Common Weakness Enumeration

CWE-306

Allowed

Missing Authentication for Critical Function

Abstraction: Base · Status: Draft

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

3465 vulnerabilities reference this CWE, most recent first.

GHSA-P6VP-4F63-Q49C

Vulnerability from github – Published: 2026-04-28 09:34 – Updated: 2026-06-27 18:35
VLAI
Details

Penetration Testing engineers at Amazon have identified a security flaw related to request handling in the web server component that could, under certain conditions, lead to unintended access to protected functions. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-54013"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-28T08:16:01Z",
    "severity": "HIGH"
  },
  "details": "Penetration Testing engineers at Amazon have identified a security flaw related to request handling in the web server component that could, under certain conditions, lead to unintended access to protected functions. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer\u0027s report for details and workarounds",
  "id": "GHSA-p6vp-4f63-q49c",
  "modified": "2026-06-27T18:35:15Z",
  "published": "2026-04-28T09:34:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54013"
    },
    {
      "type": "WEB",
      "url": "https://www.hanwhavision.com/wp-content/uploads/2026/04/Camera-Vulnerability-ReportCVE-2024-5401154013.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-P732-89HC-M35W

Vulnerability from github – Published: 2025-12-01 18:30 – Updated: 2025-12-01 18:30
VLAI
Details

A denial of service vulnerability exists in the Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted network packet can lead to denial of service. An attacker can send an unauthenticated packet to trigger this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-23417"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-01T16:15:52Z",
    "severity": "HIGH"
  },
  "details": "A denial of service vulnerability exists in the Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted network packet can lead to denial of service. An attacker can send an unauthenticated packet to trigger this vulnerability.",
  "id": "GHSA-p732-89hc-m35w",
  "modified": "2025-12-01T18:30:37Z",
  "published": "2025-12-01T18:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23417"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2025-2139"
    },
    {
      "type": "WEB",
      "url": "https://www.socomec.fr/sites/default/files/2025-04/CVE-2025-23417---Diris-Digiware-Webview-_VULNERABILITIES_2025-04-11-17-16-19_English_0.pdf"
    },
    {
      "type": "WEB",
      "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2139"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P75F-6FP4-P57W

Vulnerability from github – Published: 2026-06-18 13:58 – Updated: 2026-06-18 13:58
VLAI
Summary
PraisonAI: Missing Authentication for Critical Function and Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in praisonai
Details

Unauthenticated PraisonAI UI MCP connect endpoint executes attacker-chosen local commands

Summary

PraisonAI v4.6.48 exposes the PraisonAIUI MCP client management API through the default UI host apps without authentication. A remote unauthenticated client can send POST /api/mcp/connect with a command and args field. The endpoint passes those values into the MCP stdio client, which starts the attacker-selected local process as the PraisonAI UI service user.

The issue is reachable through PraisonAI's hosted UI integration (praisonai ui, praisonai ui agents, praisonai claw, and any app using praisonai.integration.host_app.create_host_app() / build_host_app()). praisonai ui and related Typer UI commands bind to 0.0.0.0 by default.

Affected Versions

Confirmed affected:

  • praisonai v4.6.48
  • Commit tested: d5f1114aaf1a2e9f121a6e66b929149ca2201f1d
  • Tag tested: v4.6.48
  • Pinned UI dependency: aiui==0.3.121 from src/praisonai/uv.lock

Likely affected:

  • Any PraisonAI release that exposes aiui / praisonaiui create_app() through the PraisonAI UI host apps without authentication and includes the mcp dependency. I only confirmed the latest release during this audit.

Severity

Reasoning:

  • AV: the vulnerable endpoint is an HTTP API route.
  • AC: a single POST request is sufficient.
  • PR: default UI host apps do not require credentials unless opt-in auth is configured.
  • UI: no victim interaction is needed after the server is running.
  • S: code executes in the PraisonAI UI server process context.
  • C/I/A: arbitrary local command execution permits secret exfiltration, file tampering, and service disruption.

Root Cause

PraisonAI depends on MCP by default and exposes PraisonAIUI via optional UI extras:

  • src/praisonai/pyproject.toml:11 includes base dependencies.
  • src/praisonai/pyproject.toml:19 includes mcp>=1.20.0.
  • src/praisonai/pyproject.toml:25 defines the ui extra with aiui>=0.3.121,<0.4.
  • src/praisonai/pyproject.toml:197 defines the claw extra with aiui[all]>=0.3.121,<0.4.

PraisonAI's UI commands bind externally by default and launch aiui run:

  • src/praisonai/praisonai/cli/commands/ui.py:114 sets host="0.0.0.0" for praisonai ui.
  • src/praisonai/praisonai/cli/commands/ui.py:163 passes that host to aiui run.
  • src/praisonai/praisonai/cli/commands/ui.py:186, :204, and :222 also default subcommands to 0.0.0.0.
  • src/praisonai/praisonai/cli/commands/claw.py:41 defines the full dashboard command.
  • src/praisonai/praisonai/cli/commands/claw.py:93 launches aiui run with the selected host.

PraisonAI's default apps create the PraisonAIUI Starlette app without forcing authentication:

  • src/praisonai/praisonai/ui_chat/default_app.py:18 calls configure_host(...).
  • src/praisonai/praisonai/ui_chat/default_app.py:142 exports app = create_host_app().
  • src/praisonai/praisonai/claw/default_app.py:63 calls configure_host(...).
  • src/praisonai/praisonai/claw/default_app.py:128 exports app = create_host_app().
  • src/praisonai/praisonai/integration/host_app.py:174 imports praisonaiui.server.create_app.
  • src/praisonai/praisonai/integration/host_app.py:180 returns create_app().

