Common Weakness Enumeration

CWE-306

Allowed

Missing Authentication for Critical Function

Abstraction: Base · Status: Draft

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

3442 vulnerabilities reference this CWE, most recent first.

GHSA-VJH7-5R6X-XH6G

Vulnerability from github – Published: 2023-07-17 14:36 – Updated: 2024-12-12 22:29
VLAI
Summary
CasaOS Gateway vulnerable to incorrect identification of source IP addresses
Details

Impact

Unauthenticated attackers can execute arbitrary commands as root on CasaOS instances.

Patches

The problem was addressed by improving the detection of client IP addresses in 391dd7f. This patch is part of CasaOS 0.4.4.

Workarounds

Users should upgrade to CasaOS 0.4.4. If they can't, they should temporarily restrict access to CasaOS to untrusted users, for instance by not exposing it publicly.

References

  • 391dd7f
  • https://www.sonarsource.com/blog/security-vulnerabilities-in-casaos/
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/IceWhaleTech/CasaOS-Gateway"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.4.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-37265"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306",
      "CWE-348"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-17T14:36:09Z",
    "nvd_published_at": "2023-07-17T21:15:09Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nUnauthenticated attackers can execute arbitrary commands as `root` on CasaOS instances.\n\n### Patches\n\nThe problem was addressed by improving the detection of client IP addresses in 391dd7f. This patch is part of CasaOS 0.4.4.\n\n### Workarounds\n\nUsers should upgrade to CasaOS 0.4.4. If they can\u0027t, they should temporarily restrict access to CasaOS to untrusted users, for instance by not exposing it publicly. \n\n### References\n\n- 391dd7f\n- https://www.sonarsource.com/blog/security-vulnerabilities-in-casaos/",
  "id": "GHSA-vjh7-5r6x-xh6g",
  "modified": "2024-12-12T22:29:30Z",
  "published": "2023-07-17T14:36:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/IceWhaleTech/CasaOS-Gateway/security/advisories/GHSA-vjh7-5r6x-xh6g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37265"
    },
    {
      "type": "WEB",
      "url": "https://github.com/IceWhaleTech/CasaOS-Gateway/commit/391dd7f0f239020c46bf057cfa25f82031fc15f7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/IceWhaleTech/CasaOS-Gateway"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2023-1932"
    },
    {
      "type": "WEB",
      "url": "https://www.sonarsource.com/blog/security-vulnerabilities-in-casaos"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "CasaOS Gateway vulnerable to incorrect identification of source IP addresses"
}

GHSA-VJHJ-68J8-9Q56

Vulnerability from github – Published: 2022-05-13 01:45 – Updated: 2022-05-13 01:45
VLAI
Details

A privilege escalation vulnerability in the Secure Shell (SSH) subsystem in the StarOS operating system for Cisco ASR 5000 Series, ASR 5500 Series, ASR 5700 Series devices, and Cisco Virtualized Packet Core could allow an authenticated, remote attacker to gain unrestricted, root shell access. The vulnerability is due to missing input validation of parameters passed during SSH or SFTP login. An attacker could exploit this vulnerability by providing crafted user input to the SSH or SFTP command-line interface (CLI) during SSH or SFTP login. An exploit could allow an authenticated attacker to gain root privileges access on the router. Note: Only traffic directed to the affected system can be used to exploit this vulnerability. This vulnerability can be triggered via both IPv4 and IPv6 traffic. An established TCP connection toward port 22, the SSH default port, is needed to perform the attack. The attacker must have valid credentials to login to the system via SSH or SFTP. The following products have been confirmed to be vulnerable: Cisco ASR 5000/5500/5700 Series devices running StarOS after 17.7.0 and prior to 18.7.4, 19.5, and 20.2.3 with SSH configured are vulnerable. Cisco Virtualized Packet Core - Single Instance (VPC-SI) and Distributed Instance (VPC-DI) devices running StarOS prior to N4.2.7 (19.3.v7) and N4.7 (20.2.v0) with SSH configured are vulnerable. Cisco Bug IDs: CSCva65853.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-3819"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-03-15T20:59:00Z",
    "severity": "HIGH"
  },
  "details": "A privilege escalation vulnerability in the Secure Shell (SSH) subsystem in the StarOS operating system for Cisco ASR 5000 Series, ASR 5500 Series, ASR 5700 Series devices, and Cisco Virtualized Packet Core could allow an authenticated, remote attacker to gain unrestricted, root shell access. The vulnerability is due to missing input validation of parameters passed during SSH or SFTP login. An attacker could exploit this vulnerability by providing crafted user input to the SSH or SFTP command-line interface (CLI) during SSH or SFTP login. An exploit could allow an authenticated attacker to gain root privileges access on the router. Note: Only traffic directed to the affected system can be used to exploit this vulnerability. This vulnerability can be triggered via both IPv4 and IPv6 traffic. An established TCP connection toward port 22, the SSH default port, is needed to perform the attack. The attacker must have valid credentials to login to the system via SSH or SFTP. The following products have been confirmed to be vulnerable: Cisco ASR 5000/5500/5700 Series devices running StarOS after 17.7.0 and prior to 18.7.4, 19.5, and 20.2.3 with SSH configured are vulnerable. Cisco Virtualized Packet Core - Single Instance (VPC-SI) and Distributed Instance (VPC-DI) devices running StarOS prior to N4.2.7 (19.3.v7) and N4.7 (20.2.v0) with SSH configured are vulnerable. Cisco Bug IDs: CSCva65853.",
  "id": "GHSA-vjhj-68j8-9q56",
  "modified": "2022-05-13T01:45:55Z",
  "published": "2022-05-13T01:45:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-3819"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170315-asr"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/96913"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1038050"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VJP9-58V6-M6FW

