Common Weakness Enumeration

CWE-290

Allowed

Authentication Bypass by Spoofing

Abstraction: Base · Status: Incomplete

This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

927 vulnerabilities reference this CWE, most recent first.

GHSA-7RH7-C77V-6434

Vulnerability from github – Published: 2025-07-30 19:41 – Updated: 2025-07-31 11:21
VLAI
Summary
OAuth2-Proxy has authentication bypass in oauth2-proxy skip_auth_routes due to Query Parameter inclusion
Details

Impact

This vulnerability affects oauth2-proxy deployments using the skip_auth_routes configuration option with regex patterns. The vulnerability allows attackers to bypass authentication by crafting URLs with query parameters that satisfy the configured regex patterns, potentially gaining unauthorized access to protected resources.

The issue stems from skip_auth_routes matching against the full request URI (path + query parameters) instead of just the path as documented. This discrepancy enables authentication bypass attacks where attackers append malicious query parameters to access protected endpoints.

Example Attack:

  • Configuration: skip_auth_routes = [ "^/foo/.*/bar$" ]
  • Intended behavior: Allow /foo/something/bar
  • Actual vulnerability: Also allows /foo/critical_endpoint?param=/bar

Deployments using skip_auth_routes with regex patterns containing wildcards or broad matching patterns are most at risk, especially when backend services ignore unknown query parameters.

Patches

A patch has been released with version v7.11.0.

Workarounds

Immediate mitigations:

  1. Review regex patterns: Audit all skip_auth_routes configurations for overly permissive patterns
  2. Use precise patterns: Replace wildcard patterns with exact path matches where possible
  3. Anchor patterns: Ensure regex patterns are properly anchored (start with ^ and end with $)
  4. Path-only matching: Consider implementing custom validation that strips query parameters before regex matching

