Common Weakness Enumeration

CWE-306

Allowed

Missing Authentication for Critical Function

Abstraction: Base · Status: Draft

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

3465 vulnerabilities reference this CWE, most recent first.

GHSA-Q5F8-CJFH-WG6R

Vulnerability from github – Published: 2022-05-24 17:39 – Updated: 2024-09-11 18:30
VLAI
Details

Multiple vulnerabilities in the web-based management interface of Cisco Finesse could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack and obtain potentially confidential information by leveraging a flaw in the authentication mechanism. For more information about these vulnerabilities, see the Details section of this advisory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-1246"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306",
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-01-13T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Multiple vulnerabilities in the web-based management interface of Cisco Finesse could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack and obtain potentially confidential information by leveraging a flaw in the authentication mechanism. For more information about these vulnerabilities, see the Details section of this advisory.",
  "id": "GHSA-q5f8-cjfh-wg6r",
  "modified": "2024-09-11T18:30:58Z",
  "published": "2022-05-24T17:39:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1246"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-multi-vuln-finesse-qp6gbUO2"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-multi-vuln-finesse-qp6gbUO2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q5FH-2HC8-F6RQ

Vulnerability from github – Published: 2026-02-20 21:15 – Updated: 2026-02-23 22:30
VLAI
Summary
Ray dashboard DELETE endpoints allow unauthenticated browser-triggered DoS (Serve shutdown / job deletion)
Details

Summary

Ray’s dashboard HTTP server blocks browser-origin POST/PUT but does not cover DELETE, and key DELETE endpoints are unauthenticated by default. If the dashboard/agent is reachable (e.g., --dashboard-host=0.0.0.0), a web page via DNS rebinding or same-network access can issue DELETE requests that shut down Serve or delete jobs without user interaction. This is a drive-by availability impact.

### Details

  • Middleware: python/ray/dashboard/http_server_head.py#get_browsers_no_post_put_middleware only checks POST/PUT via is_browser_request (UA/Origin/Sec-Fetch heuristics). DELETE is not gated.
  • Endpoints lacking browser protection/auth by default:
    • python/ray/dashboard/modules/serve/serve_head.py: @routes.delete("/api/serve/applications/") calls serve.shutdown().
    • python/ray/dashboard/modules/job/job_head.py: @routes.delete("/api/jobs/{job_or_submission_id}").
    • python/ray/dashboard/modules/job/job_agent.py: @routes.delete("/api/job_agent/jobs/{job_or_submission_id}") (not wrapped with deny_browser_requests either).
  • Dashboard token auth is optional and off by default; binding to 0.0.0.0 is common for remote access.

### PoC

Prereqs: dashboard reachable (e.g., ray start --head --dashboard-host=0.0.0.0), no token auth.

  1. Start Serve (or have jobs present).
  2. From any browser-reachable origin (DNS rebinding or same-LAN page), issue a DELETE fetch:
fetch("http://<dashboard-host>:8265/api/serve/applications/", {
    method: "DELETE",
    headers: { "User-Agent": "Mozilla/5.0" }  // browsers set this automatically
  });

Result: Serve shuts down. 3) Similarly, delete jobs:

fetch("http://<dashboard-host>:8265/api/jobs/<job_or_submission_id>", { method: "DELETE" }); fetch("http://<dashboard-agent>:52365/api/job_agent/jobs/<job_or_submission_id>", { method: "DELETE" });

Browsers will send the Mozilla UA and Origin/Sec-Fetch headers, but DELETE is not blocked by the middleware, so the requests succeed.

### Impact

  • Availability loss: Serve shutdown; job deletion. Triggerable via drive-by browser requests if the dashboard/agent ports are reachable and auth is disabled (default).
  • No code execution from this vector, but breaks isolation/trust assumptions for “developer-only” endpoints.

Fix

The fix for this vulnerability is to update to Ray 2.54.0 or higher.