Vulnerability from github – Published: 2025-10-31 00:30 – Updated: 2025-10-31 00:30
VLAI
Details

Seeyon Zhiyuan OA Web Application System versions up to and including 7.0 SP1 improperly decode and parse the enc parameter in thirdpartyController.do. The decoded map values can influence session attributes without sufficient authentication/authorization checks, enabling attackers to assign a session to arbitrary user IDs. VulnCheck has observed this vulnerability being exploited in the wild as of 2025-10-30 at 00:30:40.855917 UTC.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-4461"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-30T22:15:41Z",
    "severity": "CRITICAL"
  },
  "details": "Seeyon Zhiyuan OA Web Application System versions up to and including 7.0 SP1\u00a0improperly decode and parse the `enc` parameter in thirdpartyController.do. The decoded map values can influence session attributes without sufficient authentication/authorization checks, enabling attackers to assign a session to arbitrary user IDs. VulnCheck has observed this vulnerability being exploited in the wild as of 2025-10-30 at 00:30:40.855917 UTC.",
  "id": "GHSA-vjp9-58v6-m6fw",
  "modified": "2025-10-31T00:30:32Z",
  "published": "2025-10-31T00:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4461"
    },
    {
      "type": "WEB",
      "url": "https://github.com/chaitin/xray/blob/f90cf321bc4d294bbf6625a9c4853f3bfdf0a384/pocs/seeyon-oa-cookie-leak.yml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/projectdiscovery/nuclei-templates/blob/1ca6b8e6fe225cbd46dcb893dcaee01447afa8c0/http/misconfiguration/seeyon-unauth.yaml#L20"
    },
    {
      "type": "WEB",
      "url": "https://mp.weixin.qq.com/s/0AqdfTrZUVrwTMbKEKresg"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/seeyon-zhiyuan-oa-web-application-system-authentication-bypass"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-VJPP-784V-C8GF

Vulnerability from github – Published: 2026-06-17 18:35 – Updated: 2026-06-17 18:35
VLAI
Details

Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). The supported version that is affected is 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Content. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebCenter Content, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Content. CVSS 3.1 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-46789"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-17T10:53:56Z",
    "severity": "CRITICAL"
  },
  "details": "Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server).   The supported version that is affected is 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Content.  Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebCenter Content, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Content. CVSS 3.1 Base Score 9.6 (Confidentiality, Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).",
  "id": "GHSA-vjpp-784v-c8gf",
  "modified": "2026-06-17T18:35:28Z",
  "published": "2026-06-17T18:35:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46789"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cspujun2026.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VMF9-XX9W-86WX

Vulnerability from github – Published: 2026-06-18 13:52 – Updated: 2026-06-18 13:52
VLAI
Summary
PraisonAI ToolsMCPServer legacy SSE transport accepts attacker Host/Origin and exposes registered tools
Details

PraisonAI ToolsMCPServer legacy SSE transport accepts attacker Host/Origin and exposes registered tools

Summary

praisonaiagents.mcp.ToolsMCPServer.run_sse() builds a Starlette MCP HTTP+SSE server around mcp.server.sse.SseServerTransport. The server exposes /sse and /messages/, but it does not validate Origin, does not validate Host, and does not require any authentication.

This is reachable through supported PraisonAI code paths that wrap configured MCP server tools and re-expose them over legacy SSE:

  • praisonai mcp run <name> --transport sse
  • praisonai serve mcp --name <name> --transport sse
  • direct use of ToolsMCPServer(...).run_sse(...) or launch_tools_mcp_server(..., transport="sse")

A malicious website can use DNS rebinding against a local or internal PraisonAI SSE MCP server and send requests with attacker-controlled Host and Origin headers. The local PoV binds only to 127.0.0.1, sends an attacker Host and Origin, lists the registered tool, and invokes it successfully.

The same attacker Origin is rejected by PraisonAI's current Streamable HTTP transport with HTTP 403. The vulnerability is therefore a sibling transport guard gap in the legacy SSE wrapper, not intended behavior.

