CWE-287
DiscouragedImproper Authentication
Abstraction: Class · Status: Draft
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
5964 vulnerabilities reference this CWE, most recent first.
GHSA-6HR5-58C2-7W3G
Vulnerability from github – Published: 2021-12-27 00:01 – Updated: 2022-07-13 00:01Certain NETGEAR devices are affected by authentication bypass. This affects R7000P before 1.3.3.140 and R8000 before 1.0.4.68.
{
"affected": [],
"aliases": [
"CVE-2021-45500"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-26T01:15:00Z",
"severity": "HIGH"
},
"details": "Certain NETGEAR devices are affected by authentication bypass. This affects R7000P before 1.3.3.140 and R8000 before 1.0.4.68.",
"id": "GHSA-6hr5-58c2-7w3g",
"modified": "2022-07-13T00:01:50Z",
"published": "2021-12-27T00:01:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45500"
},
{
"type": "WEB",
"url": "https://kb.netgear.com/000064070/Security-Advisory-for-Authentication-Bypass-on-Some-Routers-PSV-2019-0183"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6HVV-X2XW-P422
Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2022-05-24 19:12The vRealize Operations Manager API (8.x prior to 8.5) contains a broken access control vulnerability leading to unauthenticated API access. An unauthenticated malicious actor with network access to the vRealize Operations Manager API can add new nodes to existing vROps cluster.
{
"affected": [],
"aliases": [
"CVE-2021-22025"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-30T18:15:00Z",
"severity": "HIGH"
},
"details": "The vRealize Operations Manager API (8.x prior to 8.5) contains a broken access control vulnerability leading to unauthenticated API access. An unauthenticated malicious actor with network access to the vRealize Operations Manager API can add new nodes to existing vROps cluster.",
"id": "GHSA-6hvv-x2xw-p422",
"modified": "2022-05-24T19:12:29Z",
"published": "2022-05-24T19:12:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22025"
},
{
"type": "WEB",
"url": "https://www.vmware.com/security/advisories/VMSA-2021-0018.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-6J24-RH4H-RQ7F
Vulnerability from github – Published: 2022-05-24 16:54 – Updated: 2023-07-17 18:31A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data could allow an unauthenticated, remote attacker to acquire a valid session token with administrator privileges, bypassing user authentication. The vulnerability is due to insufficient request header validation during the authentication process. An attacker could exploit this vulnerability by sending a series of malicious requests to an affected device. An exploit could allow the attacker to use the acquired session token to gain full administrator access to the affected device.
{
"affected": [],
"aliases": [
"CVE-2019-1937"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-08-21T19:15:00Z",
"severity": "CRITICAL"
},
"details": "A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data could allow an unauthenticated, remote attacker to acquire a valid session token with administrator privileges, bypassing user authentication. The vulnerability is due to insufficient request header validation during the authentication process. An attacker could exploit this vulnerability by sending a series of malicious requests to an affected device. An exploit could allow the attacker to use the acquired session token to gain full administrator access to the affected device.",
"id": "GHSA-6j24-rh4h-rq7f",
"modified": "2023-07-17T18:31:25Z",
"published": "2022-05-24T16:54:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1937"
},
{
"type": "WEB",
"url": "https://seclists.org/bugtraq/2019/Aug/49"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imcs-ucs-authby"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/154239/Cisco-UCS-IMC-Supervisor-Authentication-Bypass-Command-Injection.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/154308/Cisco-UCS-Director-Unauthenticated-Remote-Code-Execution.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/173531/Cisco-UCS-IMC-Supervisor-2.2.0.0-Authentication-Bypass.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2019/Aug/36"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6J2W-HJ4V-3X7G
Vulnerability from github – Published: 2022-05-13 01:38 – Updated: 2022-05-13 01:38An authentication bypass vulnerability in Juniper Networks Junos Space Network Management Platform may allow a remote unauthenticated network based attacker to login as any privileged user. This issue only affects Junos Space Network Management Platform 17.1R1 without Patch v1 and 16.1 releases prior to 16.1R3. This issue was found by an external security researcher.