Fix PR: https://github.com/ray-project/ray/pull/60526

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ray"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.54.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-27482"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306",
      "CWE-396"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-20T21:15:25Z",
    "nvd_published_at": "2026-02-21T10:16:12Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\n  Ray\u2019s dashboard HTTP server blocks browser-origin POST/PUT but does not cover DELETE, and key DELETE endpoints are unauthenticated by default. If the dashboard/agent is reachable (e.g., --dashboard-host=0.0.0.0), a web page via DNS rebinding or same-network access can\n  issue DELETE requests that shut down Serve or delete jobs without user interaction. This is a drive-by availability impact.\n\n  ### Details\n\n  - Middleware: python/ray/dashboard/http_server_head.py#get_browsers_no_post_put_middleware only checks POST/PUT via is_browser_request (UA/Origin/Sec-Fetch heuristics). DELETE is not gated.\n  - Endpoints lacking browser protection/auth by default:\n      - python/ray/dashboard/modules/serve/serve_head.py: @routes.delete(\"/api/serve/applications/\") calls serve.shutdown().\n      - python/ray/dashboard/modules/job/job_head.py: @routes.delete(\"/api/jobs/{job_or_submission_id}\").\n      - python/ray/dashboard/modules/job/job_agent.py: @routes.delete(\"/api/job_agent/jobs/{job_or_submission_id}\") (not wrapped with deny_browser_requests either).\n  - Dashboard token auth is optional and off by default; binding to 0.0.0.0 is common for remote access.\n\n  ### PoC\n\n  Prereqs: dashboard reachable (e.g., ray start --head --dashboard-host=0.0.0.0), no token auth.\n\n  1. Start Serve (or have jobs present).\n  2. From any browser-reachable origin (DNS rebinding or same-LAN page), issue a DELETE fetch:\n\n```  \nfetch(\"http://\u003cdashboard-host\u003e:8265/api/serve/applications/\", {\n    method: \"DELETE\",\n    headers: { \"User-Agent\": \"Mozilla/5.0\" }  // browsers set this automatically\n  });\n```\n\n  Result: Serve shuts down.\n  3) Similarly, delete jobs:\n\n ` fetch(\"http://\u003cdashboard-host\u003e:8265/api/jobs/\u003cjob_or_submission_id\u003e\", { method: \"DELETE\" });`\n ` fetch(\"http://\u003cdashboard-agent\u003e:52365/api/job_agent/jobs/\u003cjob_or_submission_id\u003e\", { method: \"DELETE\" });`\n\n  Browsers will send the Mozilla UA and Origin/Sec-Fetch headers, but DELETE is not blocked by the middleware, so the requests succeed.\n\n  ### Impact\n\n  - Availability loss: Serve shutdown; job deletion. Triggerable via drive-by browser requests if the dashboard/agent ports are reachable and auth is disabled (default).\n  - No code execution from this vector, but breaks isolation/trust assumptions for \u201cdeveloper-only\u201d endpoints.\n  \n### Fix\nThe fix for this vulnerability is to update to Ray 2.54.0 or higher. \n\nFix PR: https://github.com/ray-project/ray/pull/60526",
  "id": "GHSA-q5fh-2hc8-f6rq",
  "modified": "2026-02-23T22:30:32Z",
  "published": "2026-02-20T21:15:25Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ray-project/ray/security/advisories/GHSA-q5fh-2hc8-f6rq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27482"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ray-project/ray/pull/60526"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ray-project/ray/commit/0fda8b824cdc9dc6edd763bb28dfd7d1cc9b02a4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ray-project/ray"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ray-project/ray/releases/tag/ray-2.54.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Ray dashboard DELETE endpoints allow unauthenticated browser-triggered DoS (Serve shutdown / job deletion)"
}

GHSA-Q5H6-49GG-2WFG

Vulnerability from github – Published: 2022-05-24 17:42 – Updated: 2024-09-20 21:46
VLAI
Summary
GramAddict bot uses dependency with reverse tcp backdoor
Details

GramAddict before 1.2.5 allows remote attackers to execute arbitrary code because of use of UIAutomator2 and ATX-Agent. The attacker must be able to reach TCP port 7912, e.g., by being on the same Wi-Fi network.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "GramAddict"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-36245"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-22T22:12:57Z",
    "nvd_published_at": "2021-02-17T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "GramAddict before 1.2.5 allows remote attackers to execute arbitrary code because of use of UIAutomator2 and ATX-Agent. The attacker must be able to reach TCP port 7912, e.g., by being on the same Wi-Fi network.",
  "id": "GHSA-q5h6-49gg-2wfg",
  "modified": "2024-09-20T21:46:38Z",
  "published": "2022-05-24T17:42:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36245"
    },
    {
      "type": "WEB",
      "url": "https://github.com/GramAddict/bot/issues/134"
    },
    {
      "type": "WEB",
      "url": "https://github.com/GramAddict/bot/pull/183"
    },
    {
      "type": "WEB",
      "url": "https://github.com/GramAddict/bot/commit/b9d11691b2fb13749c3cd0f75c70ee31242053ce"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/GramAddict/bot"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/gramaddict/PYSEC-2021-65.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "GramAddict bot uses dependency with reverse tcp backdoor"
}

GHSA-Q5PR-32H7-QGVW

Vulnerability from github – Published: 2025-05-08 12:34 – Updated: 2025-10-03 09:30
VLAI
Details

