CWE-290
AllowedAuthentication Bypass by Spoofing
Abstraction: Base · Status: Incomplete
This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
927 vulnerabilities reference this CWE, most recent first.
GHSA-7RH7-C77V-6434
Vulnerability from github – Published: 2025-07-30 19:41 – Updated: 2025-07-31 11:21Impact
This vulnerability affects oauth2-proxy deployments using the skip_auth_routes configuration option with regex patterns. The vulnerability allows attackers to bypass authentication by crafting URLs with query parameters that satisfy the configured regex patterns, potentially gaining unauthorized access to protected resources.
The issue stems from skip_auth_routes matching against the full request URI (path + query parameters) instead of just the path as documented. This discrepancy enables authentication bypass attacks where attackers append malicious query parameters to access protected endpoints.
Example Attack:
- Configuration:
skip_auth_routes = [ "^/foo/.*/bar$" ] - Intended behavior: Allow
/foo/something/bar - Actual vulnerability: Also allows
/foo/critical_endpoint?param=/bar
Deployments using skip_auth_routes with regex patterns containing wildcards or broad matching patterns are most at risk, especially when backend services ignore unknown query parameters.
Patches
A patch has been released with version v7.11.0.
Workarounds
Immediate mitigations:
- Review regex patterns: Audit all
skip_auth_routesconfigurations for overly permissive patterns - Use precise patterns: Replace wildcard patterns with exact path matches where possible
- Anchor patterns: Ensure regex patterns are properly anchored (start with
^and end with$) - Path-only matching: Consider implementing custom validation that strips query parameters before regex matching
Example secure configuration:
```toml
Instead of: "^/public/.*"
Use specific paths: "^/public/assets$", "^/public/health$"
skip_auth_routes = ["^/public/assets$", "^/public/health$", "^/api/status$"] ```
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 7.10.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/oauth2-proxy/oauth2-proxy/v7"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.11.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-54576"
],
"database_specific": {
"cwe_ids": [
"CWE-290"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-30T19:41:07Z",
"nvd_published_at": "2025-07-30T20:15:37Z",
"severity": "CRITICAL"
},
"details": "### Impact\nThis vulnerability affects oauth2-proxy deployments using the `skip_auth_routes` configuration option with regex patterns. The vulnerability allows attackers to bypass authentication by crafting URLs with query parameters that satisfy the configured regex patterns, potentially gaining unauthorized access to protected resources.\n\nThe issue stems from `skip_auth_routes` matching against the full request URI (path + query parameters) instead of just the path as documented. This discrepancy enables authentication bypass attacks where attackers append malicious query parameters to access protected endpoints.\n\nExample Attack:\n\n* Configuration: `skip_auth_routes = [ \"^/foo/.*/bar$\" ]`\n* Intended behavior: Allow `/foo/something/bar`\n* Actual vulnerability: Also allows `/foo/critical_endpoint?param=/bar`\n\nDeployments using `skip_auth_routes` with regex patterns containing wildcards or broad matching patterns are most at risk, especially when backend services ignore unknown query parameters.\n\n\n### Patches\nA patch has been released with version [v7.11.0](https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v7.11.0).\n\n### Workarounds\n\nImmediate mitigations:\n\n1. Review regex patterns: Audit all `skip_auth_routes` configurations for overly permissive patterns\n2. Use precise patterns: Replace wildcard patterns with exact path matches where possible\n3. Anchor patterns: Ensure regex patterns are properly anchored (start with `^` and end with `$`)\n4. Path-only matching: Consider implementing custom validation that strips query parameters before regex matching\n\nExample secure configuration:\n\n```toml\n# Instead of: \"^/public/.*\"\n# Use specific paths: \"^/public/assets$\", \"^/public/health$\"\nskip_auth_routes = [\"^/public/assets$\", \"^/public/health$\", \"^/api/status$\"]\n ```",
