CWE-287
DiscouragedImproper Authentication
Abstraction: Class · Status: Draft
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
5964 vulnerabilities reference this CWE, most recent first.
GHSA-JPCP-6VJ6-JF48
Vulnerability from github – Published: 2022-05-14 04:04 – Updated: 2025-04-20 03:49An issue was discovered in the software on Vaultek Gun Safe VT20i products, aka BlueSteal. An attacker can remotely unlock any safe in this product line without a valid PIN code. Even though the phone application requires it and there is a field to supply the PIN code in an authorization request, the safe does not check the PIN code, so an attacker can obtain authorization using any value. Once an attacker sees the Bluetooth Low Energy (BLE) advertisement for the safe, they need only to write a BLE characteristic to enable notifications, and send a crafted getAuthor packet that returns a temporary key, and an unlock packet including that temporary key. The safe then opens after the unlock packet is processed, with no verification of PIN or other credentials.
{
"affected": [],
"aliases": [
"CVE-2017-17435"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-12-07T00:29:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in the software on Vaultek Gun Safe VT20i products, aka BlueSteal. An attacker can remotely unlock any safe in this product line without a valid PIN code. Even though the phone application requires it and there is a field to supply the PIN code in an authorization request, the safe does not check the PIN code, so an attacker can obtain authorization using any value. Once an attacker sees the Bluetooth Low Energy (BLE) advertisement for the safe, they need only to write a BLE characteristic to enable notifications, and send a crafted getAuthor packet that returns a temporary key, and an unlock packet including that temporary key. The safe then opens after the unlock packet is processed, with no verification of PIN or other credentials.",
"id": "GHSA-jpcp-6vj6-jf48",
"modified": "2025-04-20T03:49:32Z",
"published": "2022-05-14T04:04:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-17435"
},
{
"type": "WEB",
"url": "https://vaulteksafe.com/index.php/cve-2017-17435"
},
{
"type": "WEB",
"url": "https://www.twosixlabs.com/bluesteal-popping-gatt-safes"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JPJ4-4C3J-HHWF
Vulnerability from github – Published: 2022-05-17 02:56 – Updated: 2022-05-17 02:56VDG Security SENSE (formerly DIVA) 2.3.13 performs authentication with a password hash instead of a password, which allows remote attackers to gain login access by leveraging knowledge of a password hash.
{
"affected": [],
"aliases": [
"CVE-2014-9578"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2015-01-08T15:59:00Z",
"severity": "MODERATE"
},
"details": "VDG Security SENSE (formerly DIVA) 2.3.13 performs authentication with a password hash instead of a password, which allows remote attackers to gain login access by leveraging knowledge of a password hash.",
"id": "GHSA-jpj4-4c3j-hhwf",
"modified": "2022-05-17T02:56:49Z",
"published": "2022-05-17T02:56:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-9578"
},
{
"type": "WEB",
"url": "https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20141218-0_VDG_Security_SENSE_Multiple_critical_vulnerabilities_v10.txt"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/129656/VDG-Security-SENSE-2.3.13-File-Disclosure-Bypass-Buffer-Overflow.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2014/Dec/76"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-JPMC-7P9C-4RXF
Vulnerability from github – Published: 2024-12-09 22:43 – Updated: 2026-06-26 19:31Summary
If a server.ca file is present in LXD_DIR at LXD start up, LXD is in "PKI mode". In this mode, all clients must have certificates that have been signed by the CA.
The LXD configuration option core.trust_ca_certificates defaults to false. This means that although the client certificate has been signed by the CA, LXD will additionally add the certificate to the trust store and verify it via mTLS.
When a restricted certificate is added to the trust store in this mode, it's restrictions are not honoured, and the client has full access to LXD.
Details
When authorization was refactored to allow for generalisation (at the time for TLS, RBAC, and OpenFGA, see https://github.com/canonical/lxd/pull/12313), PKI mode did not account for the core.trust_ca_certificates configuration option. When this option is enabled, all CA-signed client certificates are given full access to LXD. This cherry-pick from Incus was added to LXD to fix the issue.
