Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3251 vulnerabilities reference this CWE, most recent first.

CVE-2017-3183 (GCVE-0-2017-3183)

Vulnerability from cvelistv5 – Published: 2018-07-24 15:00 – Updated: 2024-08-05 14:16
VLAI
Title
Sage XRT Treasury, version 3, fails to properly restrict database access to authorized users, which may enable any authenticated user to gain full access to privileged database functions
Summary
Sage XRT Treasury, version 3, fails to properly restrict database access to authorized users, which may enable any authenticated user to gain full access to privileged database functions. Sage XRT Treasury is a business finance management application. Database user access privileges are determined by the USER_CODE field associated with the querying user. By modifying the USER_CODE value to match that of a privileged user, a low-privileged, authenticated user may gain privileged access to the SQL database. A remote, authenticated user can submit specially crafted SQL queries to gain privileged access to the application database.
Severity
No CVSS data available.
CWE
Assigner
References
URL Tags
https://www.kb.cert.org/vuls/id/742632 third-party-advisoryx_refsource_CERT-VN
https://www.securityfocus.com/bid/96477 vdb-entryx_refsource_BID
Impacted products
Date Public
2017-02-28 00:00
Credits
Thanks to Victor Portal Gonzalez of Deloitte Spain for reporting this vulnerability.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T14:16:28.331Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "VU#742632",
            "tags": [
              "third-party-advisory",
              "x_refsource_CERT-VN",
              "x_transferred"
            ],
            "url": "https://www.kb.cert.org/vuls/id/742632"
          },
          {
            "name": "96477",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "https://www.securityfocus.com/bid/96477"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "XRT Treasury",
          "vendor": "Sage",
          "versions": [
            {
              "status": "affected",
              "version": "3"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Thanks to Victor Portal Gonzalez of Deloitte Spain for reporting this vulnerability."
        }
      ],
      "datePublic": "2017-02-28T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Sage XRT Treasury, version 3, fails to properly restrict database access to authorized users, which may enable any authenticated user to gain full access to privileged database functions. Sage XRT Treasury is a business finance management application. Database user access privileges are determined by the USER_CODE field associated with the querying user. By modifying the USER_CODE value to match that of a privileged user, a low-privileged, authenticated user may gain privileged access to the SQL database. A remote, authenticated user can submit specially crafted SQL queries to gain privileged access to the application database."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-07-24T14:57:01.000Z",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "name": "VU#742632",
          "tags": [
            "third-party-advisory",
            "x_refsource_CERT-VN"
          ],
          "url": "https://www.kb.cert.org/vuls/id/742632"
        },
        {
          "name": "96477",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "https://www.securityfocus.com/bid/96477"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "The vendor has indicated that XRT Treasury version 4 addresses this issue. Users are encouraged to update to the latest release and to encrypt connections to the database server."
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Sage XRT Treasury, version 3, fails to properly restrict database access to authorized users, which may enable any authenticated user to gain full access to privileged database functions",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cert@cert.org",
          "ID": "CVE-2017-3183",
          "STATE": "PUBLIC",
          "TITLE": "Sage XRT Treasury, version 3, fails to properly restrict database access to authorized users, which may enable any authenticated user to gain full access to privileged database functions"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "XRT Treasury",
                      "version": {
                        "version_data": [
                          {
                            "affected": "=",
                            "version_affected": "=",
                            "version_name": "3",
                            "version_value": "3"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Sage"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Thanks to Victor Portal Gonzalez of Deloitte Spain for reporting this vulnerability."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Sage XRT Treasury, version 3, fails to properly restrict database access to authorized users, which may enable any authenticated user to gain full access to privileged database functions. Sage XRT Treasury is a business finance management application. Database user access privileges are determined by the USER_CODE field associated with the querying user. By modifying the USER_CODE value to match that of a privileged user, a low-privileged, authenticated user may gain privileged access to the SQL database. A remote, authenticated user can submit specially crafted SQL queries to gain privileged access to the application database."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-639"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "VU#742632",
              "refsource": "CERT-VN",
              "url": "https://www.kb.cert.org/vuls/id/742632"
            },
            {
              "name": "96477",
              "refsource": "BID",
              "url": "https://www.securityfocus.com/bid/96477"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "The vendor has indicated that XRT Treasury version 4 addresses this issue. Users are encouraged to update to the latest release and to encrypt connections to the database server."
          }
        ],
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2017-3183",
    "datePublished": "2018-07-24T15:00:00.000Z",
    "dateReserved": "2016-12-05T00:00:00.000Z",
    "dateUpdated": "2024-08-05T14:16:28.331Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2017-0936 (GCVE-0-2017-0936)