{
"affected": [],
"aliases": [
"CVE-2017-10622"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-10-13T17:29:00Z",
"severity": "CRITICAL"
},
"details": "An authentication bypass vulnerability in Juniper Networks Junos Space Network Management Platform may allow a remote unauthenticated network based attacker to login as any privileged user. This issue only affects Junos Space Network Management Platform 17.1R1 without Patch v1 and 16.1 releases prior to 16.1R3. This issue was found by an external security researcher.",
"id": "GHSA-6j2w-hj4v-3x7g",
"modified": "2022-05-13T01:38:19Z",
"published": "2022-05-13T01:38:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-10622"
},
{
"type": "WEB",
"url": "https://kb.juniper.net/JSA10824"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/101258"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6JCC-XGCR-Q3H4
Vulnerability from github – Published: 2025-08-08 14:29 – Updated: 2026-02-04 22:13Summary
An authentication bypass vulnerability allows any unauthenticated attacker to impersonate any ActivityPub actor by sending forged activities signed with their own keys. Activities are processed before verifying the signing key belongs to the claimed actor, enabling complete actor impersonation across all Fedify instances
Details
The vulnerability exists in handleInboxInternal function in fedify/federation/handler.ts. The critical flaw is in the order of operations:
- Line 1712: routeActivity() is called first, which processes the activity (either immediately or by adding to queue)
- Line 1730: Authentication check (doesActorOwnKey) happens AFTER processing
// fedify/federation/handler.ts:1712-1750
const routeResult = await routeActivity({ // ← Activity processed here
context: ctx,
json,
activity,
recipient,
inboxListeners,
inboxContextFactory,
inboxErrorHandler,
kv,
kvPrefixes,
queue,
span,
tracerProvider,
});
if (
httpSigKey != null && !await doesActorOwnKey(activity, httpSigKey, ctx) // ← Auth check too late
) {
// Returns 401, but activity already processed
return new Response("The signer and the actor do not match.", {
status: 401,
headers: { "Content-Type": "text/plain; charset=utf-8" },
});
}
By the time the 401 response is returned, the malicious activity has already been processed or queued.
PoC
- Create an activity claiming to be from any actor:
const maliciousActivity = {
"@context": "https://www.w3.org/ns/activitystreams",
"type": "Create",
"actor": "https://victim.example.com/users/alice", // Impersonating victim
"object": {
"type": "Note",
"content": "This is a forged message!"
}
}
- Sign the HTTP request with attacker's key (not the victim's):
// Sign with attacker's key: https://attacker.com/users/eve#main-key
const signedRequest = await signRequest(request, attackerPrivateKey, attackerKeyId);
- Send to any Fedify inbox - the activity will be processed despite the key mismatch.
Impact
Type: Authentication Bypass / Actor Impersonation
Who is impacted: All Fedify instances and their users
Consequences: Allows complete impersonation of any ActivityPub actor, enabling: - Sending fake posts/messages as any user - Creating/removing follows as any user - Boosting/sharing content as any user - Complete compromise of federation trust model
The vulnerability affects all Fedify instances but does not propagate to other ActivityPub implementations (Mastodon, etc.) which properly validate before processing.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@fedify/fedify"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.3.20"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@fedify/fedify"
},
"ranges": [
{
"events": [
{
"introduced": "1.4.0-dev.585"
},
{
"fixed": "1.4.13"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@fedify/fedify"
},
"ranges": [
{
"events": [
{
"introduced": "1.5.0-dev.636"
},
{
"fixed": "1.5.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@fedify/fedify"
},
"ranges": [
{
"events": [
{
"introduced": "1.6.0-dev.754"
},
{
"fixed": "1.6.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@fedify/fedify"