"id": "GHSA-7rh7-c77v-6434",
"modified": "2025-07-31T11:21:19Z",
"published": "2025-07-30T19:41:07Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-7rh7-c77v-6434"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54576"
},
{
"type": "WEB",
"url": "https://github.com/oauth2-proxy/oauth2-proxy/commit/9ffafad4b2d2f9f7668e5504565f356a7c047b77"
},
{
"type": "PACKAGE",
"url": "https://github.com/oauth2-proxy/oauth2-proxy"
},
{
"type": "WEB",
"url": "https://github.com/oauth2-proxy/oauth2-proxy/blob/f4b33b64bd66ad28e9b0d63bea51837b83c00ca1/oauthproxy.go#L582-L584"
},
{
"type": "WEB",
"url": "https://github.com/oauth2-proxy/oauth2-proxy/blob/f4b33b64bd66ad28e9b0d63bea51837b83c00ca1/pkg/requests/util/util.go#L37-L44"
},
{
"type": "WEB",
"url": "https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v7.11.0"
},
{
"type": "WEB",
"url": "https://oauth2-proxy.github.io/oauth2-proxy/configuration/overview/#proxy-options"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "OAuth2-Proxy has authentication bypass in oauth2-proxy skip_auth_routes due to Query Parameter inclusion"
}
GHSA-7WWR-H8CM-9JF7
Vulnerability from github – Published: 2025-02-10 21:31 – Updated: 2025-03-03 20:08Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-4rcc-7pg7-f57f. This link is maintained to preserve external references.
Original Description
Vulnerability in the OPC UA .NET Standard Stack before 1.5.374.158 allows an unauthorized attacker to bypass application authentication when using HTTPS endpoints.
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "OPCFoundation.NetStandard.Opc.Ua"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5.374.158"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-290",
"CWE-305"
],
"github_reviewed": true,
"github_reviewed_at": "2025-02-10T22:57:35Z",
"nvd_published_at": "2025-02-10T19:15:38Z",
"severity": "MODERATE"
},
"details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-4rcc-7pg7-f57f. This link is maintained to preserve external references.\n\n## Original Description\nVulnerability in the OPC UA .NET Standard Stack before 1.5.374.158 allows an unauthorized attacker to bypass application authentication when using HTTPS endpoints.",
"id": "GHSA-7wwr-h8cm-9jf7",
"modified": "2025-03-03T20:08:30Z",
"published": "2025-02-10T21:31:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42513"
},
{
"type": "WEB",
"url": "https://files.opcfoundation.org/SecurityBulletins/OPC%20Foundation%20Security%20Bulletin%20CVE-2024-42513.pdf"
},
{
"type": "PACKAGE",
"url": "https://github.com/OPCFoundation/UA-.NETStandard"
},
{
"type": "WEB",
"url": "https://github.com/OPCFoundation/UA-.NETStandard/tree/1.5.374.158"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Duplicate Advisory: Authentication Bypass by Spoofing in OPC UA .NET Standard Stack",
"withdrawn": "2025-03-03T20:08:30Z"
}
GHSA-7X63-XV5R-3P2X
Vulnerability from github – Published: 2026-04-15 19:21 – Updated: 2026-04-24 21:11Impact
A configuration-dependent authentication bypass exists in OAuth2 Proxy.
Deployments are affected when all of the following are true:
- OAuth2 Proxy is configured with
--reverse-proxy - and at least one rule is defined with
--skip_auth_routesor the legacy--skip-auth-regex
OAuth2 Proxy may trust a client-supplied X-Forwarded-Uri header when --reverse-proxy is enabled and --skip-auth-route or --skip-auth-regex is configured. An attacker can spoof this header so OAuth2 Proxy evaluates authentication and skip-auth rules against a different path than the one actually sent to the upstream application.
This can result in an unauthenticated remote attacker bypassing authentication and accessing protected routes without a valid session.
