CWE-287
DiscouragedImproper Authentication
Abstraction: Class · Status: Draft
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
5972 vulnerabilities reference this CWE, most recent first.
GHSA-3R74-6X6G-CP8V
Vulnerability from github – Published: 2022-05-13 01:50 – Updated: 2022-05-13 01:50An issue was discovered in CapMon Access Manager 5.4.1.1005. A regular user can obtain local administrator privileges if they run any whitelisted application through the Custom App Launcher.
{
"affected": [],
"aliases": [
"CVE-2018-18256"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-03-15T15:29:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in CapMon Access Manager 5.4.1.1005. A regular user can obtain local administrator privileges if they run any whitelisted application through the Custom App Launcher.",
"id": "GHSA-3r74-6x6g-cp8v",
"modified": "2022-05-13T01:50:38Z",
"published": "2022-05-13T01:50:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-18256"
},
{
"type": "WEB",
"url": "https://improsec.com/tech-blog/cam1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3R7G-WRPR-J5G4
Vulnerability from github – Published: 2022-04-22 20:48 – Updated: 2024-09-16 21:50Impact
django-mfa3 is a library that implements multi factor authentication for the django web framework. It achieves this by modifying the regular login view. Django however has a second login view for its admin area. This second login view was not modified, so the multi factor authentication can be bypassed.
You are affected if you have activated both django-mfa3 (< 0.5.0) and django.contrib.admin and have not taken any other measures to prevent users from accessing the admin login view.
Patches
The issue has been fixed in django-mfa3 0.5.0.
Workarounds
It is possible to work around the issue by overwriting the admin login route, e.g. by adding the following URL definition before the admin routes:
url('admin/login/', lambda request: redirect(settings.LOGIN_URL)
References
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "django-mfa3"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.5.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-24857"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": true,
"github_reviewed_at": "2022-04-22T20:48:28Z",
"nvd_published_at": "2022-04-15T19:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\n\ndjango-mfa3 is a library that implements multi factor authentication for the django web framework. It achieves this by modifying the regular login view. Django however has a second login view for its admin area. This second login view was not modified, so the multi factor authentication can be bypassed.\n\nYou are affected if you have activated both django-mfa3 (\u003c 0.5.0) and django.contrib.admin and have not taken any other measures to prevent users from accessing the admin login view.\n\n### Patches\n\nThe issue has been fixed in django-mfa3 0.5.0.\n\n### Workarounds\n\nIt is possible to work around the issue by overwriting the admin login route, e.g. by adding the following URL definition *before* the admin routes:\n\n url(\u0027admin/login/\u0027, lambda request: redirect(settings.LOGIN_URL)\n\n### References\n\n- [django-mfa3 changelog](https://github.com/xi/django-mfa3/blob/main/CHANGES.md#050-2022-04-15)\n",
"id": "GHSA-3r7g-wrpr-j5g4",
"modified": "2024-09-16T21:50:13Z",
"published": "2022-04-22T20:48:28Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/xi/django-mfa3/security/advisories/GHSA-3r7g-wrpr-j5g4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24857"
},
{
"type": "WEB",
"url": "https://github.com/xi/django-mfa3/commit/32f656e22df120b84bdf010e014bb19bd97971de"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-mfa3/PYSEC-2022-192.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/xi/django-mfa3"
},
{
"type": "WEB",
"url": "https://github.com/xi/django-mfa3/blob/main/CHANGES.md#050-2022-04-15"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20220609-0003"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Improper Authentication in django-mfa3"
}
GHSA-3R7G-XHPJ-J87W
Vulnerability from github – Published: 2022-05-24 17:36 – Updated: 2022-05-24 17:36The Magic Home Pro application 1.5.1 for Android allows Authentication Bypass. The security control that the application currently has in place is a simple Username and Password authentication function. Using enumeration, an attacker is able to forge a User specific token without the need for correct password to gain access to the mobile application as that victim user.