Example secure configuration:

```toml

Instead of: "^/public/.*"

Use specific paths: "^/public/assets$", "^/public/health$"

skip_auth_routes = ["^/public/assets$", "^/public/health$", "^/api/status$"] ```

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 7.10.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/oauth2-proxy/oauth2-proxy/v7"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.11.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-54576"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-30T19:41:07Z",
    "nvd_published_at": "2025-07-30T20:15:37Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\nThis vulnerability affects oauth2-proxy deployments using the `skip_auth_routes` configuration option with regex patterns. The vulnerability allows attackers to bypass authentication by crafting URLs with query parameters that satisfy the configured regex patterns, potentially gaining unauthorized access to protected resources.\n\nThe issue stems from `skip_auth_routes` matching against the full request URI (path + query parameters) instead of just the path as documented. This discrepancy enables authentication bypass attacks where attackers append malicious query parameters to access protected endpoints.\n\nExample Attack:\n\n* Configuration: `skip_auth_routes = [ \"^/foo/.*/bar$\" ]`\n* Intended behavior: Allow `/foo/something/bar`\n* Actual vulnerability: Also allows `/foo/critical_endpoint?param=/bar`\n\nDeployments using `skip_auth_routes` with regex patterns containing wildcards or broad matching patterns are most at risk, especially when backend services ignore unknown query parameters.\n\n\n### Patches\nA patch has been released with version [v7.11.0](https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v7.11.0).\n\n### Workarounds\n\nImmediate mitigations:\n\n1. Review regex patterns: Audit all `skip_auth_routes` configurations for overly permissive patterns\n2. Use precise patterns: Replace wildcard patterns with exact path matches where possible\n3. Anchor patterns: Ensure regex patterns are properly anchored (start with `^` and end with `$`)\n4. Path-only matching: Consider implementing custom validation that strips query parameters before regex matching\n\nExample secure configuration:\n\n```toml\n# Instead of: \"^/public/.*\"\n# Use specific paths: \"^/public/assets$\", \"^/public/health$\"\nskip_auth_routes = [\"^/public/assets$\", \"^/public/health$\", \"^/api/status$\"]\n ```",
  "id": "GHSA-7rh7-c77v-6434",
  "modified": "2025-07-31T11:21:19Z",
  "published": "2025-07-30T19:41:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-7rh7-c77v-6434"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54576"
    },
    {
      "type": "WEB",
      "url": "https://github.com/oauth2-proxy/oauth2-proxy/commit/9ffafad4b2d2f9f7668e5504565f356a7c047b77"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/oauth2-proxy/oauth2-proxy"
    },
    {
      "type": "WEB",
      "url": "https://github.com/oauth2-proxy/oauth2-proxy/blob/f4b33b64bd66ad28e9b0d63bea51837b83c00ca1/oauthproxy.go#L582-L584"
    },
    {
      "type": "WEB",
      "url": "https://github.com/oauth2-proxy/oauth2-proxy/blob/f4b33b64bd66ad28e9b0d63bea51837b83c00ca1/pkg/requests/util/util.go#L37-L44"
    },
    {
      "type": "WEB",
      "url": "https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v7.11.0"
    },
    {
      "type": "WEB",
      "url": "https://oauth2-proxy.github.io/oauth2-proxy/configuration/overview/#proxy-options"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OAuth2-Proxy has authentication bypass in oauth2-proxy skip_auth_routes due to Query Parameter inclusion"
}

GHSA-7WWR-H8CM-9JF7

Vulnerability from github – Published: 2025-02-10 21:31 – Updated: 2025-03-03 20:08
VLAI
Summary
Duplicate Advisory: Authentication Bypass by Spoofing in OPC UA .NET Standard Stack
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-4rcc-7pg7-f57f. This link is maintained to preserve external references.

Original Description

Vulnerability in the OPC UA .NET Standard Stack before 1.5.374.158 allows an unauthorized attacker to bypass application authentication when using HTTPS endpoints.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "OPCFoundation.NetStandard.Opc.Ua"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.5.374.158"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-290",
      "CWE-305"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-10T22:57:35Z",
    "nvd_published_at": "2025-02-10T19:15:38Z",
    "severity": "MODERATE"
  },
  "details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-4rcc-7pg7-f57f. This link is maintained to preserve external references.\n\n## Original Description\nVulnerability in the OPC UA .NET Standard Stack before 1.5.374.158 allows an unauthorized attacker to bypass application authentication when using HTTPS endpoints.",
  "id": "GHSA-7wwr-h8cm-9jf7",
  "modified": "2025-03-03T20:08:30Z",
  "published": "2025-02-10T21:31:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42513"
    },
    {
      "type": "WEB",
      "url": "https://files.opcfoundation.org/SecurityBulletins/OPC%20Foundation%20Security%20Bulletin%20CVE-2024-42513.pdf"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/OPCFoundation/UA-.NETStandard"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OPCFoundation/UA-.NETStandard/tree/1.5.374.158"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Duplicate Advisory: Authentication Bypass by Spoofing in OPC UA .NET Standard Stack",
  "withdrawn": "2025-03-03T20:08:30Z"
}

GHSA-7X63-XV5R-3P2X

Vulnerability from github – Published: 2026-04-15 19:21 – Updated: 2026-04-24 21:11
VLAI
Summary
OAuth2 Proxy has an Authentication Bypass via X-Forwarded-Uri Header Spoofing
Details

Impact

A configuration-dependent authentication bypass exists in OAuth2 Proxy.

Deployments are affected when all of the following are true:

