CWE-287
DiscouragedImproper Authentication
Abstraction: Class · Status: Draft
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
5966 vulnerabilities reference this CWE, most recent first.
GHSA-4RFM-63GF-WXJ6
Vulnerability from github – Published: 2026-04-19 21:31 – Updated: 2026-04-19 21:31A vulnerability was identified in liangliangyy DjangoBlog up to 2.1.0.0. The impacted element is an unknown function of the file owntracks/views.py of the component logtracks Endpoint. The manipulation leads to missing authentication. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2026-6577"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-19T20:16:28Z",
"severity": "MODERATE"
},
"details": "A vulnerability was identified in liangliangyy DjangoBlog up to 2.1.0.0. The impacted element is an unknown function of the file owntracks/views.py of the component logtracks Endpoint. The manipulation leads to missing authentication. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-4rfm-63gf-wxj6",
"modified": "2026-04-19T21:31:28Z",
"published": "2026-04-19T21:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6577"
},
{
"type": "WEB",
"url": "https://github.com/3em0/cve_repo/blob/main/DjangoBlog/Vuln-2-Unauthenticated-GPS-Data-Injection.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/submit/790282"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/358212"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/358212/cti"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-4RFM-M8CV-G888
Vulnerability from github – Published: 2022-05-02 03:31 – Updated: 2022-05-02 03:31The Servlet Engine/Web Container component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.25 and 7.0 before 7.0.0.5, when SPNEGO Single Sign-on (SSO) and disableSecurityPreInvokeOnFilters are configured, allows remote attackers to bypass authentication via a request for a "secure URL," related to a certain invokefilterscompatibility property.
{
"affected": [],
"aliases": [
"CVE-2009-2088"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2009-08-13T18:30:00Z",
"severity": "HIGH"
},
"details": "The Servlet Engine/Web Container component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.25 and 7.0 before 7.0.0.5, when SPNEGO Single Sign-on (SSO) and disableSecurityPreInvokeOnFilters are configured, allows remote attackers to bypass authentication via a request for a \"secure URL,\" related to a certain invokefilterscompatibility property.",
"id": "GHSA-4rfm-m8cv-g888",
"modified": "2022-05-02T03:31:38Z",
"published": "2022-05-02T03:31:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2009-2088"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/52079"
},
{
"type": "WEB",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg24022479"
},
{
"type": "WEB",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg27007951"
},
{
"type": "WEB",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg27014463"
},
{
"type": "WEB",
"url": "http://www-1.ibm.com/support/docview.wss?uid=swg1PK77465"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-4RH6-83QM-CFMJ
Vulnerability from github – Published: 2024-07-02 21:32 – Updated: 2024-07-02 21:32In versions of Akana in versions prior to and including 2022.1.3 validation is broken when using the SAML Single Sign-On (SSO) functionality.
{
"affected": [],
"aliases": [
"CVE-2024-3826"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-02T16:15:05Z",
"severity": "HIGH"
},
"details": "In versions of Akana in versions prior to and including 2022.1.3 validation is broken when using the SAML Single Sign-On (SSO) functionality.",
"id": "GHSA-4rh6-83qm-cfmj",
"modified": "2024-07-02T21:32:15Z",
"published": "2024-07-02T21:32:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3826"
},
{
"type": "WEB",
"url": "https://portal.perforce.com/s/detail/a91PA000001SUAfYAO"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-4RJ2-GPMH-QQ5X
Vulnerability from github – Published: 2026-02-17 21:36 – Updated: 2026-03-10 22:21Summary
An authentication bypass in the optional voice-call extension/plugin allowed unapproved or anonymous callers to reach the voice-call agent when inbound policy was set to allowlist or pairing.
Deployments that do not install/enable the voice-call extension are not affected.
Affected Packages / Versions
openclaw(npm):<= 2026.2.1- Fixed in:
>= 2026.2.2
Details
In affected versions (for example 2026.2.1), the inbound allowlist check in extensions/voice-call/src/manager.ts used suffix-based matching and accepted empty caller IDs after normalization.
This allowed two bypasses:
- Missing/empty
fromvalues normalized to an empty string, which caused the allowlist predicate to evaluate as allowed. - Suffix-based matching meant any caller number whose digits ended with an allowlisted number would be accepted.