The cherry-pick fixed the immediate issue and allowed full access to LXD for CA-signed client certificates when core.trust_ca_certificates is enabled, but did not consider the behaviour of LXD when core.trust_ca_certificates is disabled.
When core.trust_ca_certificates is false, restrictions that are applied to a certificate should be honoured. Instead, they are being ignored due to the presence of a server.ca file in LXD_DIR.
PoC
# Install/initialize LXD
$ snap install lxd --channel 5.21/stable
$ lxd init --auto
$ lxc config set core.https_address=127.0.0.1:8443
# Use easyrsa for configuring CA: https://github.com/OpenVPN/easy-rsa
$ cp -R /usr/share/easy-rsa "/tmp/pki"
$ export EASYRSA_KEY_SIZE=4096
$ cd /tmp/pki
$ ./easyrsa init-pki
$ echo "lxd" | ./easyrsa build-ca nopass
$ ./easyrsa build-client-full lxd-client nopass
$ cp pki/ca.crt /var/snap/lxd/common/lxd/server.ca
$ cp pki/issued/lxd-client.crt ~/snap/lxd/common/config/client.crt
$ cp pki/private/lxd-client.key ~/snap/lxd/common/config/client.key
# Restart daemon.
$ systemctl reload snap.lxd.daemon
# Add a restricted certificate to the trust store.
$ token="$(lxc config trust add --name ca-test --quiet --restricted)"
$ lxc remote add tls "${token}"
# Our client has a CA-signed certificate, but it is restricted, so the client should not be able to view server config.
$ lxc config get tls: core.https_address
127.0.0.1:8443
Impact
I believe this vulnerability is low impact because PKI mode is:
1. Not the standard or recommended mode of operation for LXD.
2. While core.trust_ca_certificates defaults to false, we believe that users who enable PKI mode will generally have core.trust_ca_certificates enabled to allow for passwordless PKI with CRL revocation (see https://github.com/canonical/lxd/issues/3832). When this mode is enabled, all clients with CA-signed certificates have root access* anyway.
*Note: If a restricted certificate is added before core.trust_ca_certificates is enabled, the certificate becomes unrestricted. We believe this was the original intention of the PR, but this should be changed to disallow any unintended permission change.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/canonical/lxd"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20240403103450-0e7f2b5bf4d2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-6219"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-295"
],
"github_reviewed": true,
"github_reviewed_at": "2024-12-09T22:43:13Z",
"nvd_published_at": "2024-12-06T00:15:04Z",
"severity": "LOW"
},
"details": "### Summary\nIf a `server.ca` file is present in `LXD_DIR` at LXD start up, LXD is in \"PKI mode\". In this mode, all clients must have certificates that have been signed by the CA. \n\nThe LXD configuration option `core.trust_ca_certificates` defaults to `false`. This means that although the client certificate has been signed by the CA, LXD will additionally add the certificate to the trust store and verify it via mTLS.\n\nWhen a restricted certificate is added to the trust store in this mode, it\u0027s restrictions are not honoured, and the client has full access to LXD.