Common Weakness Enumeration

CWE-303

Allowed

Incorrect Implementation of Authentication Algorithm

Abstraction: Base · Status: Draft

The requirements for the product dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect.

153 vulnerabilities reference this CWE, most recent first.

GHSA-9475-XG6M-J7PW

Vulnerability from github – Published: 2020-04-22 20:59 – Updated: 2021-01-08 20:21
VLAI
Summary
Subject Confirmation Method not validated in Saml2 Authentication Services for ASP.NET
Details

Impact

Saml2 tokens are usually used as bearer tokens - a caller that presents a token is assumed to be the subject of the token. There is also support in the Saml2 protocol for issuing tokens that is tied to a subject through other means, e.g. holder-of-key where possession of a private key must be proved. The Sustainsys.Saml2 library incorrectly treats all incoming tokens as bearer tokens, even though they have another subject confirmation method specified. This could be used by an attacker that could get access to Saml2 tokens with another subject confirmation method than bearer. The attacker could then use such a tocken to create a log in session.

Patches

Version 1.0.2 and 2.7.0 are patched.

Workarounds

Ensure that any IdentityProvider trusted by the Sustainsys.Saml2 SP only issues bearer tokens if the audience matches the Sustainsys.Saml2 SP.

For more information

If you have any questions or comments about this advisory: * Comment on #103 * Email us at security@sustainsys.com if you think that there are further security issues.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Sustainsys.Saml2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Sustainsys.Saml2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-5268"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-303"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-04-21T18:41:43Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\nSaml2 tokens are usually used as bearer tokens - a caller that presents a token is assumed to be the subject of the token. There is also support in the Saml2 protocol for issuing tokens that is tied to a subject through other means, e.g. holder-of-key where possession of a private key must be proved.\nThe Sustainsys.Saml2 library incorrectly treats all incoming tokens as bearer tokens, even though they have another subject confirmation method specified. This could be used by an attacker that could get access to Saml2 tokens with another subject confirmation method than bearer. The attacker could then use such a tocken to create a log in session.\n\n### Patches\nVersion 1.0.2 and 2.7.0 are patched.\n\n### Workarounds\nEnsure that any IdentityProvider trusted by the Sustainsys.Saml2 SP only issues bearer tokens if the audience matches the Sustainsys.Saml2 SP.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Comment on #103\n* Email us at security@sustainsys.com if you think that there are further security issues.",
  "id": "GHSA-9475-xg6m-j7pw",
  "modified": "2021-01-08T20:21:35Z",
  "published": "2020-04-22T20:59:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Sustainsys/Saml2/security/advisories/GHSA-9475-xg6m-j7pw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5268"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Sustainsys/Saml2/issues/712"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Sustainsys/Saml2/commit/e58e0a1aff2b1ead6aca080b7cdced55ee6d5241"
    },
    {
      "type": "WEB",
      "url": "https://www.nuget.org/packages/Sustainsys.Saml2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Subject Confirmation Method not validated in Saml2 Authentication Services for ASP.NET"
}

GHSA-9MRV-8PVF-HF4M

Vulnerability from github – Published: 2026-06-12 12:31 – Updated: 2026-07-10 12:31
VLAI
Details

The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' (Audience) claims of incoming JWT access tokens. This allows a JWT issued for one Resource Server to be successfully replayed against a completely different Resource Server, leading to Token Confusion/Routing attacks. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-50627"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-289",
      "CWE-303"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-12T10:16:22Z",
    "severity": "CRITICAL"
  },
  "details": "The JwtAccessTokenValidator class in Apache CXF fails to validate the \u0027aud\u0027 (Audience) claims of incoming JWT access tokens. This allows a JWT issued for one Resource Server to be successfully replayed against a completely different Resource Server, leading to Token Confusion/Routing attacks.\u00a0Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.",
  "id": "GHSA-9mrv-8pvf-hf4m",
  "modified": "2026-07-10T12:31:37Z",
  "published": "2026-06-12T12:31:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50627"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:37390"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-50627"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488298"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/0jfzz9q992957b99tw7hodcqjfyxwb1m"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-50627.json"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/06/11/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C3RR-7229-8P7F

