Common Weakness Enumeration

CWE-287

Discouraged

Improper Authentication

Abstraction: Class · Status: Draft

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

5970 vulnerabilities reference this CWE, most recent first.

GHSA-F9WQ-3588-GPMC

Vulnerability from github – Published: 2022-05-24 19:13 – Updated: 2022-05-24 19:13
VLAI
Details

This issue was addressed with improved checks. This issue is fixed in macOS Big Sur 11.4. A person with physical access to a Mac may be able to bypass Login Window during a software update.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-30668"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-08T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "This issue was addressed with improved checks. This issue is fixed in macOS Big Sur 11.4. A person with physical access to a Mac may be able to bypass Login Window during a software update.",
  "id": "GHSA-f9wq-3588-gpmc",
  "modified": "2022-05-24T19:13:28Z",
  "published": "2022-05-24T19:13:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30668"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT212529"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-F9WQ-7PG8-8R2R

Vulnerability from github – Published: 2022-05-24 19:05 – Updated: 2022-05-24 19:05
VLAI
Details

Improper authentication vulnerability in Tizen bluetooth-frwk prior to Firmware update JUN-2021 Release allows bluetooth attacker to take over the user's bluetooth device without user awareness.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-25424"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-11T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "Improper authentication vulnerability in Tizen bluetooth-frwk prior to Firmware update JUN-2021 Release allows bluetooth attacker to take over the user\u0027s bluetooth device without user awareness.",
  "id": "GHSA-f9wq-7pg8-8r2r",
  "modified": "2022-05-24T19:05:06Z",
  "published": "2022-05-24T19:05:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25424"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2021\u0026month=6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-F9WW-7RV4-VQFQ

Vulnerability from github – Published: 2021-12-10 00:00 – Updated: 2022-04-20 00:02
VLAI
Details

An authentication bypass vulnerability exists in the get_aes_key_info_by_packetid() function of the home_security binary of Anker Eufy Homebase 2 2.1.6.9h. Generic network sniffing can lead to password recovery. An attacker can sniff network traffic to trigger this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-21955"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-09T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "An authentication bypass vulnerability exists in the get_aes_key_info_by_packetid() function of the home_security binary of Anker Eufy Homebase 2 2.1.6.9h. Generic network sniffing can lead to password recovery. An attacker can sniff network traffic to trigger this vulnerability.",
  "id": "GHSA-f9ww-7rv4-vqfq",
  "modified": "2022-04-20T00:02:07Z",
  "published": "2021-12-10T00:00:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21955"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2021-1382"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FC26-M9PF-V56Q

Vulnerability from github – Published: 2026-06-18 13:52 – Updated: 2026-06-18 13:52
VLAI
Summary
PraisonAI LinearBot processes unsigned webhooks when LINEAR_WEBHOOK_SECRET is missing
Details

PraisonAI LinearBot processes unsigned webhooks when LINEAR_WEBHOOK_SECRET is missing

Summary

PraisonAI's LinearBot starts a public webhook listener on 0.0.0.0 and treats LINEAR_WEBHOOK_SECRET as optional. When the secret is absent, startup only logs a warning and _handle_webhook() skips Linear-Signature verification entirely.

An unauthenticated network caller who can reach the webhook endpoint can submit a forged Linear-Event: AgentSession request. The forged request is parsed, scheduled for background processing, dispatched to _handle_agent_session(), and passed into BotSessionManager.chat(). The bot then attempts to post the agent response back to Linear under the configured bot token.

The local PoV is offline and deterministic. It does not contact Linear. It calls the webhook handler directly, monkey-patches the outbound Linear comment path, and proves both sides of the boundary:

  • no secret configured: unsigned forged webhook returns 200, invokes the agent session path once, and attempts one Linear comment;
  • secret configured: missing and bad signatures both return 401 and do not invoke the agent;
  • secret configured with valid HMAC: request returns 200 and invokes the agent, proving the control path still works.