Affected product

  • Repository: MervinPraison/PraisonAI
  • Packages:
  • praisonaiagents
  • praisonai
  • Primary component: src/praisonai-agents/praisonaiagents/mcp/mcp_server.py
  • CLI wrappers:
  • src/praisonai/praisonai/cli/commands/mcp.py
  • src/praisonai/praisonai/cli/commands/serve.py
  • Latest verified release/current head:
  • praisonaiagents 1.6.58
  • PraisonAI 4.6.58
  • repo head 1ad58ca02975ff1398efeda694ea2ab78f20cf3e

Suggested affected ranges:

  • praisonaiagents >= 0.6.0, <= 1.6.58
  • praisonai >= 3.10.0, <= 4.6.58

No fixed version is known at submission time.

Confirmed source sweep:

v3.0.0   ToolsMCPServer.run_sse helper present, no Origin/Host/auth checks
v3.10.0  praisonai mcp run --transport sse wraps configured tools into helper
v3.12.3  praisonai serve mcp --name --transport sse wraps configured tools
v4.0.0   same vulnerable helper and CLI wrapping paths
v4.4.12  same vulnerable helper and CLI wrapping paths
v4.5.0   same vulnerable helper and CLI wrapping paths
v4.5.56  same vulnerable helper and CLI wrapping paths
v4.5.139 same vulnerable helper and CLI wrapping paths
v4.6.57  same vulnerable helper and CLI wrapping paths
v4.6.58  same vulnerable helper and dynamic PoV succeeds

Impact

If a PraisonAI user starts a local or internal legacy SSE MCP server with registered tools, an attacker who gets that user to visit a malicious website can use DNS rebinding to interact with the SSE server through the browser. The attacker can discover exposed tools and invoke them as the local user.

Impact depends on the configured tools. In realistic PraisonAI MCP deployments, registered tools may access local files, repositories, issue trackers, cloud APIs, internal services, or other automation targets. This can lead to confidentiality, integrity, and availability impact for the resources reachable by the exposed tools.

The PoV is local-only and harmless. It exposes one marker tool that writes a canary string to a temporary directory.

Root cause

Current ToolsMCPServer.run_sse() constructs a Starlette app directly:

sse_path = "/sse"
messages_path = "/messages/"
sse_transport = SseServerTransport(messages_path)

async def handle_sse(request: Request):
    async with sse_transport.connect_sse(
        request.scope, request.receive, request._send
    ) as (read_stream, write_stream):
        await mcp._mcp_server.run(
            read_stream,
            write_stream,
            mcp._mcp_server.create_initialization_options()
        )

app = Starlette(
    debug=self._debug,
    routes=[
        Route(sse_path, endpoint=handle_sse),
        Mount(messages_path, app=sse_transport.handle_post_message),
    ]
)

uvicorn.run(app, host=host, port=port)

There is no middleware or route-level check for:

  • Origin
  • Host
  • Authorization
  • API key
  • allowed origins / allowed hosts

The configured CLI wrapper exposes this path:

from praisonaiagents.mcp import MCP, ToolsMCPServer
cmd_string = " ".join(cmd)
mcp = MCP(cmd_string, timeout=60, env=server.env or {})
tools = mcp.get_tools()
mcp_server = ToolsMCPServer(name=name, tools=tools)
mcp_server.run_sse(host=host, port=port)

By contrast, the current Streamable HTTP transport validates Origin and returns HTTP 403 for an invalid origin:

origin = request.headers.get("Origin")
if not self._validate_origin(origin):
    return JSONResponse(..., status_code=403)

Local-only PoV

Run from the harness checkout:

uv run --with mcp --with starlette --with uvicorn --with httpx --with anyio \
  python submission-bundle/praisonai-prai-cand-015-mcp-sse-host-origin-bypass/poc/pov_prai_cand_015_sse_mcp_host_origin_bypass.py \
  --repo-src artifacts/repos/praisonai-v4.6.58/src

Observed current-head result:

{
  "candidate": "PRAI-CAND-015",
  "http_stream_control": {
    "attacker_origin": "http://attacker.example.test",
    "rejects_attacker_origin": true,
    "status_code": 403,
    "transport": "current_http_stream"
  },
  "source_checks": {
    "has_auth_check": false,
    "has_host_check": false,
    "has_origin_check": false,
    "has_sse_transport": true,
    "route_count": 2
  },
  "sse_probe": {
    "attacker_headers": {
      "Host": "attacker.example.test:62380",
      "Origin": "http://attacker.example.test:62380"
    },
    "bind_host": "127.0.0.1",
    "marker_value": "executed-from-attacker-origin",
    "marker_written": true,
    "server_started": true,
    "tool_call_content": [
      "recorded:executed-from-attacker-origin"
    ],
    "tool_call_error": false,
    "tool_names": [
      "record_marker"
    ],
    "vulnerable": true
  },
  "vulnerable": true
}

The PoV:

  1. imports the current ToolsMCPServer;
  2. registers one marker tool;
  3. monkey-patches uvicorn.run only to capture the exact Starlette app created by run_sse();
  4. starts that app on 127.0.0.1;
  5. connects to /sse with attacker-controlled Host and Origin;
  6. lists tools and calls the marker tool;
  7. runs a control against PraisonAI's current Streamable HTTP transport and confirms the same attacker Origin is rejected with HTTP 403.

