CWE-306
AllowedMissing Authentication for Critical Function
Abstraction: Base · Status: Draft
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
3467 vulnerabilities reference this CWE, most recent first.
GHSA-JW2M-W7C2-H66C
Vulnerability from github – Published: 2022-04-29 00:00 – Updated: 2022-05-10 00:00Missing authentication for critical function in AssetView prior to Ver.13.2.0 allows a remote unauthenticated attacker with some knowledge on the system configuration to upload a crafted configuration file to the managing server, which may result in the managed clients to execute arbitrary code with the administrative privilege.
{
"affected": [],
"aliases": [
"CVE-2022-28719"
],
"database_specific": {
"cwe_ids": [
"CWE-306"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-28T09:15:00Z",
"severity": "CRITICAL"
},
"details": "Missing authentication for critical function in AssetView prior to Ver.13.2.0 allows a remote unauthenticated attacker with some knowledge on the system configuration to upload a crafted configuration file to the managing server, which may result in the managed clients to execute arbitrary code with the administrative privilege.",
"id": "GHSA-jw2m-w7c2-h66c",
"modified": "2022-05-10T00:00:37Z",
"published": "2022-04-29T00:00:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28719"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN54857505/index.html"
},
{
"type": "WEB",
"url": "https://www.hammock.jp/assetview/info/220422.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JW3G-MPQ9-R6JR
Vulnerability from github – Published: 2022-09-02 00:01 – Updated: 2022-09-09 00:00An access control issue in Canaan Avalon ASIC Miner 2020.3.30 and below allows unauthenticated attackers to arbitrarily change user passwords via a crafted POST request.
{
"affected": [],
"aliases": [
"CVE-2022-36604"
],
"database_specific": {
"cwe_ids": [
"CWE-306"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-01T21:15:00Z",
"severity": "HIGH"
},
"details": "An access control issue in Canaan Avalon ASIC Miner 2020.3.30 and below allows unauthenticated attackers to arbitrarily change user passwords via a crafted POST request.",
"id": "GHSA-jw3g-mpq9-r6jr",
"modified": "2022-09-09T00:00:56Z",
"published": "2022-09-02T00:01:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36604"
},
{
"type": "WEB",
"url": "https://jamesachambers.com/cryptocurrency-asic-miners-security-and-hacking-audit"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JWC3-MM8J-J745
Vulnerability from github – Published: 2024-10-08 09:30 – Updated: 2024-10-08 09:30The LatePoint plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.0.12. This is due to insufficient verification on the user being supplied during the booking customer step. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id. Note that logging in as a WordPress user is only possible if the "Use WordPress users as customers" setting is enabled, which is disabled by default. The vulnerability is partially patched in version 5.0.12 and fully patched in version 5.0.13.
{
"affected": [],
"aliases": [
"CVE-2024-8943"
],
"database_specific": {
"cwe_ids": [
"CWE-288",
"CWE-306"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-08T09:15:19Z",
"severity": "CRITICAL"
},
"details": "The LatePoint plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.0.12. This is due to insufficient verification on the user being supplied during the booking customer step. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id. Note that logging in as a WordPress user is only possible if the \"Use WordPress users as customers\" setting is enabled, which is disabled by default. The vulnerability is partially patched in version 5.0.12 and fully patched in version 5.0.13.",
"id": "GHSA-jwc3-mm8j-j745",
"modified": "2024-10-08T09:30:54Z",
"published": "2024-10-08T09:30:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8943"
},
{
"type": "WEB",
"url": "https://wpdocs.latepoint.com/changelog"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bac8c35b-2afa-4347-b86e-2f16db19a4d3?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JWHP-365F-27VV
Vulnerability from github – Published: 2024-01-11 18:31 – Updated: 2024-01-18 18:30D-Link DIR-822+ V1.0.2 contains a login bypass in the HNAP1 interface, which allows attackers to log in to administrator accounts with empty passwords.