In aiui==0.3.121, the exposed server registers the MCP routes and auth is opt-in:

  • praisonaiui/server.py:1483 defines api_mcp_connect.
  • praisonaiui/server.py:1488 reads attacker-controlled JSON.
  • praisonaiui/server.py:1491 accepts either command or url.
  • praisonaiui/server.py:1496 calls connect_mcp_server(body).
  • praisonaiui/server.py:2516 defines create_app(..., require_auth=False, ...).
  • praisonaiui/server.py:2550 adds AuthEnforcementMiddleware, but it only enforces auth when AUTH_ENFORCE=true.
  • praisonaiui/server.py:2769 registers /api/mcp/servers.
  • praisonaiui/server.py:2770 registers /api/mcp/connect.

The MCP feature converts the request body into a local process launch:

  • praisonaiui/features/mcp.py:325 defines connect_server(self, server_config).
  • praisonaiui/features/mcp.py:330 chooses stdio transport when command is present.
  • praisonaiui/features/mcp.py:332 constructs StdioMCPClient(command=server_config["command"], args=server_config.get("args", [])).
  • praisonaiui/features/mcp.py:360 calls client.connect(), which invokes the MCP stdio transport and starts the process.

Minimal PoC

PoC file: poc/praisonai-aiui-mcp-connect-rce.py

The PoC runs the PraisonAI host app in-process, sends the unauthenticated HTTP request, and asks the server to execute /usr/bin/touch /tmp/praisonai_host_app_mcp_touch_marker.txt. It does not contact an LLM provider and uses no credentials.

Observed output from the tested checkout with aiui==0.3.121 and mcp==1.25.0 available:

[19:19:55] server.py:229 WARNING No auth_token provided for Gateway server. Generated temporary token: gw_****650a. For production, set GATEWAY_AUTH_TOKEN.
[19:19:55] mcp.py:135 ERROR Failed to connect to MCP stdio server: 'tuple' object has no attribute 'initialize'
HTTP_STATUS= 200
RESPONSE= {"server":{"name":"poc-stdio-process-0","transport":"stdio","status":"error","tools":[],"last_error":"Connection failed"}}
SUCCESS_AT_ATTEMPT= 0
MARKER_EXISTS= True
MARKER_PATH= /tmp/praisonai_host_app_mcp_touch_marker.txt

The MCP handshake fails because aiui==0.3.121 is not compatible with the locked mcp==1.25.0 return shape, but the attacker-selected process is already started. Process startup can race the immediate teardown caused by this version mismatch, so the checked-in PoC retries the same unauthenticated request until /usr/bin/touch wins scheduling and creates the marker. The marker file proves local command execution despite the reported MCP connection error.

Exploit Scenario

An operator runs:

pip install "praisonai[ui]"
praisonai ui

Because praisonai ui binds to 0.0.0.0 by default and the generated app does not require authentication by default, any host that can reach the UI port can send:

POST /api/mcp/connect
Content-Type: application/json

{
  "name": "evil",
  "command": "/usr/bin/touch",
  "args": ["/tmp/pwned-by-ui-mcp"]
}

In a real attack, the command can be replaced with a shell, a credential exfiltration command, a file modification command, or a payload that starts a long-lived process as the PraisonAI UI server user.

Novelty / Non-Duplicate Analysis

Searched sources:

  • OSV query for PyPI praisonai: 51 advisories returned.
  • OSV query for PyPI aiui: 0 advisories returned.
  • OSV query for PyPI praisonaiui: 0 advisories returned.
  • GitHub Advisory Database search for exact /api/mcp/connect, api_mcp_connect, StdioMCPClient, connect_mcp_server, and praisonaiui.features.mcp.
  • NVD API searches for PraisonAI StdioMCPClient, PraisonAI api_mcp_connect, PraisonAI /api/mcp/connect, PraisonAIUI /api/mcp/connect, and aiui StdioMCPClient: 0 results.
  • GitHub issue/PR searches in MervinPraison/PraisonAI for exact endpoint/function/class terms. Only one unrelated PR was returned for /api/mcp/connect; no issue/PR matched api_mcp_connect, StdioMCPClient, connect_mcp_server, or praisonaiui.features.mcp.
  • Broad web searches for exact endpoint, file, class, and function terms returned no matching public vulnerability report.

Why this is distinct from known PraisonAI advisories:

  • Not the excluded praisonai serve agents --api-key /agents auth bypass. This report targets POST /api/mcp/connect in the PraisonAIUI host app.
  • Not GHSA-9gm9-c8mq-vq7m / CVE-2026-34935 or GHSA-9qhq-v63v-fv3j / CVE-2026-41497. Those involve MCPHandler.parse_mcp_command() command parsing. This finding uses praisonaiui.server.api_mcp_connect -> praisonaiui.features.mcp.connect_mcp_server -> StdioMCPClient.
  • Not GHSA-pj2r-f9mw-vrcq / CVE-2026-40159. That advisory concerns sensitive environment variables inherited by untrusted MCP subprocesses. This finding is unauthenticated network-triggered local process execution.
  • Not GHSA-6rmh-7xcm-cpxj or GHSA-8444-4fhq-fxpq. Those concern unauthenticated legacy/generated agent servers. This is a distinct UI route and a distinct sink that starts arbitrary local processes.
  • Not GHSA-9cr9-25q5-8prj, GHSA-9mqq-jqxf-grvw, or other MCP server file-read/path-traversal advisories. This path is the UI MCP client connector, not PraisonAI's MCP server tool dispatcher.