Vulnerability from github – Published: 2024-11-20 09:32 – Updated: 2026-02-23 12:31
VLAI
Details

Authentication bypass condition in LDAP authentication in M-Files server versions before 24.11 supported usage of OpenLDAP configurations that allowed user authentication without a password when the LDAP server itself had the vulnerable configuration.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-10127"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-303"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-20T09:15:04Z",
    "severity": "CRITICAL"
  },
  "details": "Authentication bypass condition in LDAP authentication in M-Files server versions before 24.11 supported usage of OpenLDAP configurations that allowed user authentication without a password when the LDAP server itself had the vulnerable configuration.",
  "id": "GHSA-c3rr-7229-8p7f",
  "modified": "2026-02-23T12:31:29Z",
  "published": "2024-11-20T09:32:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10127"
    },
    {
      "type": "WEB",
      "url": "https://empower.m-files.com/security-advisories/CVE-2024-10127"
    },
    {
      "type": "WEB",
      "url": "https://product.m-files.com/security-advisories/CVE-2024-10127"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-C4FM-X36H-PWF6

Vulnerability from github – Published: 2025-08-13 03:30 – Updated: 2025-08-13 21:30
VLAI
Details

Inappropriate implementation in File Picker in Google Chrome prior to 139.0.7258.127 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-8881"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-303"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-13T03:15:38Z",
    "severity": "MODERATE"
  },
  "details": "Inappropriate implementation in File Picker in Google Chrome prior to 139.0.7258.127 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)",
  "id": "GHSA-c4fm-x36h-pwf6",
  "modified": "2025-08-13T21:30:27Z",
  "published": "2025-08-13T03:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8881"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2025/08/stable-channel-update-for-desktop_12.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/433800617"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CF66-C678-24R2

Vulnerability from github – Published: 2026-06-22 18:34 – Updated: 2026-07-08 09:31
VLAI
Details

Incorrect caching of authentication between different users of the  qSnapper dbus service before version 1.3.3 allowed any local attacker to use dbus functions after a privileged users has authenticated for them.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-41049"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-303",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-22T16:16:35Z",
    "severity": "HIGH"
  },
  "details": "Incorrect caching of authentication between different users of the\u00a0 qSnapper dbus service before version 1.3.3 allowed any local attacker to use dbus functions after a privileged users has authenticated for them.",
  "id": "GHSA-cf66-c678-24r2",
  "modified": "2026-07-08T09:31:46Z",
  "published": "2026-06-22T18:34:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41049"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.suse.com/show_bug.cgi?id=1262218"
    },
    {
      "type": "WEB",
      "url": "https://github.com/presire/qSnapper/releases/tag/v1.3.3"
    },
    {
      "type": "WEB",
      "url": "https://security.opensuse.org/2026/05/26/qsnapper-dbus-issues.html#issue-auth-caching"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-CMP6-J4F4-VM9F

Vulnerability from github – Published: 2025-12-03 15:30 – Updated: 2025-12-03 18:30
VLAI
Details

The WP Directory Kit plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.4.4 due to incorrect implementation of the authentication algorithm in the "wdk_generate_auto_login_link" function. This is due to the feature using a cryptographically weak token generation mechanism. This makes it possible for unauthenticated attackers to gain administrative access and achieve full site takeover via the auto-login endpoint with a predictable token.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-13390"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-303"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-03T14:15:48Z",
    "severity": "CRITICAL"
  },
  "details": "The WP Directory Kit plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.4.4 due to incorrect implementation of the authentication algorithm in the \"wdk_generate_auto_login_link\" function. This is due to the feature using a cryptographically weak token generation mechanism. This makes it possible for unauthenticated attackers to gain administrative access and achieve full site takeover via the auto-login endpoint with a predictable token.",
  "id": "GHSA-cmp6-j4f4-vm9f",
  "modified": "2025-12-03T18:30:24Z",
  "published": "2025-12-03T15:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13390"
    },
    {
      "type": "WEB",
      "url": "https://github.com/d0n601/CVE-2025-13390"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3400599/wpdirectorykit"
    },
    {
      "type": "WEB",
      "url": "https://ryankozak.com/posts/cve-2025-13390"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6598d171-e68c-4d2f-9cd1-f1574fa90433?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FG35-5RF6-QG3G