{
"affected": [],
"aliases": [
"CVE-2020-27199"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-12-17T05:15:00Z",
"severity": "HIGH"
},
"details": "The Magic Home Pro application 1.5.1 for Android allows Authentication Bypass. The security control that the application currently has in place is a simple Username and Password authentication function. Using enumeration, an attacker is able to forge a User specific token without the need for correct password to gain access to the mobile application as that victim user.",
"id": "GHSA-3r7g-xhpj-j87w",
"modified": "2022-05-24T17:36:45Z",
"published": "2022-05-24T17:36:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27199"
},
{
"type": "WEB",
"url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/magic-home-pro-mobile-application-authentication-bypass-cve-2020-27199"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-3RFX-7JFH-F684
Vulnerability from github – Published: 2023-09-15 15:30 – Updated: 2023-09-15 15:30A vulnerability classified as critical has been found in Supcon InPlant SCADA up to 20230901. Affected is an unknown function of the file Project.xml. The manipulation leads to improper authentication. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-239796. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2023-4985"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-15T15:15:07Z",
"severity": "MODERATE"
},
"details": "A vulnerability classified as critical has been found in Supcon InPlant SCADA up to 20230901. Affected is an unknown function of the file Project.xml. The manipulation leads to improper authentication. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-239796. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-3rfx-7jfh-f684",
"modified": "2023-09-15T15:30:16Z",
"published": "2023-09-15T15:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4985"
},
{
"type": "WEB",
"url": "https://drive.google.com/file/d/1V_O95QddCGdZzYGgx7tkMOYQ5i_alv69/view?usp=drive_link"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.239796"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.239796"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-3RG7-4F6M-6X73
Vulnerability from github – Published: 2022-04-30 18:18 – Updated: 2022-04-30 18:18SSH protocol 2 (aka SSH-2) public key authentication in the development snapshot of OpenSSH 2.3.1, available from 2001-01-18 through 2001-02-08, does not perform a challenge-response step to ensure that the client has the proper private key, which allows remote attackers to bypass authentication as other users by supplying a public key from that user's authorized_keys file.
{
"affected": [],
"aliases": [
"CVE-2001-1585"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2001-12-31T05:00:00Z",
"severity": "MODERATE"
},
"details": "SSH protocol 2 (aka SSH-2) public key authentication in the development snapshot of OpenSSH 2.3.1, available from 2001-01-18 through 2001-02-08, does not perform a challenge-response step to ensure that the client has the proper private key, which allows remote attackers to bypass authentication as other users by supplying a public key from that user\u0027s authorized_keys file.",
"id": "GHSA-3rg7-4f6m-6x73",
"modified": "2022-04-30T18:18:19Z",
"published": "2022-04-30T18:18:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2001-1585"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/6084"
},
{
"type": "WEB",
"url": "http://archives.neohapsis.com/archives/bugtraq/2001-02/0159.html"
},
{
"type": "WEB",
"url": "http://online.securityfocus.com/bid/2356"
},
{
"type": "WEB",
"url": "http://www.openbsd.org/advisories/ssh_bypass.txt"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-3RG8-47Q7-QH6R
Vulnerability from github – Published: 2026-01-05 06:30 – Updated: 2026-01-05 06:30A vulnerability was determined in bg5sbk MiniCMS up to 1.8. This affects an unknown function of the file /mc-admin/post-edit.php of the component Article Handler. Executing a manipulation can lead to improper authentication. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-15458"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-05T05:15:55Z",
"severity": "MODERATE"
},
"details": "A vulnerability was determined in bg5sbk MiniCMS up to 1.8. This affects an unknown function of the file /mc-admin/post-edit.php of the component Article Handler. Executing a manipulation can lead to improper authentication. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-3rg8-47q7-qh6r",
"modified": "2026-01-05T06:30:28Z",
"published": "2026-01-05T06:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15458"
},
{
"type": "WEB",
"url": "https://github.com/ueh1013/VULN/issues/9"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.339491"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.339491"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.725142"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-3RH2-V3GR-35P9
Vulnerability from github – Published: 2026-03-27 22:26 – Updated: 2026-04-08 11:55Impact
What kind of vulnerability is it? Who is impacted?
A flaw in extractMetadataFromMime() allows any authenticated user with s3:PutObject permission to inject internal server-side encryption metadata into objects by sending crafted X-Minio-Replication-* headers on a normal PutObject request. The server unconditionally maps these headers to X-Minio-Internal-* encryption metadata without verifying that the request is a legitimate replication request. Objects written this way carry bogus encryption keys and become permanently unreadable through the S3 API.
Any authenticated user or service with s3:PutObject permission on any bucket can make objects permanently unreadable by injecting fake SSE encryption metadata. The attacker sends a standard PutObject request with X-Minio-Replication-Server-Side-Encryption-* headers but without the X-Minio-Source-Replication-Request header that marks legitimate replication traffic. The server maps these headers to internal encryption metadata (X-Minio-Internal-Server-Side-Encryption-Sealed-Key, etc.), causing all subsequent GetObject and HeadObject calls to treat the object as encrypted with keys that do not exist.