Affected Product

  • Repository: MervinPraison/PraisonAI
  • Package: praisonai
  • Components:
  • src/praisonai/praisonai/bots/linear.py
  • src/praisonai/praisonai/cli/features/bots_cli.py

Validated affected:

  • live main / latest observed release v4.6.58: 1ad58ca02975ff1398efeda694ea2ab78f20cf3e
  • previous local current checkout: 2f9677abb2ea68eab864ee8b6a828fd0141612e1
  • v4.6.57
  • v4.6.56
  • v4.5.50

Sampled tags where the LinearBot component was not present:

  • v4.5.49
  • v4.5.51
  • v4.6.9
  • v4.6.10

Suggested affected range: LinearBot-bearing releases with the fail-open signature behavior, at least 4.5.50 and >= 4.6.56, <= 4.6.58. The component appears non-contiguously in sampled tags, so maintainers should confirm the exact packaged version history before publishing a final range.

Root Cause

LinearBot.__init__() accepts an empty signing secret and falls back to an empty environment value:

self._signing_secret = signing_secret or os.environ.get("LINEAR_WEBHOOK_SECRET", "")

start() treats the missing secret as a warning instead of refusing to expose the webhook listener:

if not self._signing_secret:
    logger.warning("LINEAR_WEBHOOK_SECRET not set - webhook signatures will not be verified")

self._site = web.TCPSite(self._runner, "0.0.0.0", self._webhook_port)

_handle_webhook() only verifies the request if the secret is truthy:

if self._signing_secret:
    signature = request.headers.get("Linear-Signature", "")
    if not self._verify_signature(raw_body, signature):
        return web.Response(status=401, text="Invalid signature")

With no secret configured, the code continues to JSON parsing, accepts a caller supplied webhookTimestamp, reads the caller supplied Linear-Event header, and schedules processing:

event_type = request.headers.get("Linear-Event", "")
task = asyncio.create_task(self._process_webhook(event_type, body))
return web.Response(status=200, text="OK")

For AgentSession, the forged body is routed to the agent:

if event_type == "AgentSession":
    await self._handle_agent_session(body)
...
response = await self._session_mgr.chat(self._agent, user_id, message.content)
await self._send_comment(...)

The CLI has the same fail-open posture: start_linear() loads LINEAR_WEBHOOK_SECRET, prints a warning when it is missing, then reports a public http://0.0.0.0:<port>/webhook endpoint with verification disabled.

Why This Is Not Intended Behavior

PraisonAI's Linear Bot documentation tells operators to set LINEAR_WEBHOOK_SECRET, pass it to praisonai bot linear, copy the Linear webhook signing secret, and use it for HMAC-SHA256 verification. The same page says missing secrets disable signature verification, while its best-practices section says webhook secrets ensure authenticity.

Linear's webhook documentation says receivers should ensure requests were sent by Linear by verifying the Linear-Signature HMAC over the raw body, then checking that webhookTimestamp is recent. The timestamp check alone is not an authentication boundary because an attacker can supply a current timestamp in a forged body.

The implementation itself also confirms the intended boundary: when a secret is configured, missing and bad signatures are rejected before agent dispatch. The bug is the missing-secret fail-open mode on a public webhook server, not the signature algorithm.

Local PoV

Run against the latest observed release checkout:

python3 submission-bundle/praisonai-prai-cand-013-linear-webhook-signature-fail-open/poc/pov_prai_cand_013_linear_webhook_signature_fail_open.py --repo artifacts/repos/praisonai-v4.6.58

Expected output includes:

{
  "candidate": "PRAI-CAND-013",
  "ok": true,
  "cases": {
    "no_secret_unsigned_forged_webhook": {
      "http_status": 200,
      "signing_secret_configured": false,
      "session_calls": [
        {
          "user_id": "linear-system",
          "content": "Issue: Forged Linear AgentSession event\n\nPRAI-CAND-013 local forged webhook payload"
        }
      ],
      "sent_comments": [
        {
          "issue_id": "issue-prai-cand-013",
          "comment": "agent response",
          "session_id": "prai-cand-013-session"
        }
      ]
    },
    "secret_missing_signature_control": {
      "http_status": 401,
      "session_calls": []
    },
    "secret_bad_signature_control": {
      "http_status": 401,
      "session_calls": []
    },
    "secret_valid_signature_control": {
      "http_status": 200,
      "session_calls": [
        {
          "user_id": "linear-system"
        }
      ]
    }
  }
}

Stored evidence:

  • evidence/pov-v4.6.58.json
  • evidence/pov-live-main-v4.6.58.json
  • evidence/pov-current-head.json
  • evidence/version-sweep.tsv

Impact

If a PraisonAI operator starts LinearBot with a Linear token but omits LINEAR_WEBHOOK_SECRET, any network caller that can reach the webhook endpoint can spoof Linear webhook events and invoke the configured agent through the Linear integration.