Why this is not intended behavior

This is not only a trust-model disagreement.

PraisonAI's MCP documentation describes Streamable HTTP, WebSocket, and legacy SSE as supported MCP transport mechanisms. The same documentation says the MCP module's security properties include origin validation, authentication headers, and secure session IDs. The transport guide also has a dedicated security section for origin validation as DNS rebinding prevention and authentication.

The official MCP specification warns that HTTP transports need origin validation to prevent DNS rebinding, should bind locally for local servers, and should implement authentication. It also says that without those protections, remote websites can interact with local MCP servers.

The upstream MCP Python SDK advisory GHSA-9h52-p55h-vw2f / CVE-2025-66416 classifies unauthenticated localhost HTTP/SSE MCP servers without DNS rebinding protection as a High severity issue because malicious websites can invoke tools or access resources exposed by the local MCP server. That advisory also says custom low-level SseServerTransport configurations should explicitly configure transport security settings when running unauthenticated localhost servers.

PraisonAI's current Streamable HTTP implementation already enforces an Origin guard and rejects the exact attacker Origin used in the PoV. The issue is that the legacy SSE sibling path lacks the same boundary.

Suggested severity

Suggested severity: High.

Rationale:

  • AV: the attack uses browser-origin HTTP requests to a local/internal service.
  • AC: practical exploitation requires DNS rebinding or equivalent browser origin setup.
  • PR: no PraisonAI credentials are required by the SSE server.
  • UR: the user must visit an attacker-controlled page.
  • S: the vulnerable transport exposes tools that operate on resources outside the HTTP transport itself.
  • C/I/A: exposed tools may read, mutate, or disrupt local/internal resources depending on the configured MCP server.

Suggested fix

Bring legacy SSE server security in line with the current Streamable HTTP transport, or disable the legacy SSE server path.

Recommended changes:

  1. Add explicit allowed-origin and allowed-host validation to both /sse and /messages/.
  2. Reject invalid Origin with HTTP 403 before opening the SSE stream or accepting POST messages.
  3. Validate Host for local and internal deployments to mitigate DNS rebinding even when browsers omit or vary Origin.
  4. Require authentication for all non-stdio MCP HTTP transports, including SSE.
  5. Add --api-key, --allowed-origins, and --allowed-hosts options to praisonai mcp run and praisonai serve mcp when --transport sse is used.
  6. Where the installed MCP SDK supports it, configure the SDK transport-security settings for low-level SseServerTransport usage instead of mounting it without Host/Origin protection.
  7. Consider deprecating or disabling --transport sse server mode in favor of the current Streamable HTTP implementation.
  8. Add regression tests proving that attacker Host and Origin values are rejected on both /sse and /messages/, and that current Streamable HTTP and legacy SSE enforce the same boundary.
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.6.58"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "praisonaiagents"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.6.0"
            },
            {
              "fixed": "1.6.59"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.6.58"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "praisonai"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.10.0"
            },
            {
              "fixed": "4.6.59"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-306",
      "CWE-346",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-18T13:52:40Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "# PraisonAI ToolsMCPServer legacy SSE transport accepts attacker Host/Origin and exposes registered tools\n\n## Summary\n\n`praisonaiagents.mcp.ToolsMCPServer.run_sse()` builds a Starlette MCP\nHTTP+SSE server around `mcp.server.sse.SseServerTransport`. The server exposes\n`/sse` and `/messages/`, but it does not validate `Origin`, does not validate\n`Host`, and does not require any authentication.\n\nThis is reachable through supported PraisonAI code paths that wrap configured\nMCP server tools and re-expose them over legacy SSE:\n\n- `praisonai mcp run \u003cname\u003e --transport sse`\n- `praisonai serve mcp --name \u003cname\u003e --transport sse`\n- direct use of `ToolsMCPServer(...).run_sse(...)` or\n  `launch_tools_mcp_server(..., transport=\"sse\")`\n\nA malicious website can use DNS rebinding against a local or internal\nPraisonAI SSE MCP server and send requests with attacker-controlled `Host` and\n`Origin` headers. The local PoV binds only to `127.0.0.1`, sends an attacker\n`Host` and `Origin`, lists the registered tool, and invokes it successfully.\n\nThe same attacker `Origin` is rejected by PraisonAI\u0027s current Streamable HTTP\ntransport with HTTP 403. The vulnerability is therefore a sibling transport\nguard gap in the legacy SSE wrapper, not intended behavior.\n\n## Affected product\n\n- Repository: `MervinPraison/PraisonAI`\n- Packages:\n  - `praisonaiagents`\n  - `praisonai`\n- Primary component:\n  `src/praisonai-agents/praisonaiagents/mcp/mcp_server.py`\n- CLI wrappers:\n  - `src/praisonai/praisonai/cli/commands/mcp.py`\n  - `src/praisonai/praisonai/cli/commands/serve.py`\n- Latest verified release/current head:\n  - `praisonaiagents 1.6.58`\n  - `PraisonAI 4.6.58`\n  - repo head `1ad58ca02975ff1398efeda694ea2ab78f20cf3e`\n\nSuggested affected ranges:\n\n- `praisonaiagents \u003e= 0.6.0, \u003c= 1.6.58`\n- `praisonai \u003e= 3.10.0, \u003c= 4.6.58`\n\nNo fixed version is known at submission time.\n\nConfirmed source sweep:\n\n```text\nv3.0.0   ToolsMCPServer.run_sse helper present, no Origin/Host/auth checks\nv3.10.0  praisonai mcp run --transport sse wraps configured tools into helper\nv3.12.3  praisonai serve mcp --name --transport sse wraps configured tools\nv4.0.0   same vulnerable helper and CLI wrapping paths\nv4.4.12  same vulnerable helper and CLI wrapping paths\nv4.5.0   same vulnerable helper and CLI wrapping paths\nv4.5.56  same vulnerable helper and CLI wrapping paths\nv4.5.139 same vulnerable helper and CLI wrapping paths\nv4.6.57  same vulnerable helper and CLI wrapping paths\nv4.6.58  same vulnerable helper and dynamic PoV succeeds\n```\n\n## Impact\n\nIf a PraisonAI user starts a local or internal legacy SSE MCP server with\nregistered tools, an attacker who gets that user to visit a malicious website\ncan use DNS rebinding to interact with the SSE server through the browser. The\nattacker can discover exposed tools and invoke them as the local user.\n\nImpact depends on the configured tools. In realistic PraisonAI MCP deployments,\nregistered tools may access local files, repositories, issue trackers, cloud\nAPIs, internal services, or other automation targets. This can lead to\nconfidentiality, integrity, and availability impact for the resources reachable\nby the exposed tools.\n\nThe PoV is local-only and harmless. It exposes one marker tool that writes a\ncanary string to a temporary directory.\n\n## Root cause\n\nCurrent `ToolsMCPServer.run_sse()` constructs a Starlette app directly:\n\n```python\nsse_path = \"/sse\"\nmessages_path = \"/messages/\"\nsse_transport = SseServerTransport(messages_path)\n\nasync def handle_sse(request: Request):\n    async with sse_transport.connect_sse(\n        request.scope, request.receive, request._send\n    ) as (read_stream, write_stream):\n        await mcp._mcp_server.run(\n            read_stream,\n            write_stream,\n            mcp._mcp_server.create_initialization_options()\n        )\n\napp = Starlette(\n    debug=self._debug,\n    routes=[\n        Route(sse_path, endpoint=handle_sse),\n        Mount(messages_path, app=sse_transport.handle_post_message),\n    ]\n)\n\nuvicorn.run(app, host=host, port=port)\n```\n\nThere is no middleware or route-level check for:\n\n- `Origin`\n- `Host`\n- `Authorization`\n- API key\n- allowed origins / allowed hosts\n\nThe configured CLI wrapper exposes this path:\n\n```python\nfrom praisonaiagents.mcp import MCP, ToolsMCPServer\ncmd_string = \" \".join(cmd)\nmcp = MCP(cmd_string, timeout=60, env=server.env or {})\ntools = mcp.get_tools()\nmcp_server = ToolsMCPServer(name=name, tools=tools)\nmcp_server.run_sse(host=host, port=port)\n```\n\nBy contrast, the current Streamable HTTP transport validates `Origin` and\nreturns HTTP 403 for an invalid origin:\n\n```python\norigin = request.headers.get(\"Origin\")\nif not self._validate_origin(origin):\n    return JSONResponse(..., status_code=403)\n```\n\n## Local-only PoV\n\nRun from the harness checkout:\n\n```bash\nuv run --with mcp --with starlette --with uvicorn --with httpx --with anyio \\\n  python submission-bundle/praisonai-prai-cand-015-mcp-sse-host-origin-bypass/poc/pov_prai_cand_015_sse_mcp_host_origin_bypass.py \\\n  --repo-src artifacts/repos/praisonai-v4.6.58/src\n```\n\nObserved current-head result:\n\n```json\n{\n  \"candidate\": \"PRAI-CAND-015\",\n  \"http_stream_control\": {\n    \"attacker_origin\": \"http://attacker.example.test\",\n    \"rejects_attacker_origin\": true,\n    \"status_code\": 403,\n    \"transport\": \"current_http_stream\"\n  },\n  \"source_checks\": {\n    \"has_auth_check\": false,\n    \"has_host_check\": false,\n    \"has_origin_check\": false,\n    \"has_sse_transport\": true,\n    \"route_count\": 2\n  },\n  \"sse_probe\": {\n    \"attacker_headers\": {\n      \"Host\": \"attacker.example.test:62380\",\n      \"Origin\": \"http://attacker.example.test:62380\"\n    },\n    \"bind_host\": \"127.0.0.1\",\n    \"marker_value\": \"executed-from-attacker-origin\",\n    \"marker_written\": true,\n    \"server_started\": true,\n    \"tool_call_content\": [\n      \"recorded:executed-from-attacker-origin\"\n    ],\n    \"tool_call_error\": false,\n    \"tool_names\": [\n      \"record_marker\"\n    ],\n    \"vulnerable\": true\n  },\n  \"vulnerable\": true\n}\n```\n\nThe PoV:\n\n1. imports the current `ToolsMCPServer`;\n2. registers one marker tool;\n3. monkey-patches `uvicorn.run` only to capture the exact Starlette app created\n   by `run_sse()`;\n4. starts that app on `127.0.0.1`;\n5. connects to `/sse` with attacker-controlled `Host` and `Origin`;\n6. lists tools and calls the marker tool;\n7. runs a control against PraisonAI\u0027s current Streamable HTTP transport and\n   confirms the same attacker `Origin` is rejected with HTTP 403.\n\n## Why this is not intended behavior\n\nThis is not only a trust-model disagreement.\n\nPraisonAI\u0027s MCP documentation describes Streamable HTTP, WebSocket, and legacy\nSSE as supported MCP transport mechanisms. The same documentation says the MCP\nmodule\u0027s security properties include origin validation, authentication headers,\nand secure session IDs. The transport guide also has a dedicated security\nsection for origin validation as DNS rebinding prevention and authentication.\n\nThe official MCP specification warns that HTTP transports need origin\nvalidation to prevent DNS rebinding, should bind locally for local servers, and\nshould implement authentication. It also says that without those protections,\nremote websites can interact with local MCP servers.\n\nThe upstream MCP Python SDK advisory `GHSA-9h52-p55h-vw2f` / `CVE-2025-66416`\nclassifies unauthenticated localhost HTTP/SSE MCP servers without DNS rebinding\nprotection as a High severity issue because malicious websites can invoke tools\nor access resources exposed by the local MCP server. That advisory also says\ncustom low-level `SseServerTransport` configurations should explicitly configure\ntransport security settings when running unauthenticated localhost servers.\n\nPraisonAI\u0027s current Streamable HTTP implementation already enforces an Origin\nguard and rejects the exact attacker Origin used in the PoV. The issue is that\nthe legacy SSE sibling path lacks the same boundary.\n\n\n## Suggested severity\n\nSuggested severity: High.\n\nRationale:\n\n- `AV`: the attack uses browser-origin HTTP requests to a local/internal\n  service.\n- `AC`: practical exploitation requires DNS rebinding or equivalent browser\n  origin setup.\n- `PR`: no PraisonAI credentials are required by the SSE server.\n- `UR`: the user must visit an attacker-controlled page.\n- `S`: the vulnerable transport exposes tools that operate on resources\n  outside the HTTP transport itself.\n- `C/I/A`: exposed tools may read, mutate, or disrupt local/internal\n  resources depending on the configured MCP server.\n\n## Suggested fix\n\nBring legacy SSE server security in line with the current Streamable HTTP\ntransport, or disable the legacy SSE server path.\n\nRecommended changes:\n\n1. Add explicit allowed-origin and allowed-host validation to both `/sse` and\n   `/messages/`.\n2. Reject invalid `Origin` with HTTP 403 before opening the SSE stream or\n   accepting POST messages.\n3. Validate `Host` for local and internal deployments to mitigate DNS rebinding\n   even when browsers omit or vary `Origin`.\n4. Require authentication for all non-stdio MCP HTTP transports, including SSE.\n5. Add `--api-key`, `--allowed-origins`, and `--allowed-hosts` options to\n   `praisonai mcp run` and `praisonai serve mcp` when `--transport sse` is used.\n6. Where the installed MCP SDK supports it, configure the SDK transport-security\n   settings for low-level `SseServerTransport` usage instead of mounting it\n   without Host/Origin protection.\n7. Consider deprecating or disabling `--transport sse` server mode in favor of\n   the current Streamable HTTP implementation.\n8. Add regression tests proving that attacker `Host` and `Origin` values are\n   rejected on both `/sse` and `/messages/`, and that current Streamable HTTP and\n   legacy SSE enforce the same boundary.",
  "id": "GHSA-vmf9-xx9w-86wx",
  "modified": "2026-06-18T13:52:40Z",
  "published": "2026-06-18T13:52:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-vmf9-xx9w-86wx"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/MervinPraison/PraisonAI"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "PraisonAI ToolsMCPServer legacy SSE transport accepts attacker Host/Origin and exposes registered tools"
}