Recommended Fix

  1. Remove arbitrary command/args from the remote HTTP API. MCP stdio servers should be configured only from trusted local configuration, not caller-supplied JSON.
  2. Require authentication and authorization on /api/mcp/connect, /api/mcp/disconnect/*, and /api/mcp/servers regardless of AUTH_ENFORCE.
  3. Change UI command defaults from 0.0.0.0 to 127.0.0.1, or require an explicit --unsafe-expose style flag when binding externally without auth.
  4. If remote MCP registration is a required feature, allow only URL-based transports with SSRF protections, or maintain an administrator-configured allowlist of commands.
  5. Add regression tests that unauthenticated requests to /api/mcp/connect cannot start a subprocess, including when AUTH_ENFORCE is unset.
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.6.48"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "praisonai"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.6.59"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-306",
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-18T13:58:14Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "# Unauthenticated PraisonAI UI MCP connect endpoint executes attacker-chosen local commands\n\n## Summary\n\nPraisonAI v4.6.48 exposes the PraisonAIUI MCP client management API through the default UI host apps without authentication. A remote unauthenticated client can send `POST /api/mcp/connect` with a `command` and `args` field. The endpoint passes those values into the MCP stdio client, which starts the attacker-selected local process as the PraisonAI UI service user.\n\nThe issue is reachable through PraisonAI\u0027s hosted UI integration (`praisonai ui`, `praisonai ui agents`, `praisonai claw`, and any app using `praisonai.integration.host_app.create_host_app()` / `build_host_app()`). `praisonai ui` and related Typer UI commands bind to `0.0.0.0` by default.\n\n## Affected Versions\n\nConfirmed affected:\n\n- `praisonai` v4.6.48\n- Commit tested: `d5f1114aaf1a2e9f121a6e66b929149ca2201f1d`\n- Tag tested: `v4.6.48`\n- Pinned UI dependency: `aiui==0.3.121` from `src/praisonai/uv.lock`\n\nLikely affected:\n\n- Any PraisonAI release that exposes `aiui` / `praisonaiui` `create_app()` through the PraisonAI UI host apps without authentication and includes the `mcp` dependency. I only confirmed the latest release during this audit.\n\n## Severity\n\nReasoning:\n\n- `AV`: the vulnerable endpoint is an HTTP API route.\n- `AC`: a single POST request is sufficient.\n- `PR`: default UI host apps do not require credentials unless opt-in auth is configured.\n- `UI`: no victim interaction is needed after the server is running.\n- `S`: code executes in the PraisonAI UI server process context.\n- `C/I/A`: arbitrary local command execution permits secret exfiltration, file tampering, and service disruption.\n\n## Root Cause\n\nPraisonAI depends on MCP by default and exposes PraisonAIUI via optional UI extras:\n\n- `src/praisonai/pyproject.toml:11` includes base dependencies.\n- `src/praisonai/pyproject.toml:19` includes `mcp\u003e=1.20.0`.\n- `src/praisonai/pyproject.toml:25` defines the `ui` extra with `aiui\u003e=0.3.121,\u003c0.4`.\n- `src/praisonai/pyproject.toml:197` defines the `claw` extra with `aiui[all]\u003e=0.3.121,\u003c0.4`.\n\nPraisonAI\u0027s UI commands bind externally by default and launch `aiui run`:\n\n- `src/praisonai/praisonai/cli/commands/ui.py:114` sets `host=\"0.0.0.0\"` for `praisonai ui`.\n- `src/praisonai/praisonai/cli/commands/ui.py:163` passes that host to `aiui run`.\n- `src/praisonai/praisonai/cli/commands/ui.py:186`, `:204`, and `:222` also default subcommands to `0.0.0.0`.\n- `src/praisonai/praisonai/cli/commands/claw.py:41` defines the full dashboard command.\n- `src/praisonai/praisonai/cli/commands/claw.py:93` launches `aiui run` with the selected host.\n\nPraisonAI\u0027s default apps create the PraisonAIUI Starlette app without forcing authentication:\n\n- `src/praisonai/praisonai/ui_chat/default_app.py:18` calls `configure_host(...)`.\n- `src/praisonai/praisonai/ui_chat/default_app.py:142` exports `app = create_host_app()`.\n- `src/praisonai/praisonai/claw/default_app.py:63` calls `configure_host(...)`.\n- `src/praisonai/praisonai/claw/default_app.py:128` exports `app = create_host_app()`.\n- `src/praisonai/praisonai/integration/host_app.py:174` imports `praisonaiui.server.create_app`.\n- `src/praisonai/praisonai/integration/host_app.py:180` returns `create_app()`.\n\nIn `aiui==0.3.121`, the exposed server registers the MCP routes and auth is opt-in:\n\n- `praisonaiui/server.py:1483` defines `api_mcp_connect`.\n- `praisonaiui/server.py:1488` reads attacker-controlled JSON.\n- `praisonaiui/server.py:1491` accepts either `command` or `url`.\n- `praisonaiui/server.py:1496` calls `connect_mcp_server(body)`.\n- `praisonaiui/server.py:2516` defines `create_app(..., require_auth=False, ...)`.\n- `praisonaiui/server.py:2550` adds `AuthEnforcementMiddleware`, but it only enforces auth when `AUTH_ENFORCE=true`.\n- `praisonaiui/server.py:2769` registers `/api/mcp/servers`.\n- `praisonaiui/server.py:2770` registers `/api/mcp/connect`.\n\nThe MCP feature converts the request body into a local process launch:\n\n- `praisonaiui/features/mcp.py:325` defines `connect_server(self, server_config)`.\n- `praisonaiui/features/mcp.py:330` chooses stdio transport when `command` is present.\n- `praisonaiui/features/mcp.py:332` constructs `StdioMCPClient(command=server_config[\"command\"], args=server_config.get(\"args\", []))`.