Patches
This issue is addressed as part of the newly introduced --trusted-proxy-ip flag in v7.15.2. If you leave it unset, OAuth2 Proxy will continue to trust ALL source IPs (0.0.0.0/0) for backwards compatibility, which means a client may still be able to spoof forwarded headers. Therefore after upgrading we urge you to use the new --trusted-proxy-ip flag to set the IPs or CIDR ranges of the reverse proxies that are allowed to send X-Forwarded-* headers and furthermore implement the mitigation steps outlined below to properly configure your load balancer infrastructure.
Mitigation
- Strip any client-provided
X-Forwarded-Uriheader at the reverse proxy or load balancer level - Explicitly overwrite
X-Forwarded-Uriwith the actual request URI before forwarding requests to OAuth2 Proxy
Example nginx mitigation for the auth subrequest: ``` location /internal-auth/ { internal; # Ensure external users can't access this path
# Make sure the OAuth2 Proxy knows where the original request came from.
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
# set the value to the actual $request_uri and therefore strip any user provided X-Forwarded-Uri
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_pass http://oauth2-proxy:4180/;
}
``
- Restrict direct client access to OAuth2 Proxy so it can only be reached through a trusted reverse proxy
- Remove or narrow--skip-auth-route/--skip-auth-regex` rules where possible
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/oauth2-proxy/oauth2-proxy/v7"
},
"ranges": [
{
"events": [
{
"introduced": "7.5.0"
},
{
"fixed": "7.15.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-40575"
],
"database_specific": {
"cwe_ids": [
"CWE-290"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-15T19:21:06Z",
"nvd_published_at": "2026-04-22T00:16:27Z",
"severity": "CRITICAL"
},
"details": "### Impact\n\nA configuration-dependent authentication bypass exists in OAuth2 Proxy.\n\nDeployments are affected when all of the following are true:\n\n* OAuth2 Proxy is configured with `--reverse-proxy`\n* and at least one rule is defined with `--skip_auth_routes` or the legacy `--skip-auth-regex`\n\nOAuth2 Proxy may trust a client-supplied `X-Forwarded-Uri` header when `--reverse-proxy` is enabled and `--skip-auth-route` or `--skip-auth-regex` is configured. An attacker can spoof this header so OAuth2 Proxy evaluates authentication and skip-auth rules against a different path than the one actually sent to the upstream application.\n\nThis can result in an unauthenticated remote attacker bypassing authentication and accessing protected routes without a valid session.\n\n\n### Patches\nThis issue is addressed as part of the newly introduced `--trusted-proxy-ip` flag in `v7.15.2`. If you leave it unset, OAuth2 Proxy will **continue to trust ALL** source IPs (0.0.0.0/0) for backwards compatibility, which means a client may still be able to spoof forwarded headers. Therefore after upgrading we urge you to use the new `--trusted-proxy-ip` flag to set the IPs or CIDR ranges of the reverse proxies that are allowed to send `X-Forwarded-*` headers and furthermore implement the mitigation steps outlined below to properly configure your load balancer infrastructure.\n\n### Mitigation\n\n- Strip any client-provided `X-Forwarded-Uri` header at the reverse proxy or load balancer level\n- Explicitly overwrite `X-Forwarded-Uri` with the actual request URI before forwarding requests to OAuth2 Proxy\n\n Example nginx mitigation for the auth subrequest:\n ```\n location /internal-auth/ {\n internal; # Ensure external users can\u0027t access this path\n \n # Make sure the OAuth2 Proxy knows where the original request came from.\n proxy_set_header Host $host;\n proxy_set_header X-Real-IP $remote_addr;\n # set the value to the actual $request_uri and therefore strip any user provided X-Forwarded-Uri\n proxy_set_header X-Forwarded-Uri $request_uri;\n \n proxy_pass http://oauth2-proxy:4180/;\n }\n ```\n- Restrict direct client access to OAuth2 Proxy so it can only be reached through a trusted reverse proxy\n- Remove or narrow `--skip-auth-route` / `--skip-auth-regex` rules where possible",
"id": "GHSA-7x63-xv5r-3p2x",
"modified": "2026-04-24T21:11:06Z",
"published": "2026-04-15T19:21:06Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-7x63-xv5r-3p2x"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40575"
},
{
"type": "PACKAGE",
"url": "https://github.com/oauth2-proxy/oauth2-proxy"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "OAuth2 Proxy has an Authentication Bypass via X-Forwarded-Uri Header Spoofing"
}
GHSA-7XF9-6RPX-2C4R
Vulnerability from github – Published: 2025-02-12 00:32 – Updated: 2025-02-12 15:31The WPGateway Plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 3.5. This allows unauthenticated attackers to create arbitrary malicious administrator accounts.