Vulnerability from cvelistv5 – Published: 2018-03-28 20:00 – Updated: 2024-09-16 21:58
VLAI
Summary
Nextcloud Server before 11.0.7 and 12.0.5 suffers from an Authorization Bypass Through User-Controlled Key vulnerability. A missing ownership check allowed logged-in users to change the scope of app passwords of other users. Note that the app passwords themselves where neither disclosed nor could the error be misused to identify as another user.
Severity
No CVSS data available.
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key (CWE-639)
Assigner
References
Impacted products
Vendor Product Version
Nextcloud Nextcloud Server Affected: before 11.0.7 and 12.0.5
Create a notification for this product.
Date Public
2018-02-07 00:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T13:25:17.066Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://hackerone.com/reports/297751"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://nextcloud.com/security/advisory/?id=nc-sa-2018-001"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Nextcloud Server",
          "vendor": "Nextcloud",
          "versions": [
            {
              "status": "affected",
              "version": "before 11.0.7 and 12.0.5"
            }
          ]
        }
      ],
      "datePublic": "2018-02-07T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Nextcloud Server before 11.0.7 and 12.0.5 suffers from an Authorization Bypass Through User-Controlled Key vulnerability. A missing ownership check allowed logged-in users to change the scope of app passwords of other users. Note that the app passwords themselves where neither disclosed nor could the error be misused to identify as another user."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "Authorization Bypass Through User-Controlled Key (CWE-639)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-03-28T19:57:01.000Z",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://hackerone.com/reports/297751"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://nextcloud.com/security/advisory/?id=nc-sa-2018-001"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "support@hackerone.com",
          "DATE_PUBLIC": "2018-02-07T00:00:00",
          "ID": "CVE-2017-0936",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Nextcloud Server",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "before 11.0.7 and 12.0.5"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Nextcloud"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Nextcloud Server before 11.0.7 and 12.0.5 suffers from an Authorization Bypass Through User-Controlled Key vulnerability. A missing ownership check allowed logged-in users to change the scope of app passwords of other users. Note that the app passwords themselves where neither disclosed nor could the error be misused to identify as another user."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Authorization Bypass Through User-Controlled Key (CWE-639)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://hackerone.com/reports/297751",
              "refsource": "MISC",
              "url": "https://hackerone.com/reports/297751"
            },
            {
              "name": "https://nextcloud.com/security/advisory/?id=nc-sa-2018-001",
              "refsource": "CONFIRM",
              "url": "https://nextcloud.com/security/advisory/?id=nc-sa-2018-001"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2017-0936",
    "datePublished": "2018-03-28T20:00:00.000Z",
    "dateReserved": "2016-11-30T00:00:00.000Z",
    "dateUpdated": "2024-09-16T21:58:27.852Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2017-0922 (GCVE-0-2017-0922)

Vulnerability from cvelistv5 – Published: 2018-03-21 20:00 – Updated: 2024-08-05 13:25
VLAI
Summary
Gitlab Enterprise Edition version 10.3 is vulnerable to an authorization bypass issue in the GitLab Projects::BoardsController component resulting in an information disclosure on any board object.
Severity
No CVSS data available.
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key (CWE-639)
Assigner
References
Impacted products
Vendor Product Version
GitLab GitLab Community and Enterprise Editions Affected: 9.1.0 - 10.1.5 Fixed in 10.1.6
Affected: 10.2.0 - 10.2.5 Fixed in 10.2.6
Affected: 10.3.0 - 10.3.3 Fixed in 10.3.4
Create a notification for this product.
Date Public
2018-01-16 00:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T13:25:16.596Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://hackerone.com/reports/301123"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "GitLab Community and Enterprise Editions",
          "vendor": "GitLab",
          "versions": [
            {
              "status": "affected",
              "version": "9.1.0 - 10.1.5 Fixed in 10.1.6"
            },
            {
              "status": "affected",
              "version": "10.2.0 - 10.2.5 Fixed in 10.2.6"
            },
            {
              "status": "affected",
              "version": "10.3.0 - 10.3.3 Fixed in 10.3.4"
            }
          ]
        }
      ],
      "datePublic": "2018-01-16T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Gitlab Enterprise Edition version 10.3 is vulnerable to an authorization bypass issue in the GitLab Projects::BoardsController component resulting in an information disclosure on any board object."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "Authorization Bypass Through User-Controlled Key (CWE-639)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-03-21T19:57:01.000Z",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://hackerone.com/reports/301123"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "support@hackerone.com",
          "ID": "CVE-2017-0922",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "GitLab Community and Enterprise Editions",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "9.1.0 - 10.1.5 Fixed in 10.1.6"
                          },
                          {
                            "version_value": "10.2.0 - 10.2.5 Fixed in 10.2.6"
                          },
                          {
                            "version_value": "10.3.0 - 10.3.3 Fixed in 10.3.4"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "GitLab"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Gitlab Enterprise Edition version 10.3 is vulnerable to an authorization bypass issue in the GitLab Projects::BoardsController component resulting in an information disclosure on any board object."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Authorization Bypass Through User-Controlled Key (CWE-639)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://hackerone.com/reports/301123",
              "refsource": "MISC",
              "url": "https://hackerone.com/reports/301123"
            },
            {
              "name": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/",
              "refsource": "CONFIRM",
              "url": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2017-0922",
    "datePublished": "2018-03-21T20:00:00.000Z",
    "dateReserved": "2016-11-30T00:00:00.000Z",
    "dateUpdated": "2024-08-05T13:25:16.596Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2017-0920 (GCVE-0-2017-0920)