\n- `praisonaiui/features/mcp.py:360` calls `client.connect()`, which invokes the MCP stdio transport and starts the process.\n\n## Minimal PoC\n\nPoC file: `poc/praisonai-aiui-mcp-connect-rce.py`\n\nThe PoC runs the PraisonAI host app in-process, sends the unauthenticated HTTP request, and asks the server to execute `/usr/bin/touch /tmp/praisonai_host_app_mcp_touch_marker.txt`. It does not contact an LLM provider and uses no credentials.\n\nObserved output from the tested checkout with `aiui==0.3.121` and `mcp==1.25.0` available:\n\n```text\n[19:19:55] server.py:229 WARNING No auth_token provided for Gateway server. Generated temporary token: gw_****650a. For production, set GATEWAY_AUTH_TOKEN.\n[19:19:55] mcp.py:135 ERROR Failed to connect to MCP stdio server: \u0027tuple\u0027 object has no attribute \u0027initialize\u0027\nHTTP_STATUS= 200\nRESPONSE= {\"server\":{\"name\":\"poc-stdio-process-0\",\"transport\":\"stdio\",\"status\":\"error\",\"tools\":[],\"last_error\":\"Connection failed\"}}\nSUCCESS_AT_ATTEMPT= 0\nMARKER_EXISTS= True\nMARKER_PATH= /tmp/praisonai_host_app_mcp_touch_marker.txt\n```\n\nThe MCP handshake fails because `aiui==0.3.121` is not compatible with the locked `mcp==1.25.0` return shape, but the attacker-selected process is already started. Process startup can race the immediate teardown caused by this version mismatch, so the checked-in PoC retries the same unauthenticated request until `/usr/bin/touch` wins scheduling and creates the marker. The marker file proves local command execution despite the reported MCP connection error.\n\n## Exploit Scenario\n\nAn operator runs:\n\n```bash\npip install \"praisonai[ui]\"\npraisonai ui\n```\n\nBecause `praisonai ui` binds to `0.0.0.0` by default and the generated app does not require authentication by default, any host that can reach the UI port can send:\n\n```http\nPOST /api/mcp/connect\nContent-Type: application/json\n\n{\n  \"name\": \"evil\",\n  \"command\": \"/usr/bin/touch\",\n  \"args\": [\"/tmp/pwned-by-ui-mcp\"]\n}\n```\n\nIn a real attack, the command can be replaced with a shell, a credential exfiltration command, a file modification command, or a payload that starts a long-lived process as the PraisonAI UI server user.\n\n## Novelty / Non-Duplicate Analysis\n\nSearched sources:\n\n- OSV query for PyPI `praisonai`: 51 advisories returned.\n- OSV query for PyPI `aiui`: 0 advisories returned.\n- OSV query for PyPI `praisonaiui`: 0 advisories returned.\n- GitHub Advisory Database search for exact `/api/mcp/connect`, `api_mcp_connect`, `StdioMCPClient`, `connect_mcp_server`, and `praisonaiui.features.mcp`.\n- NVD API searches for `PraisonAI StdioMCPClient`, `PraisonAI api_mcp_connect`, `PraisonAI /api/mcp/connect`, `PraisonAIUI /api/mcp/connect`, and `aiui StdioMCPClient`: 0 results.\n- GitHub issue/PR searches in `MervinPraison/PraisonAI` for exact endpoint/function/class terms. Only one unrelated PR was returned for `/api/mcp/connect`; no issue/PR matched `api_mcp_connect`, `StdioMCPClient`, `connect_mcp_server`, or `praisonaiui.features.mcp`.\n- Broad web searches for exact endpoint, file, class, and function terms returned no matching public vulnerability report.\n\nWhy this is distinct from known PraisonAI advisories:\n\n- Not the excluded `praisonai serve agents --api-key` `/agents` auth bypass. This report targets `POST /api/mcp/connect` in the PraisonAIUI host app.\n- Not GHSA-9gm9-c8mq-vq7m / CVE-2026-34935 or GHSA-9qhq-v63v-fv3j / CVE-2026-41497. Those involve `MCPHandler.parse_mcp_command()` command parsing. This finding uses `praisonaiui.server.api_mcp_connect -\u003e praisonaiui.features.mcp.connect_mcp_server -\u003e StdioMCPClient`.\n- Not GHSA-pj2r-f9mw-vrcq / CVE-2026-40159. That advisory concerns sensitive environment variables inherited by untrusted MCP subprocesses. This finding is unauthenticated network-triggered local process execution.\n- Not GHSA-6rmh-7xcm-cpxj or GHSA-8444-4fhq-fxpq. Those concern unauthenticated legacy/generated agent servers. This is a distinct UI route and a distinct sink that starts arbitrary local processes.\n- Not GHSA-9cr9-25q5-8prj, GHSA-9mqq-jqxf-grvw, or other MCP server file-read/path-traversal advisories. This path is the UI MCP client connector, not PraisonAI\u0027s MCP server tool dispatcher.\n\n## Recommended Fix\n\n1. Remove arbitrary `command`/`args` from the remote HTTP API. MCP stdio servers should be configured only from trusted local configuration, not caller-supplied JSON.\n2. Require authentication and authorization on `/api/mcp/connect`, `/api/mcp/disconnect/*`, and `/api/mcp/servers` regardless of `AUTH_ENFORCE`.\n3. Change UI command defaults from `0.0.0.0` to `127.0.0.1`, or require an explicit `--unsafe-expose` style flag when binding externally without auth.\n4. If remote MCP registration is a required feature, allow only URL-based transports with SSRF protections, or maintain an administrator-configured allowlist of commands.\n5. Add regression tests that unauthenticated requests to `/api/mcp/connect` cannot start a subprocess, including when `AUTH_ENFORCE` is unset.",
  "id": "GHSA-p75f-6fp4-p57w",
  "modified": "2026-06-18T13:58:14Z",
  "published": "2026-06-18T13:58:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-p75f-6fp4-p57w"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/MervinPraison/PraisonAI"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "PraisonAI: Missing Authentication for Critical Function and Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027) in praisonai"
}

