Common Weakness Enumeration

CWE-287

Discouraged

Improper Authentication

Abstraction: Class · Status: Draft

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

5964 vulnerabilities reference this CWE, most recent first.

GHSA-9QVJ-RPJ8-V5C8

Vulnerability from github – Published: 2025-06-03 15:31 – Updated: 2025-11-14 16:17
VLAI
Summary
Pekko Management may not properly apply authenticator when Basic Authentication is enabled
Details

If you enable Basic Authentication in Pekko Management using the Java DSL, the authenticator may not be properly applied.

Users that rely on authentication instead of making sure the Management API ports are only available to trusted users are recommended to upgrade to version 1.1.1, which fixes this issue. Akka was affected by the same issue and has released the fix in version 1.6.1.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.pekko:pekko-management_2.12"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.lightbend.akka.management:akka-management_2.13"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.pekko:pekko-management_2.13"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.pekko:pekko-management_3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.lightbend.akka.management:akka-management_2.12"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.lightbend.akka.management:akka-management_3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-46548"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-06T15:33:33Z",
    "nvd_published_at": "2025-06-03T15:15:59Z",
    "severity": "MODERATE"
  },
  "details": "If you enable Basic Authentication in Pekko Management using the Java DSL, the authenticator may not be properly applied.\n\n\nUsers that rely on authentication instead of making sure the Management API ports are only available to trusted users are recommended to upgrade to version 1.1.1, which fixes this issue. Akka was affected by the same issue and has released the fix in version 1.6.1.",
  "id": "GHSA-9qvj-rpj8-v5c8",
  "modified": "2025-11-14T16:17:00Z",
  "published": "2025-06-03T15:31:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46548"
    },
    {
      "type": "WEB",
      "url": "https://github.com/akka/akka-management/pull/1385"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/pekko-management/pull/418"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/tnd84hj9w0ggjcft6cp12q67d5jzhp66"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/06/03/7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Pekko Management may not properly apply authenticator when Basic Authentication is enabled"
}

GHSA-9QXP-4454-64H6

Vulnerability from github – Published: 2022-05-02 00:03 – Updated: 2022-05-02 00:03
VLAI
Details

Unspecified vulnerability in Cisco Adaptive Security Appliances (ASA) 5500 Series and PIX Security Appliances 7.0 before 7.0(8)3, 7.1 before 7.1(2)78, 7.2 before 7.2(4)16, 8.0 before 8.0(4)6, and 8.1 before 8.1(1)13, when configured as a VPN using Microsoft Windows NT Domain authentication, allows remote attackers to bypass VPN authentication via unknown vectors.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-3815"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2008-10-23T22:00:00Z",
    "severity": "MODERATE"
  },
  "details": "Unspecified vulnerability in Cisco Adaptive Security Appliances (ASA) 5500 Series and PIX Security Appliances 7.0 before 7.0(8)3, 7.1 before 7.1(2)78, 7.2 before 7.2(4)16, 8.0 before 8.0(4)6, and 8.1 before 8.1(1)13, when configured as a VPN using Microsoft Windows NT Domain authentication, allows remote attackers to bypass VPN authentication via unknown vectors.",
  "id": "GHSA-9qxp-4454-64h6",
  "modified": "2022-05-02T00:03:52Z",
  "published": "2022-05-02T00:03:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-3815"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46024"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5983"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/32360"
    },
    {
      "type": "WEB",
      "url": "http://www.cisco.com/en/US/products/products_security_advisory09186a0080a183ba.shtml"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/31864"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id?1021089"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id?1021090"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2008/2899"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-9R38-F9P6-3F7P

Vulnerability from github – Published: 2022-05-13 01:12 – Updated: 2022-05-13 01:12
VLAI
Details

rss/file.php in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, and 2.5.x before 2.5.1 does not properly implement the use of RSS tokens for impersonation, which allows remote authenticated users to obtain sensitive block information by reading an RSS feed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2013-2245"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2013-07-29T13:59:00Z",
    "severity": "MODERATE"
  },
  "details": "rss/file.php in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, and 2.5.x before 2.5.1 does not properly implement the use of RSS tokens for impersonation, which allows remote authenticated users to obtain sensitive block information by reading an RSS feed.",
  "id": "GHSA-9r38-f9p6-3f7p",
  "modified": "2022-05-13T01:12:53Z",
  "published": "2022-05-13T01:12:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2245"
    },
    {
      "type": "WEB",
      "url": "https://moodle.org/mod/forum/discuss.php?d=232502"
    },
    {
      "type": "WEB",
      "url": "http://git.moodle.org/gw?p=moodle.git\u0026a=search\u0026h=HEAD\u0026st=commit\u0026s=MDL-37818"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-9R4H-6JQX-QW6H