Vulnerability from cvelistv5 – Published: 2018-03-22 15:00 – Updated: 2024-08-05 13:25
VLAI
Summary
GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10.3.4 are vulnerable to an authorization bypass issue in the Projects::MergeRequests::CreationsController component resulting in an attacker to see every project name and their respective namespace on a GitLab instance.
Severity
No CVSS data available.
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key (CWE-639)
Assigner
References
Impacted products
Vendor Product Version
GitLab GitLab Community and Enterprise Editions Affected: Versions before 10.1.6, 10.2.6, and 10.3.4
Create a notification for this product.
Date Public
2018-03-22 00:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T13:25:16.968Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://hackerone.com/reports/301336"
          },
          {
            "name": "DSA-4206",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2018/dsa-4206"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "GitLab Community and Enterprise Editions",
          "vendor": "GitLab",
          "versions": [
            {
              "status": "affected",
              "version": "Versions before 10.1.6, 10.2.6, and 10.3.4"
            }
          ]
        }
      ],
      "datePublic": "2018-03-22T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10.3.4 are vulnerable to an authorization bypass issue in the Projects::MergeRequests::CreationsController component resulting in an attacker to see every project name and their respective namespace on a GitLab instance."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "Authorization Bypass Through User-Controlled Key (CWE-639)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-05-22T09:57:01.000Z",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://hackerone.com/reports/301336"
        },
        {
          "name": "DSA-4206",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2018/dsa-4206"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "support@hackerone.com",
          "ID": "CVE-2017-0920",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "GitLab Community and Enterprise Editions",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Versions before 10.1.6, 10.2.6, and 10.3.4"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "GitLab"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10.3.4 are vulnerable to an authorization bypass issue in the Projects::MergeRequests::CreationsController component resulting in an attacker to see every project name and their respective namespace on a GitLab instance."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Authorization Bypass Through User-Controlled Key (CWE-639)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://hackerone.com/reports/301336",
              "refsource": "MISC",
              "url": "https://hackerone.com/reports/301336"
            },
            {
              "name": "DSA-4206",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2018/dsa-4206"
            },
            {
              "name": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/",
              "refsource": "CONFIRM",
              "url": "https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2017-0920",
    "datePublished": "2018-03-22T15:00:00.000Z",
    "dateReserved": "2016-11-30T00:00:00.000Z",
    "dateUpdated": "2024-08-05T13:25:16.968Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2017-0882 (GCVE-0-2017-0882)