GHSA-P77H-46HR-84FF

Vulnerability from github – Published: 2022-09-01 00:00 – Updated: 2024-02-13 18:38
VLAI
Details

Honeywell Experion LX through 2022-05-06 has Missing Authentication for a Critical Function. According to FSCT-2022-0055, there is a Honeywell Experion LX Control Data Access (CDA) EpicMo protocol with unauthenticated functionality issue. The affected components are characterized as: Honeywell Control Data Access (CDA) EpicMo (55565/TCP). The potential impact is: Firmware manipulation, Denial of service. The Honeywell Experion LX Distributed Control System (DCS) utilizes the Control Data Access (CDA) EpicMo protocol (55565/TCP) for device diagnostics and maintenance purposes. This protocol does not have any authentication features, allowing any attacker capable of communicating with the ports in question to invoke (a subset of) desired functionality. There is no authentication functionality on the protocol in question. An attacker capable of invoking the protocols' functionalities could issue firmware download commands potentially allowing for firmware manipulation and reboot devices causing denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-30317"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-31T16:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Honeywell Experion LX through 2022-05-06 has Missing Authentication for a Critical Function. According to FSCT-2022-0055, there is a Honeywell Experion LX Control Data Access (CDA) EpicMo protocol with unauthenticated functionality issue. The affected components are characterized as: Honeywell Control Data Access (CDA) EpicMo (55565/TCP). The potential impact is: Firmware manipulation, Denial of service. The Honeywell Experion LX Distributed Control System (DCS) utilizes the Control Data Access (CDA) EpicMo protocol (55565/TCP) for device diagnostics and maintenance purposes. This protocol does not have any authentication features, allowing any attacker capable of communicating with the ports in question to invoke (a subset of) desired functionality. There is no authentication functionality on the protocol in question. An attacker capable of invoking the protocols\u0027 functionalities could issue firmware download commands potentially allowing for firmware manipulation and reboot devices causing denial of service.",
  "id": "GHSA-p77h-46hr-84ff",
  "modified": "2024-02-13T18:38:22Z",
  "published": "2022-09-01T00:00:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30317"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-242-07"
    },
    {
      "type": "WEB",
      "url": "https://www.forescout.com/blog"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P786-96F8-68FF

Vulnerability from github – Published: 2022-04-22 00:24 – Updated: 2024-04-03 23:05
VLAI
Details

xscreensaver before 5.14 crashes during activation and leaves the screen unlocked when in Blank Only Mode and when DPMS is disabled, which allows local attackers to access resources without authentication.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2011-2187"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-11-27T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "xscreensaver before 5.14 crashes during activation and leaves the screen unlocked when in Blank Only Mode and when DPMS is disabled, which allows local attackers to access resources without authentication.",
  "id": "GHSA-p786-96f8-68ff",
  "modified": "2024-04-03T23:05:50Z",
  "published": "2022-04-22T00:24:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-2187"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/cve-2011-2187"
    },
    {
      "type": "WEB",
      "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627382"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2187"
    },
    {
      "type": "WEB",
      "url": "https://security-tracker.debian.org/tracker/CVE-2011-2187"
    },
    {
      "type": "WEB",
      "url": "https://www.jwz.org/xscreensaver/changelog.html"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2011/06/06/17"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P7C4-8X34-8J8F

Vulnerability from github – Published: 2026-05-18 17:20 – Updated: 2026-06-09 11:56
VLAI
Summary
TinyIce: Missing authentication on WebRTC ingest endpoint allows unauthorized stream injection
Details

Title

Missing authentication on WebRTC ingest endpoint allows unauthenticated stream injection in TinyIce

Ecosystem / Package

  • Ecosystem: Go (or "Other" — TinyIce is shipped as a Go binary, not a Go module published to a registry)
  • Package name: github.com/DatanoiseTV/tinyice

Affected versions

>= 0.8.95, <= 2.4.1

(Introduced 2026-02-21 in commit e2b60d6 — "debug: add Go Live connection tracing and backend data flow logging" — when handleWebRTCSourceOffer was registered at /webrtc/source-offer without an authentication check. Every tagged release from v0.8.95 through v2.4.1 ships the vulnerable handler.)

Patched versions

>= 2.5.0

Severity

Description

TinyIce's WebRTC source-ingest HTTP endpoint, POST /webrtc/source-offer?mount=<mount>, accepted any inbound WebRTC SDP offer with no authentication check. The handler routed the offer to WebRTCManager.HandleSourceOffer, which then accepted whatever audio/video tracks the peer published and broadcast them on the named mount as if they were the legitimate source.

The other ingest paths (POST /<mount> over HTTP/1 with the icecast SOURCE / PUT verb, RTMP, SRT) all require the per-mount source password, falling back to default_source_password from the config. The WebRTC ingest path didn't.

Impact

A network attacker who can reach the TinyIce HTTP port can:

  1. Identify a target mount (mount names are public — they appear in the directory listing, the player URL, and the YP listing).
  2. Negotiate a WebRTC peer connection with the server.
  3. Publish arbitrary Opus / H.264 to that mount.
  4. Have it broadcast to every listener on the mount.

This is a high-integrity-impact issue: an attacker can replace a radio's broadcast with their own audio (silence, noise, malicious content, branded competitor content, etc.). Listeners hear what the attacker sends, not what the legitimate publisher intended.

The legitimate publisher can re-establish their session — TinyIce's source-takeover handshake gives the new offer priority once it arrives, with a 3-second drain of the previous pump goroutine — but the attacker can in principle re-connect immediately after, producing a sustained broadcast hijack until the operator manually intervenes (block at firewall, rotate source passwords once the patch is applied, restart the service).

There is no direct confidentiality impact through this endpoint: the attacker doesn't gain access to listener data or other mounts' content.