{
"affected": [],
"aliases": [
"CVE-2022-3180"
],
"database_specific": {
"cwe_ids": [
"CWE-290"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-11T22:15:24Z",
"severity": "CRITICAL"
},
"details": "The WPGateway Plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 3.5. This allows unauthenticated attackers to create arbitrary malicious administrator accounts.",
"id": "GHSA-7xf9-6rpx-2c4r",
"modified": "2025-02-12T15:31:56Z",
"published": "2025-02-12T00:32:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3180"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/blog/2022/09/psa-zero-day-vulnerability-in-wpgateway-actively-exploited-in-the-wild"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wpgateway/wpgateway-35-unauthenticated-privilege-escalation"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-83GR-GJXH-XVRX
Vulnerability from github – Published: 2026-04-29 21:31 – Updated: 2026-04-29 21:31Tenda W3002R/A302/W309R wireless routers version V5.07.64_en contain a cookie session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient session validation. Attackers can send GET requests to the /goform/AdvSetDns endpoint with a crafted admin language cookie to change primary and secondary DNS servers, redirecting user traffic to malicious DNS servers.
{
"affected": [],
"aliases": [
"CVE-2018-25317"
],
"database_specific": {
"cwe_ids": [
"CWE-290"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-29T20:16:27Z",
"severity": "CRITICAL"
},
"details": "Tenda W3002R/A302/W309R wireless routers version V5.07.64_en contain a cookie session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient session validation. Attackers can send GET requests to the /goform/AdvSetDns endpoint with a crafted admin language cookie to change primary and secondary DNS servers, redirecting user traffic to malicious DNS servers.",
"id": "GHSA-83gr-gjxh-xvrx",
"modified": "2026-04-29T21:31:30Z",
"published": "2026-04-29T21:31:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25317"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/44380"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/tenda-w3002r-a302-w309r-64-en-cookie-session-weakness-dns-change"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-844J-XRRQ-WGH4
Vulnerability from github – Published: 2026-03-26 21:42 – Updated: 2026-04-10 19:43Summary
When gateway.trustedProxies was configured, spoofed loopback hops in forwarding headers could be accepted as the client origin and weaken downstream auth and rate-limit decisions.
Affected Packages / Versions
- Package:
openclaw(npm) - Affected: < 2026.3.22
- Fixed: >= 2026.3.22
- Latest released tag checked:
v2026.3.23-2(630f1479c44f78484dfa21bb407cbe6f171dac87) - Latest published npm version checked:
2026.3.23-2
Fix Commit(s)
fc2d29ea926f47c428c556e92ec981441228d2a4
Release Status
The fix shipped in v2026.3.22 and remains present in v2026.3.23 and v2026.3.23-2.
Code-Level Confirmation
- src/gateway/net.ts now ignores loopback forwarded hops before trusted-proxy client resolution.
- That shipped origin fix is the one consumed by canvas auth and gateway auth-rate-limit paths that rely on resolved client identity.