\n\n### Details\nWhen authorization was refactored to allow for generalisation (at the time for TLS, RBAC, and OpenFGA, see https://github.com/canonical/lxd/pull/12313), PKI mode did not account for the `core.trust_ca_certificates` configuration option. When this option is enabled, all CA-signed client certificates are given full access to LXD. [This cherry-pick from Incus](https://github.com/canonical/lxd/pull/12513/commits/5cdc9a35b9c51e981b1e70330bde0413ccacc7fd) was added to LXD to fix the issue. \n\nThe cherry-pick fixed the immediate issue and allowed full access to LXD for CA-signed client certificates when `core.trust_ca_certificates` is enabled, but did not consider the behaviour of LXD when `core.trust_ca_certificates` is disabled. \n\nWhen `core.trust_ca_certificates` is false, restrictions that are applied to a certificate should be honoured. Instead, they are being ignored due to the presence of a `server.ca` file in `LXD_DIR`.\n\n### PoC\n```\n# Install/initialize LXD\n$ snap install lxd --channel 5.21/stable\n$ lxd init --auto\n$ lxc config set core.https_address=127.0.0.1:8443\n\n# Use easyrsa for configuring CA: https://github.com/OpenVPN/easy-rsa\n$ cp -R /usr/share/easy-rsa \"/tmp/pki\"\n$ export EASYRSA_KEY_SIZE=4096\n$ cd /tmp/pki\n$ ./easyrsa init-pki\n$ echo \"lxd\" | ./easyrsa build-ca nopass\n$ ./easyrsa build-client-full lxd-client nopass\n$ cp pki/ca.crt /var/snap/lxd/common/lxd/server.ca\n$ cp pki/issued/lxd-client.crt ~/snap/lxd/common/config/client.crt\n$ cp pki/private/lxd-client.key ~/snap/lxd/common/config/client.key\n\n# Restart daemon.\n$ systemctl reload snap.lxd.daemon\n\n# Add a restricted certificate to the trust store.\n$ token=\"$(lxc config trust add --name ca-test --quiet --restricted)\"\n$ lxc remote add tls \"${token}\"\n\n# Our client has a CA-signed certificate, but it is restricted, so the client should not be able to view server config.\n$ lxc config get tls: core.https_address\n127.0.0.1:8443\n```\n\n### Impact\nI believe this vulnerability is low impact because PKI mode is:\n1. Not the standard or recommended mode of operation for LXD.\n2. While `core.trust_ca_certificates` defaults to false, we believe that users who enable PKI mode will generally have `core.trust_ca_certificates` enabled to allow for passwordless PKI with CRL revocation (see https://github.com/canonical/lxd/issues/3832). When this mode is enabled, all clients with CA-signed certificates have root access* anyway.\n\n*Note: If a restricted certificate is added before `core.trust_ca_certificates` is enabled, the certificate becomes unrestricted. We believe this was the original intention of the PR, but this should be changed to disallow any unintended permission change.",
"id": "GHSA-jpmc-7p9c-4rxf",
"modified": "2026-06-26T19:31:18Z",
"published": "2024-12-09T22:43:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/canonical/lxd/security/advisories/GHSA-jpmc-7p9c-4rxf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6219"
},
{
"type": "WEB",
"url": "https://github.com/canonical/lxd/pull/12313"
},
{
"type": "WEB",
"url": "https://github.com/canonical/lxd/commit/5cdc9a35b9c51e981b1e70330bde0413ccacc7fd"
},
{
"type": "PACKAGE",
"url": "https://github.com/canonical/lxd"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2024-3313"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-6219"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "lxd has a restricted TLS certificate privilege escalation when in PKI mode"
}
GHSA-JPMG-3WRF-2XQ2
Vulnerability from github – Published: 2022-05-14 02:41 – Updated: 2022-05-14 02:41SAP SRM MDM Catalog versions 3.73, 7.31, 7.32 in (SAP NetWeaver 7.3) - import functionality does not perform authentication checks for valid repository user. This is an unauthenticated functionality that you can use on windows machines to do SMB relaying.