},
"ranges": [
{
"events": [
{
"introduced": "1.7.0-pr.251.885"
},
{
"fixed": "1.7.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@fedify/fedify"
},
"ranges": [
{
"events": [
{
"introduced": "1.8.0-dev.909"
},
{
"fixed": "1.8.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-54888"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-08T14:29:48Z",
"nvd_published_at": "2025-08-09T02:15:37Z",
"severity": "HIGH"
},
"details": "### Summary\n An authentication bypass vulnerability allows any unauthenticated attacker to impersonate any ActivityPub actor by sending forged activities signed with their own keys. Activities are processed before verifying the signing key belongs to the claimed actor, enabling complete actor impersonation across all Fedify instances\n\n### Details\nThe vulnerability exists in handleInboxInternal function in fedify/federation/handler.ts. The critical flaw is in the order of operations:\n\n 1. Line 1712: routeActivity() is called first, which processes the activity (either immediately or by adding to queue)\n 2. Line 1730: Authentication check (doesActorOwnKey) happens AFTER processing\n\n```ts\n // fedify/federation/handler.ts:1712-1750\n const routeResult = await routeActivity({ // \u2190 Activity processed here\n context: ctx,\n json,\n activity,\n recipient,\n inboxListeners,\n inboxContextFactory,\n inboxErrorHandler,\n kv,\n kvPrefixes,\n queue,\n span,\n tracerProvider,\n });\n\n if (\n httpSigKey != null \u0026\u0026 !await doesActorOwnKey(activity, httpSigKey, ctx) // \u2190 Auth check too late\n ) {\n // Returns 401, but activity already processed\n return new Response(\"The signer and the actor do not match.\", {\n status: 401,\n headers: { \"Content-Type\": \"text/plain; charset=utf-8\" },\n });\n }\n```\n\nBy the time the 401 response is returned, the malicious activity has already been processed or queued.\n\n### PoC\n\n 1. Create an activity claiming to be from any actor:\n```ts\n const maliciousActivity = {\n \"@context\": \"https://www.w3.org/ns/activitystreams\",\n \"type\": \"Create\",\n \"actor\": \"https://victim.example.com/users/alice\", // Impersonating victim\n \"object\": {\n \"type\": \"Note\",\n \"content\": \"This is a forged message!\"\n }\n }\n```\n 2. Sign the HTTP request with attacker\u0027s key (not the victim\u0027s):\n```ts\n // Sign with attacker\u0027s key: https://attacker.com/users/eve#main-key\n const signedRequest = await signRequest(request, attackerPrivateKey, attackerKeyId);\n```\n 3. Send to any Fedify inbox - the activity will be processed despite the key mismatch.\n\n### Impact\n\nType: Authentication Bypass / Actor Impersonation\n\nWho is impacted: All Fedify instances and their users\n\nConsequences: Allows complete impersonation of any ActivityPub actor, enabling:\n - Sending fake posts/messages as any user\n - Creating/removing follows as any user\n - Boosting/sharing content as any user\n - Complete compromise of federation trust model\n\nThe vulnerability affects all Fedify instances but does not propagate to other ActivityPub implementations (Mastodon, etc.) which properly validate before processing.",
"id": "GHSA-6jcc-xgcr-q3h4",
"modified": "2026-02-04T22:13:40Z",
"published": "2025-08-08T14:29:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/fedify-dev/fedify/security/advisories/GHSA-6jcc-xgcr-q3h4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54888"
},
{
"type": "WEB",
"url": "https://github.com/fedify-dev/fedify/commit/14a2f8c6d2c3cbc00c3170a86ad3b7b8555c6847"
},
{
"type": "PACKAGE",
"url": "https://github.com/fedify-dev/fedify"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "@fedify/fedify has Improper Authentication and Incorrect Authorization"
}
GHSA-6JFX-JJM3-94JR
Vulnerability from github – Published: 2022-05-17 05:09 – Updated: 2022-05-17 05:09Cisco Unified Communications Manager (CUCM) does not properly limit the rate of authentication attempts, which allows remote attackers to cause a denial of service (application slowdown) via a series of requests, aka Bug ID CSCud39515.