Proof Of Concept
- Configure the voice-call extension with
inboundPolicy: allowlistandallowFrom: ["+15550001234"]. - Place/trigger an inbound call with missing/empty caller ID (provider-dependent; for example anonymous/restricted caller). The call is accepted.
- Place a call from a number whose E.164 digits end with
15550001234(for example+99915550001234). The call is accepted.
Impact
Only operators who install/enable the optional voice-call extension and use inboundPolicy=allowlist or pairing could have inbound access controls bypassed, potentially allowing unauthorized callers to reach auto-response and tool execution.
Fix
The fix hardens inbound policy handling:
- Reject inbound calls when caller ID is missing.
- Require strict equality when comparing normalized caller IDs against the allowlist (no suffix/prefix matching).
- Add regression tests for missing caller ID, anonymous caller ID, and suffix-collision cases.
Fix commit(s):
f8dfd034f5d9235c5485f492a9e4ccc114e97fdb
Thanks @simecek for reporting.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-28446"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-17T21:36:34Z",
"nvd_published_at": "2026-03-05T22:16:16Z",
"severity": "CRITICAL"
},
"details": "### Summary\n\nAn authentication bypass in the optional `voice-call` extension/plugin allowed unapproved or anonymous callers to reach the voice-call agent when inbound policy was set to `allowlist` or `pairing`.\n\nDeployments that do not install/enable the `voice-call` extension are not affected.\n\n### Affected Packages / Versions\n\n- `openclaw` (npm): `\u003c= 2026.2.1`\n- Fixed in: `\u003e= 2026.2.2`\n\n### Details\n\nIn affected versions (for example `2026.2.1`), the inbound allowlist check in `extensions/voice-call/src/manager.ts` used suffix-based matching and accepted empty caller IDs after normalization.\n\nThis allowed two bypasses:\n\n1. Missing/empty `from` values normalized to an empty string, which caused the allowlist predicate to evaluate as allowed.\n2. Suffix-based matching meant any caller number whose digits ended with an allowlisted number would be accepted.\n\n### Proof Of Concept\n\n1. Configure the voice-call extension with `inboundPolicy: allowlist` and `allowFrom: [\"+15550001234\"]`.\n2. Place/trigger an inbound call with missing/empty caller ID (provider-dependent; for example anonymous/restricted caller). The call is accepted.\n3. Place a call from a number whose E.164 digits end with `15550001234` (for example `+99915550001234`). The call is accepted.\n\n### Impact\n\nOnly operators who install/enable the optional `voice-call` extension and use `inboundPolicy=allowlist` or `pairing` could have inbound access controls bypassed, potentially allowing unauthorized callers to reach auto-response and tool execution.\n\n### Fix\n\nThe fix hardens inbound policy handling:\n\n- Reject inbound calls when caller ID is missing.\n- Require strict equality when comparing normalized caller IDs against the allowlist (no suffix/prefix matching).\n- Add regression tests for missing caller ID, anonymous caller ID, and suffix-collision cases.\n\nFix commit(s):\n\n- `f8dfd034f5d9235c5485f492a9e4ccc114e97fdb`\n\nThanks @simecek for reporting.",
"id": "GHSA-4rj2-gpmh-qq5x",
"modified": "2026-03-10T22:21:59Z",
"published": "2026-02-17T21:36:34Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-4rj2-gpmh-qq5x"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28446"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/f8dfd034f5d9235c5485f492a9e4ccc114e97fdb"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.2"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-inbound-allowlist-policy-bypass-in-voice-call-extension-via-empty-caller-id"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw has an inbound allowlist policy bypass in voice-call extension (empty caller ID + suffix matching)"
}
GHSA-4RJ2-HHFH-P3J7
Vulnerability from github – Published: 2022-05-01 23:50 – Updated: 2024-02-14 18:30The web management console in Trend Micro OfficeScan 7.0 through 8.0, Worry-Free Business Security 5.0, and Client/Server/Messaging Suite 3.5 and 3.6 creates a random session token based only on the login time, which makes it easier for remote attackers to hijack sessions via brute-force attacks. NOTE: this can be leveraged for code execution through an unspecified "manipulation of the configuration."
