapter for Facebook or Spotify and where the server-side authentication adapter configuration appIds is set as a string (e.g. abc) instead of an array of strings (e.g. ["abc"]). The vulnerability makes it possible to authenticate requests which are coming from a Facebook or Spotify app with a different app ID than the one specified in the appIds configuration.
Both adapters still validate the access token with the respective authentication provider. An app ID is automatically assigned by the authentication provider. For this vulnerability to be exploited, an attacker would have to be assigned an app ID by the authentication provider which is a sub-set of the server-side configured app ID.
The documentation did not explicitly specify that the parameter appIds must be set as an array of strings and setting a string also worked. Therefore, there is a possibility that there are deployments where appIds is set as a string, making them vulnerable.
Patches
The fix makes Parse Server check the type of the value set for appIds and throws an error if the value is not an array.
Workarounds
No known workarounds.
References
- GitHub advisory GHSA-r657-33vp-gp22
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "parse-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.10.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "parse-server"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.2.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-39231"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": true,
"github_reviewed_at": "2022-09-21T20:43:57Z",
"nvd_published_at": "2022-09-23T08:15:00Z",
"severity": "LOW"
},
"details": "### Impact\n\nValidation of the authentication adapter app ID for _Facebook_ and _Spotify_ may be circumvented.\n\nThis fixes a vulnerability that affects configurations which allow users to authenticate using the Parse Server authentication adapter for _Facebook_ or _Spotify_ and where the server-side authentication adapter configuration `appIds` is set as a string (e.g. `abc`) instead of an array of strings (e.g. `[\"abc\"]`). The vulnerability makes it possible to authenticate requests which are coming from a _Facebook_ or _Spotify_ app with a different app ID than the one specified in the `appIds` configuration.\n\nBoth adapters still validate the access token with the respective authentication provider. An app ID is automatically assigned by the authentication provider. For this vulnerability to be exploited, an attacker would have to be assigned an app ID by the authentication provider which is a sub-set of the server-side configured app ID.\n\nThe documentation did not explicitly specify that the parameter `appIds` must be set as an array of strings and setting a string also worked. Therefore, there is a possibility that there are deployments where `appIds` is set as a string, making them vulnerable.\n\n### Patches\n\nThe fix makes Parse Server check the type of the value set for `appIds` and throws an error if the value is not an array.\n\n### Workarounds\n\nNo known workarounds.\n\n### References\n\n- GitHub advisory [GHSA-r657-33vp-gp22](https://github.com/parse-community/parse-server/security/advisories/GHSA-r657-33vp-gp22)",
"id": "GHSA-r657-33vp-gp22",
"modified": "2022-09-21T20:43:57Z",
"published": "2022-09-21T20:43:57Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-r657-33vp-gp22"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39231"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/commit/8c8ec715739e0f851338cfed794409ebac66c51b"
},
{
"type": "PACKAGE",
"url": "https://github.com/parse-community/parse-server"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/releases/tag/4.10.16"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/releases/tag/5.2.7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "parse-server auth adapter app ID validation can be circumvented"
}
GHSA-R67H-M869-3M3Q
Vulnerability from github – Published: 2022-05-24 17:44 – Updated: 2022-07-11 00:00Incorrect Access Control in Emerson Smart Wireless Gateway 1420 4.6.59 allows remote attackers to obtain sensitive device information from the administrator console without authentication.
{
"affected": [],
"aliases": [
"CVE-2020-19419"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-306"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-10T18:15:00Z",
"severity": "HIGH"
},
"details": "Incorrect Access Control in Emerson Smart Wireless Gateway 1420 4.6.59 allows remote attackers to obtain sensitive device information from the administrator console without authentication.",
"id": "GHSA-r67h-m869-3m3q",
"modified": "2022-07-11T00:00:22Z",
"published": "2022-05-24T17:44:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-19419"
},
{
"type": "WEB",
"url": "https://cwe.mitre.org/data/definitions/306.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/161701/Emerson-Smart-Wireless-Gateway-1420-4.6.59-Missing-Authentication.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R6H4-5939-8VQ9
Vulnerability from github – Published: 2025-03-11 12:30 – Updated: 2025-03-11 12:30A vulnerability has been identified in SINAMICS S200 (All versions with serial number beginning with SZVS8, SZVS9, SZVS0 or SZVSN and the FS number is 02). The affected device contains an unlocked bootloader. This security oversight enables attackers to inject malicious code, or install untrusted firmware. The intrinsic security features designed to protect against data manipulation and unauthorized access are compromised when the bootloader is not secured.