  • OAuth2 Proxy is configured with --reverse-proxy
  • and at least one rule is defined with --skip_auth_routes or the legacy --skip-auth-regex

OAuth2 Proxy may trust a client-supplied X-Forwarded-Uri header when --reverse-proxy is enabled and --skip-auth-route or --skip-auth-regex is configured. An attacker can spoof this header so OAuth2 Proxy evaluates authentication and skip-auth rules against a different path than the one actually sent to the upstream application.

This can result in an unauthenticated remote attacker bypassing authentication and accessing protected routes without a valid session.

Patches

This issue is addressed as part of the newly introduced --trusted-proxy-ip flag in v7.15.2. If you leave it unset, OAuth2 Proxy will continue to trust ALL source IPs (0.0.0.0/0) for backwards compatibility, which means a client may still be able to spoof forwarded headers. Therefore after upgrading we urge you to use the new --trusted-proxy-ip flag to set the IPs or CIDR ranges of the reverse proxies that are allowed to send X-Forwarded-* headers and furthermore implement the mitigation steps outlined below to properly configure your load balancer infrastructure.

Mitigation

  • Strip any client-provided X-Forwarded-Uri header at the reverse proxy or load balancer level
  • Explicitly overwrite X-Forwarded-Uri with the actual request URI before forwarding requests to OAuth2 Proxy

Example nginx mitigation for the auth subrequest: ``` location /internal-auth/ { internal; # Ensure external users can't access this path

  # Make sure the OAuth2 Proxy knows where the original request came from.
  proxy_set_header Host       $host;
  proxy_set_header X-Real-IP  $remote_addr;
  # set the value to the actual $request_uri and therefore strip any user provided X-Forwarded-Uri
  proxy_set_header X-Forwarded-Uri $request_uri;

  proxy_pass http://oauth2-proxy:4180/;
}

`` - Restrict direct client access to OAuth2 Proxy so it can only be reached through a trusted reverse proxy - Remove or narrow--skip-auth-route/--skip-auth-regex` rules where possible

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/oauth2-proxy/oauth2-proxy/v7"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.5.0"
            },
            {
              "fixed": "7.15.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40575"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-15T19:21:06Z",
    "nvd_published_at": "2026-04-22T00:16:27Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nA configuration-dependent authentication bypass exists in OAuth2 Proxy.\n\nDeployments are affected when all of the following are true:\n\n* OAuth2 Proxy is configured with `--reverse-proxy`\n* and at least one rule is defined with `--skip_auth_routes` or the legacy `--skip-auth-regex`\n\nOAuth2 Proxy may trust a client-supplied `X-Forwarded-Uri` header when `--reverse-proxy` is enabled and `--skip-auth-route` or `--skip-auth-regex` is configured. An attacker can spoof this header so OAuth2 Proxy evaluates authentication and skip-auth rules against a different path than the one actually sent to the upstream application.\n\nThis can result in an unauthenticated remote attacker bypassing authentication and accessing protected routes without a valid session.\n\n\n### Patches\nThis issue is addressed as part of the newly introduced `--trusted-proxy-ip` flag in `v7.15.2`. If you leave it unset, OAuth2 Proxy will **continue to trust ALL** source IPs (0.0.0.0/0) for backwards compatibility, which means a client may still be able to spoof forwarded headers. Therefore after upgrading we urge you to use the new `--trusted-proxy-ip` flag to set the IPs or CIDR ranges of the reverse proxies that are allowed to send `X-Forwarded-*` headers and furthermore implement the mitigation steps outlined below to properly configure your load balancer infrastructure.\n\n### Mitigation\n\n- Strip any client-provided `X-Forwarded-Uri` header at the reverse proxy or load balancer level\n- Explicitly overwrite `X-Forwarded-Uri` with the actual request URI before forwarding requests to OAuth2 Proxy\n\n  Example nginx mitigation for the auth subrequest:\n  ```\n    location /internal-auth/ {\n      internal; # Ensure external users can\u0027t access this path\n  \n      # Make sure the OAuth2 Proxy knows where the original request came from.\n      proxy_set_header Host       $host;\n      proxy_set_header X-Real-IP  $remote_addr;\n      # set the value to the actual $request_uri and therefore strip any user provided X-Forwarded-Uri\n      proxy_set_header X-Forwarded-Uri $request_uri;\n  \n      proxy_pass http://oauth2-proxy:4180/;\n    }\n  ```\n- Restrict direct client access to OAuth2 Proxy so it can only be reached through a trusted reverse proxy\n- Remove or narrow `--skip-auth-route` / `--skip-auth-regex` rules where possible",
  "id": "GHSA-7x63-xv5r-3p2x",
  "modified": "2026-04-24T21:11:06Z",
  "published": "2026-04-15T19:21:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-7x63-xv5r-3p2x"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40575"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/oauth2-proxy/oauth2-proxy"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OAuth2 Proxy has an Authentication Bypass via X-Forwarded-Uri Header Spoofing"
}

GHSA-7XF9-6RPX-2C4R

Vulnerability from github – Published: 2025-02-12 00:32 – Updated: 2025-02-12 15:31
VLAI
Details

The WPGateway Plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 3.5. This allows unauthenticated attackers to create arbitrary malicious administrator accounts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-3180"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-11T22:15:24Z",
    "severity": "CRITICAL"
  },
  "details": "The WPGateway Plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 3.5. This allows unauthenticated attackers to create arbitrary malicious administrator accounts.",
  "id": "GHSA-7xf9-6rpx-2c4r",