{
"affected": [],
"aliases": [
"CVE-2023-51987"
],
"database_specific": {
"cwe_ids": [
"CWE-306"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-11T16:15:53Z",
"severity": "CRITICAL"
},
"details": "D-Link DIR-822+ V1.0.2 contains a login bypass in the HNAP1 interface, which allows attackers to log in to administrator accounts with empty passwords.",
"id": "GHSA-jwhp-365f-27vv",
"modified": "2024-01-18T18:30:24Z",
"published": "2024-01-11T18:31:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51987"
},
{
"type": "WEB",
"url": "https://github.com/funny-mud-peee/IoT-vuls/tree/main/dir822%2B/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JWJW-4HRM-4CGG
Vulnerability from github – Published: 2022-05-24 16:49 – Updated: 2024-04-04 01:08Super Micro SuperDoctor 5, when restrictions are not implemented in agent.cfg, allows remote attackers to execute arbitrary commands via NRPE.
{
"affected": [],
"aliases": [
"CVE-2019-13131"
],
"database_specific": {
"cwe_ids": [
"CWE-306"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-01T16:15:00Z",
"severity": "CRITICAL"
},
"details": "Super Micro SuperDoctor 5, when restrictions are not implemented in agent.cfg, allows remote attackers to execute arbitrary commands via NRPE.",
"id": "GHSA-jwjw-4hrm-4cgg",
"modified": "2024-04-04T01:08:30Z",
"published": "2022-05-24T16:49:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13131"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/47030"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JWP2-VRQG-4F49
Vulnerability from github – Published: 2026-03-10 18:31 – Updated: 2026-03-10 18:31Missing authentication for critical function in Azure IoT Explorer allows an unauthorized attacker to disclose information over a network.
{
"affected": [],
"aliases": [
"CVE-2026-23662"
],
"database_specific": {
"cwe_ids": [
"CWE-306"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-10T18:18:14Z",
"severity": "HIGH"
},
"details": "Missing authentication for critical function in Azure IoT Explorer allows an unauthorized attacker to disclose information over a network.",
"id": "GHSA-jwp2-vrqg-4f49",
"modified": "2026-03-10T18:31:19Z",
"published": "2026-03-10T18:31:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23662"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23662"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JX7X-FXC9-2WXV
Vulnerability from github – Published: 2025-12-09 18:30 – Updated: 2026-01-16 21:30Denial of Service Vulnerability in NETGEAR C6220 and C6230 (DOCSIS® 3.0 Two-in-one Cable Modem + WiFi Router) allows authenticated local WiFi users reboot the router.
{
"affected": [],
"aliases": [
"CVE-2025-12941"
],
"database_specific": {
"cwe_ids": [
"CWE-306"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-09T17:15:48Z",
"severity": "MODERATE"
},
"details": "Denial of Service Vulnerability in NETGEAR\u202fC6220\u202fand\u202fC6230\u202f(DOCSIS\u00ae 3.0 Two-in-one Cable Modem + WiFi Router) allows authenticated local WiFi users reboot the router.",
"id": "GHSA-jx7x-fxc9-2wxv",
"modified": "2026-01-16T21:30:30Z",
"published": "2025-12-09T18:30:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12941"
},
{
"type": "WEB",
"url": "https://kb.netgear.com/000070416/December-2025-NETGEAR-Security-Advisory"
},
{
"type": "WEB",
"url": "https://www.netgear.com/support/product/c6220"
},
{
"type": "WEB",
"url": "https://www.netgear.com/support/product/c6230"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:A/V:D/RE:L/U:Amber",
"type": "CVSS_V4"
}
]
}
GHSA-JXCW-QP4H-6JFQ
Vulnerability from github – Published: 2026-06-18 14:27 – Updated: 2026-06-18 14:27Summary
The published A2U advisory GHSA-f292-66h9-fpmf says unauthenticated A2U event streaming was fixed in praisonai 4.5.115. Current head still exposes the same A2U subscription and event routes without authentication when the operator starts the documented CLI entrypoint:
praisonai serve a2u --host 0.0.0.0 --port 8002
The current CLI wrapper does not expose --api-key, does not install the common API-key middleware, and does not generate a token for A2U. It calls create_a2u_routes(app) directly. That helper only enforces auth if A2U_AUTH_TOKEN is already present; if the variable is missing, _authenticate_request() returns None and treats auth as disabled.
This is an incomplete-fix report for the published A2U issue, not a separate trust-model-only concern.