GHSA-VMHC-4P3P-6GPV

Vulnerability from github – Published: 2025-09-17 09:30 – Updated: 2025-09-17 12:30
VLAI
Details

Certain models of Industrial Cellular Gateway developed by Planet Technology have a Missing Authentication vulnerability, allowing unauthenticated remote attackers to manipulate the device via a specific functionality.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-9971"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-17T07:15:43Z",
    "severity": "CRITICAL"
  },
  "details": "Certain models of Industrial Cellular Gateway developed by Planet Technology have a Missing Authentication vulnerability, allowing unauthenticated remote attackers to manipulate the device via a specific functionality.",
  "id": "GHSA-vmhc-4p3p-6gpv",
  "modified": "2025-09-17T12:30:57Z",
  "published": "2025-09-17T09:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9971"
    },
    {
      "type": "WEB",
      "url": "https://www.planet.com.tw/en/support/security-advisory/8"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/en/cp-139-10390-7ce12-2.html"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/tw/cp-132-10389-265a3-1.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-VMR4-XXX4-79M3

Vulnerability from github – Published: 2026-01-05 15:32 – Updated: 2026-01-08 18:30
VLAI
Details

Missing Authentication for Critical Function vulnerability in Centreon Infra Monitoring centreon-awie (Awie import module) allows Accessing Functionality Not Properly Constrained by ACLs.