Workarounds

If users cannot upgrade immediately:

  • Recommended: block POST /webrtc/source-offer at the reverse proxy in front of TinyIce. The endpoint has no production use case for clients outside the operator's own administration — disabling it loses no functionality unless the consuming application specifically use the browser-based "go-live" feature.
  • Restrict TinyIce's HTTP port to a trusted network (VPN, internal LAN). Listener access can still be served via a separately-firewalled CDN if the application needs public listening.

Detection

To check whether an application's deployment is exposed, run from outside the network:

curl -i -X POST 'https://your-tinyice-host/webrtc/source-offer?mount=/anymount' \
  -H 'Content-Type: application/json' \
  -d '{"type":"offer","sdp":"v=0\r\n"}'
  • If the response is 400 Bad Request with a JSON body containing an SDP-parsing error from pion/webrtc, a consuming application is vulnerable — the server tried to negotiate the (malformed) offer without asking for credentials.
  • If the response is 401 Unauthorized (Basic auth challenge), the consuming application has been patched.

Authenticated log lines on a patched server will look like:

WARN  Authentication failed for user 'webrtc-source' from 1.2.3.4: invalid source password

Fix

Upstream commit: 8067d6b "fix(api): require source password on /webrtc/source-offer + CSRF/access on /go-live-chunk".

The handler now:

  1. Requires either HTTP Basic auth or a ?password= query parameter.
  2. Compares the supplied password against the per-mount source password (or the default_source_password fallback) using bcrypt.
  3. Hooks into the existing brute-force IP rate-limiter (5 failed attempts per IP within 15 minutes triggers a lockout).
  4. Rejects requests for mounts in disabled_mounts.

The same release also tightens an adjacent endpoint, POST /admin/golive/chunk, which previously required session authentication but did not verify the session user's per-mount access nor check the CSRF token.

Timeline

  • 2026-02-21 — Vulnerable handler introduced (e2b60d6).
  • 2026-05-09 — Vulnerability identified during a maintainer-led audit.
  • 2026-05-09 — Patched in commit 8067d6b, released as v2.5.0.
  • 2026-05-09 — GitHub Security Advisory published, CVE assigned.
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.4.1"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/DatanoiseTV/tinyice"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.8.95"
            },
            {
              "fixed": "2.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45327"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-18T17:20:17Z",
    "nvd_published_at": "2026-06-05T18:17:27Z",
    "severity": "HIGH"
  },
  "details": "## Title\n\nMissing authentication on WebRTC ingest endpoint allows unauthenticated stream injection in TinyIce\n\n## Ecosystem / Package\n\n- **Ecosystem:** `Go` (or \"Other\" \u2014 TinyIce is shipped as a Go binary, not a Go module published to a registry)\n- **Package name:** `github.com/DatanoiseTV/tinyice`\n\n## Affected versions\n\n```\n\u003e= 0.8.95, \u003c= 2.4.1\n```\n\n(Introduced 2026-02-21 in commit `e2b60d6` \u2014 \"debug: add Go Live connection tracing and backend data flow logging\" \u2014 when `handleWebRTCSourceOffer` was registered at `/webrtc/source-offer` without an authentication check. Every tagged release from `v0.8.95` through `v2.4.1` ships the vulnerable handler.)\n\n## Patched versions\n\n```\n\u003e= 2.5.0\n```\n\n## Severity\n\n- **CVSS 3.1 base score:** 7.4 (High)\n- **CVSS vector:** `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L`\n- **CWE:** [CWE-306: Missing Authentication for Critical Function](https://cwe.mitre.org/data/definitions/306.html)\n\n## Description\n\nTinyIce\u0027s WebRTC source-ingest HTTP endpoint, `POST /webrtc/source-offer?mount=\u003cmount\u003e`, accepted any inbound WebRTC SDP offer with no authentication check. The handler routed the offer to `WebRTCManager.HandleSourceOffer`, which then accepted whatever audio/video tracks the peer published and broadcast them on the named mount as if they were the legitimate source.\n\nThe other ingest paths (`POST /\u003cmount\u003e` over HTTP/1 with the icecast `SOURCE` / `PUT` verb, RTMP, SRT) all require the per-mount source password, falling back to `default_source_password` from the config. The WebRTC ingest path didn\u0027t.\n\n## Impact\n\nA network attacker who can reach the TinyIce HTTP port can:\n\n1. Identify a target mount (mount names are public \u2014 they appear in the directory listing, the player URL, and the YP listing).\n2. Negotiate a WebRTC peer connection with the server.\n3. Publish arbitrary Opus / H.264 to that mount.\n4. Have it broadcast to every listener on the mount.\n\nThis is a high-integrity-impact issue: an attacker can replace a radio\u0027s broadcast with their own audio (silence, noise, malicious content, branded competitor content, etc.). Listeners hear what the attacker sends, not what the legitimate publisher intended.\n\nThe legitimate publisher can re-establish their session \u2014 TinyIce\u0027s source-takeover handshake gives the new offer priority once it arrives, with a 3-second drain of the previous pump goroutine \u2014 but the attacker can in principle re-connect immediately after, producing a sustained broadcast hijack until the operator manually intervenes (block at firewall, rotate source passwords once the patch is applied, restart the service).\n\nThere is no direct confidentiality impact through this endpoint: the attacker doesn\u0027t gain access to listener data or other mounts\u0027 content.\n\n## Workarounds\n\nIf users cannot upgrade immediately:\n\n- **Recommended:** block `POST /webrtc/source-offer` at the reverse proxy in front of TinyIce. The endpoint has no production use case for clients outside the operator\u0027s own administration \u2014 disabling it loses no functionality unless the consuming application specifically use the browser-based \"go-live\" feature.\n- Restrict TinyIce\u0027s HTTP port to a trusted network (VPN, internal LAN). Listener access can still be served via a separately-firewalled CDN if the application needs public listening.\n\n## Detection\n\nTo check whether an application\u0027s deployment is exposed, run from outside the network:\n\n```\ncurl -i -X POST \u0027https://your-tinyice-host/webrtc/source-offer?mount=/anymount\u0027 \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -d \u0027{\"type\":\"offer\",\"sdp\":\"v=0\\r\\n\"}\u0027\n```\n\n- If the response is `400 Bad Request` with a JSON body containing an SDP-parsing error from `pion/webrtc`, **a consuming application is vulnerable** \u2014 the server tried to negotiate the (malformed) offer without asking for credentials.\n- If the response is `401 Unauthorized` (Basic auth challenge), the consuming application has been patched.\n\nAuthenticated log lines on a patched server will look like:\n\n```\nWARN  Authentication failed for user \u0027webrtc-source\u0027 from 1.2.3.4: invalid source password\n```\n\n## Fix\n\nUpstream commit: [`8067d6b`](https://github.com/DatanoiseTV/tinyice/commit/8067d6b) \"fix(api): require source password on /webrtc/source-offer + CSRF/access on /go-live-chunk\".\n\nThe handler now:\n\n1. Requires either HTTP Basic auth or a `?password=` query parameter.\n2. Compares the supplied password against the per-mount source password (or the `default_source_password` fallback) using bcrypt.\n3. Hooks into the existing brute-force IP rate-limiter (5 failed attempts per IP within 15 minutes triggers a lockout).\n4. Rejects requests for mounts in `disabled_mounts`.\n\nThe same release also tightens an adjacent endpoint, `POST /admin/golive/chunk`, which previously required session authentication but did not verify the session user\u0027s per-mount access nor check the CSRF token.\n\n## Timeline\n\n- 2026-02-21 \u2014 Vulnerable handler introduced (`e2b60d6`).\n- 2026-05-09 \u2014 Vulnerability identified during a maintainer-led audit.\n- 2026-05-09 \u2014 Patched in commit `8067d6b`, released as `v2.5.0`.\n- 2026-05-09 \u2014 GitHub Security Advisory published, CVE assigned.",
  "id": "GHSA-p7c4-8x34-8j8f",
  "modified": "2026-06-09T11:56:10Z",
  "published": "2026-05-18T17:20:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/DatanoiseTV/tinyice/security/advisories/GHSA-p7c4-8x34-8j8f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45327"
    },
    {
      "type": "WEB",
      "url": "https://github.com/DatanoiseTV/tinyice/commit/8067d6b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/DatanoiseTV/tinyice"
    },
    {
      "type": "WEB",
      "url": "https://github.com/DatanoiseTV/tinyice/releases/tag/v2.5.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "TinyIce: Missing authentication on WebRTC ingest endpoint allows unauthorized stream injection"
}