{
"affected": [],
"aliases": [
"CVE-2024-56336"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-11T10:15:16Z",
"severity": "CRITICAL"
},
"details": "A vulnerability has been identified in SINAMICS S200 (All versions with serial number beginning with SZVS8, SZVS9, SZVS0 or SZVSN and the FS number is 02). The affected device contains an unlocked bootloader. This security oversight enables attackers to inject malicious code, or install untrusted firmware. The intrinsic security features designed to protect against data manipulation and unauthorized access are compromised when the bootloader is not secured.",
"id": "GHSA-r6h4-5939-8vq9",
"modified": "2025-03-11T12:30:59Z",
"published": "2025-03-11T12:30:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56336"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-787280.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-R6PV-MQWG-XQ5G
Vulnerability from github – Published: 2022-05-17 05:16 – Updated: 2026-06-03 15:30Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400 do not properly perform authentication for Ethernet firmware updates, which allows remote attackers to execute arbitrary code via a Trojan horse update image.
{
"affected": [],
"aliases": [
"CVE-2012-6437"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2013-01-24T21:55:00Z",
"severity": "HIGH"
},
"details": "Rockwell Automation EtherNet/IP products; 1756-ENBT, 1756-EWEB, 1768-ENBT, and 1768-EWEB communication modules; CompactLogix L32E and L35E controllers; 1788-ENBT FLEXLogix adapter; 1794-AENTR FLEX I/O EtherNet/IP adapter; ControlLogix 18 and earlier; CompactLogix 18 and earlier; GuardLogix 18 and earlier; SoftLogix 18 and earlier; CompactLogix controllers 19 and earlier; SoftLogix controllers 19 and earlier; ControlLogix controllers 20 and earlier; GuardLogix controllers 20 and earlier; and MicroLogix 1100 and 1400 do not properly perform authentication for Ethernet firmware updates, which allows remote attackers to execute arbitrary code via a Trojan horse update image.",
"id": "GHSA-r6pv-mqwg-xq5g",
"modified": "2026-06-03T15:30:31Z",
"published": "2022-05-17T05:16:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-6437"
},
{
"type": "WEB",
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/470154"
},
{
"type": "WEB",
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/aid/470155"
},
{
"type": "WEB",
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/aid/470156"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-13-011-03"
},
{
"type": "WEB",
"url": "http://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102"
},
{
"type": "WEB",
"url": "http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-03.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R6RH-C775-H225
Vulnerability from github – Published: 2025-05-12 21:31 – Updated: 2025-05-12 21:31Improper authentication handling was identified in a set of HTTP POST requests affecting the following product families:
-
Digi PortServer TS - prior to and including 82000747_AA, build date 06/17/2022
-
Digi One SP/Digi One SP IA/Digi One IA - prior to and including 82000774_Z, build date 10/19/2020
-
Digi One IAP – prior to and including 82000770 Z, build date 10/19/2020
A specially crafted POST request to the device’s web interface may allow an unauthenticated attacker to modify configuration settings.
{
"affected": [],
"aliases": [
"CVE-2025-3659"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-12T21:15:46Z",
"severity": "CRITICAL"
},
"details": "Improper authentication handling was identified in a set of HTTP POST requests affecting the following product families: \n\n * Digi PortServer TS - prior to and including 82000747_AA, build date 06/17/2022\n\n\n * Digi One SP/Digi One SP IA/Digi One IA - prior to and including 82000774_Z, build date 10/19/2020\n\n\n * Digi One IAP \u2013 prior to and including 82000770 Z, build date 10/19/2020\n\n\n\n\nA specially crafted POST request to the device\u2019s web interface may allow an unauthenticated attacker to modify configuration settings.",
"id": "GHSA-r6rh-c775-h225",
"modified": "2025-05-12T21:31:10Z",
"published": "2025-05-12T21:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3659"
},
{
"type": "WEB",
"url": "https://hub.digi.com/support/products/infrastructure-management/digi-one-iap-haz"
},
{
"type": "WEB",
"url": "https://hub.digi.com/support/products/infrastructure-management/digi-one-sp-ia"
},
{
"type": "WEB",
"url": "https://hub.digi.com/support/products/infrastructure-management/digi-portserver-ts"
},
{
"type": "WEB",
"url": "https://www.digi.com/getattachment/Resources/Security/Alerts/Improper-authentication-handling-for-Digi-PortServ/improper-authentication-handling.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-R6V9-P59M-GJ2P
Vulnerability from github – Published: 2022-09-02 21:55 – Updated: 2024-11-18 16:26Impact
The pool-upgrade request handler in Indy-Node <=1.12.4 allows an improperly authenticated attacker to remotely execute code on nodes within the network.