WF2220 exposes endpoint /cgi-bin-igd/netcore_get.cgi that returns configuration of the device to unauthorized users. Returned configuration includes cleartext password. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-3758"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-306"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-08T10:15:18Z",
    "severity": "HIGH"
  },
  "details": "WF2220 exposes endpoint\u00a0/cgi-bin-igd/netcore_get.cgi\u00a0that returns configuration of the device to unauthorized users. Returned configuration includes cleartext password.\nThe vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-q5pr-32h7-qgvw",
  "modified": "2025-10-03T09:30:19Z",
  "published": "2025-05-08T12:34:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3758"
    },
    {
      "type": "WEB",
      "url": "https://cert.pl/en/posts/2025/05/CVE-2025-3758"
    },
    {
      "type": "WEB",
      "url": "https://cert.pl/posts/2025/05/CVE-2025-3758"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-Q5QF-H3WV-5GV7

Vulnerability from github – Published: 2025-12-12 00:30 – Updated: 2025-12-12 00:30
VLAI
Details

Siklu MultiHaul TG series devices before version 2.0.0 contain an unauthenticated vulnerability that allows remote attackers to retrieve randomly generated credentials via a network request. Attackers can send a specific hex-encoded command to port 12777 to obtain username and password, enabling direct SSH access to the device.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-58300"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-11T22:15:51Z",
    "severity": "HIGH"
  },
  "details": "Siklu MultiHaul TG series devices before version 2.0.0 contain an unauthenticated vulnerability that allows remote attackers to retrieve randomly generated credentials via a network request. Attackers can send a specific hex-encoded command to port 12777 to obtain username and password, enabling direct SSH access to the device.",
  "id": "GHSA-q5qf-h3wv-5gv7",
  "modified": "2025-12-12T00:30:21Z",
  "published": "2025-12-12T00:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-58300"
    },
    {
      "type": "WEB",
      "url": "https://siklu.com"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/51932"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/siklu-multihaul-tg-series-unauthenticated-credential-disclosure-vulnerability"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-Q5W5-MH63-4M89

Vulnerability from github – Published: 2026-02-27 03:30 – Updated: 2026-03-05 21:30
VLAI
Details

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-27028"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-27T01:16:20Z",
    "severity": "CRITICAL"
  },
  "details": "WebSocket endpoints lack proper authentication mechanisms, enabling \nattackers to perform unauthorized station impersonation and manipulate \ndata sent to the backend. An unauthenticated attacker can connect to the\n OCPP WebSocket endpoint using a known or discovered charging station \nidentifier, then issue or receive OCPP commands as a legitimate charger.\n Given that no authentication is required, this can lead to privilege \nescalation, unauthorized control of charging infrastructure, and \ncorruption of charging network data reported to the backend.",
  "id": "GHSA-q5w5-mh63-4m89",
  "modified": "2026-03-05T21:30:27Z",
  "published": "2026-02-27T03:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27028"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-08.json"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-08"
    },
    {
      "type": "WEB",
      "url": "https://www.mobility46.se/en/contact-us"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-Q684-MWHH-PHMM

Vulnerability from github – Published: 2026-06-02 00:31 – Updated: 2026-06-02 00:31
VLAI
Details

Cryptographic issue while processing partition table entries allows unauthorized modification of boot flow.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-24090"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-01T23:16:19Z",
    "severity": "HIGH"
  },
  "details": "Cryptographic issue while processing partition table entries allows unauthorized modification of boot flow.",
  "id": "GHSA-q684-mwhh-phmm",
  "modified": "2026-06-02T00:31:58Z",
  "published": "2026-06-02T00:31:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24090"
    },
    {
      "type": "WEB",
      "url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2026-bulletin.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q6G6-CFVX-2C7G

Vulnerability from github – Published: 2023-10-25 18:32 – Updated: 2023-11-06 15:30
VLAI
Details

The Android Client application, when enrolled with the define method 1(the user manually inserts the server ip address), use HTTP protocol to retrieve sensitive information (ip address and credentials to connect to a remote MQTT broker entity) instead of HTTPS and this feature is not configurable by the user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-45220"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-25T18:17:33Z",
    "severity": "HIGH"
  },
  "details": "The Android Client application, when enrolled with the define method 1(the user manually inserts the server ip address), use HTTP protocol to retrieve  sensitive information (ip address and credentials to connect to a remote MQTT broker entity) instead of HTTPS and this feature is not configurable by the user.",
  "id": "GHSA-q6g6-cfvx-2c7g",
  "modified": "2023-11-06T15:30:30Z",
  "published": "2023-10-25T18:32:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45220"
    },
    {
      "type": "WEB",
      "url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-175607.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q6H5-P9Q5-MW7Q

Vulnerability from github – Published: 2022-05-17 02:35 – Updated: 2022-05-17 02:35
VLAI
Details