{
"affected": [],
"aliases": [
"CVE-2013-1188"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2013-05-16T03:36:00Z",
"severity": "MODERATE"
},
"details": "Cisco Unified Communications Manager (CUCM) does not properly limit the rate of authentication attempts, which allows remote attackers to cause a denial of service (application slowdown) via a series of requests, aka Bug ID CSCud39515.",
"id": "GHSA-6jfx-jjm3-94jr",
"modified": "2022-05-17T05:09:38Z",
"published": "2022-05-17T05:09:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1188"
},
{
"type": "WEB",
"url": "http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-1188"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-6JVJ-39C6-MH4M
Vulnerability from github – Published: 2022-05-02 03:43 – Updated: 2024-02-13 18:38pam-auth-update for PAM, as used in Ubuntu 8.10 and 9.4, and Debian GNU/Linux, does not properly handle an "empty selection" for system authentication modules in certain rare configurations, which causes any attempt to be successful and allows remote attackers to bypass authentication.
{
"affected": [],
"aliases": [
"CVE-2009-3232"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2009-09-17T10:30:00Z",
"severity": "HIGH"
},
"details": "pam-auth-update for PAM, as used in Ubuntu 8.10 and 9.4, and Debian GNU/Linux, does not properly handle an \"empty selection\" for system authentication modules in certain rare configurations, which causes any attempt to be successful and allows remote attackers to bypass authentication.",
"id": "GHSA-6jvj-39c6-mh4m",
"modified": "2024-02-13T18:38:21Z",
"published": "2022-05-02T03:43:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2009-3232"
},
{
"type": "WEB",
"url": "https://launchpad.net/bugs/410171"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/828-1"
},
{
"type": "WEB",
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=519927"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/36620"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2009/09/08/7"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/36306"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-6M36-86VP-X4XX
Vulnerability from github – Published: 2022-05-24 17:31 – Updated: 2022-05-24 17:31A vulnerability in the TCP Intercept functionality of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass configured Access Control Policies (including Geolocation) and Service Polices on an affected system. The vulnerability exists because TCP Intercept is invoked when the embryonic connection limit is reached, which can cause the underlying detection engine to process the packet incorrectly. An attacker could exploit this vulnerability by sending a crafted stream of traffic that matches a policy on which TCP Intercept is configured. A successful exploit could allow the attacker to match on an incorrect policy, which could allow the traffic to be forwarded when it should be dropped. In addition, the traffic could incorrectly be dropped.
{
"affected": [],
"aliases": [
"CVE-2020-3565"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-21T19:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the TCP Intercept functionality of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass configured Access Control Policies (including Geolocation) and Service Polices on an affected system. The vulnerability exists because TCP Intercept is invoked when the embryonic connection limit is reached, which can cause the underlying detection engine to process the packet incorrectly. An attacker could exploit this vulnerability by sending a crafted stream of traffic that matches a policy on which TCP Intercept is configured. A successful exploit could allow the attacker to match on an incorrect policy, which could allow the traffic to be forwarded when it should be dropped. In addition, the traffic could incorrectly be dropped.",
"id": "GHSA-6m36-86vp-x4xx",
"modified": "2022-05-24T17:31:48Z",
"published": "2022-05-24T17:31:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-3565"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-tcp-intercept-bypass-xG9M3PbY"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-6M3C-QM8Q-JF8F
Vulnerability from github – Published: 2022-05-17 04:43 – Updated: 2022-05-17 04:43The default configuration in the standalone controller quickstack manifest in openstack-foreman-installer, as used in Red Hat Enterprise Linux OpenStack Platform 4.0, disables authentication for Qpid, which allows remote attackers to gain access by connecting to Qpid.