This issue affects Infra Monitoring: from 25.10.0 before 25.10.2, from 24.10.0 before 24.10.3, from 24.04.0 before 24.04.3.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-15026"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-05T15:15:44Z",
    "severity": "CRITICAL"
  },
  "details": "Missing Authentication for Critical Function vulnerability in Centreon Infra Monitoring centreon-awie (Awie import module) allows Accessing Functionality Not Properly Constrained by ACLs.\n\nThis issue affects Infra Monitoring: from 25.10.0 before 25.10.2, from 24.10.0 before 24.10.3, from 24.04.0 before 24.04.3.",
  "id": "GHSA-vmr4-xxx4-79m3",
  "modified": "2026-01-08T18:30:33Z",
  "published": "2026-01-05T15:32:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15026"
    },
    {
      "type": "WEB",
      "url": "https://github.com/centreon/centreon/releases"
    },
    {
      "type": "WEB",
      "url": "https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-15026-centreon-awie-critical-severity-5357"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VPFM-675M-RFM8

Vulnerability from github – Published: 2024-04-12 18:33 – Updated: 2025-04-11 15:32
VLAI
Details

A Missing Authentication for Critical Function vulnerability in the Packet Forwarding Engine (pfe) of Juniper Networks Junos OS on MX Series with SPC3, and SRX Series allows an unauthenticated network-based attacker to cause limited impact to the integrity or availability of the device.

If a device is configured with IPsec authentication algorithm hmac-sha-384 or hmac-sha-512, tunnels are established normally but for traffic traversing the tunnel no authentication information is sent with the encrypted data on egress, and no authentication information is expected on ingress. So if the peer is an unaffected device transit traffic is going to fail in both directions. If the peer is an also affected device transit traffic works, but without authentication, and configuration and CLI operational commands indicate authentication is performed. This issue affects Junos OS:

All versions before 20.4R3-S7,

21.1 versions before 21.1R3, 

21.2 versions before 21.2R2-S1, 21.2R3, 

21.3 versions before 21.3R1-S2, 21.3R2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-30391"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-12T16:15:38Z",
    "severity": "MODERATE"
  },
  "details": "A Missing Authentication for Critical Function vulnerability in the Packet Forwarding Engine (pfe) of Juniper Networks Junos OS on MX Series with SPC3, and\u00a0SRX Series\u00a0allows an unauthenticated network-based attacker to cause limited impact to the integrity or availability of the device.\n\nIf a device is configured with IPsec authentication algorithm hmac-sha-384 or hmac-sha-512, tunnels are established normally but for traffic traversing the tunnel no authentication information is sent with the encrypted data on egress, and no authentication information is expected on ingress. So if the peer is an unaffected device transit traffic is going to fail in both directions. If the peer is an also affected device transit traffic works, but without authentication, and configuration and CLI operational commands indicate authentication is performed.\nThis issue affects Junos OS:\n\nAll versions before 20.4R3-S7,\n\n21.1 versions before 21.1R3,\u00a0\n\n21.2 versions before 21.2R2-S1, 21.2R3,\u00a0\n\n21.3 versions before 21.3R1-S2, 21.3R2.",
  "id": "GHSA-vpfm-675m-rfm8",
  "modified": "2025-04-11T15:32:17Z",
  "published": "2024-04-12T18:33:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30391"
    },
    {
      "type": "WEB",
      "url": "https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N"
    },
    {
      "type": "WEB",
      "url": "https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N"
    },
    {
      "type": "WEB",
      "url": "http://supportportal.juniper.net/JSA79188"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-VPJ2-69HF-RPPW

Vulnerability from github – Published: 2026-03-02 21:49 – Updated: 2026-03-30 13:17
VLAI
Summary
OpenClaw: Browser control startup could continue unauthenticated after auth bootstrap failure
Details

Summary

When browser control started without explicit auth credentials, OpenClaw attempted to bootstrap auth automatically. In affected versions, if that bootstrap step threw an error, startup could continue and expose browser-control routes without authentication.

Impact

On affected deployments, a local process (or a loopback-reachable SSRF path) could access browser-control routes, including evaluate-capable actions, without auth.

Fix

Startup now fails closed: if bootstrap auth fails and no explicit token/password is configured, browser-control startup aborts.