GHSA-P7CQ-WXFH-7J76

Vulnerability from github – Published: 2025-07-02 15:30 – Updated: 2025-09-17 15:30
VLAI
Details

A remote code execution vulnerability in GFI Kerio Control 9.4.5 allows attackers with administrative access to upload and execute arbitrary code through the firmware upgrade feature. The system upgrade mechanism accepts unsigned .img files, which can be modified to include malicious scripts within the upgrade.sh or disk image components. These modified upgrade images are not validated for authenticity or integrity, and are executed by the system post-upload, enabling root access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-34071"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-02T14:15:24Z",
    "severity": "CRITICAL"
  },
  "details": "A remote code execution vulnerability in GFI Kerio Control 9.4.5 allows attackers with administrative access to upload and execute arbitrary code through the firmware upgrade feature. The system upgrade mechanism accepts unsigned .img files, which can be modified to include malicious scripts within the upgrade.sh or disk image components. These modified upgrade images are not validated for authenticity or integrity, and are executed by the system post-upload, enabling root access.",
  "id": "GHSA-p7cq-wxfh-7j76",
  "modified": "2025-09-17T15:30:26Z",
  "published": "2025-07-02T15:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-34071"
    },
    {
      "type": "WEB",
      "url": "https://ssd-disclosure.com/ssd-advisory-kerio-control-authentication-bypass-and-rce"
    },
    {
      "type": "WEB",
      "url": "https://vulncheck.com/advisories/gfi-kerio-control-auth-bypass-rce"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-P7MR-JQMX-QQ7X

Vulnerability from github – Published: 2022-05-13 01:44 – Updated: 2025-04-20 03:50
VLAI
Details

Trustwave Secure Web Gateway (SWG) through 11.8.0.27 allows remote attackers to append an arbitrary public key to the device's SSH Authorized Keys data, and consequently obtain remote root access, via the publicKey parameter to the /sendKey URI.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-18001"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-12-31T19:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "Trustwave Secure Web Gateway (SWG) through 11.8.0.27 allows remote attackers to append an arbitrary public key to the device\u0027s SSH Authorized Keys data, and consequently obtain remote root access, via the publicKey parameter to the /sendKey URI.",
  "id": "GHSA-p7mr-jqmx-qq7x",
  "modified": "2025-04-20T03:50:41Z",
  "published": "2022-05-13T01:44:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18001"
    },
    {
      "type": "WEB",
      "url": "https://blogs.securiteam.com/index.php/archives/3550"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/44047"
    },
    {
      "type": "WEB",
      "url": "https://www.trustwave.com/Resources/Trustwave-Software-Updates/Important-Security-Update-for-Trustwave-Secure-Web-Gateway"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2017/Dec/88"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P7MR-MFC2-48QW

Vulnerability from github – Published: 2022-05-13 01:35 – Updated: 2022-05-13 01:35
VLAI
Details