For the AgentSession event path, this lets the attacker supply issue title and description content that becomes the agent input. Depending on the configured agent and tools, this can cause unauthorized LLM/tool execution, consume paid model quota, create or update Linear comments under the bot identity, and drive the bot into workflows intended only for authenticated Linear events.

This report does not claim arbitrary code execution by default. The concrete boundary crossed is unauthenticated remote agent invocation through a forged Linear webhook.

Suggested Fix

Fail closed for public webhook listeners:

  1. Refuse to start LinearBot when LINEAR_WEBHOOK_SECRET is missing, unless an explicit development-only option such as --insecure-skip-webhook-signature-verification is provided.
  2. In _handle_webhook(), reject requests when no signing secret is configured instead of silently skipping verification.
  3. Preserve raw-body HMAC verification and constant-time comparison for the configured-secret path.
  4. Treat timestamp freshness as replay protection after signature validation, not as a replacement for authentication.
  5. Prefer loopback binding by default, or require an explicit host flag for public binding.
  6. Add regression tests:
  7. no signing secret rejects startup or rejects webhook requests;
  8. missing signature with a configured secret returns 401;
  9. invalid signature with a configured secret returns 401;
  10. valid HMAC with a configured secret returns success;
  11. stale timestamp after valid HMAC returns 401;
  12. the CLI does not advertise a public unauthenticated webhook by default.
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.6.58"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "praisonai"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.6.56"
            },
            {
              "fixed": "4.6.59"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-306",
      "CWE-347"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-18T13:52:55Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "# PraisonAI LinearBot processes unsigned webhooks when `LINEAR_WEBHOOK_SECRET` is missing\n\n## Summary\n\nPraisonAI\u0027s LinearBot starts a public webhook listener on `0.0.0.0` and treats\n`LINEAR_WEBHOOK_SECRET` as optional. When the secret is absent, startup only logs\na warning and `_handle_webhook()` skips `Linear-Signature` verification entirely.\n\nAn unauthenticated network caller who can reach the webhook endpoint can submit\na forged `Linear-Event: AgentSession` request. The forged request is parsed,\nscheduled for background processing, dispatched to `_handle_agent_session()`,\nand passed into `BotSessionManager.chat()`. The bot then attempts to post the\nagent response back to Linear under the configured bot token.\n\nThe local PoV is offline and deterministic. It does not contact Linear. It calls\nthe webhook handler directly, monkey-patches the outbound Linear comment path,\nand proves both sides of the boundary:\n\n- no secret configured: unsigned forged webhook returns `200`, invokes the\n  agent session path once, and attempts one Linear comment;\n- secret configured: missing and bad signatures both return `401` and do not\n  invoke the agent;\n- secret configured with valid HMAC: request returns `200` and invokes the\n  agent, proving the control path still works.\n\n## Affected Product\n\n- Repository: `MervinPraison/PraisonAI`\n- Package: `praisonai`\n- Components:\n  - `src/praisonai/praisonai/bots/linear.py`\n  - `src/praisonai/praisonai/cli/features/bots_cli.py`\n\nValidated affected:\n\n- live `main` / latest observed release `v4.6.58`:\n  `1ad58ca02975ff1398efeda694ea2ab78f20cf3e`\n- previous local current checkout:\n  `2f9677abb2ea68eab864ee8b6a828fd0141612e1`\n- `v4.6.57`\n- `v4.6.56`\n- `v4.5.50`\n\nSampled tags where the LinearBot component was not present:\n\n- `v4.5.49`\n- `v4.5.51`\n- `v4.6.9`\n- `v4.6.10`\n\nSuggested affected range: LinearBot-bearing releases with the fail-open\nsignature behavior, at least `4.5.50` and `\u003e= 4.6.56, \u003c= 4.6.58`. The\ncomponent appears non-contiguously in sampled tags, so maintainers should\nconfirm the exact packaged version history before publishing a final range.\n\n## Root Cause\n\n`LinearBot.__init__()` accepts an empty signing secret and falls back to an\nempty environment value:\n\n```python\nself._signing_secret = signing_secret or os.environ.get(\"LINEAR_WEBHOOK_SECRET\", \"\")\n```\n\n`start()` treats the missing secret as a warning instead of refusing to expose\nthe webhook listener:\n\n```python\nif not self._signing_secret:\n    logger.warning(\"LINEAR_WEBHOOK_SECRET not set - webhook signatures will not be verified\")\n\nself._site = web.TCPSite(self._runner, \"0.0.0.0\", self._webhook_port)\n```\n\n`_handle_webhook()` only verifies the request if the secret is truthy:\n\n```python\nif self._signing_secret:\n    signature = request.headers.get(\"Linear-Signature\", \"\")\n    if not self._verify_signature(raw_body, signature):\n        return web.Response(status=401, text=\"Invalid signature\")\n```\n\nWith no secret configured, the code continues to JSON parsing, accepts a caller\nsupplied `webhookTimestamp`, reads the caller supplied `Linear-Event` header,\nand schedules processing:\n\n```python\nevent_type = request.headers.get(\"Linear-Event\", \"\")\ntask = asyncio.create_task(self._process_webhook(event_type, body))\nreturn web.Response(status=200, text=\"OK\")\n```\n\nFor `AgentSession`, the forged body is routed to the agent:\n\n```python\nif event_type == \"AgentSession\":\n    await self._handle_agent_session(body)\n...