CWE-305
AllowedAuthentication Bypass by Primary Weakness
Abstraction: Base · Status: Draft
The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.
281 vulnerabilities reference this CWE, most recent first.
CVE-2019-0042 (GCVE-0-2019-0042)
Vulnerability from cvelistv5 – Published: 2019-04-10 20:13 – Updated: 2024-09-16 18:03| URL | Tags |
|---|---|
| https://kb.juniper.net/JSA10934 | x_refsource_CONFIRM |
| Vendor | Product | Version | |
|---|---|---|---|
| Juniper Networks | Juniper Identity Management Service |
Affected:
unspecified , < 1.1.4
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:37:07.396Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://kb.juniper.net/JSA10934"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Juniper Identity Management Service",
"vendor": "Juniper Networks",
"versions": [
{
"lessThan": "1.1.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "This issue applicable only when the Windows Domain Controller\u0027s policy is set to audit account logon failures and SRX has any security policies configured with the term \"match source-identity authenticated-user\"."
}
],
"datePublic": "2019-04-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Juniper Identity Management Service (JIMS) for Windows versions prior to 1.1.4 may send an incorrect message to associated SRX services gateways. This may allow an attacker with physical access to an existing domain connected Windows system to bypass SRX firewall policies, or trigger a Denial of Service (DoS) condition for the network."
}
],
"exploits": [
{
"lang": "en",
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability.\n\nIf the issue is being exploited to bypass SRX firewall policies, suspicious or unusual usernames or IP addresses entries may be present in the SRX auth table."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "PHYSICAL",
"availabilityImpact": "HIGH",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-404",
"description": "CWE-404 Improper Resource Shutdown or Release",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-305",
"description": "CWE-305 Authentication Bypass by Primary Weakness",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-669",
"description": "CWE-669 Incorrect Resource Transfer Between Spheres",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-04-10T20:13:51.000Z",
"orgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"shortName": "juniper"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://kb.juniper.net/JSA10934"
}
],
"solutions": [
{
"lang": "en",
"value": "The following software releases have been updated to resolve this specific issue: 1.1.4 and all subsequent releases.\n\nIf suspicious or unusual usernames or IP addresses entries are present in the SRX auth table, they need to be removed from the SRX auth table."
}
],
"source": {
"advisory": "JSA10934",
"defect": [
"1409607"
],
"discovery": "INTERNAL"
},
"title": "Incorrect messages from Juniper Identity Management Service (JIMS) can trigger Denial of Service or firewall bypass conditions for SRX series devices",
"workarounds": [
{
"lang": "en",
"value": "On the domain controller(s), edit GPO policy for Computer Configuration-\u003ePolicies-\u003eWindows Settings-\u003eSecurity Settings-\u003eLocal Policies-\u003eAudit Policy.\nUncheck \"Failure\" for \"Audit account logon events\". This option is unchecked by default.\nIn the cmd prompt, enter \"gpupdate /force\" to immediately update the policy change."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.6"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "sirt@juniper.net",
"DATE_PUBLIC": "2019-04-10T16:00:00.000Z",
"ID": "CVE-2019-0042",
"STATE": "PUBLIC",
"TITLE": "Incorrect messages from Juniper Identity Management Service (JIMS) can trigger Denial of Service or firewall bypass conditions for SRX series devices"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Juniper Identity Management Service",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.1.4"
}
]
}
}
]
},
"vendor_name": "Juniper Networks"
}
]
}
},
"configuration": [
{
"lang": "en",
"value": "This issue applicable only when the Windows Domain Controller\u0027s policy is set to audit account logon failures and SRX has any security policies configured with the term \"match source-identity authenticated-user\"."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Juniper Identity Management Service (JIMS) for Windows versions prior to 1.1.4 may send an incorrect message to associated SRX services gateways. This may allow an attacker with physical access to an existing domain connected Windows system to bypass SRX firewall policies, or trigger a Denial of Service (DoS) condition for the network."
}
]
},
"exploit": [
{
"lang": "en",
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability.\n\nIf the issue is being exploited to bypass SRX firewall policies, suspicious or unusual usernames or IP addresses entries may be present in the SRX auth table."