Vulnerability from github – Published: 2022-05-13 01:04 – Updated: 2025-04-20 03:42
VLAI
Details

It was discovered that the bpserverd proprietary protocol in Unitrends Backup (UB) before 10.0.0, as invoked through xinetd, has an issue in which its authentication can be bypassed. A remote attacker could use this issue to execute arbitrary commands with root privilege on the target system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-12477"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-08-07T15:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "It was discovered that the bpserverd proprietary protocol in Unitrends Backup (UB) before 10.0.0, as invoked through xinetd, has an issue in which its authentication can be bypassed. A remote attacker could use this issue to execute arbitrary commands with root privilege on the target system.",
  "id": "GHSA-9r4h-6jqx-qw6h",
  "modified": "2025-04-20T03:42:19Z",
  "published": "2022-05-13T01:04:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12477"
    },
    {
      "type": "WEB",
      "url": "https://support.unitrends.com/UnitrendsBackup/s/article/000005755"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/43031"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9R6P-3954-JM8W

Vulnerability from github – Published: 2022-05-14 02:38 – Updated: 2022-05-14 02:38
VLAI
Details

Eaton MGEOPS Network Shutdown Module before 3.10 Build 13 allows remote attackers to execute arbitrary code by adding a custom action to the MGE frontend via pane_actionbutton.php, and then executing this action via exec_action.php.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-6816"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2009-05-28T14:30:00Z",
    "severity": "HIGH"
  },
  "details": "Eaton MGEOPS Network Shutdown Module before 3.10 Build 13 allows remote attackers to execute arbitrary code by adding a custom action to the MGE frontend via pane_actionbutton.php, and then executing this action via exec_action.php.",
  "id": "GHSA-9r6p-3954-jm8w",
  "modified": "2022-05-14T02:38:19Z",
  "published": "2022-05-14T02:38:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-6816"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46131"
    },
    {
      "type": "WEB",
      "url": "http://download.mgeops.com/install/win32/nsm/release_note_nsm_320.txt"
    },
    {
      "type": "WEB",
      "url": "http://osvdb.org/50051"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/32456"
    },
    {
      "type": "WEB",
      "url": "http://www.nruns.com/security_advisory_eaton_mge_ops_network_shutdown_module_authentication_bypass.php"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/497824/100/100/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/31933"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-9R74-CMM5-QV85

Vulnerability from github – Published: 2022-05-17 02:56 – Updated: 2025-04-20 03:33
VLAI
Details

The "OpenID Connect Relying Party and OAuth 2.0 Resource Server" (aka mod_auth_openidc) module before 2.1.6 for the Apache HTTP Server does not skip OIDC_CLAIM_ and OIDCAuthNHeader headers in an "AuthType oauth20" configuration, which allows remote attackers to bypass authentication via crafted HTTP traffic.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-6413"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-03-02T06:59:00Z",
    "severity": "HIGH"
  },
  "details": "The \"OpenID Connect Relying Party and OAuth 2.0 Resource Server\" (aka mod_auth_openidc) module before 2.1.6 for the Apache HTTP Server does not skip OIDC_CLAIM_ and OIDCAuthNHeader headers in an \"AuthType oauth20\" configuration, which allows remote attackers to bypass authentication via crafted HTTP traffic.",
  "id": "GHSA-9r74-cmm5-qv85",
  "modified": "2025-04-20T03:33:32Z",
  "published": "2022-05-17T02:56:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-6413"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pingidentity/mod_auth_openidc/commit/21e3728a825c41ab41efa75e664108051bb9665e"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:2112"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pingidentity/mod_auth_openidc/blob/master/ChangeLog"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pingidentity/mod_auth_openidc/releases/tag/v2.1.6"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2V3HIGXMUKJGOBMAQAQPGC7G5YYWSUVA"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EJXBG3DG2FUYFGTUTSJFMPIINVFKKB4Z"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WTWUMQ46GZY3O4WU4JCF333LN53R2XQH"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2V3HIGXMUKJGOBMAQAQPGC7G5YYWSUVA"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EJXBG3DG2FUYFGTUTSJFMPIINVFKKB4Z"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTWUMQ46GZY3O4WU4JCF333LN53R2XQH"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/96549"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9R75-G2CR-3H76