\nresponse = await self._session_mgr.chat(self._agent, user_id, message.content)\nawait self._send_comment(...)\n```\n\nThe CLI has the same fail-open posture: `start_linear()` loads\n`LINEAR_WEBHOOK_SECRET`, prints a warning when it is missing, then reports a\npublic `http://0.0.0.0:\u003cport\u003e/webhook` endpoint with verification disabled.\n\n## Why This Is Not Intended Behavior\n\nPraisonAI\u0027s Linear Bot documentation tells operators to set\n`LINEAR_WEBHOOK_SECRET`, pass it to `praisonai bot linear`, copy the Linear\nwebhook signing secret, and use it for HMAC-SHA256 verification. The same page\nsays missing secrets disable signature verification, while its best-practices\nsection says webhook secrets ensure authenticity.\n\nLinear\u0027s webhook documentation says receivers should ensure requests were sent\nby Linear by verifying the `Linear-Signature` HMAC over the raw body, then\nchecking that `webhookTimestamp` is recent. The timestamp check alone is not an\nauthentication boundary because an attacker can supply a current timestamp in a\nforged body.\n\nThe implementation itself also confirms the intended boundary: when a secret is\nconfigured, missing and bad signatures are rejected before agent dispatch. The\nbug is the missing-secret fail-open mode on a public webhook server, not the\nsignature algorithm.\n\n## Local PoV\n\nRun against the latest observed release checkout:\n\n```bash\npython3 submission-bundle/praisonai-prai-cand-013-linear-webhook-signature-fail-open/poc/pov_prai_cand_013_linear_webhook_signature_fail_open.py --repo artifacts/repos/praisonai-v4.6.58\n```\n\nExpected output includes:\n\n```json\n{\n  \"candidate\": \"PRAI-CAND-013\",\n  \"ok\": true,\n  \"cases\": {\n    \"no_secret_unsigned_forged_webhook\": {\n      \"http_status\": 200,\n      \"signing_secret_configured\": false,\n      \"session_calls\": [\n        {\n          \"user_id\": \"linear-system\",\n          \"content\": \"Issue: Forged Linear AgentSession event\\n\\nPRAI-CAND-013 local forged webhook payload\"\n        }\n      ],\n      \"sent_comments\": [\n        {\n          \"issue_id\": \"issue-prai-cand-013\",\n          \"comment\": \"agent response\",\n          \"session_id\": \"prai-cand-013-session\"\n        }\n      ]\n    },\n    \"secret_missing_signature_control\": {\n      \"http_status\": 401,\n      \"session_calls\": []\n    },\n    \"secret_bad_signature_control\": {\n      \"http_status\": 401,\n      \"session_calls\": []\n    },\n    \"secret_valid_signature_control\": {\n      \"http_status\": 200,\n      \"session_calls\": [\n        {\n          \"user_id\": \"linear-system\"\n        }\n      ]\n    }\n  }\n}\n```\n\nStored evidence:\n\n- `evidence/pov-v4.6.58.json`\n- `evidence/pov-live-main-v4.6.58.json`\n- `evidence/pov-current-head.json`\n- `evidence/version-sweep.tsv`\n\n## Impact\n\nIf a PraisonAI operator starts LinearBot with a Linear token but omits\n`LINEAR_WEBHOOK_SECRET`, any network caller that can reach the webhook endpoint\ncan spoof Linear webhook events and invoke the configured agent through the\nLinear integration.\n\nFor the `AgentSession` event path, this lets the attacker supply issue title and\ndescription content that becomes the agent input. Depending on the configured\nagent and tools, this can cause unauthorized LLM/tool execution, consume paid\nmodel quota, create or update Linear comments under the bot identity, and drive\nthe bot into workflows intended only for authenticated Linear events.\n\nThis report does not claim arbitrary code execution by default. The concrete\nboundary crossed is unauthenticated remote agent invocation through a forged\nLinear webhook.\n\n## Suggested Fix\n\nFail closed for public webhook listeners:\n\n1. Refuse to start LinearBot when `LINEAR_WEBHOOK_SECRET` is missing, unless an\n   explicit development-only option such as\n   `--insecure-skip-webhook-signature-verification` is provided.\n2. In `_handle_webhook()`, reject requests when no signing secret is configured\n   instead of silently skipping verification.\n3. Preserve raw-body HMAC verification and constant-time comparison for the\n   configured-secret path.\n4. Treat timestamp freshness as replay protection after signature validation,\n   not as a replacement for authentication.\n5. Prefer loopback binding by default, or require an explicit host flag for\n   public binding.\n6. Add regression tests:\n   - no signing secret rejects startup or rejects webhook requests;\n   - missing signature with a configured secret returns `401`;\n   - invalid signature with a configured secret returns `401`;\n   - valid HMAC with a configured secret returns success;\n   - stale timestamp after valid HMAC returns `401`;\n   - the CLI does not advertise a public unauthenticated webhook by default.",
  "id": "GHSA-fc26-m9pf-v56q",
  "modified": "2026-06-18T13:52:55Z",
  "published": "2026-06-18T13:52:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-fc26-m9pf-v56q"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/MervinPraison/PraisonAI"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "PraisonAI LinearBot processes unsigned webhooks when LINEAR_WEBHOOK_SECRET is missing"
}