}
],
"generator": {
"engine": "Vulnogram 0.0.6"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "PHYSICAL",
"availabilityImpact": "HIGH",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-404 Improper Resource Shutdown or Release"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-305 Authentication Bypass by Primary Weakness"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-669 Incorrect Resource Transfer Between Spheres"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://kb.juniper.net/JSA10934",
"refsource": "CONFIRM",
"url": "https://kb.juniper.net/JSA10934"
}
]
},
"solution": [
{
"lang": "en",
"value": "The following software releases have been updated to resolve this specific issue: 1.1.4 and all subsequent releases.\n\nIf suspicious or unusual usernames or IP addresses entries are present in the SRX auth table, they need to be removed from the SRX auth table."
}
],
"source": {
"advisory": "JSA10934",
"defect": [
"1409607"
],
"discovery": "INTERNAL"
},
"work_around": [
{
"lang": "en",
"value": "On the domain controller(s), edit GPO policy for Computer Configuration-\u003ePolicies-\u003eWindows Settings-\u003eSecurity Settings-\u003eLocal Policies-\u003eAudit Policy.\nUncheck \"Failure\" for \"Audit account logon events\". This option is unchecked by default.\nIn the cmd prompt, enter \"gpupdate /force\" to immediately update the policy change."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"assignerShortName": "juniper",
"cveId": "CVE-2019-0042",
"datePublished": "2019-04-10T20:13:51.587Z",
"dateReserved": "2018-10-11T00:00:00.000Z",
"dateUpdated": "2024-09-16T18:03:05.001Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GHSA-24C7-PRH7-M3G7
Vulnerability from github – Published: 2026-04-14 09:30 – Updated: 2026-04-14 09:30A vulnerability has been identified in Industrial Edge Management Pro V1 (All versions >= V1.7.6 < V1.15.17), Industrial Edge Management Pro V2 (All versions >= V2.0.0 < V2.1.1), Industrial Edge Management Virtual (All versions >= V2.2.0 < V2.8.0). Affected management systems do not properly enforce user authentication on remote connections to devices. This could facilitate an unauthenticated remote attacker to circumvent authentication and impersonate a legitimate user. Successful exploitation requires that the attacker has identified the header and port used for remote connections to devices and that the remote connection feature is enabled for the device.
Exploitation allows the attacker to tunnel to the device. Security features on this device itself (e.g. app specific authentication) are not affected.
{
"affected": [],
"aliases": [
"CVE-2026-33892"
],
"database_specific": {
"cwe_ids": [
"CWE-305"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-14T09:16:36Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been identified in Industrial Edge Management Pro V1 (All versions \u003e= V1.7.6 \u003c V1.15.17), Industrial Edge Management Pro V2 (All versions \u003e= V2.0.0 \u003c V2.1.1), Industrial Edge Management Virtual (All versions \u003e= V2.2.0 \u003c V2.8.0). Affected management systems do not properly enforce user authentication on remote connections to devices.\nThis could facilitate an unauthenticated remote attacker to circumvent authentication and impersonate a legitimate user.\nSuccessful exploitation requires that the attacker has identified the header and port used for remote connections to devices and that the remote connection feature is enabled for the device.\n\nExploitation allows the attacker to tunnel to the device. Security features on this device itself (e.g. app specific authentication) are not affected.",
"id": "GHSA-24c7-prh7-m3g7",
"modified": "2026-04-14T09:30:45Z",
"published": "2026-04-14T09:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33892"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-609469.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-263M-WCMP-R5J6
Vulnerability from github – Published: 2024-11-14 21:32 – Updated: 2025-12-23 18:30A local user can bypass the OpenAFS PAG (Process Authentication Group) throttling mechanism in Unix clients, allowing the user to create a PAG using an existing id number, effectively joining the PAG and letting the user steal the credentials in that PAG.
{
"affected": [],
"aliases": [
"CVE-2024-10394"
],
"database_specific": {
"cwe_ids": [
"CWE-190",
"CWE-305"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-14T20:15:20Z",
"severity": "HIGH"
},
"details": "A local user can bypass the OpenAFS PAG (Process Authentication Group)\nthrottling mechanism in Unix clients, allowing the user to create a PAG using\nan existing id number, effectively joining the PAG and letting the user steal\nthe credentials in that PAG.",
"id": "GHSA-263m-wcmp-r5j6",
"modified": "2025-12-23T18:30:19Z",
"published": "2024-11-14T21:32:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10394"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00019.html"
},
{
"type": "WEB",
"url": "https://openafs.org/pages/security/OPENAFS-SA-2024-001.txt"
},
{
"type": "WEB",
"url": "https://www.openafs.org/pages/security/OPENAFS-SA-2024-001.txt"
},
{
"type": "WEB",
"url": "https://www.openafs.org/security"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-26QR-26WF-XV6X
Vulnerability from github – Published: 2026-03-18 09:30 – Updated: 2026-03-18 09:30A vulnerability found in Dahua NVR/XVR device. A third-party malicious attacker with physical access to the device may gain access to a restricted shell via the serial port, and bypasses the shell's authentication mechanism to escalate privileges.