{
"affected": [],
"aliases": [
"CVE-2008-2433"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-330"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-08-27T20:41:00Z",
"severity": "HIGH"
},
"details": "The web management console in Trend Micro OfficeScan 7.0 through 8.0, Worry-Free Business Security 5.0, and Client/Server/Messaging Suite 3.5 and 3.6 creates a random session token based only on the login time, which makes it easier for remote attackers to hijack sessions via brute-force attacks. NOTE: this can be leveraged for code execution through an unspecified \"manipulation of the configuration.\"",
"id": "GHSA-4rj2-hhfh-p3j7",
"modified": "2024-02-14T18:30:23Z",
"published": "2022-05-01T23:50:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-2433"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44597"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/31373"
},
{
"type": "WEB",
"url": "http://secunia.com/secunia_research/2008-31/advisory"
},
{
"type": "WEB",
"url": "http://securityreason.com/securityalert/4191"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/495670/100/0/threaded"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/30792"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id?1020732"
},
{
"type": "WEB",
"url": "http://www.trendmicro.com/ftp/documentation/readme/OSCE_8.0_SP1_Win_EN_CriticalPatch_B2402_readme.txt"
},
{
"type": "WEB",
"url": "http://www.trendmicro.com/ftp/documentation/readme/Readme_WFBS5%200_EN_CriticalPatch1404.txt"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2008/2421"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4RM7-PGJ2-MJWP
Vulnerability from github – Published: 2022-05-17 05:40 – Updated: 2022-05-17 05:40AzeoTech DAQFactory before 5.85 (Build 1842) does not perform authentication for certain signals, which allows remote attackers to cause a denial of service (system reboot or shutdown) via a signal.
{
"affected": [],
"aliases": [
"CVE-2011-2956"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2011-07-28T18:55:00Z",
"severity": "HIGH"
},
"details": "AzeoTech DAQFactory before 5.85 (Build 1842) does not perform authentication for certain signals, which allows remote attackers to cause a denial of service (system reboot or shutdown) via a signal.",
"id": "GHSA-4rm7-pgj2-mjwp",
"modified": "2022-05-17T05:40:11Z",
"published": "2022-05-17T05:40:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-2956"
},
{
"type": "WEB",
"url": "http://www.azeotech.com/revisionhistory.php"
},
{
"type": "WEB",
"url": "http://www.us-cert.gov/control_systems/pdf/ICSA-11-122-01.pdf"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-4RMW-9CQP-2R9X
Vulnerability from github – Published: 2022-05-24 19:18 – Updated: 2022-05-24 19:18Improper authentication of EAP WAPI EAPOL frames from unauthenticated user can lead to information disclosure in Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking
{
"affected": [],
"aliases": [
"CVE-2021-30302"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-20T07:15:00Z",
"severity": "HIGH"
},
"details": "Improper authentication of EAP WAPI EAPOL frames from unauthenticated user can lead to information disclosure in Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking",
"id": "GHSA-4rmw-9cqp-2r9x",
"modified": "2022-05-24T19:18:22Z",
"published": "2022-05-24T19:18:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30302"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins/october-2021-bulletin"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-4RXJ-VW6J-QQRF
Vulnerability from github – Published: 2022-05-13 01:06 – Updated: 2025-04-20 03:47OpenAM (Open Source Edition) allows an attacker to bypass authentication and access unauthorized contents via unspecified vectors. Note that this vulnerability affects OpenAM (Open Source Edition) implementations configured as SAML 2.0IdP, and switches authentication methods based on AuthnContext requests sent from the service provider.
{
"affected": [],
"aliases": [
"CVE-2017-10873"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-11-02T15:29:00Z",
"severity": "HIGH"
},
"details": "OpenAM (Open Source Edition) allows an attacker to bypass authentication and access unauthorized contents via unspecified vectors. Note that this vulnerability affects OpenAM (Open Source Edition) implementations configured as SAML 2.0IdP, and switches authentication methods based on AuthnContext requests sent from the service provider.",
"id": "GHSA-4rxj-vw6j-qqrf",
"modified": "2025-04-20T03:47:59Z",
"published": "2022-05-13T01:06:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-10873"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN79546124"
},
{
"type": "WEB",
"url": "https://www.cs.themistruct.com"
},
{
"type": "WEB",
"url": "https://www.osstech.co.jp/support/am2017-2-1-en"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4RXR-27MM-MXQ9
Vulnerability from github – Published: 2022-09-30 05:31 – Updated: 2022-09-30 05:31Impact
Applications that use next-auth Email Provider and @next-auth/upstash-redis-adapter before v3.0.2 are affected.