Technical Details
The Typer command for A2U accepts only --host and --port:
src/praisonai/praisonai/cli/commands/serve.py:570-585
It forwards only those values to the shared serve handler:
args = ["a2u", "--host", host, "--port", str(port)]
The serve handler for A2U likewise accepts only host and port, then creates the app:
src/praisonai/praisonai/cli/features/serve.py:802-817
_create_a2u_app() registers A2U routes directly:
src/praisonai/praisonai/cli/features/serve.py:827-853
No call to _install_api_key_middleware(app, ...) is made for the dedicated A2U server, unlike the unified server path.
Inside create_a2u_routes(), auth is opt-in:
src/praisonai/praisonai/endpoints/a2u_server.py:245-253
auth_token = os.environ.get("A2U_AUTH_TOKEN")
if not auth_token:
# No token configured - auth disabled (development mode)
return None
The route helper then registers the same sensitive endpoints from the public advisory:
src/praisonai/praisonai/endpoints/a2u_server.py:391-409
Why This Is Not Intended Behavior
The public advisory for GHSA-f292-66h9-fpmf describes unauthenticated /a2u/info, /a2u/subscribe, /a2u/events/{stream_name}, /a2u/events/sub/{id}, and /a2u/health as the vulnerability and lists 4.5.115 as patched.
Current documentation also says PraisonAI API servers are now secure by default, bind to 127.0.0.1, and generate a bearer token if no token is provided. The dedicated A2U command does not implement that secure-by-default behavior. It remains unauthenticated unless a different environment variable, A2U_AUTH_TOKEN, was set before startup.
This report does not claim that explicit local-only development mode is always a vulnerability. The issue is the mismatch between the published fixed version / secure-by-default posture and the current A2U CLI behavior, including external binding via --host 0.0.0.0.
PoV
Run:
python3 poc/pov_poc.py \
--repo /path/to/PraisonAI \
--json
Observed current-head output:
{
"no_token": {
"info_status_no_auth": 200,
"subscribe_status_no_auth": 200,
"health_status_no_auth": 200,
"subscribe_body": {
"stream_name": "events",
"stream_url": "http://testserver/a2u/events/sub-d8ee868a5491"
}
},
"with_token": {
"info_status_no_auth": 401,
"subscribe_status_no_auth": 401,
"info_with_token": 200,
"subscribe_with_token": 200
},
"vulnerable_current_default": true
}
The PoV is local-only. It uses a small Starlette response/route shim so it can invoke the registered A2U handlers without starting a network listener or installing dependencies. The control shows that the route-level token check works when A2U_AUTH_TOKEN is configured; the vulnerable behavior is that the current documented CLI path does not require or generate that token.
PoC
The PoV section above contains the local reproduction command, input, and decisive output.
Impact
An attacker who can reach a current A2U server started without A2U_AUTH_TOKEN can subscribe to agent event streams without credentials. The prior public advisory already classifies the exposed data as agent responses, tool calls, thinking/progress events, and stream metadata.
If operators rely on the published fixed version or the secure-by-default serve documentation, they may expose A2U on a network interface believing the unauthenticated stream issue is fixed.
Severity
Suggested severity: High.
Suggested Fix
Recommended:
- Make
praisonai serve a2usecure by default in the same way as the documented API servers: generate a bearer token when none is configured, print it to stderr, and enforce it on all non-public A2U endpoints. - Add
--api-key/--auth-tokensupport to the dedicated A2U command and pass the configured token intocreate_a2u_routes()or shared middleware. - Fail closed for external binds such as
--host 0.0.0.0unless authentication is enabled. - Require auth on
/a2u/healthor remove subscription and stream counts from unauthenticated health responses. - Add regression tests for
praisonai serve a2uproving unauthenticated/a2u/subscribereturns401on current/fixed versions by default.
Affected Package/Versions
- Repository:
MervinPraison/PraisonAI - Ecosystem:
pip - Package:
praisonai - Component: A2U Agent-to-User event stream server
- Current checkout validated:
2f9677abb2ea68eab864ee8b6a828fd0141612e1 - Current checkout tag state:
v4.6.57-4-g2f9677ab - Public prior advisory:
GHSA-f292-66h9-fpmf, fixed range claimspraisonai <= 4.5.114
Suggested affected range:
pip:praisonai >= 4.5.115, <= 4.6.58
If maintainers prefer to update the public advisory rather than create a new advisory, the important correction is that the fixed version/range should not mark the current praisonai serve a2u behavior as fixed.