Network operators are strongly encouraged to upgrade to the latest Indy-Node release >=1.12.5 as soon as possible.
Patches
The pool-upgrade request handler in Indy-Node >=1.12.5 has been updated to properly authenticate pool-upgrade transactions before any processing is performed by the request handler. The transactions are further sanitized to prevent remote code execution.
Mitigations
Network operators are strongly encouraged to upgrade to the latest Indy-Node release >=1.12.5 as soon as possible.
Acknowledgements
Thank you to @shakreiner at CyberArk Labs for finding and responsibly disclosing this issue.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "indy-node"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.12.5rc1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-31020"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": true,
"github_reviewed_at": "2022-09-02T21:55:20Z",
"nvd_published_at": "2022-09-06T17:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\n\nThe `pool-upgrade` request handler in Indy-Node `\u003c=1.12.4` allows an improperly authenticated attacker to remotely execute code on nodes within the network.\n\nNetwork operators are strongly encouraged to upgrade to the latest Indy-Node release `\u003e=1.12.5` as soon as possible.\n\n### Patches\n\nThe `pool-upgrade` request handler in Indy-Node `\u003e=1.12.5` has been updated to properly authenticate `pool-upgrade` transactions before any processing is performed by the request handler. The transactions are further sanitized to prevent remote code execution.\n\n### Mitigations\n\nNetwork operators are strongly encouraged to upgrade to the latest Indy-Node release `\u003e=1.12.5` as soon as possible.\n\n### Acknowledgements\nThank you to @shakreiner at CyberArk Labs for finding and responsibly disclosing this issue.",
"id": "GHSA-r6v9-p59m-gj2p",
"modified": "2024-11-18T16:26:27Z",
"published": "2022-09-02T21:55:20Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/hyperledger/indy-node/security/advisories/GHSA-r6v9-p59m-gj2p"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31020"
},
{
"type": "WEB",
"url": "https://github.com/hyperledger/indy-node/commit/fe507474f77084faef4539101e2bbb4d508a97f5"
},
{
"type": "PACKAGE",
"url": "https://github.com/hyperledger/indy-node"
},
{
"type": "WEB",
"url": "https://github.com/hyperledger/indy-node/releases/tag/v1.12.5"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/indy-node/PYSEC-2022-265.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Indy\u0027s NODE_UPGRADE transaction vulnerable to remote code execution"
}
GHSA-R6VX-C8R8-FM3X
Vulnerability from github – Published: 2022-05-13 01:20 – Updated: 2022-05-13 01:20TRENDnet TEW-751DR v1.03B03, TEW-752DRU v1.03B01, and TEW733GR v1.03B01 devices allow authentication bypass via an AUTHORIZED_GROUP=1 value, as demonstrated by a request for getcfg.php.
{
"affected": [],
"aliases": [
"CVE-2018-7034"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-02-14T16:29:00Z",
"severity": "HIGH"
},
"details": "TRENDnet TEW-751DR v1.03B03, TEW-752DRU v1.03B01, and TEW733GR v1.03B01 devices allow authentication bypass via an AUTHORIZED_GROUP=1 value, as demonstrated by a request for getcfg.php.",
"id": "GHSA-r6vx-c8r8-fm3x",
"modified": "2022-05-13T01:20:31Z",
"published": "2022-05-13T01:20:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7034"
},
{
"type": "WEB",
"url": "https://blogs.securiteam.com/index.php/archives/3627"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R6WP-29QW-VXR5
Vulnerability from github – Published: 2025-04-01 00:30 – Updated: 2026-04-02 21:32A logic issue was addressed with improved state management. This issue is fixed in visionOS 2.4, macOS Ventura 13.7.5, tvOS 18.4, iPadOS 17.7.6, iOS 18.4 and iPadOS 18.4, macOS Sonoma 14.7.5. A malicious app may be able to attempt passcode entries on a locked device and thereby cause escalating time delays after 4 failures.