GHSA-FC3J-3F83-7FHR

Vulnerability from github – Published: 2022-05-02 03:41 – Updated: 2022-05-02 03:41
VLAI
Details

Symantec Altiris Deployment Solution 6.9.x before 6.9 SP3 Build 430 does not properly restrict access to the listening port for the DBManager service, which allows remote attackers to bypass authentication and modify tasks or the Altiris Database via a connection to this service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2009-3107"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2009-09-08T23:30:00Z",
    "severity": "MODERATE"
  },
  "details": "Symantec Altiris Deployment Solution 6.9.x before 6.9 SP3 Build 430 does not properly restrict access to the listening port for the DBManager service, which allows remote attackers to bypass authentication and modify tasks or the Altiris Database via a connection to this service.",
  "id": "GHSA-fc3j-3f83-7fhr",
  "modified": "2022-05-02T03:41:45Z",
  "published": "2022-05-02T03:41:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-3107"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/36502"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/36110"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id?1022779"
    },
    {
      "type": "WEB",
      "url": "http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory\u0026pvid=security_advisory\u0026year=2009\u0026suid=20090826_00"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-FC42-9767-VR66

Vulnerability from github – Published: 2022-05-13 01:19 – Updated: 2022-05-13 01:19
VLAI
Details

An issue was discovered in Bloop Airmail 3 3.5.9 for macOS. It registers and uses the airmail:// URL scheme. The "send" command in the URL scheme allows an external application to send arbitrary emails from an active account without authentication. The handler has no restriction on who can use its functionality. The handler can be invoked using any method that invokes the URL handler such as a hyperlink in an email. The user is not prompted when the handler processes the "send" command, thus leading to automatic transmission of an attacker crafted email from the target account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-15667"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-08-21T23:29:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Bloop Airmail 3 3.5.9 for macOS. It registers and uses the airmail:// URL scheme. The \"send\" command in the URL scheme allows an external application to send arbitrary emails from an active account without authentication. The handler has no restriction on who can use its functionality. The handler can be invoked using any method that invokes the URL handler such as a hyperlink in an email. The user is not prompted when the handler processes the \"send\" command, thus leading to automatic transmission of an attacker crafted email from the target account.",
  "id": "GHSA-fc42-9767-vr66",
  "modified": "2022-05-13T01:19:12Z",
  "published": "2022-05-13T01:19:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-15667"
    },
    {
      "type": "WEB",
      "url": "https://versprite.com/advisories/airmail-3-for-mac"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FC8P-R363-WJ97

Vulnerability from github – Published: 2022-05-17 01:32 – Updated: 2022-05-17 01:32
VLAI
Details

The Management Console in Symantec Endpoint Protection (SEP) 11.x before 11.0.7.4 and 12.x before 12.1.2 RU2 and Endpoint Protection Small Business Edition 12.x before 12.1.2 RU2 does not properly perform authentication, which allows remote authenticated users to gain privileges by leveraging access to a limited-admin account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2013-5009"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2014-01-10T16:47:00Z",
    "severity": "HIGH"
  },