{
"affected": [],
"aliases": [
"CVE-2018-2449"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-08-14T16:29:00Z",
"severity": "HIGH"
},
"details": "SAP SRM MDM Catalog versions 3.73, 7.31, 7.32 in (SAP NetWeaver 7.3) - import functionality does not perform authentication checks for valid repository user. This is an unauthenticated functionality that you can use on windows machines to do SMB relaying.",
"id": "GHSA-jpmg-3wrf-2xq2",
"modified": "2022-05-14T02:41:28Z",
"published": "2022-05-14T02:41:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-2449"
},
{
"type": "WEB",
"url": "https://launchpad.support.sap.com/#/notes/2655250"
},
{
"type": "WEB",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=499352742"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/105079"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JPQG-VX8M-6W9J
Vulnerability from github – Published: 2025-09-05 00:32 – Updated: 2025-09-18 15:30Azure Entra Elevation of Privilege Vulnerability
{
"affected": [],
"aliases": [
"CVE-2025-55241"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-04T23:15:32Z",
"severity": "CRITICAL"
},
"details": "Azure Entra Elevation of Privilege Vulnerability",
"id": "GHSA-jpqg-vx8m-6w9j",
"modified": "2025-09-18T15:30:24Z",
"published": "2025-09-05T00:32:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55241"
},
{
"type": "WEB",
"url": "https://dirkjanm.io/obtaining-global-admin-in-every-entra-id-tenant-with-actor-tokens"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55241"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JPR6-P297-4W5G
Vulnerability from github – Published: 2022-05-24 19:03 – Updated: 2022-05-28 00:00The CTS Web transaction system related to authentication management is implemented incorrectly. After login, remote attackers can manipulate cookies to access other accounts and trade in the stock market with spoofed identity.
{
"affected": [],
"aliases": [
"CVE-2021-32543"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-28T08:15:00Z",
"severity": "MODERATE"
},
"details": "The CTS Web transaction system related to authentication management is implemented incorrectly. After login, remote attackers can manipulate cookies to access other accounts and trade in the stock market with spoofed identity.",
"id": "GHSA-jpr6-p297-4w5g",
"modified": "2022-05-28T00:00:30Z",
"published": "2022-05-24T19:03:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32543"
},
{
"type": "WEB",
"url": "https://www.chtsecurity.com/news/40e165e2-e539-49bc-bcf1-e3b27c29e344"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-4759-92eab-1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JQ2F-3XC4-634F
Vulnerability from github – Published: 2022-05-13 01:38 – Updated: 2025-04-20 03:34Revive Adserver before 3.2.3 suffers from Improper Restriction of Excessive Authentication Attempts. The login page of Revive Adserver is vulnerable to password-guessing attacks. An account lockdown feature was considered, but rejected to avoid introducing service disruptions to regular users during such attacks. A random delay has instead been introduced as a countermeasure in case of password failures, along with a system to discourage parallel brute forcing. These systems will effectively allow the valid users to log in to the adserver, even while an attack is in progress.
{
"affected": [],
"aliases": [
"CVE-2016-9124"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-03-28T02:59:00Z",
"severity": "CRITICAL"
},
"details": "Revive Adserver before 3.2.3 suffers from Improper Restriction of Excessive Authentication Attempts. The login page of Revive Adserver is vulnerable to password-guessing attacks. An account lockdown feature was considered, but rejected to avoid introducing service disruptions to regular users during such attacks. A random delay has instead been introduced as a countermeasure in case of password failures, along with a system to discourage parallel brute forcing. These systems will effectively allow the valid users to log in to the adserver, even while an attack is in progress.",
"id": "GHSA-jq2f-3xc4-634f",
"modified": "2025-04-20T03:34:57Z",
"published": "2022-05-13T01:38:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9124"
},
{
"type": "WEB",
"url": "https://github.com/revive-adserver/revive-adserver/commit/847941390f5b3310d51b07c92ec91cc1f4cc82c9"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/96115"
},
{
"type": "WEB",
"url": "https://www.revive-adserver.com/security/revive-sa-2016-001"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JQ2R-G8WH-6Q3V
Vulnerability from github – Published: 2022-05-24 22:28 – Updated: 2022-05-24 22:28A vulnerability in specified versions of American Dynamics victor Web Client and Software House C•CURE Web Client could allow an unauthenticated attacker on the network to create and sign their own JSON Web Token and use it to execute an HTTP API Method without the need for valid authentication/authorization. Under certain circumstances, this could be used by an attacker to impact system availability by conducting a Denial of Service attack.