Vulnerability from github – Published: 2026-03-06 18:45 – Updated: 2026-03-06 18:45
VLAI
Summary
Vercel Workflow Allows Webhook Creation with Predictable User-Specified Tokens
Details

createWebhook() in Vercel Workflow DevKit accepts a user-specified token parameter that serves as the credential for the public webhook endpoint /.well-known/workflow/v1/webhook/{token}. Official documentation recommended predictable token patterns, making it possible for an unauthenticated remote attacker to guess the token and inject arbitrary payloads into the workflow execution context.

Impact

An attacker who guesses a webhook token can resume the associated workflow with an attacker-controlled HTTP request body, potentially triggering downstream side effects such as API calls, database writes, or deployments.

Fix

  • Upgrade to version 4.2.0-beta.64. The fix removes the token option from createWebhook() so that webhook tokens are always randomly generated by the SDK.
  • Runs created with versions prior to 4.2.0-beta.64, that are 1) still active (i.e. running), and 2) have open hooks, are still susceptible to this vulnerability. If users suspect the hook tokens are predictable or leaked - consider cancelling those runs and restarting them on the latest patch.

Workarounds

In case a version upgrade is not possible, avoid passing predictable or guessable values to the token parameter of createWebhook(). Instead, users can either

  • switch from createWebhook() to createHook() instead and programmatically resume hooks using resumeHook() instead of the public webhook endpoint, or
  • use createWebhook() without passing a user-provided token, which uses a non-guessable random nanoid by default.
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.1.0-beta.63"
      },
      "package": {
        "ecosystem": "npm",
        "name": "workflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.2.0-beta.64"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.1.0-beta.63"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@workflow/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.2.0-beta.64"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-06T18:45:02Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "`createWebhook()` in Vercel Workflow DevKit accepts a user-specified `token` parameter that serves as the credential for the public webhook endpoint `/.well-known/workflow/v1/webhook/{token}`. Official documentation recommended predictable token patterns, making it possible for an unauthenticated remote attacker to guess the token and inject arbitrary payloads into the workflow execution context.\n\n#### Impact\n\nAn attacker who guesses a webhook token can resume the associated workflow with an attacker-controlled HTTP request body, potentially triggering downstream side effects such as API calls, database writes, or deployments.\n\n#### Fix\n\n* Upgrade to version 4.2.0-beta.64. The fix removes the `token` option from `createWebhook()` so that webhook tokens are always randomly generated by the SDK.\n* Runs created with versions prior to 4.2.0-beta.64, that are 1) still active (i.e. running), and 2) have open hooks, are still susceptible to this vulnerability. If users suspect the hook tokens are predictable or leaked - consider cancelling those runs and restarting them on the latest patch.\n\n#### Workarounds\n\nIn case a version upgrade is not possible, avoid passing predictable or guessable values to the `token` parameter of `createWebhook()`. Instead, users can either\n\n* switch from `createWebhook()` to `createHook()` instead and programmatically resume hooks using `resumeHook()` instead of the public webhook endpoint, or\n* use `createWebhook()` without passing a user-provided `token`, which uses a non-guessable random `nanoid` by default.",
  "id": "GHSA-9r75-g2cr-3h76",
  "modified": "2026-03-06T18:45:02Z",
  "published": "2026-03-06T18:45:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vercel/workflow/security/advisories/GHSA-9r75-g2cr-3h76"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vercel/workflow/commit/30e24d441e735635ffa4522198e6905d0e51e175"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vercel/workflow"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vercel/workflow/releases/tag/workflow%404.2.0-beta.64"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Vercel Workflow Allows Webhook Creation with Predictable User-Specified Tokens"
}

GHSA-9R7G-325H-MXRM

Vulnerability from github – Published: 2022-05-17 02:53 – Updated: 2022-07-07 22:54
VLAI
Summary
Improper Authentication in Apache Hadoop
Details