Vulnerability from cvelistv5 – Published: 2017-03-28 02:46 – Updated: 2024-08-05 13:18
VLAI
Summary
Multiple versions of GitLab expose sensitive user credentials when assigning a user to an issue or merge request. A fix was included in versions 8.15.8, 8.16.7, and 8.17.4, which were released on March 20th 2017 at 23:59 UTC.
Severity
No CVSS data available.
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key (CWE-639)
Assigner
Impacted products
Vendor Product Version
n/a GitLab Community Edition and GitLab Enterprise Edition 8.7.0 through 8.15.7, 8.16.0 through 8.16.7, 8.17.0 through 8.17.3 Affected: GitLab Community Edition and GitLab Enterprise Edition 8.7.0 through 8.15.7, 8.16.0 through 8.16.7, 8.17.0 through 8.17.3
Date Public
2017-03-27 00:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T13:18:06.474Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://gitlab.com/gitlab-org/gitlab-ce/commit/cdf396f456472ef8decd9598daa8dc0097cd30c5"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://gitlab.com/gitlab-org/gitlab-ce/commit/a70346fc6530aa28a98e4aa4cf0f40e2c3bcef6b"
          },
          {
            "name": "97157",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/97157"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://gitlab.com/gitlab-org/gitlab-ce/commit/43f5a2739dbf8f5c4c16a79f98e2630888f6b5d1"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://gitlab.com/gitlab-org/gitlab-ce/issues/29661"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://about.gitlab.com/2017/03/20/gitlab-8-dot-17-dot-4-security-release/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "GitLab Community Edition and GitLab Enterprise Edition 8.7.0 through 8.15.7, 8.16.0 through 8.16.7, 8.17.0 through 8.17.3",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "GitLab Community Edition and GitLab Enterprise Edition 8.7.0 through 8.15.7, 8.16.0 through 8.16.7, 8.17.0 through 8.17.3"
            }
          ]
        }
      ],
      "datePublic": "2017-03-27T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Multiple versions of GitLab expose sensitive user credentials when assigning a user to an issue or merge request. A fix was included in versions 8.15.8, 8.16.7, and 8.17.4, which were released on March 20th 2017 at 23:59 UTC."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "Authorization Bypass Through User-Controlled Key (CWE-639)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-03-29T09:57:01.000Z",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://gitlab.com/gitlab-org/gitlab-ce/commit/cdf396f456472ef8decd9598daa8dc0097cd30c5"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://gitlab.com/gitlab-org/gitlab-ce/commit/a70346fc6530aa28a98e4aa4cf0f40e2c3bcef6b"
        },
        {
          "name": "97157",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/97157"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://gitlab.com/gitlab-org/gitlab-ce/commit/43f5a2739dbf8f5c4c16a79f98e2630888f6b5d1"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://gitlab.com/gitlab-org/gitlab-ce/issues/29661"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://about.gitlab.com/2017/03/20/gitlab-8-dot-17-dot-4-security-release/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "support@hackerone.com",
          "ID": "CVE-2017-0882",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "GitLab Community Edition and GitLab Enterprise Edition 8.7.0 through 8.15.7, 8.16.0 through 8.16.7, 8.17.0 through 8.17.3",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "GitLab Community Edition and GitLab Enterprise Edition 8.7.0 through 8.15.7, 8.16.0 through 8.16.7, 8.17.0 through 8.17.3"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Multiple versions of GitLab expose sensitive user credentials when assigning a user to an issue or merge request. A fix was included in versions 8.15.8, 8.16.7, and 8.17.4, which were released on March 20th 2017 at 23:59 UTC."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Authorization Bypass Through User-Controlled Key (CWE-639)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://gitlab.com/gitlab-org/gitlab-ce/commit/cdf396f456472ef8decd9598daa8dc0097cd30c5",
              "refsource": "MISC",
              "url": "https://gitlab.com/gitlab-org/gitlab-ce/commit/cdf396f456472ef8decd9598daa8dc0097cd30c5"
            },
            {
              "name": "https://gitlab.com/gitlab-org/gitlab-ce/commit/a70346fc6530aa28a98e4aa4cf0f40e2c3bcef6b",
              "refsource": "MISC",
              "url": "https://gitlab.com/gitlab-org/gitlab-ce/commit/a70346fc6530aa28a98e4aa4cf0f40e2c3bcef6b"
            },
            {
              "name": "97157",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/97157"
            },
            {
              "name": "https://gitlab.com/gitlab-org/gitlab-ce/commit/43f5a2739dbf8f5c4c16a79f98e2630888f6b5d1",
              "refsource": "MISC",
              "url": "https://gitlab.com/gitlab-org/gitlab-ce/commit/43f5a2739dbf8f5c4c16a79f98e2630888f6b5d1"
            },
            {
              "name": "https://gitlab.com/gitlab-org/gitlab-ce/issues/29661",
              "refsource": "MISC",
              "url": "https://gitlab.com/gitlab-org/gitlab-ce/issues/29661"
            },
            {
              "name": "https://about.gitlab.com/2017/03/20/gitlab-8-dot-17-dot-4-security-release/",
              "refsource": "MISC",
              "url": "https://about.gitlab.com/2017/03/20/gitlab-8-dot-17-dot-4-security-release/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2017-0882",
    "datePublished": "2017-03-28T02:46:00.000Z",
    "dateReserved": "2016-11-30T00:00:00.000Z",
    "dateUpdated": "2024-08-05T13:18:06.474Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2016-20033 (GCVE-0-2016-20033)