{
"affected": [],
"aliases": [
"CVE-2025-31703"
],
"database_specific": {
"cwe_ids": [
"CWE-305"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-18T08:16:26Z",
"severity": "LOW"
},
"details": "A vulnerability found in Dahua NVR/XVR device. A third-party malicious attacker with physical access to the device may gain access to a restricted shell via the serial port, and bypasses the shell\u0027s authentication mechanism to escalate privileges.",
"id": "GHSA-26qr-26wf-xv6x",
"modified": "2026-03-18T09:30:28Z",
"published": "2026-03-18T09:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31703"
},
{
"type": "WEB",
"url": "https://www.dahuasecurity.com/about-dahua/trust-center/dahua-psirt/security-advisory-%E2%80%93-vulnerability-found-in-dahua-nvr-xvr-device"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-2CQJ-HXR6-HC5P
Vulnerability from github – Published: 2026-04-30 18:30 – Updated: 2026-04-30 18:30Authentication bypass by primary weakness vulnerability in Progress Software MOVEit Automation allows Authentication Bypass.
This issue affects MOVEit Automation: from 2025.0.0 before 2025.0.9, from 2024.0.0 before 2024.1.8, versions prior to 2024.0.0.
{
"affected": [],
"aliases": [
"CVE-2026-4670"
],
"database_specific": {
"cwe_ids": [
"CWE-305"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-30T16:16:44Z",
"severity": "CRITICAL"
},
"details": "Authentication bypass by primary weakness vulnerability in Progress Software MOVEit Automation allows Authentication Bypass.\n\nThis issue affects MOVEit Automation: from 2025.0.0 before 2025.0.9, from 2024.0.0 before 2024.1.8, versions prior to 2024.0.0.",
"id": "GHSA-2cqj-hxr6-hc5p",
"modified": "2026-04-30T18:30:32Z",
"published": "2026-04-30T18:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4670"
},
{
"type": "WEB",
"url": "https://community.progress.com/s/article/MOVEit-Automation-Critical-Security-Alert-Bulletin-April-2026-CVE-2026-4670-CVE-2026-5174"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2FV9-X5CX-M494
Vulnerability from github – Published: 2026-03-05 09:30 – Updated: 2026-03-05 09:30Authentication bypass vulnerability in the device authentication module. Impact: Successful exploitation of this vulnerability will affect integrity and confidentiality.
{
"affected": [],
"aliases": [
"CVE-2026-28536"
],
"database_specific": {
"cwe_ids": [
"CWE-305"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-05T07:16:13Z",
"severity": "CRITICAL"
},
"details": "Authentication bypass vulnerability in the device authentication module. Impact: Successful exploitation of this vulnerability will affect integrity and confidentiality.",
"id": "GHSA-2fv9-x5cx-m494",
"modified": "2026-03-05T09:30:33Z",
"published": "2026-03-05T09:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28536"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2026/3"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletinlaptops/2026/3"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletinvision/2026/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2HW2-HC6G-CV7V
Vulnerability from github – Published: 2025-10-28 18:30 – Updated: 2025-10-28 18:30IBM Maximo Application Suite 9.0.0 through 9.0.15 and 9.1.0 through 9.1.4 could allow a remote attacker to bypass authentication mechanisms and gain unauthorized access to the application.