OpenClaw thanks @lintsinghua for reporting.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.22"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-35656"
],
"database_specific": {
"cwe_ids": [
"CWE-290"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-26T21:42:30Z",
"nvd_published_at": "2026-04-10T17:17:06Z",
"severity": "MODERATE"
},
"details": "## Summary\nWhen gateway.trustedProxies was configured, spoofed loopback hops in forwarding headers could be accepted as the client origin and weaken downstream auth and rate-limit decisions.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: \u003c 2026.3.22\n- Fixed: \u003e= 2026.3.22\n- Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`)\n- Latest published npm version checked: `2026.3.23-2`\n\n## Fix Commit(s)\n- `fc2d29ea926f47c428c556e92ec981441228d2a4`\n\n## Release Status\nThe fix shipped in `v2026.3.22` and remains present in `v2026.3.23` and `v2026.3.23-2`.\n\n## Code-Level Confirmation\n- src/gateway/net.ts now ignores loopback forwarded hops before trusted-proxy client resolution.\n- That shipped origin fix is the one consumed by canvas auth and gateway auth-rate-limit paths that rely on resolved client identity.\n\nOpenClaw thanks @lintsinghua for reporting.",
"id": "GHSA-844j-xrrq-wgh4",
"modified": "2026-04-10T19:43:21Z",
"published": "2026-03-26T21:42:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-844j-xrrq-wgh4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35656"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/fc2d29ea926f47c428c556e92ec981441228d2a4"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-xff-loopback-spoofing-bypass-in-canvas-authentication-and-rate-limiter"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: Forwarding header spoofing bypasses gateway.trustedProxies origin detection"
}
GHSA-84WQ-7X6V-V62W
Vulnerability from github – Published: 2023-06-16 15:30 – Updated: 2024-04-04 04:54There is a traffic hijacking vulnerability in Huawei routers. Successful exploitation of this vulnerability can cause packets to be hijacked by attackers.
{
"affected": [],
"aliases": [
"CVE-2022-48469"
],
"database_specific": {
"cwe_ids": [
"CWE-290"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-16T13:15:09Z",
"severity": "MODERATE"
},
"details": "There is a traffic hijacking vulnerability in Huawei routers. Successful exploitation of this vulnerability can cause packets to be hijacked by attackers.\u00a0",
"id": "GHSA-84wq-7x6v-v62w",
"modified": "2024-04-04T04:54:56Z",
"published": "2023-06-16T15:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48469"
},
{
"type": "WEB",
"url": "https://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-thvihr-7015cbae-en"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-86WC-GR98-6P59
Vulnerability from github – Published: 2024-09-17 21:30 – Updated: 2024-09-23 18:30Inappropriate implementation in Autofill in Google Chrome prior to 129.0.6668.58 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
{
"affected": [],
"aliases": [
"CVE-2024-8908"
],
"database_specific": {
"cwe_ids": [
"CWE-290"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-17T21:15:13Z",
"severity": "MODERATE"
},
"details": "Inappropriate implementation in Autofill in Google Chrome prior to 129.0.6668.58 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)",
"id": "GHSA-86wc-gr98-6p59",
"modified": "2024-09-23T18:30:33Z",
"published": "2024-09-17T21:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8908"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2024/09/stable-channel-update-for-desktop_17.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/337222641"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-87WP-C9X7-PPQ5
Vulnerability from github – Published: 2022-09-17 00:00 – Updated: 2022-09-25 00:00Tesla Model 3 V11.0(2022.4.5.1 6b701552d7a6) Tesla mobile app v4.23 is vulnerable to Authentication Bypass by spoofing. Tesla Model 3's Phone Key authentication is vulnerable to Man-in-the-middle attacks in the BLE channel. It allows attackers to open a door and drive the car away by leveraging access to a legitimate Phone Key.