Apache Hadoop 0.23.x before 0.23.11 and 2.x before 2.4.1, as used in Cloudera CDH 5.0.x before 5.0.2, do not check authorization for the (1) refreshNamenodes, (2) deleteBlockPool, and (3) shutdownDatanode HDFS admin commands, which allows remote authenticated users to cause a denial of service (DataNodes shutdown) or perform unnecessary operations by issuing a command.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.hadoop:hadoop-common"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.23.0"
            },
            {
              "fixed": "0.23.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.hadoop:hadoop-common"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2014-0229"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-07T22:54:01Z",
    "nvd_published_at": "2017-03-23T20:59:00Z",
    "severity": "MODERATE"
  },
  "details": "Apache Hadoop 0.23.x before 0.23.11 and 2.x before 2.4.1, as used in Cloudera CDH 5.0.x before 5.0.2, do not check authorization for the (1) refreshNamenodes, (2) deleteBlockPool, and (3) shutdownDatanode HDFS admin commands, which allows remote authenticated users to cause a denial of service (DataNodes shutdown) or perform unnecessary operations by issuing a command.",
  "id": "GHSA-9r7g-325h-mxrm",
  "modified": "2022-07-07T22:54:01Z",
  "published": "2022-05-17T02:53:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0229"
    },
    {
      "type": "WEB",
      "url": "https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html#concept_i1q_xvk_2r"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Authentication in Apache Hadoop"
}

GHSA-9R7G-86M8-JW9M

Vulnerability from github – Published: 2022-05-17 01:14 – Updated: 2022-05-17 01:14
VLAI
Details

Juniper Junos 11.4 before R12, 12.1 before R10, 12.1X44 before D35, 12.1X45 before D25, 12.1X46 before D20, 12.1X47 before D10, 12.2 before R8, 12.2X50 before D70, 12.3 before R6, 13.1 before R4-S3, 13.1X49 before D55, 13.1X50 before D30, 13.2 before R4, 13.2X50 before D20, 13.2X51 before D26 and D30, 13.2X52 before D15, 13.3 before R2, and 14.1 before R1, when a RADIUS accounting server is configured as [system accounting destination radius], creates an entry in /var/etc/pam_radius.conf, which might allow remote attackers to bypass authentication via unspecified vectors.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2014-6379"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2014-10-14T14:55:00Z",
    "severity": "HIGH"
  },
  "details": "Juniper Junos 11.4 before R12, 12.1 before R10, 12.1X44 before D35, 12.1X45 before D25, 12.1X46 before D20, 12.1X47 before D10, 12.2 before R8, 12.2X50 before D70, 12.3 before R6, 13.1 before R4-S3, 13.1X49 before D55, 13.1X50 before D30, 13.2 before R4, 13.2X50 before D20, 13.2X51 before D26 and D30, 13.2X52 before D15, 13.3 before R2, and 14.1 before R1, when a RADIUS accounting server is configured as [system accounting destination radius], creates an entry in /var/etc/pam_radius.conf, which might allow remote attackers to bypass authentication via unspecified vectors.",
  "id": "GHSA-9r7g-86m8-jw9m",
  "modified": "2022-05-17T01:14:25Z",
  "published": "2022-05-17T01:14:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-6379"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96905"
    },
    {
      "type": "WEB",
      "url": "https://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10654"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/70365"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1031010"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-9R87-MVCW-X35F

Vulnerability from github – Published: 2026-07-06 20:52 – Updated: 2026-07-06 20:52
VLAI
Summary
Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass
Details

Summary

Two flaws in Coder's OIDC login chained into account takeover: email-based user matching fell back to linking by email without checking for an existing link to a different IdP subject and the email_verified claim was only enforced when present as a boolean false so an absent or non-boolean claim was treated as verified.

Impact

An attacker who could authenticate at the configured OIDC provider with an email matching a victim's Coder account could log in as that victim and gain full access to their workspaces, templates and resources. This required OIDC authentication, attacker control of a matching email at the IdP and a victim account not yet linked to a different IdP subject.

Patches

The fix restricts the email fallback to first-time and legacy linking and defaults email_verified to false when the claim is absent or of an unexpected type.

The fix was backported to all supported release lines:

Release line Patched version
2.34 v2.34.2
2.33 v2.33.8
2.32 v2.32.7
2.29 (ESR) v2.29.17

Workarounds

Configure the OIDC provider to disallow self-registration or to require email verification before issuing tokens.

Resources

  • Fix: #25712, #25713

Credits

Coder would like to thank Anthropic's Security Team (ANT-2026-22450) for independently disclosing this issue!