Affected and Patched Versions

  • Affected: <= 2026.2.26
  • Patched: 2026.3.1
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32041"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-02T21:49:14Z",
    "nvd_published_at": "2026-03-19T22:16:40Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nWhen browser control started without explicit auth credentials, OpenClaw attempted to bootstrap auth automatically. In affected versions, if that bootstrap step threw an error, startup could continue and expose browser-control routes without authentication.\n\n### Impact\nOn affected deployments, a local process (or a loopback-reachable SSRF path) could access browser-control routes, including evaluate-capable actions, without auth.\n\n### Fix\nStartup now fails closed: if bootstrap auth fails and no explicit token/password is configured, browser-control startup aborts.\n\n### Affected and Patched Versions\n- Affected: `\u003c= 2026.2.26`\n- Patched: `2026.3.1`",
  "id": "GHSA-vpj2-69hf-rppw",
  "modified": "2026-03-30T13:17:04Z",
  "published": "2026-03-02T21:49:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vpj2-69hf-rppw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32041"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-unauthenticated-browser-control-access-via-failed-auth-bootstrap"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw: Browser control startup could continue unauthenticated after auth bootstrap failure"
}

GHSA-VPVH-G5CR-PVMJ

Vulnerability from github – Published: 2023-11-22 12:30 – Updated: 2023-11-22 12:30
VLAI
Details

Lack of authentication vulnerability. An unauthenticated local user is able to see through the cameras using the web server due to the lack of any form of authentication.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-3104"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-22T12:15:22Z",
    "severity": "MODERATE"
  },
  "details": "Lack of authentication vulnerability. An unauthenticated local user is able to see through the cameras using the web server due to the lack of any form of authentication.",
  "id": "GHSA-vpvh-g5cr-pvmj",
  "modified": "2023-11-22T12:30:26Z",
  "published": "2023-11-22T12:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3104"
    },
    {
      "type": "WEB",
      "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-unitree-robotics-a1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design
  • Divide the software into anonymous, normal, privileged, and administrative areas. Identify which of these areas require a proven user identity, and use a centralized authentication capability.
  • Identify all potential communication channels, or other means of interaction with the software, to ensure that all channels are appropriately protected, including those channels that are assumed to be accessible only by authorized parties. Developers sometimes perform authentication at the primary channel, but open up a secondary channel that is assumed to be private. For example, a login mechanism may be listening on one network port, but after successful authentication, it may open up a second port where it waits for the connection, but avoids authentication because it assumes that only the authenticated party will connect to the port.
  • In general, if the software or protocol allows a single session or user state to persist across multiple connections or channels, authentication and appropriate credential management need to be used throughout.
Mitigation MIT-15
Architecture and Design

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Mitigation
Architecture and Design
  • Where possible, avoid implementing custom, "grow-your-own" authentication routines and consider using authentication capabilities as provided by the surrounding framework, operating system, or environment. These capabilities may avoid common weaknesses that are unique to authentication; support automatic auditing and tracking; and make it easier to provide a clear separation between authentication tasks and authorization tasks.
  • In environments such as the World Wide Web, the line between authentication and authorization is sometimes blurred. If custom authentication routines are required instead of those provided by the server, then these routines must be applied to every single page, since these pages could be requested directly.
Mitigation MIT-4.5
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator [REF-45].
Mitigation
Implementation System Configuration Operation

When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to require strong authentication for users who should be allowed to access the data [REF-1297] [REF-1298] [REF-1302].

CAPEC-12: Choosing Message Identifier

This pattern of attack is defined by the selection of messages distributed via multicast or public information channels that are intended for another client by determining the parameter value assigned to that client. This attack allows the adversary to gain access to potentially privileged information, and to possibly perpetrate other attacks through the distribution means by impersonation. If the channel/message being manipulated is an input rather than output mechanism for the system, (such as a command bus), this style of attack could be used to change the adversary's identifier to more a privileged one.

CAPEC-166: Force the System to Reset Values

An attacker forces the target into a previous state in order to leverage potential weaknesses in the target dependent upon a prior configuration or state-dependent factors. Even in cases where an attacker may not be able to directly control the configuration of the targeted application, they may be able to reset the configuration to a prior state since many applications implement reset functions.

CAPEC-216: Communication Channel Manipulation

An adversary manipulates a setting or parameter on communications channel in order to compromise its security. This can result in information exposure, insertion/removal of information from the communications stream, and/or potentially system compromise.

CAPEC-36: Using Unpublished Interfaces or Functionality

An adversary searches for and invokes interfaces or functionality that the target system designers did not intend to be publicly available. If interfaces fail to authenticate requests, the attacker may be able to invoke functionality they are not authorized for.

CAPEC-62: Cross Site Request Forgery

An attacker crafts malicious web links and distributes them (via web pages, email, etc.), typically in a targeted manner, hoping to induce users to click on the link and execute the malicious action against some third-party application. If successful, the action embedded in the malicious link will be processed and accepted by the targeted application with the users' privilege level. This type of attack leverages the persistence and implicit trust placed in user session cookies by many web applications today. In such an architecture, once the user authenticates to an application and a session cookie is created on the user's system, all following transactions for that session are authenticated using that cookie including potential actions initiated by an attacker and simply "riding" the existing session cookie.