Vulnerability from cvelistv5 – Published: 2026-03-15 18:34 – Updated: 2026-03-16 14:30
VLAI
Title
Wowza Streaming Engine 4.5.0 Local Privilege Escalation via nssm_x64.exe
Summary
Wowza Streaming Engine 4.5.0 contains a local privilege escalation vulnerability that allows authenticated users to escalate privileges by replacing executable files due to improper file permissions granting full access to the Everyone group. Attackers can replace the nssm_x64.exe binary in the manager and engine service directories with malicious executables to execute code with LocalSystem privileges when services restart.
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Date Public
2016-07-20 00:00
Credits
LiquidWorm as Gjoko Krstic of Zero Science Lab
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2016-20033",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-16T14:19:07.659648Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-16T14:30:30.462Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Wowza Streaming Engine",
          "vendor": "Wowza Media Systems, LLC.",
          "versions": [
            {
              "status": "affected",
              "version": "4.5.0"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:wowza:streaming_engine:4.5.0:*:*:*:*:*:*:*",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "LiquidWorm as Gjoko Krstic of Zero Science Lab"
        }
      ],
      "datePublic": "2016-07-20T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Wowza Streaming Engine 4.5.0 contains a local privilege escalation vulnerability that allows authenticated users to escalate privileges by replacing executable files due to improper file permissions granting full access to the Everyone group. Attackers can replace the nssm_x64.exe binary in the manager and engine service directories with malicious executables to execute code with LocalSystem privileges when services restart."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 8.5,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS"
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-15T18:34:21.181Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "name": "ExploitDB-40132",
          "tags": [
            "exploit"
          ],
          "url": "https://www.exploit-db.com/exploits/40132"
        },
        {
          "name": "Vulnerability Advisory",
          "tags": [
            "vendor-advisory"
          ],
          "url": "http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5339.php"
        },
        {
          "name": "VulnCheck Advisory: Wowza Streaming Engine 4.5.0 Local Privilege Escalation via nssm_x64.exe",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/wowza-streaming-engine-local-privilege-escalation-via-nssm-x64-exe"
        }
      ],
      "title": "Wowza Streaming Engine 4.5.0 Local Privilege Escalation via nssm_x64.exe",
      "x_generator": {
        "engine": "vulncheck"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2016-20033",
    "datePublished": "2026-03-15T18:34:21.181Z",
    "dateReserved": "2026-03-15T18:21:47.205Z",
    "dateUpdated": "2026-03-16T14:30:30.462Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2012-5571 (GCVE-0-2012-5571)