This is a targeted denial-of-service vulnerability. An attacker can selectively corrupt individual objects or entire buckets. The ReplicateObjectAction IAM permission is never checked because the request is a normal PutObject, not a replication request.
Affected component: cmd/handler-utils.go, function extractMetadataFromMime().
Affected Versions
All MinIO releases through the final release of the minio/minio open-source project.
The vulnerability was introduced in commit 468a9fae83e965ecefa1c1fdc2fc57b84ece95b0 ("Enable replication of SSE-C objects", PR #19107, 2024-03-28). The first affected release is RELEASE.2024-03-30T09-41-56Z.
Patches
Fixed in: MinIO AIStor RELEASE.2026-03-26T21-24-40Z
Binary Downloads
| Platform | Architecture | Download |
|---|---|---|
| Linux | amd64 | minio |
| Linux | arm64 | minio |
| macOS | arm64 | minio |
| macOS | amd64 | minio |
| Windows | amd64 | minio.exe |
FIPS Binaries
| Platform | Architecture | Download |
|---|---|---|
| Linux | amd64 | minio.fips |
| Linux | arm64 | minio.fips |
Package Downloads
| Format | Architecture | Download |
|---|---|---|
| DEB | amd64 | minio_20260326212440.0.0_amd64.deb |
| DEB | arm64 | minio_20260326212440.0.0_arm64.deb |
| RPM | amd64 | minio-20260326212440.0.0-1.x86_64.rpm |
| RPM | arm64 | minio-20260326212440.0.0-1.aarch64.rpm |
Container Images
# Standard
docker pull quay.io/minio/aistor/minio:RELEASE.2026-03-26T21-24-40Z
podman pull quay.io/minio/aistor/minio:RELEASE.2026-03-26T21-24-40Z
# FIPS
docker pull quay.io/minio/aistor/minio:RELEASE.2026-03-26T21-24-40Z.fips
podman pull quay.io/minio/aistor/minio:RELEASE.2026-03-26T21-24-40Z.fips
Homebrew (macOS)
brew install minio/aistor/minio
Workarounds
If upgrading is not immediately possible:
-
Restrict replication headers at a reverse proxy / load balancer. Drop or reject any request containing
X-Minio-Replication-Server-Side-Encryption-*headers that does not also carryX-Minio-Source-Replication-Request. This blocks the injection path without modifying the server. -
Audit IAM policies. Limit
s3:PutObjectgrants to trusted principals. While this reduces the attack surface, it does not eliminate the vulnerability since any authorized user can exploit it.
References
- Introducing commit:
468a9fae8(PR #19107) - MinIO AIStor
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/minio/minio"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0-20240328174456-468a9fae83e9"
},
{
"last_affected": "0.0.0-20260212201848-7aac2a2c5b7c"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-34204"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-27T22:26:05Z",
"nvd_published_at": "2026-03-31T20:16:28Z",
"severity": "HIGH"
},
"details": "## Impact\n\n_What kind of vulnerability is it? Who is impacted?_\n\nA flaw in `extractMetadataFromMime()` allows any authenticated user with `s3:PutObject` permission to inject internal server-side encryption metadata into objects by sending crafted `X-Minio-Replication-*` headers on a normal PutObject request. The server unconditionally maps these headers to `X-Minio-Internal-*` encryption metadata without verifying that the request is a legitimate replication request. Objects written this way carry bogus encryption keys and become **permanently unreadable** through the S3 API.\n\nAny authenticated user or service with `s3:PutObject` permission on any bucket can make objects permanently unreadable by injecting fake SSE encryption metadata. The attacker sends a standard PutObject request with `X-Minio-Replication-Server-Side-Encryption-*` headers but **without** the `X-Minio-Source-Replication-Request` header that marks legitimate replication traffic. The server maps these headers to internal encryption metadata (`X-Minio-Internal-Server-Side-Encryption-Sealed-Key`, etc.), causing all subsequent GetObject and HeadObject calls to treat the object as encrypted with keys that do not exist.\n\nThis is a targeted denial-of-service vulnerability. An attacker can selectively corrupt individual objects or entire buckets. The `ReplicateObjectAction` IAM permission is never checked because the request is a normal PutObject, not a replication request.\n\n**Affected component:** `cmd/handler-utils.go`, function `extractMetadataFromMime()`.\n\n## Affected Versions\n\nAll MinIO releases through the final release of the minio/minio open-source project.