  "details": "The Management Console in Symantec Endpoint Protection (SEP) 11.x before 11.0.7.4 and 12.x before 12.1.2 RU2 and Endpoint Protection Small Business Edition 12.x before 12.1.2 RU2 does not properly perform authentication, which allows remote authenticated users to gain privileges by leveraging access to a limited-admin account.",
  "id": "GHSA-fc8p-r363-wj97",
  "modified": "2022-05-17T01:32:39Z",
  "published": "2022-05-17T01:32:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-5009"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90224"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/64128"
    },
    {
      "type": "WEB",
      "url": "http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory\u0026pvid=security_advisory\u0026year=\u0026suid=20140109_00"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-FCHM-M3GC-4JJG

Vulnerability from github – Published: 2022-05-17 01:22 – Updated: 2022-05-17 01:22
VLAI
Details

LXDM before 0.5.2 did not start X server with -auth, which allows local users to bypass authentication with X connections.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2015-8308"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-08-24T20:29:00Z",
    "severity": "HIGH"
  },
  "details": "LXDM before 0.5.2 did not start X server with -auth, which allows local users to bypass authentication with X connections.",
  "id": "GHSA-fchm-m3gc-4jjg",
  "modified": "2022-05-17T01:22:41Z",
  "published": "2022-05-17T01:22:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-8308"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1284460"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2015/11/20/6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FCJC-W42V-V5HP

Vulnerability from github – Published: 2022-05-03 03:20 – Updated: 2022-05-03 03:20
VLAI
Details

The Common Code Infrastructure component in IBM DB2 8 before FP17, 9.1 before FP7, and 9.5 before FP4, when LDAP security (aka IBMLDAPauthserver) and anonymous bind are enabled, allows remote attackers to bypass password authentication and establish a database connection via unspecified vectors.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2009-1905"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2009-06-03T21:00:00Z",
    "severity": "LOW"
  },
  "details": "The Common Code Infrastructure component in IBM DB2 8 before FP17, 9.1 before FP7, and 9.5 before FP4, when LDAP security (aka IBMLDAPauthserver) and anonymous bind are enabled, allows remote attackers to bypass password authentication and establish a database connection via unspecified vectors.",
  "id": "GHSA-fcjc-w42v-v5hp",
  "modified": "2022-05-03T03:20:27Z",
  "published": "2022-05-03T03:20:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-1905"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/50909"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/31787"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/35235"
    },
    {
      "type": "WEB",
      "url": "http://securitytracker.com/id?1022319"
    },
    {
      "type": "WEB",
      "url": "http://www-01.ibm.com/support/docview.wss?uid=swg1JR32268"
    },
    {
      "type": "WEB",
      "url": "http://www-01.ibm.com/support/docview.wss?uid=swg1JR32272"
    },
    {
      "type": "WEB",
      "url": "http://www-01.ibm.com/support/docview.wss?uid=swg1JR32273"
    },
    {
      "type": "WEB",
      "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21293566"
    },
    {
      "type": "WEB",
      "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21318189"
    },
    {
      "type": "WEB",
      "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21386689"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/35171"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/36540"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-FCJP-H8CC-6879

Vulnerability from github – Published: 2026-03-24 21:39 – Updated: 2026-03-27 20:55
VLAI
Summary
NATS is vulnerable to MQTT hijacking via Client ID
Details

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

The nats-server provides an MQTT client interface.