Vulnerability from github – Published: 2026-03-25 18:31 – Updated: 2026-03-31 05:19
VLAI
Summary
Mattermost allows attackers to take over arbitrary user accounts via overly permissive substring matching flaw
Details

Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to properly validate user identity in the OpenID {{IsSameUser()}} comparison logic, which allows an attacker to take over arbitrary user accounts via an overly permissive substring matching flaw in the user discovery flow. Mattermost Advisory ID: MMSA-2026-00590

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.4.0-rc1"
            },
            {
              "fixed": "11.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.3.0-rc1"
            },
            {
              "fixed": "11.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.2.0-rc1"
            },
            {
              "fixed": "11.2.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 10.11.2"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.11.0-rc1"
            },
            {
              "fixed": "10.11.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost/server/v8"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0-20260105080200-d27a2195068d"
            },
            {
              "fixed": "8.0.0-20260217110922-b7d4a1f1f59b"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-27656"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-303"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-31T05:19:17Z",
    "nvd_published_at": "2026-03-25T17:16:56Z",
    "severity": "MODERATE"
  },
  "details": "Mattermost versions 11.4.x \u003c= 11.4.0, 11.3.x \u003c= 11.3.1, 11.2.x \u003c= 11.2.3, 10.11.x \u003c= 10.11.11 fail to properly validate user identity in the OpenID {{IsSameUser()}} comparison logic, which allows an attacker to take over arbitrary user accounts via an overly permissive substring matching flaw in the user discovery flow. Mattermost Advisory ID: MMSA-2026-00590",
  "id": "GHSA-fg35-5rf6-qg3g",
  "modified": "2026-03-31T05:19:17Z",
  "published": "2026-03-25T18:31:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27656"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mattermost/mattermost"
    },
    {
      "type": "WEB",
      "url": "https://mattermost.com/security-updates"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Mattermost allows attackers to take over arbitrary user accounts via overly permissive substring matching flaw"
}

GHSA-FGQ7-V63G-3F6X

Vulnerability from github – Published: 2024-11-12 18:30 – Updated: 2024-11-12 18:30
VLAI
Details

In WS_FTP Server versions before 8.8.9 (2022.0.9), an Incorrect Implementation of Authentication Algorithm in the Web Transfer Module allows users to skip the second-factor verification and log in with username and password only.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-9999"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-303"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-12T17:15:12Z",
    "severity": "MODERATE"
  },
  "details": "In WS_FTP Server versions before 8.8.9 (2022.0.9), an Incorrect Implementation of Authentication Algorithm in the Web Transfer Module allows users to skip the second-factor verification and log in with username and password only.",
  "id": "GHSA-fgq7-v63g-3f6x",
  "modified": "2024-11-12T18:30:57Z",
  "published": "2024-11-12T18:30:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9999"
    },
    {
      "type": "WEB",
      "url": "https://community.progress.com/s/article/WS-FTP-Server-Service-Pack-November-2024"
    },
    {
      "type": "WEB",
      "url": "https://www.progress.com/ftp-server"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FRC2-W2CC-X794

Vulnerability from github – Published: 2024-04-09 12:30 – Updated: 2024-04-15 20:19
VLAI
Summary
Eclipse Kura LogServlet vulnerability
Details

In Eclipse Kura LogServlet component included in versions 5.0.0 to 5.4.1, a specifically crafted request to the servlet can allow an unauthenticated user to retrieve the device logs. Also, downloaded logs may be used by an attacker to perform privilege escalation by using the session id of an authenticated user reported in logs.

This issue affects org.eclipse.kura:org.eclipse.kura.web2 version range [2.0.600, 2.4.0], which is included in Eclipse Kura version range [5.0.0, 5.4.1].