{
"affected": [],
"aliases": [
"CVE-2013-6470"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2014-06-02T15:55:00Z",
"severity": "MODERATE"
},
"details": "The default configuration in the standalone controller quickstack manifest in openstack-foreman-installer, as used in Red Hat Enterprise Linux OpenStack Platform 4.0, disables authentication for Qpid, which allows remote attackers to gain access by connecting to Qpid.",
"id": "GHSA-6m3c-qm8q-jf8f",
"modified": "2022-05-17T04:43:02Z",
"published": "2022-05-17T04:43:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6470"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1051994"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0517.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-6M48-JXWX-76Q7
Vulnerability from github – Published: 2022-05-14 01:10 – Updated: 2022-07-08 19:07java/org/apache/catalina/authenticator/FormAuthenticator.java in the form authentication feature in Apache Tomcat 6.0.21 through 6.0.36 and 7.x before 7.0.33 does not properly handle the relationships between authentication requirements and sessions, which allows remote attackers to inject a request into a session by sending this request during completion of the login form, a variant of a session fixation attack.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat:tomcat"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.21"
},
{
"fixed": "6.0.37"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat:tomcat"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.0.33"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2013-2067"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-08T19:07:27Z",
"nvd_published_at": "2013-06-01T14:21:00Z",
"severity": "MODERATE"
},
"details": "java/org/apache/catalina/authenticator/FormAuthenticator.java in the form authentication feature in Apache Tomcat 6.0.21 through 6.0.36 and 7.x before 7.0.33 does not properly handle the relationships between authentication requirements and sessions, which allows remote attackers to inject a request into a session by sending this request during completion of the login form, a variant of a session fixation attack.",
"id": "GHSA-6m48-jxwx-76q7",
"modified": "2022-07-08T19:07:27Z",
"published": "2022-05-14T01:10:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2067"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E"
},
{
"type": "WEB",
"url": "http://archives.neohapsis.com/archives/bugtraq/2013-05/0041.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0833.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0834.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0839.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0964.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1437.html"
},
{
"type": "WEB",
"url": "http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java?r1=1417891\u0026r2=1417890\u0026pathrev=1417891"
},
{
"type": "WEB",
"url": "http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java?r1=1408044\u0026r2=1408043\u0026pathrev=1408044"
},
{
"type": "WEB",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1408044"
},
{
"type": "WEB",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1417891"
},
{
"type": "WEB",
"url": "http://tomcat.apache.org/security-6.html"
},
{
"type": "WEB",
"url": "http://tomcat.apache.org/security-7.html"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/59799"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/64758"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-1841-1"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Improper Authentication in Apache Tomcat"
}
Mitigation
Strategy: Libraries or Frameworks
Use an authentication framework or library such as the OWASP ESAPI Authentication feature.
CAPEC-114: Authentication Abuse
An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker.
CAPEC-115: Authentication Bypass
An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place.
CAPEC-151: Identity Spoofing
Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principle or use stolen / spoofed authentication credentials.
CAPEC-194: Fake the Source of Data
An adversary takes advantage of improper authentication to provide data or services under a falsified identity. The purpose of using the falsified identity may be to prevent traceability of the provided data or to assume the rights granted to another individual. One of the simplest forms of this attack would be the creation of an email message with a modified "From" field in order to appear that the message was sent from someone other than the actual sender. The root of the attack (in this case the email system) fails to properly authenticate the source and this results in the reader incorrectly performing the instructed action. Results of the attack vary depending on the details of the attack, but common results include privilege escalation, obfuscation of other attacks, and data corruption/manipulation.
CAPEC-22: Exploiting Trust in Client
An attack of this type exploits vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by communicating directly with the server where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
CAPEC-57: Utilizing REST's Trust in the System Resource to Obtain Sensitive Data
This attack utilizes a REST(REpresentational State Transfer)-style applications' trust in the system resources and environment to obtain sensitive data once SSL is terminated.
CAPEC-593: Session Hijacking
This type of attack involves an adversary that exploits weaknesses in an application's use of sessions in performing authentication. The adversary is able to steal or manipulate an active session and use it to gain unathorized access to the application.
CAPEC-633: Token Impersonation
An adversary exploits a weakness in authentication to create an access token (or equivalent) that impersonates a different entity, and then associates a process/thread to that that impersonated token. This action causes a downstream user to make a decision or take action that is based on the assumed identity, and not the response that blocks the adversary.
CAPEC-650: Upload a Web Shell to a Web Server
By exploiting insufficient permissions, it is possible to upload a web shell to a web server in such a way that it can be executed remotely. This shell can have various capabilities, thereby acting as a "gateway" to the underlying web server. The shell might execute at the higher permission level of the web server, providing the ability the execute malicious code at elevated levels.
CAPEC-94: Adversary in the Middle (AiTM)
An adversary targets the communication between two components (typically client and server), in order to alter or obtain data from transactions. A general approach entails the adversary placing themself within the communication channel between the two components.