In all Android releases from CAF using the Linux kernel, the Hypervisor API could be misused to bypass authentication.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2015-9030"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-06-13T20:29:00Z",
    "severity": "HIGH"
  },
  "details": "In all Android releases from CAF using the Linux kernel, the Hypervisor API could be misused to bypass authentication.",
  "id": "GHSA-q6h5-p9q5-mw7q",
  "modified": "2022-05-17T02:35:20Z",
  "published": "2022-05-17T02:35:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-9030"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2017-06-01"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/98874"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1038623"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q6HX-X875-R6J4

Vulnerability from github – Published: 2022-05-24 16:48 – Updated: 2024-04-04 01:01
VLAI
Details

RedwoodHQ 2.5.5 does not require any authentication for database operations, which allows remote attackers to create admin users via a con.automationframework users insert_one call.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-12890"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-06-19T18:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "RedwoodHQ 2.5.5 does not require any authentication for database operations, which allows remote attackers to create admin users via a con.automationframework users insert_one call.",
  "id": "GHSA-q6hx-x875-r6j4",
  "modified": "2024-04-04T01:01:02Z",
  "published": "2022-05-24T16:48:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12890"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/46992"
    },
    {
      "type": "WEB",
      "url": "https://www.youtube.com/watch?v=MK9AvoJDtxY"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design
  • Divide the software into anonymous, normal, privileged, and administrative areas. Identify which of these areas require a proven user identity, and use a centralized authentication capability.
  • Identify all potential communication channels, or other means of interaction with the software, to ensure that all channels are appropriately protected, including those channels that are assumed to be accessible only by authorized parties. Developers sometimes perform authentication at the primary channel, but open up a secondary channel that is assumed to be private. For example, a login mechanism may be listening on one network port, but after successful authentication, it may open up a second port where it waits for the connection, but avoids authentication because it assumes that only the authenticated party will connect to the port.
  • In general, if the software or protocol allows a single session or user state to persist across multiple connections or channels, authentication and appropriate credential management need to be used throughout.
Mitigation MIT-15
Architecture and Design

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Mitigation
Architecture and Design
  • Where possible, avoid implementing custom, "grow-your-own" authentication routines and consider using authentication capabilities as provided by the surrounding framework, operating system, or environment. These capabilities may avoid common weaknesses that are unique to authentication; support automatic auditing and tracking; and make it easier to provide a clear separation between authentication tasks and authorization tasks.
  • In environments such as the World Wide Web, the line between authentication and authorization is sometimes blurred. If custom authentication routines are required instead of those provided by the server, then these routines must be applied to every single page, since these pages could be requested directly.
Mitigation MIT-4.5
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator [REF-45].
Mitigation
Implementation System Configuration Operation

When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to require strong authentication for users who should be allowed to access the data [REF-1297] [REF-1298] [REF-1302].

CAPEC-12: Choosing Message Identifier

This pattern of attack is defined by the selection of messages distributed via multicast or public information channels that are intended for another client by determining the parameter value assigned to that client. This attack allows the adversary to gain access to potentially privileged information, and to possibly perpetrate other attacks through the distribution means by impersonation. If the channel/message being manipulated is an input rather than output mechanism for the system, (such as a command bus), this style of attack could be used to change the adversary's identifier to more a privileged one.

CAPEC-166: Force the System to Reset Values

An attacker forces the target into a previous state in order to leverage potential weaknesses in the target dependent upon a prior configuration or state-dependent factors. Even in cases where an attacker may not be able to directly control the configuration of the targeted application, they may be able to reset the configuration to a prior state since many applications implement reset functions.

CAPEC-216: Communication Channel Manipulation

An adversary manipulates a setting or parameter on communications channel in order to compromise its security. This can result in information exposure, insertion/removal of information from the communications stream, and/or potentially system compromise.

CAPEC-36: Using Unpublished Interfaces or Functionality

An adversary searches for and invokes interfaces or functionality that the target system designers did not intend to be publicly available. If interfaces fail to authenticate requests, the attacker may be able to invoke functionality they are not authorized for.

CAPEC-62: Cross Site Request Forgery

An attacker crafts malicious web links and distributes them (via web pages, email, etc.), typically in a targeted manner, hoping to induce users to click on the link and execute the malicious action against some third-party application. If successful, the action embedded in the malicious link will be processed and accepted by the targeted application with the users' privilege level. This type of attack leverages the persistence and implicit trust placed in user session cookies by many web applications today. In such an architecture, once the user authenticates to an application and a session cookie is created on the user's system, all following transactions for that session are authenticated using that cookie including potential actions initiated by an attacker and simply "riding" the existing session cookie.