{
"affected": [],
"aliases": [
"CVE-2025-30432"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-31T23:15:25Z",
"severity": "MODERATE"
},
"details": "A logic issue was addressed with improved state management. This issue is fixed in visionOS 2.4, macOS Ventura 13.7.5, tvOS 18.4, iPadOS 17.7.6, iOS 18.4 and iPadOS 18.4, macOS Sonoma 14.7.5. A malicious app may be able to attempt passcode entries on a locked device and thereby cause escalating time delays after 4 failures.",
"id": "GHSA-r6wp-29qw-vxr5",
"modified": "2026-04-02T21:32:17Z",
"published": "2025-04-01T00:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30432"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122371"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122372"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122374"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122375"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122376"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122377"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122378"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Apr/10"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Apr/11"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Apr/12"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Apr/13"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Apr/4"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Apr/5"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Apr/9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-R6X2-CPWM-CR43
Vulnerability from github – Published: 2022-05-14 00:56 – Updated: 2022-05-14 00:56The master external node classification script in Puppet Enterprise before 3.2.0 does not verify the identity of consoles, which allows remote attackers to create arbitrary classifications on the master by spoofing a console.
{
"affected": [],
"aliases": [
"CVE-2013-4966"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2014-03-09T13:16:00Z",
"severity": "MODERATE"
},
"details": "The master external node classification script in Puppet Enterprise before 3.2.0 does not verify the identity of consoles, which allows remote attackers to create arbitrary classifications on the master by spoofing a console.",
"id": "GHSA-r6x2-cpwm-cr43",
"modified": "2022-05-14T00:56:50Z",
"published": "2022-05-14T00:56:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4966"
},
{
"type": "WEB",
"url": "http://puppetlabs.com/security/cve/cve-2013-4966"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1029873"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
Strategy: Libraries or Frameworks
Use an authentication framework or library such as the OWASP ESAPI Authentication feature.
CAPEC-114: Authentication Abuse
An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker.
CAPEC-115: Authentication Bypass
An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place.
CAPEC-151: Identity Spoofing
Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principle or use stolen / spoofed authentication credentials.
CAPEC-194: Fake the Source of Data
An adversary takes advantage of improper authentication to provide data or services under a falsified identity. The purpose of using the falsified identity may be to prevent traceability of the provided data or to assume the rights granted to another individual. One of the simplest forms of this attack would be the creation of an email message with a modified "From" field in order to appear that the message was sent from someone other than the actual sender. The root of the attack (in this case the email system) fails to properly authenticate the source and this results in the reader incorrectly performing the instructed action. Results of the attack vary depending on the details of the attack, but common results include privilege escalation, obfuscation of other attacks, and data corruption/manipulation.
CAPEC-22: Exploiting Trust in Client
An attack of this type exploits vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by communicating directly with the server where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
CAPEC-57: Utilizing REST's Trust in the System Resource to Obtain Sensitive Data
This attack utilizes a REST(REpresentational State Transfer)-style applications' trust in the system resources and environment to obtain sensitive data once SSL is terminated.
CAPEC-593: Session Hijacking
This type of attack involves an adversary that exploits weaknesses in an application's use of sessions in performing authentication. The adversary is able to steal or manipulate an active session and use it to gain unathorized access to the application.
CAPEC-633: Token Impersonation
An adversary exploits a weakness in authentication to create an access token (or equivalent) that impersonates a different entity, and then associates a process/thread to that that impersonated token. This action causes a downstream user to make a decision or take action that is based on the assumed identity, and not the response that blocks the adversary.
CAPEC-650: Upload a Web Shell to a Web Server
By exploiting insufficient permissions, it is possible to upload a web shell to a web server in such a way that it can be executed remotely. This shell can have various capabilities, thereby acting as a "gateway" to the underlying web server. The shell might execute at the higher permission level of the web server, providing the ability the execute malicious code at elevated levels.
CAPEC-94: Adversary in the Middle (AiTM)
An adversary targets the communication between two components (typically client and server), in order to alter or obtain data from transactions. A general approach entails the adversary placing themself within the communication channel between the two components.