{
"affected": [],
"aliases": [
"CVE-2025-36386"
],
"database_specific": {
"cwe_ids": [
"CWE-305"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-28T16:15:38Z",
"severity": "CRITICAL"
},
"details": "IBM Maximo Application Suite 9.0.0 through 9.0.15 and 9.1.0 through 9.1.4 could allow a remote attacker to bypass authentication mechanisms and gain unauthorized access to the application.",
"id": "GHSA-2hw2-hc6g-cv7v",
"modified": "2025-10-28T18:30:29Z",
"published": "2025-10-28T18:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36386"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7249416"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2MXQ-Q8P2-G2C8
Vulnerability from github – Published: 2023-10-21 09:30 – Updated: 2026-04-08 21:32The SALESmanago plugin for WordPress is vulnerable to Log Injection in versions up to, and including, 3.2.4. This is due to the use of a weak authentication token for the /wp-json/salesmanago/v1/callbackApiV3 API endpoint which is simply a SHA1 hash of the site URL and client ID found in the page source of the website. This makes it possible for unauthenticated attackers to inject arbitrary content into the log files, and when combined with another vulnerability this could have significant consequences.
{
"affected": [],
"aliases": [
"CVE-2023-4939"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-305"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-21T08:15:08Z",
"severity": "MODERATE"
},
"details": "The SALESmanago plugin for WordPress is vulnerable to Log Injection in versions up to, and including, 3.2.4. This is due to the use of a weak authentication token for the /wp-json/salesmanago/v1/callbackApiV3 API endpoint which is simply a SHA1 hash of the site URL and client ID found in the page source of the website. This makes it possible for unauthenticated attackers to inject arbitrary content into the log files, and when combined with another vulnerability this could have significant consequences.",
"id": "GHSA-2mxq-q8p2-g2c8",
"modified": "2026-04-08T21:32:05Z",
"published": "2023-10-21T09:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4939"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/salesmanago/trunk/src/Admin/Controller/CallbackController.php"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/salesmanago/trunk/src/Includes/Helper.php#L376"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=2981700%40salesmanago\u0026new=2981700%40salesmanago\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/de7db1d6-b352-44c7-a6cc-b21cb65a0482?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2R3J-V23V-HX4J
Vulnerability from github – Published: 2025-10-09 18:30 – Updated: 2025-10-09 18:30An Authentication Bypass by Primary Weakness
in the FTP server of Juniper Networks Junos OS allows an unauthenticated, network-based attacker to get limited read-write access to files on the device. When the FTP server is enabled and a user named "ftp" or "anonymous" is configured, that user can login without providing the configured password and then has read-write access to their home directory.
This issue affects Junos OS:
- all versions before 22.4R3-S8,
- 23.2 versions before 23.2R2-S3,
- 23.4 versions before 23.4R2.
{
"affected": [],
"aliases": [
"CVE-2025-59980"
],
"database_specific": {
"cwe_ids": [
"CWE-305"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-09T17:15:59Z",
"severity": "MODERATE"
},
"details": "An Authentication Bypass by Primary Weakness\n\nin the FTP server of Juniper Networks Junos OS allows an unauthenticated, network-based attacker to get limited read-write access to files on the device.\nWhen the FTP server is enabled and a user named \"ftp\" or \"anonymous\" is configured, that user can login without providing the configured password and then has read-write access to their home directory.\n\nThis issue affects Junos OS:\u00a0\n\n\n\n * all versions before 22.4R3-S8,\n * 23.2 versions before 23.2R2-S3,\n * 23.4 versions before 23.4R2.",
"id": "GHSA-2r3j-v23v-hx4j",
"modified": "2025-10-09T18:30:37Z",
"published": "2025-10-09T18:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59980"
},
{
"type": "WEB",
"url": "https://supportportal.juniper.net/JSA103167"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:M/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-2RGX-X72W-66R6
Vulnerability from github – Published: 2024-03-05 15:32 – Updated: 2026-05-20 09:30Authentication Bypass by Primary Weakness vulnerability in ZKSoftware Biometric Security Solutions UFace 5 allows Authentication Bypass.This issue affects UFace 5: through 12022024.
{
"affected": [],
"aliases": [
"CVE-2023-7103"
],
"database_specific": {
"cwe_ids": [
"CWE-305"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-05T13:15:06Z",
"severity": "CRITICAL"
},
"details": "Authentication Bypass by Primary Weakness vulnerability in ZKSoftware Biometric Security Solutions UFace 5 allows Authentication Bypass.This issue affects UFace 5: through 12022024.",
"id": "GHSA-2rgx-x72w-66r6",
"modified": "2026-05-20T09:30:33Z",
"published": "2024-03-05T15:32:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7103"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-24-0173"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-24-0173"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.