Vulnerability from cvelistv5 – Published: 2012-12-18 01:00 – Updated: 2026-04-07 06:55
VLAI
Title
Openstack keystone: openstack keystone: authorization bypass via improper ec2 token handling
Summary
A flaw was found in OpenStack Keystone. This vulnerability allows remote authenticated users to bypass intended authorization restrictions. This occurs because OpenStack Keystone does not properly handle EC2 (Elastic Compute Cloud) tokens when a user's role has been removed from a tenant. An attacker can leverage a token associated with a removed user role to gain unauthorized access.
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Date Public
2012-12-18 01:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T21:14:15.748Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/openstack/keystone/commit/8735009dc5b895db265a1cd573f39f4acfca2a19"
          },
          {
            "name": "RHSA-2012:1557",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2012-1557.html"
          },
          {
            "name": "RHSA-2012:1556",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2012-1556.html"
          },
          {
            "name": "[oss-security] 20121128 [OSSA 2012-018] EC2-style credentials invalidation issue (CVE-2012-5571)",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2012/11/28/5"
          },
          {
            "name": "USN-1641-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "http://www.ubuntu.com/usn/USN-1641-1"
          },
          {
            "name": "keystone-tenant-sec-bypass(80333)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/80333"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/openstack/keystone/commit/37308dd4f3e33f7bd0f71d83fd51734d1870713b"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugs.launchpad.net/keystone/+bug/1064914"
          },
          {
            "name": "[oss-security] 20121128 [OSSA 2012-019] Extension of token validity through token chaining (CVE-2012-5563)",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2012/11/28/6"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/openstack/keystone/commit/9d68b40cb9ea818c48152e6c712ff41586ad9653"
          },
          {
            "name": "51423",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/51423"
          },
          {
            "name": "56726",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/56726"
          },
          {
            "name": "51436",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/51436"
          },
          {
            "name": "FEDORA-2012-19341",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-December/094286.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openstack:13"
          ],
          "defaultStatus": "affected",
          "packageName": "redhat-user-workloads/openstack-keystone",
          "product": "Red Hat OpenStack Platform 13 (Queens)",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openstack:16.2"
          ],
          "defaultStatus": "affected",
          "packageName": "openstack-keystone",
          "product": "Red Hat OpenStack Platform 16.2",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openstack:16.2"
          ],
          "defaultStatus": "affected",
          "packageName": "redhat-user-workloads/openstack-keystone",
          "product": "Red Hat OpenStack Platform 16.2",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openstack:17.1"
          ],
          "defaultStatus": "affected",
          "packageName": "openstack-keystone",
          "product": "Red Hat OpenStack Platform 17.1",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openstack:17.1"
          ],
          "defaultStatus": "affected",
          "packageName": "redhat-user-workloads/openstack-keystone",
          "product": "Red Hat OpenStack Platform 17.1",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openstack:18.0"
          ],
          "defaultStatus": "affected",
          "packageName": "openstack-keystone",
          "product": "Red Hat OpenStack Platform 18.0",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openstack:18.0"
          ],
          "defaultStatus": "affected",
          "packageName": "redhat-user-workloads/openstack-keystone",
          "product": "Red Hat OpenStack Platform 18.0",
          "vendor": "Red Hat"
        }
      ],
      "datePublic": "2012-12-18T01:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in OpenStack Keystone. This vulnerability allows remote authenticated users to bypass intended authorization restrictions. This occurs because OpenStack Keystone does not properly handle EC2 (Elastic Compute Cloud) tokens when a user\u0027s role has been removed from a tenant. An attacker can leverage a token associated with a removed user role to gain unauthorized access."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Moderate"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-07T06:55:17.789Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-December/094286.html"
        },
        {
          "url": "http://rhn.redhat.com/errata/RHSA-2012-1556.html"
        },
        {
          "url": "http://rhn.redhat.com/errata/RHSA-2012-1557.html"
        },
        {
          "url": "http://secunia.com/advisories/51423"
        },
        {
          "url": "http://secunia.com/advisories/51436"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2012/11/28/5"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2012/11/28/6"
        },
        {
          "url": "http://www.securityfocus.com/bid/56726"
        },
        {
          "url": "http://www.ubuntu.com/usn/USN-1641-1"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2012-5571"
        },
        {
          "url": "https://bugs.launchpad.net/keystone/+bug/1064914"
        },
        {
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/80333"
        },
        {
          "url": "https://github.com/openstack/keystone/commit/37308dd4f3e33f7bd0f71d83fd51734d1870713b"
        },
        {
          "url": "https://github.com/openstack/keystone/commit/8735009dc5b895db265a1cd573f39f4acfca2a19"
        },
        {
          "url": "https://github.com/openstack/keystone/commit/9d68b40cb9ea818c48152e6c712ff41586ad9653"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-02T15:02:50.229Z",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2012-12-18T01:00:00.000Z",
          "value": "Made public."
        }
      ],
      "title": "Openstack keystone: openstack keystone: authorization bypass via improper ec2 token handling",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      },
      "x_redhatCweChain": "CWE-639: Authorization Bypass Through User-Controlled Key"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2012-5571",
    "datePublished": "2012-12-18T01:00:00.000Z",
    "dateReserved": "2012-10-24T00:00:00.000Z",
    "dateUpdated": "2026-04-07T06:55:17.789Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

GHSA-22CH-H6M8-G2VP

Vulnerability from github – Published: 2026-06-15 21:30 – Updated: 2026-06-15 21:30
VLAI
Details

Subscriber Insecure Direct Object References (IDOR) in KiviCare <= 4.2.1 versions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-40792"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-15T21:16:51Z",
    "severity": "MODERATE"
  },
  "details": "Subscriber Insecure Direct Object References (IDOR) in KiviCare \u003c= 4.2.1 versions.",
  "id": "GHSA-22ch-h6m8-g2vp",
  "modified": "2026-06-15T21:30:46Z",
  "published": "2026-06-15T21:30:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40792"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/kivicare-clinic-management-system/vulnerability/wordpress-kivicare-plugin-4-2-1-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-234Q-VVW3-MRFQ

Vulnerability from github – Published: 2026-03-04 20:52 – Updated: 2026-03-04 20:52
VLAI
Summary
Craft CMS has unauthenticated activation email trigger with potential user enumeration
Details

The actionSendActivationEmail() endpoint is accessible to unauthenticated users and does not require a permission check for pending users. An attacker with no prior access can trigger activation emails for any pending user account by knowing or guessing the user ID. If the attacker controls the target user’s email address, they can activate the account and gain access to the system.