Description
The Upstash Redis adapter implementation did not check for both the identifier (email) and the token, but only checking for the identifier when verifying the token in the email callback flow. An attacker who knows about the victim's email could easily sign in as the victim, given the attacker also knows about the verification token's expired duration.
Patches
The vulnerability is patched in v3.0.2. To upgrade, run one of the following:
npm i @next-auth/upstash-redis-adapter@latest
yarn add @next-auth/upstash-redis-adapter@latest
pnpm add @next-auth/upstash-redis-adapter@latest
Workarounds
Using Advanced Initialization, developers can check the requests and compare the query's token and identifier before proceeding. Below is an example of how to do this: (Upgrading is still strongly recommended)
import { createHash } from "crypto"
export default async function auth(req, res) {
if (req.method === "POST" && req.action === "callback") {
const token = req.query?.token
const identifier = req.query?.email
function hashToken(token: string) {
const provider = authOptions.providers.find((p) => p.id === "email")
const secret = authOptions.secret
return (
createHash("sha256")
// Prefer provider specific secret, but use default secret if none specified
.update(`${token}${provider.secret ?? secret}`)
.digest("hex")
)
}
const hashedToken = hashToken(token)
const invite = await authOptions.adapter.useVerificationToken?.({
identifier,
token: hashedToken,
})
if (invite.token !== hashedToken) {
res.status(400).json({ error: "Invalid token" })
}
}
return await NextAuth(req, res, authOptions)
}
References
EmailProvider: https://next-auth.js.org/providers/email Advanced Initialization: https://next-auth.js.org/configuration/initialization#advanced-initialization Upstash Redis Adapter: https://next-auth.js.org/adapters/upstash-redis
For more information
If you have any concerns, we request responsible disclosure, outlined here: https://next-auth.js.org/security#reporting-a-vulnerability
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@next-auth/upstash-redis-adapter"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-39263"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": true,
"github_reviewed_at": "2022-09-30T05:31:32Z",
"nvd_published_at": "2022-09-28T21:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\nApplications that use `next-auth` Email Provider and `@next-auth/upstash-redis-adapter` before v3.0.2 are affected.\n\n### Description\nThe Upstash Redis adapter implementation did not check for both the identifier (email) and the token, but only checking for the identifier when verifying the token in the email callback flow. An attacker who knows about the victim\u0027s email could easily sign in as the victim, given the attacker also knows about the verification token\u0027s expired duration. \n\n### Patches\nThe vulnerability is patched in v3.0.2.\nTo upgrade, run one of the following:\n```\nnpm i @next-auth/upstash-redis-adapter@latest\n```\n```\nyarn add @next-auth/upstash-redis-adapter@latest\n```\n```\npnpm add @next-auth/upstash-redis-adapter@latest\n```\n\n### Workarounds\nUsing Advanced Initialization, developers can check the requests and compare the query\u0027s token and identifier before proceeding. Below is an example of how to do this: (Upgrading is still strongly recommended)\n\n```js\nimport { createHash } from \"crypto\"\nexport default async function auth(req, res) {\n if (req.method === \"POST\" \u0026\u0026 req.action === \"callback\") {\n const token = req.query?.token\n const identifier = req.query?.email\n function hashToken(token: string) {\n const provider = authOptions.providers.find((p) =\u003e p.id === \"email\")\n const secret = authOptions.secret\n return (\n createHash(\"sha256\")\n // Prefer provider specific secret, but use default secret if none specified\n .update(`${token}${provider.secret ?? secret}`)\n .digest(\"hex\")\n )\n }\n const hashedToken = hashToken(token)\n\n const invite = await authOptions.adapter.useVerificationToken?.({\n identifier,\n token: hashedToken,\n })\n if (invite.token !== hashedToken) {\n res.status(400).json({ error: \"Invalid token\" })\n }\n }\n return await NextAuth(req, res, authOptions)\n}\n\n```\n### References\nEmailProvider: https://next-auth.js.org/providers/email\nAdvanced Initialization: https://next-auth.js.org/configuration/initialization#advanced-initialization\nUpstash Redis Adapter: https://next-auth.js.org/adapters/upstash-redis\n\n### For more information\nIf you have any concerns, we request responsible disclosure, outlined here: https://next-auth.js.org/security#reporting-a-vulnerability\n\n",
"id": "GHSA-4rxr-27mm-mxq9",
"modified": "2022-09-30T05:31:32Z",
"published": "2022-09-30T05:31:32Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-4rxr-27mm-mxq9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39263"
},
{
"type": "WEB",
"url": "https://github.com/nextauthjs/next-auth/commit/d16e04848ee703cf797724194d4ad2907fe125a9"
},
{
"type": "PACKAGE",
"url": "https://github.com/nextauthjs/next-auth"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Upstash Adapter missing token verification"
}
GHSA-4V3V-2C52-V3V9
Vulnerability from github – Published: 2022-05-01 02:31 – Updated: 2022-05-01 02:31eZ publish 3.4.4 through 3.7 before 20050722 applies certain permissions on the node level, which allows remote authenticated users to bypass the original permissions on embedded objects in XML fields and read these objects.