  "modified": "2025-02-12T15:31:56Z",
  "published": "2025-02-12T00:32:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3180"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/blog/2022/09/psa-zero-day-vulnerability-in-wpgateway-actively-exploited-in-the-wild"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wpgateway/wpgateway-35-unauthenticated-privilege-escalation"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-83GR-GJXH-XVRX

Vulnerability from github – Published: 2026-04-29 21:31 – Updated: 2026-04-29 21:31
VLAI
Details

Tenda W3002R/A302/W309R wireless routers version V5.07.64_en contain a cookie session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient session validation. Attackers can send GET requests to the /goform/AdvSetDns endpoint with a crafted admin language cookie to change primary and secondary DNS servers, redirecting user traffic to malicious DNS servers.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-25317"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-29T20:16:27Z",
    "severity": "CRITICAL"
  },
  "details": "Tenda W3002R/A302/W309R wireless routers version V5.07.64_en contain a cookie session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient session validation. Attackers can send GET requests to the /goform/AdvSetDns endpoint with a crafted admin language cookie to change primary and secondary DNS servers, redirecting user traffic to malicious DNS servers.",
  "id": "GHSA-83gr-gjxh-xvrx",
  "modified": "2026-04-29T21:31:30Z",
  "published": "2026-04-29T21:31:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25317"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/44380"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/tenda-w3002r-a302-w309r-64-en-cookie-session-weakness-dns-change"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-844J-XRRQ-WGH4

Vulnerability from github – Published: 2026-03-26 21:42 – Updated: 2026-04-10 19:43
VLAI
Summary
OpenClaw: Forwarding header spoofing bypasses gateway.trustedProxies origin detection
Details

Summary

When gateway.trustedProxies was configured, spoofed loopback hops in forwarding headers could be accepted as the client origin and weaken downstream auth and rate-limit decisions.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected: < 2026.3.22
  • Fixed: >= 2026.3.22
  • Latest released tag checked: v2026.3.23-2 (630f1479c44f78484dfa21bb407cbe6f171dac87)
  • Latest published npm version checked: 2026.3.23-2

Fix Commit(s)

  • fc2d29ea926f47c428c556e92ec981441228d2a4

Release Status

The fix shipped in v2026.3.22 and remains present in v2026.3.23 and v2026.3.23-2.

Code-Level Confirmation

  • src/gateway/net.ts now ignores loopback forwarded hops before trusted-proxy client resolution.
  • That shipped origin fix is the one consumed by canvas auth and gateway auth-rate-limit paths that rely on resolved client identity.

OpenClaw thanks @lintsinghua for reporting.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.3.22"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-35656"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-26T21:42:30Z",
    "nvd_published_at": "2026-04-10T17:17:06Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\nWhen gateway.trustedProxies was configured, spoofed loopback hops in forwarding headers could be accepted as the client origin and weaken downstream auth and rate-limit decisions.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: \u003c 2026.3.22\n- Fixed: \u003e= 2026.3.22\n- Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`)\n- Latest published npm version checked: `2026.3.23-2`\n\n## Fix Commit(s)\n- `fc2d29ea926f47c428c556e92ec981441228d2a4`\n\n## Release Status\nThe fix shipped in `v2026.3.22` and remains present in `v2026.3.23` and `v2026.3.23-2`.\n\n## Code-Level Confirmation\n- src/gateway/net.ts now ignores loopback forwarded hops before trusted-proxy client resolution.\n- That shipped origin fix is the one consumed by canvas auth and gateway auth-rate-limit paths that rely on resolved client identity.\n\nOpenClaw thanks @lintsinghua for reporting.",
  "id": "GHSA-844j-xrrq-wgh4",
  "modified": "2026-04-10T19:43:21Z",
  "published": "2026-03-26T21:42:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-844j-xrrq-wgh4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35656"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/fc2d29ea926f47c428c556e92ec981441228d2a4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-xff-loopback-spoofing-bypass-in-canvas-authentication-and-rate-limiter"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw: Forwarding header spoofing bypasses gateway.trustedProxies origin detection"
}

GHSA-84WQ-7X6V-V62W

Vulnerability from github – Published: 2023-06-16 15:30 – Updated: 2024-04-04 04:54
VLAI
Details

There is a traffic hijacking vulnerability in Huawei routers. Successful exploitation of this vulnerability can cause packets to be hijacked by attackers. 

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-48469"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-16T13:15:09Z",
    "severity": "MODERATE"
  },
  "details": "There is a traffic hijacking vulnerability in Huawei routers. Successful exploitation of this vulnerability can cause packets to be hijacked by attackers.\u00a0",
  "id": "GHSA-84wq-7x6v-v62w",
  "modified": "2024-04-04T04:54:56Z",
  "published": "2023-06-16T15:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48469"
    },
    {
      "type": "WEB",
      "url": "https://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-thvihr-7015cbae-en"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-86WC-GR98-6P59

Vulnerability from github – Published: 2024-09-17 21:30 – Updated: 2024-09-23 18:30
VLAI
Details

Inappropriate implementation in Autofill in Google Chrome prior to 129.0.6668.58 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-8908"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-17T21:15:13Z",