Advisory History
This is intentionally adjacent to GHSA-f292-66h9-fpmf. The report-grade point is that current versions after the claimed patched version still reproduce the same default unauthenticated A2U behavior through the maintained CLI entrypoint.
Visible PraisonAI advisories and prior submissions were checked. None cover A2U incomplete authentication after GHSA-f292-66h9-fpmf.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "praisonai"
},
"ranges": [
{
"events": [
{
"introduced": "4.5.115"
},
{
"fixed": "4.6.61"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-306"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-18T14:27:00Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\n\nThe published A2U advisory `GHSA-f292-66h9-fpmf` says unauthenticated A2U event streaming was fixed in `praisonai` `4.5.115`. Current head still exposes the same A2U subscription and event routes without authentication when the operator starts the documented CLI entrypoint:\n\n```text\npraisonai serve a2u --host 0.0.0.0 --port 8002\n```\n\nThe current CLI wrapper does not expose `--api-key`, does not install the common API-key middleware, and does not generate a token for A2U. It calls `create_a2u_routes(app)` directly. That helper only enforces auth if `A2U_AUTH_TOKEN` is already present; if the variable is missing, `_authenticate_request()` returns `None` and treats auth as disabled.\n\nThis is an incomplete-fix report for the published A2U issue, not a separate trust-model-only concern.\n\n## Technical Details\n\nThe Typer command for A2U accepts only `--host` and `--port`:\n\n```text\nsrc/praisonai/praisonai/cli/commands/serve.py:570-585\n```\n\nIt forwards only those values to the shared serve handler:\n\n```python\nargs = [\"a2u\", \"--host\", host, \"--port\", str(port)]\n```\n\nThe serve handler for A2U likewise accepts only `host` and `port`, then creates the app:\n\n```text\nsrc/praisonai/praisonai/cli/features/serve.py:802-817\n```\n\n`_create_a2u_app()` registers A2U routes directly:\n\n```text\nsrc/praisonai/praisonai/cli/features/serve.py:827-853\n```\n\nNo call to `_install_api_key_middleware(app, ...)` is made for the dedicated A2U server, unlike the unified server path.\n\nInside `create_a2u_routes()`, auth is opt-in:\n\n```text\nsrc/praisonai/praisonai/endpoints/a2u_server.py:245-253\n```\n\n```python\nauth_token = os.environ.get(\"A2U_AUTH_TOKEN\")\nif not auth_token:\n # No token configured - auth disabled (development mode)\n return None\n```\n\nThe route helper then registers the same sensitive endpoints from the public advisory:\n\n```text\nsrc/praisonai/praisonai/endpoints/a2u_server.py:391-409\n```\n\n### Why This Is Not Intended Behavior\n\nThe public advisory for `GHSA-f292-66h9-fpmf` describes unauthenticated `/a2u/info`, `/a2u/subscribe`, `/a2u/events/{stream_name}`, `/a2u/events/sub/{id}`, and `/a2u/health` as the vulnerability and lists `4.5.115` as patched.\n\nCurrent documentation also says PraisonAI API servers are now secure by default, bind to `127.0.0.1`, and generate a bearer token if no token is provided. The dedicated A2U command does not implement that secure-by-default behavior. It remains unauthenticated unless a different environment variable, `A2U_AUTH_TOKEN`, was set before startup.\n\nThis report does not claim that explicit local-only development mode is always a vulnerability. The issue is the mismatch between the published fixed version / secure-by-default posture and the current A2U CLI behavior, including external binding via `--host 0.0.0.0`.\n\n## PoV\n\nRun:\n\n```bash\npython3 poc/pov_poc.py \\\n --repo /path/to/PraisonAI \\\n --json\n```\n\nObserved current-head output:\n\n```json\n{\n \"no_token\": {\n \"info_status_no_auth\": 200,\n \"subscribe_status_no_auth\": 200,\n \"health_status_no_auth\": 200,\n \"subscribe_body\": {\n \"stream_name\": \"events\",\n \"stream_url\": \"http://testserver/a2u/events/sub-d8ee868a5491\"\n }\n },\n \"with_token\": {\n \"info_status_no_auth\": 401,\n \"subscribe_status_no_auth\": 401,\n \"info_with_token\": 200,\n \"subscribe_with_token\": 200\n },\n \"vulnerable_current_default\": true\n}\n```\n\nThe PoV is local-only. It uses a small Starlette response/route shim so it can invoke the registered A2U handlers without starting a network listener or installing dependencies. The control shows that the route-level token check works when `A2U_AUTH_TOKEN` is configured; the vulnerable behavior is that the current documented CLI path does not require or generate that token.