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.eclipse.kura:org.eclipse.kura.web2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.600"
            },
            {
              "last_affected": "2.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-3046"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-303"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-09T18:53:17Z",
    "nvd_published_at": "2024-04-09T10:15:08Z",
    "severity": "HIGH"
  },
  "details": "In Eclipse Kura LogServlet component included in versions 5.0.0 to 5.4.1, a specifically crafted request to the servlet can allow an unauthenticated user to retrieve the device logs. Also, downloaded logs may be used by an attacker to perform privilege escalation by using the session id of an authenticated user reported in logs.\n\nThis issue affects org.eclipse.kura:org.eclipse.kura.web2 version range [2.0.600, 2.4.0], which is included in Eclipse Kura version range [5.0.0, 5.4.1].",
  "id": "GHSA-frc2-w2cc-x794",
  "modified": "2024-04-15T20:19:17Z",
  "published": "2024-04-09T12:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3046"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/eclipse/kura"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/188"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Eclipse Kura LogServlet vulnerability"
}

GHSA-FWV7-JRXJ-Q9QV

Vulnerability from github – Published: 2023-06-13 09:30 – Updated: 2024-04-04 04:45
VLAI
Details

A vulnerability has been identified in Mendix SAML (Mendix 7 compatible) (All versions >= V1.17.3 < V1.18.0), Mendix SAML (Mendix 7 compatible) (All versions >= V1.16.4 < V1.17.3), Mendix SAML (Mendix 8 compatible) (All versions >= V2.3.0 < V2.4.0), Mendix SAML (Mendix 8 compatible) (All versions >= V2.2.0 < V2.3.0), Mendix SAML (Mendix 9 compatible, New Track) (All versions >= V3.3.1 < V3.6.1), Mendix SAML (Mendix 9 compatible, New Track) (All versions >= V3.1.9 < V3.3.1), Mendix SAML (Mendix 9 compatible, Upgrade Track) (All versions >= V3.3.0 < V3.6.0), Mendix SAML (Mendix 9 compatible, Upgrade Track) (All versions >= V3.1.8 < V3.3.0). The affected versions of the module insufficiently verifies the SAML assertions. This could allow unauthenticated remote attackers to bypass authentication and get access to the application.

This CVE entry describes the incomplete fix for CVE-2023-25957 in a specific non default configuration.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-29129"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-303"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-13T09:15:16Z",
    "severity": "CRITICAL"
  },
  "details": "A vulnerability has been identified in Mendix SAML (Mendix 7 compatible) (All versions \u003e= V1.17.3 \u003c V1.18.0), Mendix SAML (Mendix 7 compatible) (All versions \u003e= V1.16.4 \u003c V1.17.3), Mendix SAML (Mendix 8 compatible) (All versions \u003e= V2.3.0 \u003c V2.4.0), Mendix SAML (Mendix 8 compatible) (All versions \u003e= V2.2.0 \u003c V2.3.0), Mendix SAML (Mendix 9 compatible, New Track) (All versions \u003e= V3.3.1 \u003c V3.6.1), Mendix SAML (Mendix 9 compatible, New Track) (All versions \u003e= V3.1.9 \u003c V3.3.1), Mendix SAML (Mendix 9 compatible, Upgrade Track) (All versions \u003e= V3.3.0 \u003c V3.6.0), Mendix SAML (Mendix 9 compatible, Upgrade Track) (All versions \u003e= V3.1.8 \u003c V3.3.0). The affected versions of the module insufficiently verifies the SAML assertions. This could allow unauthenticated remote attackers to bypass authentication and get access to the application.\n\nThis CVE entry describes the incomplete fix for CVE-2023-25957 in a specific non default configuration.",
  "id": "GHSA-fwv7-jrxj-q9qv",
  "modified": "2024-04-04T04:45:46Z",
  "published": "2023-06-13T09:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29129"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-851884.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

CAPEC-90: Reflection Attack in Authentication Protocol

An adversary can abuse an authentication protocol susceptible to reflection attack in order to defeat it. Doing so allows the adversary illegitimate access to the target system, without possessing the requisite credentials. Reflection attacks are of great concern to authentication protocols that rely on a challenge-handshake or similar mechanism. An adversary can impersonate a legitimate user and can gain illegitimate access to the system by successfully mounting a reflection attack during authentication.