{
"affected": [],
"aliases": [
"CVE-2005-4851"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2005-12-31T05:00:00Z",
"severity": "MODERATE"
},
"details": "eZ publish 3.4.4 through 3.7 before 20050722 applies certain permissions on the node level, which allows remote authenticated users to bypass the original permissions on embedded objects in XML fields and read these objects.",
"id": "GHSA-4v3v-2c52-v3v9",
"modified": "2022-05-01T02:31:27Z",
"published": "2022-05-01T02:31:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2005-4851"
},
{
"type": "WEB",
"url": "http://ez.no/download/ez_publish/changelogs/ez_publish_3_8/changelog_3_6_x_3_7_x_to_3_8_0"
},
{
"type": "WEB",
"url": "http://issues.ez.no/6841"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
Strategy: Libraries or Frameworks
Use an authentication framework or library such as the OWASP ESAPI Authentication feature.
CAPEC-114: Authentication Abuse
An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker.
CAPEC-115: Authentication Bypass
An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place.
CAPEC-151: Identity Spoofing
Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principle or use stolen / spoofed authentication credentials.
CAPEC-194: Fake the Source of Data
An adversary takes advantage of improper authentication to provide data or services under a falsified identity. The purpose of using the falsified identity may be to prevent traceability of the provided data or to assume the rights granted to another individual. One of the simplest forms of this attack would be the creation of an email message with a modified "From" field in order to appear that the message was sent from someone other than the actual sender. The root of the attack (in this case the email system) fails to properly authenticate the source and this results in the reader incorrectly performing the instructed action. Results of the attack vary depending on the details of the attack, but common results include privilege escalation, obfuscation of other attacks, and data corruption/manipulation.
CAPEC-22: Exploiting Trust in Client
An attack of this type exploits vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by communicating directly with the server where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
CAPEC-57: Utilizing REST's Trust in the System Resource to Obtain Sensitive Data
This attack utilizes a REST(REpresentational State Transfer)-style applications' trust in the system resources and environment to obtain sensitive data once SSL is terminated.
CAPEC-593: Session Hijacking
This type of attack involves an adversary that exploits weaknesses in an application's use of sessions in performing authentication. The adversary is able to steal or manipulate an active session and use it to gain unathorized access to the application.
CAPEC-633: Token Impersonation
An adversary exploits a weakness in authentication to create an access token (or equivalent) that impersonates a different entity, and then associates a process/thread to that that impersonated token. This action causes a downstream user to make a decision or take action that is based on the assumed identity, and not the response that blocks the adversary.
CAPEC-650: Upload a Web Shell to a Web Server
By exploiting insufficient permissions, it is possible to upload a web shell to a web server in such a way that it can be executed remotely. This shell can have various capabilities, thereby acting as a "gateway" to the underlying web server. The shell might execute at the higher permission level of the web server, providing the ability the execute malicious code at elevated levels.
CAPEC-94: Adversary in the Middle (AiTM)
An adversary targets the communication between two components (typically client and server), in order to alter or obtain data from transactions. A general approach entails the adversary placing themself within the communication channel between the two components.