\n\nThe vulnerability was introduced in commit `468a9fae83e965ecefa1c1fdc2fc57b84ece95b0` (\"Enable replication of SSE-C objects\", [PR #19107](https://github.com/minio/minio/pull/19107), 2024-03-28). The first affected release is `RELEASE.2024-03-30T09-41-56Z`.\n\n## Patches\n\n**Fixed in**: MinIO AIStor RELEASE.2026-03-26T21-24-40Z\n\n### Binary Downloads\n\n| Platform | Architecture | Download |\n| -------- | ------------ | -------- |\n| Linux | amd64 | [minio](https://dl.min.io/aistor/minio/release/linux-amd64/minio) |\n| Linux | arm64 | [minio](https://dl.min.io/aistor/minio/release/linux-arm64/minio) |\n| macOS | arm64 | [minio](https://dl.min.io/aistor/minio/release/darwin-arm64/minio) |\n| macOS | amd64 | [minio](https://dl.min.io/aistor/minio/release/darwin-amd64/minio) |\n| Windows | amd64 | [minio.exe](https://dl.min.io/aistor/minio/release/windows-amd64/minio.exe) |\n\n### FIPS Binaries\n\n| Platform | Architecture | Download |\n| -------- | ------------ | -------- |\n| Linux | amd64 | [minio.fips](https://dl.min.io/aistor/minio/release/linux-amd64/minio.fips) |\n| Linux | arm64 | [minio.fips](https://dl.min.io/aistor/minio/release/linux-arm64/minio.fips) |\n\n### Package Downloads\n\n| Format | Architecture | Download |\n| ------ | ------------ | -------- |\n| DEB | amd64 | [minio_20260326212440.0.0_amd64.deb](https://dl.min.io/aistor/minio/release/linux-amd64/minio_20260326212440.0.0_amd64.deb) |\n| DEB | arm64 | [minio_20260326212440.0.0_arm64.deb](https://dl.min.io/aistor/minio/release/linux-arm64/minio_20260326212440.0.0_arm64.deb) |\n| RPM | amd64 | [minio-20260326212440.0.0-1.x86_64.rpm](https://dl.min.io/aistor/minio/release/linux-amd64/minio-20260326212440.0.0-1.x86_64.rpm) |\n| RPM | arm64 | [minio-20260326212440.0.0-1.aarch64.rpm](https://dl.min.io/aistor/minio/release/linux-arm64/minio-20260326212440.0.0-1.aarch64.rpm) |\n\n### Container Images\n\n```bash\n# Standard\ndocker pull quay.io/minio/aistor/minio:RELEASE.2026-03-26T21-24-40Z\npodman pull quay.io/minio/aistor/minio:RELEASE.2026-03-26T21-24-40Z\n\n# FIPS\ndocker pull quay.io/minio/aistor/minio:RELEASE.2026-03-26T21-24-40Z.fips\npodman pull quay.io/minio/aistor/minio:RELEASE.2026-03-26T21-24-40Z.fips\n```\n\n### Homebrew (macOS)\n\n```bash\nbrew install minio/aistor/minio\n```\n\n## Workarounds\n\n[Users of the open-source `minio/minio` project should upgrade to MinIO AIStor `RELEASE.2026-03-26T21-24-40Z` or later.](https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-server/community-edition/)\n\nIf upgrading is not immediately possible:\n\n- **Restrict replication headers at a reverse proxy / load balancer.** Drop or reject any request containing `X-Minio-Replication-Server-Side-Encryption-*` headers that does not also carry `X-Minio-Source-Replication-Request`. This blocks the injection path without modifying the server.\n\n- **Audit IAM policies.** Limit `s3:PutObject` grants to trusted principals. While this reduces the attack surface, it does not eliminate the vulnerability since any authorized user can exploit it.\n\n## References\n\n- Introducing commit: [`468a9fae8`](https://github.com/minio/minio/commit/468a9fae83e965ecefa1c1fdc2fc57b84ece95b0) ([PR #19107](https://github.com/minio/minio/pull/19107))\n- [MinIO AIStor](https://min.io/aistor)",
"id": "GHSA-3rh2-v3gr-35p9",
"modified": "2026-04-08T11:55:44Z",
"published": "2026-03-27T22:26:05Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/minio/minio/security/advisories/GHSA-3rh2-v3gr-35p9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34204"
},
{
"type": "WEB",
"url": "https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-server/community-edition"
},
{
"type": "PACKAGE",
"url": "https://github.com/minio/minio"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "MinIO is Vulnerable to SSE Metadata Injection via Replication Headers"
}
GHSA-3RMW-76M6-4GJC
Vulnerability from github – Published: 2024-10-25 19:30 – Updated: 2024-10-25 19:30Impact
Zitadel allows administrators to disable the user self-registration. Due to a missing security check in versions prior to 2.63.4, disabling the "User Registration allowed" option only hid the registration button on the login page. Users could bypass this restriction by directly accessing the registration URL (/ui/login/loginname) and register a user that way.