The vulnerability is not that anonymous access exists - there’s a legitimate use case for it. The vulnerability is that the endpoint accepts arbitrary userId parameters without verifying ownership.

Craft CMS allows public user registration. When a user registers but doesn’t receive their activation email (spam filter, typo correction, etc.), they need a way to request a resend. This is why send-activation-email is in the allowAnonymous array - it’s intentional self-service functionality.

The Security Gap

The endpoint accepts userId as the identifier:

$userId = $this->request->getRequiredBodyParam('userId');

This allows any visitor to trigger activation emails for any pending user, not just their own registration.


Background

When administrators create new user accounts in Craft CMS, users are created in a “pending” state until they activate their account via an emailed link. The actionSendActivationEmail() function sends (or resends) this activation email.

Expected Behavior: Anonymous users should only be able to resend activation emails for their own registration.

Actual Behavior: 1. The endpoint is listed in allowAnonymous - no login required (intentional for self-service) 2. For pending users, there is NO ownership verification 3. Any unauthenticated visitor can trigger activation emails for ANY pending user by ID


Attack Scenarios

Scenario 1: Targeted Account Takeover

Prerequisites: Attacker controls target user’s email (compromised email, shared mailbox, typosquatting, etc.)

1. Admin creates a user account for victim@company.com
2. User account is in PENDING state (hasn’t activated yet)
3. Attacker has compromised victim@company.com (or it’s a typo of attacker’s domain)
4. Attacker discovers user ID (brute-force, GraphQL enumeration, or insider knowledge)
5. Attacker (unauthenticated) triggers: POST /actions/users/send-activation-email
6. Activation email sent to victim@company.com (attacker-controlled)
7. Attacker clicks activation link, sets password
8. Attacker gains access as that user with pre-assigned permissions

Scenario 2: User ID Brute-Force Enumeration

1. Attacker iterates through user IDs (1, 2, 3, ...)
2. For each ID, the attacker calls send-activation-email
3. Response reveals user state:
   - "Activation email sent." = Pending user exists
   - "User not found" = No user with this ID
   - "Activation emails can only be sent to inactive or pending users" = Active user exists
4. Attacker builds a map of all user IDs and their states
5. For any pending user whose email an attacker controls → account takeover

Scenario 3: GraphQL + Targeted Attack

Prerequisites: GraphQL public schema allows user queries

1. Attacker queries GraphQL: { users { id email status } }
2. Filters for pending users
3. Cross-references with emails attacker controls
4. Triggers activation for the target user
5. Account takeover

Scenario 4: Email Spam / Harassment

1. Attacker brute-forces all pending user IDs
2. Repeatedly triggers activation emails
3. Victims receive unwanted emails from the Craft site
4. Potential for:
   - Reputation damage to the site
   - Email deliverability issues (spam reports)
   - User confusion/phishing vector