Problem Description

Sessions and Messages can by hijacked via MQTT Client ID malfeasance.

Affected Versions

Any version before v2.12.6 or v2.11.15

Workarounds

None.

Resources

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/nats-io/nats-server/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.11.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/nats-io/nats-server/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.12.0-RC.1"
            },
            {
              "fixed": "2.12.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33215"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-24T21:39:52Z",
    "nvd_published_at": "2026-03-24T21:16:28Z",
    "severity": "MODERATE"
  },
  "details": "### Background\n\nNATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.\n\nThe nats-server provides an MQTT client interface.\n\n### Problem Description\n\nSessions and Messages can by hijacked via MQTT Client ID malfeasance.\n\n### Affected Versions\n\nAny version before v2.12.6 or v2.11.15\n\n### Workarounds\n\nNone.\n\n### Resources\n\n * This document is canonically: \u003chttps://advisories.nats.io/CVE/secnote-2026-06.txt\u003e\n * GHSA advisory: \u003chttps://github.com/nats-io/nats-server/security/advisories/GHSA-fcjp-h8cc-6879\u003e\n * MITRE CVE entry: \u003chttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33215\u003e",
  "id": "GHSA-fcjp-h8cc-6879",
  "modified": "2026-03-27T20:55:01Z",
  "published": "2026-03-24T21:39:52Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-fcjp-h8cc-6879"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33215"
    },
    {
      "type": "WEB",
      "url": "https://advisories.nats.io/CVE/secnote-2026-06.tx"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nats-io/nats-server"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2026-4833"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "NATS is vulnerable to MQTT hijacking via Client ID"
}

Mitigation
Architecture and Design

Strategy: Libraries or Frameworks

Use an authentication framework or library such as the OWASP ESAPI Authentication feature.

CAPEC-114: Authentication Abuse

An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker.

CAPEC-115: Authentication Bypass

An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place.

CAPEC-151: Identity Spoofing

Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principle or use stolen / spoofed authentication credentials.

CAPEC-194: Fake the Source of Data

An adversary takes advantage of improper authentication to provide data or services under a falsified identity. The purpose of using the falsified identity may be to prevent traceability of the provided data or to assume the rights granted to another individual. One of the simplest forms of this attack would be the creation of an email message with a modified "From" field in order to appear that the message was sent from someone other than the actual sender. The root of the attack (in this case the email system) fails to properly authenticate the source and this results in the reader incorrectly performing the instructed action. Results of the attack vary depending on the details of the attack, but common results include privilege escalation, obfuscation of other attacks, and data corruption/manipulation.

CAPEC-22: Exploiting Trust in Client

An attack of this type exploits vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by communicating directly with the server where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.

CAPEC-57: Utilizing REST's Trust in the System Resource to Obtain Sensitive Data

This attack utilizes a REST(REpresentational State Transfer)-style applications' trust in the system resources and environment to obtain sensitive data once SSL is terminated.

CAPEC-593: Session Hijacking

This type of attack involves an adversary that exploits weaknesses in an application's use of sessions in performing authentication. The adversary is able to steal or manipulate an active session and use it to gain unathorized access to the application.

CAPEC-633: Token Impersonation

An adversary exploits a weakness in authentication to create an access token (or equivalent) that impersonates a different entity, and then associates a process/thread to that that impersonated token. This action causes a downstream user to make a decision or take action that is based on the assumed identity, and not the response that blocks the adversary.

CAPEC-650: Upload a Web Shell to a Web Server

By exploiting insufficient permissions, it is possible to upload a web shell to a web server in such a way that it can be executed remotely. This shell can have various capabilities, thereby acting as a "gateway" to the underlying web server. The shell might execute at the higher permission level of the web server, providing the ability the execute malicious code at elevated levels.

CAPEC-94: Adversary in the Middle (AiTM)

An adversary targets the communication between two components (typically client and server), in order to alter or obtain data from transactions. A general approach entails the adversary placing themself within the communication channel between the two components.