Patches
2.x versions are fixed on >= 2.64.0 2.63.x versions are fixed on >= 2.63.5 2.62.x versions are fixed on >= 2.62.7 2.61.x versions are fixed on >= 2.61.4 2.60.x versions are fixed on >= 2.60.4 2.59.x versions are fixed on >= 2.59.5 2.58.x versions are fixed on >= 2.58.7
Workarounds
Updating to the patched version is the recommended solution.
Questions
If you have any questions or comments about this advisory, please email us at security@zitadel.com
Credits
Thanks to @sevensolutions and @evilgensec for disclosing this!
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/zitadel/zitadel"
},
"ranges": [
{
"events": [
{
"introduced": "2.63.0"
},
{
"fixed": "2.63.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/zitadel/zitadel"
},
"ranges": [
{
"events": [
{
"introduced": "2.62.0"
},
{
"fixed": "2.62.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/zitadel/zitadel"
},
"ranges": [
{
"events": [
{
"introduced": "2.61.0"
},
{
"fixed": "2.61.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/zitadel/zitadel"
},
"ranges": [
{
"events": [
{
"introduced": "2.60.0"
},
{
"fixed": "2.60.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/zitadel/zitadel"
},
"ranges": [
{
"events": [
{
"introduced": "2.59.0"
},
{
"fixed": "2.59.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/zitadel/zitadel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.58.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-49757"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": true,
"github_reviewed_at": "2024-10-25T19:30:14Z",
"nvd_published_at": "2024-10-25T15:15:18Z",
"severity": "HIGH"
},
"details": "### Impact\nZitadel allows administrators to disable the user self-registration. Due to a missing security check in versions prior to 2.63.4, disabling the \"User Registration allowed\" option only hid the registration button on the login page. Users could bypass this restriction by directly accessing the registration URL (/ui/login/loginname) and register a user that way.\n\n### Patches\n\n2.x versions are fixed on \u003e= [2.64.0](https://github.com/zitadel/zitadel/releases/tag/v2.64.0)\n2.63.x versions are fixed on \u003e= [2.63.5](https://github.com/zitadel/zitadel/releases/tag/v2.63.5)\n2.62.x versions are fixed on \u003e= [2.62.7](https://github.com/zitadel/zitadel/releases/tag/v2.62.7)\n2.61.x versions are fixed on \u003e= [2.61.4](https://github.com/zitadel/zitadel/releases/tag/v2.61.4)\n2.60.x versions are fixed on \u003e= [2.60.4](https://github.com/zitadel/zitadel/releases/tag/v2.60.4)\n2.59.x versions are fixed on \u003e= [2.59.5](https://github.com/zitadel/zitadel/releases/tag/v2.59.5)\n2.58.x versions are fixed on \u003e= [2.58.7](https://github.com/zitadel/zitadel/releases/tag/v2.58.7)\n\n### Workarounds\nUpdating to the patched version is the recommended solution.\n\n### Questions\nIf you have any questions or comments about this advisory, please email us at [security@zitadel.com](mailto:security@zitadel.com)\n\n### Credits\nThanks to @sevensolutions and @evilgensec for disclosing this!\n",
"id": "GHSA-3rmw-76m6-4gjc",
"modified": "2024-10-25T19:30:14Z",
"published": "2024-10-25T19:30:14Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-3rmw-76m6-4gjc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49757"
},
{
"type": "PACKAGE",
"url": "https://github.com/zitadel/zitadel"
},
{
"type": "WEB",
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.58.7"
},
{
"type": "WEB",
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.59.5"
},
{
"type": "WEB",
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.60.4"
},
{
"type": "WEB",
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.61.4"
},
{
"type": "WEB",
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.62.7"
},
{
"type": "WEB",
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.63.5"
},
{
"type": "WEB",
"url": "https://github.com/zitadel/zitadel/releases/tag/v2.64.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "User Registration Bypass in Zitadel"
}
GHSA-3RV4-77XR-W6JX
Vulnerability from github – Published: 2023-10-27 21:30 – Updated: 2023-11-07 21:30A vulnerability has been identified in the MR2600 router v1.0.18 and earlier that could allow an attacker within range of the wireless network to successfully brute force the WPS pin, potentially allowing them unauthorized access to a wireless network.