{
"affected": [],
"aliases": [
"CVE-2022-37709"
],
"database_specific": {
"cwe_ids": [
"CWE-290"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-16T22:15:00Z",
"severity": "MODERATE"
},
"details": "Tesla Model 3 V11.0(2022.4.5.1 6b701552d7a6) Tesla mobile app v4.23 is vulnerable to Authentication Bypass by spoofing. Tesla Model 3\u0027s Phone Key authentication is vulnerable to Man-in-the-middle attacks in the BLE channel. It allows attackers to open a door and drive the car away by leveraging access to a legitimate Phone Key.",
"id": "GHSA-87wp-c9x7-ppq5",
"modified": "2022-09-25T00:00:27Z",
"published": "2022-09-17T00:00:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37709"
},
{
"type": "WEB",
"url": "https://fmsh-seclab.github.io"
},
{
"type": "WEB",
"url": "https://github.com/fmsh-seclab/TesMla"
},
{
"type": "WEB",
"url": "https://youtu.be/cPhYW5FzA9A"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-89MG-WJHC-7PJP
Vulnerability from github – Published: 2024-04-02 09:30 – Updated: 2024-04-02 09:30in OpenHarmony v3.2.4 and prior versions allow a remote attacker bypass permission verification to install apps, although these require user action.
{
"affected": [],
"aliases": [
"CVE-2024-22092"
],
"database_specific": {
"cwe_ids": [
"CWE-290"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-02T07:15:41Z",
"severity": "HIGH"
},
"details": "in OpenHarmony v3.2.4 and prior versions allow a remote attacker bypass permission verification to install apps, although these require user action.",
"id": "GHSA-89mg-wjhc-7pjp",
"modified": "2024-04-02T09:30:40Z",
"published": "2024-04-02T09:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22092"
},
{
"type": "WEB",
"url": "https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2024/2024-04.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
CAPEC-21: Exploitation of Trusted Identifiers
An adversary guesses, obtains, or "rides" a trusted identifier (e.g. session ID, resource ID, cookie, etc.) to perform authorized actions under the guise of an authenticated user or service.
CAPEC-22: Exploiting Trust in Client
An attack of this type exploits vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by communicating directly with the server where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
CAPEC-459: Creating a Rogue Certification Authority Certificate
An adversary exploits a weakness resulting from using a hashing algorithm with weak collision resistance to generate certificate signing requests (CSR) that contain collision blocks in their "to be signed" parts. The adversary submits one CSR to be signed by a trusted certificate authority then uses the signed blob to make a second certificate appear signed by said certificate authority. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the adversary's second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority.
CAPEC-461: Web Services API Signature Forgery Leveraging Hash Function Extension Weakness
An adversary utilizes a hash function extension/padding weakness, to modify the parameters passed to the web service requesting authentication by generating their own call in order to generate a legitimate signature hash (as described in the notes), without knowledge of the secret token sometimes provided by the web service.
CAPEC-473: Signature Spoof
An attacker generates a message or datablock that causes the recipient to believe that the message or datablock was generated and cryptographically signed by an authoritative or reputable source, misleading a victim or victim operating system into performing malicious actions.
CAPEC-476: Signature Spoofing by Misrepresentation
An attacker exploits a weakness in the parsing or display code of the recipient software to generate a data blob containing a supposedly valid signature, but the signer's identity is falsely represented, which can lead to the attacker manipulating the recipient software or its victim user to perform compromising actions.
CAPEC-59: Session Credential Falsification through Prediction
This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
CAPEC-60: Reusing Session IDs (aka Session Replay)
This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.
CAPEC-667: Bluetooth Impersonation AttackS (BIAS)
An adversary disguises the MAC address of their Bluetooth enabled device to one for which there exists an active and trusted connection and authenticates successfully. The adversary can then perform malicious actions on the target Bluetooth device depending on the target’s capabilities.
CAPEC-94: Adversary in the Middle (AiTM)
An adversary targets the communication between two components (typically client and server), in order to alter or obtain data from transactions. A general approach entails the adversary placing themself within the communication channel between the two components.