\n\n## PoC\n\nThe PoV section above contains the local reproduction command, input, and decisive output.\n\n## Impact\n\nAn attacker who can reach a current A2U server started without `A2U_AUTH_TOKEN` can subscribe to agent event streams without credentials. The prior public advisory already classifies the exposed data as agent responses, tool calls, thinking/progress events, and stream metadata.\n\nIf operators rely on the published fixed version or the secure-by-default serve documentation, they may expose A2U on a network interface believing the unauthenticated stream issue is fixed.\n\n### Severity\n\nSuggested severity: High.\n\n## Suggested Fix\n\nRecommended:\n\n1. Make `praisonai serve a2u` secure by default in the same way as the documented API servers: generate a bearer token when none is configured, print it to stderr, and enforce it on all non-public A2U endpoints.\n2. Add `--api-key` / `--auth-token` support to the dedicated A2U command and pass the configured token into `create_a2u_routes()` or shared middleware.\n3. Fail closed for external binds such as `--host 0.0.0.0` unless authentication is enabled.\n4. Require auth on `/a2u/health` or remove subscription and stream counts from unauthenticated health responses.\n5. Add regression tests for `praisonai serve a2u` proving unauthenticated `/a2u/subscribe` returns `401` on current/fixed versions by default.\n\n## Affected Package/Versions\n\n- Repository: `MervinPraison/PraisonAI`\n- Ecosystem: `pip`\n- Package: `praisonai`\n- Component: A2U Agent-to-User event stream server\n- Current checkout validated: `2f9677abb2ea68eab864ee8b6a828fd0141612e1`\n- Current checkout tag state: `v4.6.57-4-g2f9677ab`\n- Public prior advisory: `GHSA-f292-66h9-fpmf`, fixed range claims `praisonai \u003c= 4.5.114`\n\nSuggested affected range:\n\n```text\npip:praisonai \u003e= 4.5.115, \u003c= 4.6.58\n```\n\nIf maintainers prefer to update the public advisory rather than create a new advisory, the important correction is that the fixed version/range should not mark the current `praisonai serve a2u` behavior as fixed.\n\n## Advisory History\n\nThis is intentionally adjacent to `GHSA-f292-66h9-fpmf`. The report-grade point is that current versions after the claimed patched version still reproduce the same default unauthenticated A2U behavior through the maintained CLI entrypoint.\n\nVisible PraisonAI advisories and prior submissions were checked. None cover A2U incomplete authentication after `GHSA-f292-66h9-fpmf`.",
"id": "GHSA-jxcw-qp4h-6jfq",
"modified": "2026-06-18T14:27:00Z",
"published": "2026-06-18T14:27:00Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-jxcw-qp4h-6jfq"
},
{
"type": "PACKAGE",
"url": "https://github.com/MervinPraison/PraisonAI"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "PraisonAI A2U incomplete authentication fix leaves current serve command unauthenticated by default"
}
GHSA-JXGQ-QHVG-X244
Vulnerability from github – Published: 2025-05-26 09:30 – Updated: 2025-05-26 09:30An unauthenticated remote attacker can access information about running processes via the SNMP protocol. The amount of returned data can trigger a reboot by the watchdog.
{
"affected": [],
"aliases": [
"CVE-2025-41654"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-306"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-26T09:15:20Z",
"severity": "HIGH"
},
"details": "An unauthenticated remote attacker can access information about running processes via the SNMP protocol. The amount of returned data can trigger a reboot by the watchdog.",
"id": "GHSA-jxgq-qhvg-x244",
"modified": "2025-05-26T09:30:43Z",
"published": "2025-05-26T09:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41654"
},
{
"type": "WEB",
"url": "https://cert.vde.com/en/advisories/VDE-2025-011"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JXM9-Q78J-5XXX
Vulnerability from github – Published: 2022-05-13 01:43 – Updated: 2022-05-13 01:43register_send.php on D-Link DIR-850L REV. B (with firmware through FW208WWb02) devices does not require authentication, which can result in unintended enrollment in mydlink Cloud Services.