    "severity": "MODERATE"
  },
  "details": "Inappropriate implementation in Autofill in Google Chrome prior to 129.0.6668.58 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)",
  "id": "GHSA-86wc-gr98-6p59",
  "modified": "2024-09-23T18:30:33Z",
  "published": "2024-09-17T21:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8908"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2024/09/stable-channel-update-for-desktop_17.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/337222641"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-87WP-C9X7-PPQ5

Vulnerability from github – Published: 2022-09-17 00:00 – Updated: 2022-09-25 00:00
VLAI
Details

Tesla Model 3 V11.0(2022.4.5.1 6b701552d7a6) Tesla mobile app v4.23 is vulnerable to Authentication Bypass by spoofing. Tesla Model 3's Phone Key authentication is vulnerable to Man-in-the-middle attacks in the BLE channel. It allows attackers to open a door and drive the car away by leveraging access to a legitimate Phone Key.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-37709"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-16T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Tesla Model 3 V11.0(2022.4.5.1 6b701552d7a6) Tesla mobile app v4.23 is vulnerable to Authentication Bypass by spoofing. Tesla Model 3\u0027s Phone Key authentication is vulnerable to Man-in-the-middle attacks in the BLE channel. It allows attackers to open a door and drive the car away by leveraging access to a legitimate Phone Key.",
  "id": "GHSA-87wp-c9x7-ppq5",
  "modified": "2022-09-25T00:00:27Z",
  "published": "2022-09-17T00:00:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37709"
    },
    {
      "type": "WEB",
      "url": "https://fmsh-seclab.github.io"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fmsh-seclab/TesMla"
    },
    {
      "type": "WEB",
      "url": "https://youtu.be/cPhYW5FzA9A"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-89MG-WJHC-7PJP

Vulnerability from github – Published: 2024-04-02 09:30 – Updated: 2024-04-02 09:30
VLAI
Details

in OpenHarmony v3.2.4 and prior versions allow a remote attacker bypass permission verification to install apps, although these require user action.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-22092"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-02T07:15:41Z",
    "severity": "HIGH"
  },
  "details": "in OpenHarmony v3.2.4 and prior versions allow a remote attacker bypass permission verification to install apps, although these require user action.",
  "id": "GHSA-89mg-wjhc-7pjp",
  "modified": "2024-04-02T09:30:40Z",
  "published": "2024-04-02T09:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22092"
    },
    {
      "type": "WEB",
      "url": "https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2024/2024-04.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

CAPEC-21: Exploitation of Trusted Identifiers

An adversary guesses, obtains, or "rides" a trusted identifier (e.g. session ID, resource ID, cookie, etc.) to perform authorized actions under the guise of an authenticated user or service.

CAPEC-22: Exploiting Trust in Client

An attack of this type exploits vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by communicating directly with the server where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.

CAPEC-459: Creating a Rogue Certification Authority Certificate

An adversary exploits a weakness resulting from using a hashing algorithm with weak collision resistance to generate certificate signing requests (CSR) that contain collision blocks in their "to be signed" parts. The adversary submits one CSR to be signed by a trusted certificate authority then uses the signed blob to make a second certificate appear signed by said certificate authority. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the adversary's second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority.

CAPEC-461: Web Services API Signature Forgery Leveraging Hash Function Extension Weakness

An adversary utilizes a hash function extension/padding weakness, to modify the parameters passed to the web service requesting authentication by generating their own call in order to generate a legitimate signature hash (as described in the notes), without knowledge of the secret token sometimes provided by the web service.

CAPEC-473: Signature Spoof

An attacker generates a message or datablock that causes the recipient to believe that the message or datablock was generated and cryptographically signed by an authoritative or reputable source, misleading a victim or victim operating system into performing malicious actions.

CAPEC-476: Signature Spoofing by Misrepresentation

An attacker exploits a weakness in the parsing or display code of the recipient software to generate a data blob containing a supposedly valid signature, but the signer's identity is falsely represented, which can lead to the attacker manipulating the recipient software or its victim user to perform compromising actions.

CAPEC-59: Session Credential Falsification through Prediction

This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

CAPEC-60: Reusing Session IDs (aka Session Replay)

This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.

CAPEC-667: Bluetooth Impersonation AttackS (BIAS)

An adversary disguises the MAC address of their Bluetooth enabled device to one for which there exists an active and trusted connection and authenticates successfully. The adversary can then perform malicious actions on the target Bluetooth device depending on the target’s capabilities.

CAPEC-94: Adversary in the Middle (AiTM)

An adversary targets the communication between two components (typically client and server), in order to alter or obtain data from transactions. A general approach entails the adversary placing themself within the communication channel between the two components.