{
"affected": [],
"aliases": [
"CVE-2022-3681"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-27T20:15:08Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been identified in the MR2600 router v1.0.18 and earlier that could allow an attacker within range of the wireless network to successfully brute force the WPS pin, potentially allowing them unauthorized access to a wireless network.\n ",
"id": "GHSA-3rv4-77xr-w6jx",
"modified": "2023-11-07T21:30:23Z",
"published": "2023-10-27T21:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3681"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20230317174952/https://help.motorolanetwork.com/hc/en-us/articles/9933302506523"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3RWG-QF5G-XVJV
Vulnerability from github – Published: 2021-12-27 00:01 – Updated: 2022-07-13 00:01Certain NETGEAR devices are affected by authentication bypass. This affects CBR750 before 4.6.3.6, RBK752 before 3.2.17.12, RBR750 before 3.2.17.12, RBS750 before 3.2.17.12, RBK852 before 3.2.17.12, RBR850 before 3.2.17.12, and RBS850 before 3.2.17.12.
{
"affected": [],
"aliases": [
"CVE-2021-45506"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-26T01:15:00Z",
"severity": "HIGH"
},
"details": "Certain NETGEAR devices are affected by authentication bypass. This affects CBR750 before 4.6.3.6, RBK752 before 3.2.17.12, RBR750 before 3.2.17.12, RBS750 before 3.2.17.12, RBK852 before 3.2.17.12, RBR850 before 3.2.17.12, and RBS850 before 3.2.17.12.",
"id": "GHSA-3rwg-qf5g-xvjv",
"modified": "2022-07-13T00:01:50Z",
"published": "2021-12-27T00:01:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45506"
},
{
"type": "WEB",
"url": "https://kb.netgear.com/000064130/Security-Advisory-for-Authentication-Bypass-on-Some-WiFi-Systems-PSV-2020-0483"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Libraries or Frameworks
Use an authentication framework or library such as the OWASP ESAPI Authentication feature.
CAPEC-114: Authentication Abuse
An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker.
CAPEC-115: Authentication Bypass
An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place.
CAPEC-151: Identity Spoofing
Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principle or use stolen / spoofed authentication credentials.
CAPEC-194: Fake the Source of Data
An adversary takes advantage of improper authentication to provide data or services under a falsified identity. The purpose of using the falsified identity may be to prevent traceability of the provided data or to assume the rights granted to another individual. One of the simplest forms of this attack would be the creation of an email message with a modified "From" field in order to appear that the message was sent from someone other than the actual sender. The root of the attack (in this case the email system) fails to properly authenticate the source and this results in the reader incorrectly performing the instructed action. Results of the attack vary depending on the details of the attack, but common results include privilege escalation, obfuscation of other attacks, and data corruption/manipulation.
CAPEC-22: Exploiting Trust in Client
An attack of this type exploits vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by communicating directly with the server where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
CAPEC-57: Utilizing REST's Trust in the System Resource to Obtain Sensitive Data
This attack utilizes a REST(REpresentational State Transfer)-style applications' trust in the system resources and environment to obtain sensitive data once SSL is terminated.
CAPEC-593: Session Hijacking
This type of attack involves an adversary that exploits weaknesses in an application's use of sessions in performing authentication. The adversary is able to steal or manipulate an active session and use it to gain unathorized access to the application.
CAPEC-633: Token Impersonation
An adversary exploits a weakness in authentication to create an access token (or equivalent) that impersonates a different entity, and then associates a process/thread to that that impersonated token. This action causes a downstream user to make a decision or take action that is based on the assumed identity, and not the response that blocks the adversary.
CAPEC-650: Upload a Web Shell to a Web Server
By exploiting insufficient permissions, it is possible to upload a web shell to a web server in such a way that it can be executed remotely. This shell can have various capabilities, thereby acting as a "gateway" to the underlying web server. The shell might execute at the higher permission level of the web server, providing the ability the execute malicious code at elevated levels.
CAPEC-94: Adversary in the Middle (AiTM)
An adversary targets the communication between two components (typically client and server), in order to alter or obtain data from transactions. A general approach entails the adversary placing themself within the communication channel between the two components.