A vulnerability in the Policy Builder database of Cisco Policy Suite before 18.2.0 could allow an unauthenticated, remote attacker to connect directly to the Policy Builder database. The vulnerability is due to a lack of authentication. An attacker could exploit this vulnerability by connecting directly to the Policy Builder database. A successful exploit could allow the attacker to access and change any data in the Policy Builder database. Cisco Bug IDs: CSCvh06134.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-0374"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-07-18T23:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "A vulnerability in the Policy Builder database of Cisco Policy Suite before 18.2.0 could allow an unauthenticated, remote attacker to connect directly to the Policy Builder database. The vulnerability is due to a lack of authentication. An attacker could exploit this vulnerability by connecting directly to the Policy Builder database. A successful exploit could allow the attacker to access and change any data in the Policy Builder database. Cisco Bug IDs: CSCvh06134.",
  "id": "GHSA-p7mr-mfc2-48qw",
  "modified": "2022-05-13T01:35:17Z",
  "published": "2022-05-13T01:35:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-0374"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-policy-unauth-access"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/104851"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P7WW-WJH2-G3GW

Vulnerability from github – Published: 2025-11-05 09:30 – Updated: 2025-11-05 09:30
VLAI
Details

The Control-M/Agent is vulnerable to unauthenticated remote code execution, arbitrary file read and write and similar unauthorized actions when mutual SSL/TLS authentication is not enabled (i.e. in the default configuration).

NOTE: The vendor believes that this vulnerability only occurs when documented security best practices are not followed. BMC has always strongly recommended to use security best practices such as configuring SSL/TLS between Control-M Server and Agent.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-55108"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-05T09:15:32Z",
    "severity": "CRITICAL"
  },
  "details": "The Control-M/Agent is vulnerable to unauthenticated remote code execution, arbitrary file read and write and similar unauthorized actions when mutual SSL/TLS authentication is not enabled (i.e. in the default configuration).\n\n\nNOTE: The vendor believes that this vulnerability only occurs when documented security best practices are not followed. BMC has always strongly recommended to use security best practices such as configuring SSL/TLS between Control-M Server and Agent.",
  "id": "GHSA-p7ww-wjh2-g3gw",
  "modified": "2025-11-05T09:30:26Z",
  "published": "2025-11-05T09:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55108"
    },
    {
      "type": "WEB",
      "url": "https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000441962"
    },
    {
      "type": "WEB",
      "url": "https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000442099"
    },
    {
      "type": "WEB",
      "url": "https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000442271"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Architecture and Design
  • Divide the software into anonymous, normal, privileged, and administrative areas. Identify which of these areas require a proven user identity, and use a centralized authentication capability.
  • Identify all potential communication channels, or other means of interaction with the software, to ensure that all channels are appropriately protected, including those channels that are assumed to be accessible only by authorized parties. Developers sometimes perform authentication at the primary channel, but open up a secondary channel that is assumed to be private. For example, a login mechanism may be listening on one network port, but after successful authentication, it may open up a second port where it waits for the connection, but avoids authentication because it assumes that only the authenticated party will connect to the port.
  • In general, if the software or protocol allows a single session or user state to persist across multiple connections or channels, authentication and appropriate credential management need to be used throughout.
Mitigation MIT-15
Architecture and Design

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Mitigation
Architecture and Design
  • Where possible, avoid implementing custom, "grow-your-own" authentication routines and consider using authentication capabilities as provided by the surrounding framework, operating system, or environment. These capabilities may avoid common weaknesses that are unique to authentication; support automatic auditing and tracking; and make it easier to provide a clear separation between authentication tasks and authorization tasks.
  • In environments such as the World Wide Web, the line between authentication and authorization is sometimes blurred. If custom authentication routines are required instead of those provided by the server, then these routines must be applied to every single page, since these pages could be requested directly.
Mitigation MIT-4.5
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator [REF-45].
Mitigation
Implementation System Configuration Operation

When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to require strong authentication for users who should be allowed to access the data [REF-1297] [REF-1298] [REF-1302].

CAPEC-12: Choosing Message Identifier

This pattern of attack is defined by the selection of messages distributed via multicast or public information channels that are intended for another client by determining the parameter value assigned to that client. This attack allows the adversary to gain access to potentially privileged information, and to possibly perpetrate other attacks through the distribution means by impersonation. If the channel/message being manipulated is an input rather than output mechanism for the system, (such as a command bus), this style of attack could be used to change the adversary's identifier to more a privileged one.

CAPEC-166: Force the System to Reset Values

An attacker forces the target into a previous state in order to leverage potential weaknesses in the target dependent upon a prior configuration or state-dependent factors. Even in cases where an attacker may not be able to directly control the configuration of the targeted application, they may be able to reset the configuration to a prior state since many applications implement reset functions.

CAPEC-216: Communication Channel Manipulation

An adversary manipulates a setting or parameter on communications channel in order to compromise its security. This can result in information exposure, insertion/removal of information from the communications stream, and/or potentially system compromise.

CAPEC-36: Using Unpublished Interfaces or Functionality

An adversary searches for and invokes interfaces or functionality that the target system designers did not intend to be publicly available. If interfaces fail to authenticate requests, the attacker may be able to invoke functionality they are not authorized for.

CAPEC-62: Cross Site Request Forgery

An attacker crafts malicious web links and distributes them (via web pages, email, etc.), typically in a targeted manner, hoping to induce users to click on the link and execute the malicious action against some third-party application. If successful, the action embedded in the malicious link will be processed and accepted by the targeted application with the users' privilege level. This type of attack leverages the persistence and implicit trust placed in user session cookies by many web applications today. In such an architecture, once the user authenticates to an application and a session cookie is created on the user's system, all following transactions for that session are authenticated using that cookie including potential actions initiated by an attacker and simply "riding" the existing session cookie.