{
"affected": [],
"aliases": [
"CVE-2017-14417"
],
"database_specific": {
"cwe_ids": [
"CWE-306"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-09-13T17:29:00Z",
"severity": "CRITICAL"
},
"details": "register_send.php on D-Link DIR-850L REV. B (with firmware through FW208WWb02) devices does not require authentication, which can result in unintended enrollment in mydlink Cloud Services.",
"id": "GHSA-jxm9-q78j-5xxx",
"modified": "2022-05-13T01:43:25Z",
"published": "2022-05-13T01:43:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14417"
},
{
"type": "WEB",
"url": "https://pierrekim.github.io/blog/2017-09-08-dlink-850l-mydlink-cloud-0days-vulnerabilities.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
- Divide the software into anonymous, normal, privileged, and administrative areas. Identify which of these areas require a proven user identity, and use a centralized authentication capability.
- Identify all potential communication channels, or other means of interaction with the software, to ensure that all channels are appropriately protected, including those channels that are assumed to be accessible only by authorized parties. Developers sometimes perform authentication at the primary channel, but open up a secondary channel that is assumed to be private. For example, a login mechanism may be listening on one network port, but after successful authentication, it may open up a second port where it waits for the connection, but avoids authentication because it assumes that only the authenticated party will connect to the port.
- In general, if the software or protocol allows a single session or user state to persist across multiple connections or channels, authentication and appropriate credential management need to be used throughout.
Mitigation MIT-15
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Mitigation
- Where possible, avoid implementing custom, "grow-your-own" authentication routines and consider using authentication capabilities as provided by the surrounding framework, operating system, or environment. These capabilities may avoid common weaknesses that are unique to authentication; support automatic auditing and tracking; and make it easier to provide a clear separation between authentication tasks and authorization tasks.
- In environments such as the World Wide Web, the line between authentication and authorization is sometimes blurred. If custom authentication routines are required instead of those provided by the server, then these routines must be applied to every single page, since these pages could be requested directly.
Mitigation MIT-4.5
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator [REF-45].
Mitigation
When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to require strong authentication for users who should be allowed to access the data [REF-1297] [REF-1298] [REF-1302].
CAPEC-12: Choosing Message Identifier
This pattern of attack is defined by the selection of messages distributed via multicast or public information channels that are intended for another client by determining the parameter value assigned to that client. This attack allows the adversary to gain access to potentially privileged information, and to possibly perpetrate other attacks through the distribution means by impersonation. If the channel/message being manipulated is an input rather than output mechanism for the system, (such as a command bus), this style of attack could be used to change the adversary's identifier to more a privileged one.
CAPEC-166: Force the System to Reset Values
An attacker forces the target into a previous state in order to leverage potential weaknesses in the target dependent upon a prior configuration or state-dependent factors. Even in cases where an attacker may not be able to directly control the configuration of the targeted application, they may be able to reset the configuration to a prior state since many applications implement reset functions.
CAPEC-216: Communication Channel Manipulation
An adversary manipulates a setting or parameter on communications channel in order to compromise its security. This can result in information exposure, insertion/removal of information from the communications stream, and/or potentially system compromise.
CAPEC-36: Using Unpublished Interfaces or Functionality
An adversary searches for and invokes interfaces or functionality that the target system designers did not intend to be publicly available. If interfaces fail to authenticate requests, the attacker may be able to invoke functionality they are not authorized for.
CAPEC-62: Cross Site Request Forgery
An attacker crafts malicious web links and distributes them (via web pages, email, etc.), typically in a targeted manner, hoping to induce users to click on the link and execute the malicious action against some third-party application. If successful, the action embedded in the malicious link will be processed and accepted by the targeted application with the users' privilege level. This type of attack leverages the persistence and implicit trust placed in user session cookies by many web applications today. In such an architecture, once the user authenticates to an application and a session cookie is created on the user's system, all following transactions for that session are authenticated using that cookie including potential actions initiated by an attacker and simply "riding" the existing session cookie.