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/coder/coder/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.34.0"
            },
            {
              "fixed": "2.34.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/coder/coder/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.33.0"
            },
            {
              "fixed": "2.33.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/coder/coder/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.30.0"
            },
            {
              "fixed": "2.32.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/coder/coder/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.29.17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-55075"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-289"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-06T20:52:13Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\nTwo flaws in Coder\u0027s OIDC login chained into account takeover: email-based user matching fell back to linking by email without checking for an existing link to a different IdP subject and the `email_verified` claim was only enforced when present as a boolean `false` so an absent or non-boolean claim was treated as verified.\n\n### Impact\n\nAn attacker who could authenticate at the configured OIDC provider with an email matching a victim\u0027s Coder account could log in as that victim and gain full access to their workspaces, templates and resources. This required OIDC authentication, attacker control of a matching email at the IdP and a victim account not yet linked to a different IdP subject.\n\n### Patches\n\nThe fix restricts the email fallback to first-time and legacy linking and defaults `email_verified` to false when the claim is absent or of an unexpected type.\n\nThe fix was backported to all supported release lines:\n\n| Release line | Patched version |\n|---|---|\n| 2.34 | [v2.34.2](https://github.com/coder/coder/releases/tag/v2.34.2) |\n| 2.33 | [v2.33.8](https://github.com/coder/coder/releases/tag/v2.33.8) |\n| 2.32 | [v2.32.7](https://github.com/coder/coder/releases/tag/v2.32.7) |\n| 2.29 (ESR) | [v2.29.17](https://github.com/coder/coder/releases/tag/v2.29.17) |\n\n### Workarounds\n\nConfigure the OIDC provider to disallow self-registration or to require email verification before issuing tokens.\n\n### Resources\n\n- Fix: #25712, #25713\n\n### Credits\n\nCoder would like to thank Anthropic\u0027s Security Team (ANT-2026-22450) for independently disclosing this issue!",
  "id": "GHSA-9r87-mvcw-x35f",
  "modified": "2026-07-06T20:52:13Z",
  "published": "2026-07-06T20:52:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/coder/coder/security/advisories/GHSA-9r87-mvcw-x35f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/coder/coder/pull/25712"
    },
    {
      "type": "WEB",
      "url": "https://github.com/coder/coder/pull/25713"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/coder/coder"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass"
}

Mitigation
Architecture and Design

Strategy: Libraries or Frameworks

Use an authentication framework or library such as the OWASP ESAPI Authentication feature.

CAPEC-114: Authentication Abuse

An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker.

CAPEC-115: Authentication Bypass

An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place.

CAPEC-151: Identity Spoofing

Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principle or use stolen / spoofed authentication credentials.

CAPEC-194: Fake the Source of Data

An adversary takes advantage of improper authentication to provide data or services under a falsified identity. The purpose of using the falsified identity may be to prevent traceability of the provided data or to assume the rights granted to another individual. One of the simplest forms of this attack would be the creation of an email message with a modified "From" field in order to appear that the message was sent from someone other than the actual sender. The root of the attack (in this case the email system) fails to properly authenticate the source and this results in the reader incorrectly performing the instructed action. Results of the attack vary depending on the details of the attack, but common results include privilege escalation, obfuscation of other attacks, and data corruption/manipulation.

CAPEC-22: Exploiting Trust in Client

An attack of this type exploits vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by communicating directly with the server where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.

CAPEC-57: Utilizing REST's Trust in the System Resource to Obtain Sensitive Data

This attack utilizes a REST(REpresentational State Transfer)-style applications' trust in the system resources and environment to obtain sensitive data once SSL is terminated.

CAPEC-593: Session Hijacking

This type of attack involves an adversary that exploits weaknesses in an application's use of sessions in performing authentication. The adversary is able to steal or manipulate an active session and use it to gain unathorized access to the application.

CAPEC-633: Token Impersonation

An adversary exploits a weakness in authentication to create an access token (or equivalent) that impersonates a different entity, and then associates a process/thread to that that impersonated token. This action causes a downstream user to make a decision or take action that is based on the assumed identity, and not the response that blocks the adversary.

CAPEC-650: Upload a Web Shell to a Web Server

By exploiting insufficient permissions, it is possible to upload a web shell to a web server in such a way that it can be executed remotely. This shell can have various capabilities, thereby acting as a "gateway" to the underlying web server. The shell might execute at the higher permission level of the web server, providing the ability the execute malicious code at elevated levels.

CAPEC-94: Adversary in the Middle (AiTM)

An adversary targets the communication between two components (typically client and server), in order to alter or obtain data from transactions. A general approach entails the adversary placing themself within the communication channel between the two components.