References

https://github.com/craftcms/cms/commit/c3d02d4a7246f516933f42106c0a67ce062f68d8

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0-RC1"
            },
            {
              "fixed": "5.9.0-beta.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0-RC1"
            },
            {
              "fixed": "4.17.0-beta.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-29069"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-04T20:52:31Z",
    "nvd_published_at": "2026-03-04T17:16:22Z",
    "severity": "HIGH"
  },
  "details": "The `actionSendActivationEmail()` endpoint is accessible to unauthenticated users and does not require a permission check for pending users. An attacker with no prior access can trigger activation emails for any pending user account by knowing or guessing the user ID. If the attacker controls the target user\u2019s email address, they can activate the account and gain access to the system.\n\nThe vulnerability is not that anonymous access exists - there\u2019s a legitimate use case for it. The vulnerability is that the endpoint accepts arbitrary `userId` parameters without verifying ownership.\n\nCraft CMS allows public user registration. When a user registers but doesn\u2019t receive their activation email (spam filter, typo correction, etc.), they need a way to request a resend. This is why `send-activation-email` is in the `allowAnonymous` array - it\u2019s intentional self-service functionality.\n\n### The Security Gap\n\nThe endpoint accepts `userId` as the identifier:\n```php\n$userId = $this-\u003erequest-\u003egetRequiredBodyParam(\u0027userId\u0027);\n```\n\nThis allows any visitor to trigger activation emails for any pending user, not just their own registration.\n\n---\n\n## Background\n\nWhen administrators create new user accounts in Craft CMS, users are created in a \u201cpending\u201d state until they activate their account via an emailed link. The `actionSendActivationEmail()` function sends (or resends) this activation email.\n\n**Expected Behavior:** Anonymous users should only be able to resend activation emails for their own registration.\n\n**Actual Behavior:**\n1. The endpoint is listed in `allowAnonymous` - no login required (intentional for self-service)\n2. For pending users, there is NO ownership verification\n3. Any unauthenticated visitor can trigger activation emails for ANY pending user by ID\n\n---\n\n## Attack Scenarios\n\n### Scenario 1: Targeted Account Takeover\n\n**Prerequisites:** Attacker controls target user\u2019s email (compromised email, shared mailbox, typosquatting, etc.)\n\n```\n1. Admin creates a user account for victim@company.com\n2. User account is in PENDING state (hasn\u2019t activated yet)\n3. Attacker has compromised victim@company.com (or it\u2019s a typo of attacker\u2019s domain)\n4. Attacker discovers user ID (brute-force, GraphQL enumeration, or insider knowledge)\n5. Attacker (unauthenticated) triggers: POST /actions/users/send-activation-email\n6. Activation email sent to victim@company.com (attacker-controlled)\n7. Attacker clicks activation link, sets password\n8. Attacker gains access as that user with pre-assigned permissions\n```\n\n### Scenario 2: User ID Brute-Force Enumeration\n\n```\n1. Attacker iterates through user IDs (1, 2, 3, ...)\n2. For each ID, the attacker calls send-activation-email\n3. Response reveals user state:\n   - \"Activation email sent.\" = Pending user exists\n   - \"User not found\" = No user with this ID\n   - \"Activation emails can only be sent to inactive or pending users\" = Active user exists\n4. Attacker builds a map of all user IDs and their states\n5. For any pending user whose email an attacker controls \u2192 account takeover\n```\n\n### Scenario 3: GraphQL + Targeted Attack\n\n**Prerequisites:** GraphQL public schema allows user queries\n\n```\n1. Attacker queries GraphQL: { users { id email status } }\n2. Filters for pending users\n3. Cross-references with emails attacker controls\n4. Triggers activation for the target user\n5. Account takeover\n```\n\n### Scenario 4: Email Spam / Harassment\n\n```\n1. Attacker brute-forces all pending user IDs\n2. Repeatedly triggers activation emails\n3. Victims receive unwanted emails from the Craft site\n4. Potential for:\n   - Reputation damage to the site\n   - Email deliverability issues (spam reports)\n   - User confusion/phishing vector\n```\n\n---\n\n## References\n\nhttps://github.com/craftcms/cms/commit/c3d02d4a7246f516933f42106c0a67ce062f68d8",
  "id": "GHSA-234q-vvw3-mrfq",
  "modified": "2026-03-04T20:52:32Z",
  "published": "2026-03-04T20:52:31Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/security/advisories/GHSA-234q-vvw3-mrfq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29069"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/commit/c3d02d4a7246f516933f42106c0a67ce062f68d8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/craftcms/cms"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Craft CMS has unauthenticated activation email trigger with potential user enumeration"
}

GHSA-2397-FJXQ-4XVJ

Vulnerability from github – Published: 2025-08-04 21:30 – Updated: 2025-08-15 21:31
VLAI
Details

An Insecure Direct Object Reference (IDOR) vulnerability was discovered in SOGo Webmail thru 5.6.0, allowing an authenticated user to send emails on behalf of other users by manipulating a user-controlled identifier in the email-sending request. The server fails to verify whether the authenticated user is authorized to use the specified sender identity, resulting in unauthorized message delivery as another user. This can lead to impersonation, phishing, or unauthorized communication within the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-50340"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-04T20:15:30Z",
    "severity": "MODERATE"
  },
  "details": "An Insecure Direct Object Reference (IDOR) vulnerability was discovered in SOGo Webmail thru 5.6.0, allowing an authenticated user to send emails on behalf of other users by manipulating a user-controlled identifier in the email-sending request. The server fails to verify whether the authenticated user is authorized to use the specified sender identity, resulting in unauthorized message delivery as another user. This can lead to impersonation, phishing, or unauthorized communication within the system.",
  "id": "GHSA-2397-fjxq-4xvj",
  "modified": "2025-08-15T21:31:17Z",
  "published": "2025-08-04T21:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-50340"
    },
    {
      "type": "WEB",
      "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110604"
    },
    {
      "type": "WEB",
      "url": "https://github.com/millad7/SOGo_web_mail-vulnerability-CVE-2025-50340"
    },
    {
      "type": "WEB",
      "url": "https://www.mail-archive.com/users%40sogo.nu/msg34098.html"
    },
    {
      "type": "WEB",
      "url": "https://www.sogo.nu"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.