{
"affected": [],
"aliases": [
"CVE-2020-9049"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-19T16:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability in specified versions of American Dynamics victor Web Client and Software House C\u2022CURE Web Client could allow an unauthenticated attacker on the network to create and sign their own JSON Web Token and use it to execute an HTTP API Method without the need for valid authentication/authorization. Under certain circumstances, this could be used by an attacker to impact system availability by conducting a Denial of Service attack.",
"id": "GHSA-jq2r-g8wh-6q3v",
"modified": "2022-05-24T22:28:46Z",
"published": "2022-05-24T22:28:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9049"
},
{
"type": "WEB",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-324-01"
},
{
"type": "WEB",
"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-JQ3J-8JMP-V6JP
Vulnerability from github – Published: 2022-03-30 00:00 – Updated: 2022-04-05 00:00A vulnerability classified as critical was found in SourceCodester One Church Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /one_church/userregister.php. The manipulation leads to authentication bypass. The attack can be launched remotely.
{
"affected": [],
"aliases": [
"CVE-2022-1084"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-29T06:15:00Z",
"severity": "CRITICAL"
},
"details": "A vulnerability classified as critical was found in SourceCodester One Church Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /one_church/userregister.php. The manipulation leads to authentication bypass. The attack can be launched remotely.",
"id": "GHSA-jq3j-8jmp-v6jp",
"modified": "2022-04-05T00:00:41Z",
"published": "2022-03-30T00:00:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1084"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.195643"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JQ56-QCGV-3PHX
Vulnerability from github – Published: 2022-05-14 01:55 – Updated: 2022-05-14 01:55Intelbras NPLUG 1.0.0.14 wireless repeater devices have a critical vulnerability that allows an attacker to authenticate in the web interface just by using "admin:" as the name of a cookie.
{
"affected": [],
"aliases": [
"CVE-2018-12455"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-10-10T21:29:00Z",
"severity": "HIGH"
},
"details": "Intelbras NPLUG 1.0.0.14 wireless repeater devices have a critical vulnerability that allows an attacker to authenticate in the web interface just by using \"admin:\" as the name of a cookie.",
"id": "GHSA-jq56-qcgv-3phx",
"modified": "2022-05-14T01:55:58Z",
"published": "2022-05-14T01:55:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12455"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2018/Oct/18"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Libraries or Frameworks
Use an authentication framework or library such as the OWASP ESAPI Authentication feature.
CAPEC-114: Authentication Abuse
An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker.
CAPEC-115: Authentication Bypass
An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place.
CAPEC-151: Identity Spoofing
Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principle or use stolen / spoofed authentication credentials.
CAPEC-194: Fake the Source of Data
An adversary takes advantage of improper authentication to provide data or services under a falsified identity. The purpose of using the falsified identity may be to prevent traceability of the provided data or to assume the rights granted to another individual. One of the simplest forms of this attack would be the creation of an email message with a modified "From" field in order to appear that the message was sent from someone other than the actual sender. The root of the attack (in this case the email system) fails to properly authenticate the source and this results in the reader incorrectly performing the instructed action. Results of the attack vary depending on the details of the attack, but common results include privilege escalation, obfuscation of other attacks, and data corruption/manipulation.
CAPEC-22: Exploiting Trust in Client
An attack of this type exploits vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by communicating directly with the server where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
CAPEC-57: Utilizing REST's Trust in the System Resource to Obtain Sensitive Data
This attack utilizes a REST(REpresentational State Transfer)-style applications' trust in the system resources and environment to obtain sensitive data once SSL is terminated.
CAPEC-593: Session Hijacking
This type of attack involves an adversary that exploits weaknesses in an application's use of sessions in performing authentication. The adversary is able to steal or manipulate an active session and use it to gain unathorized access to the application.
CAPEC-633: Token Impersonation
An adversary exploits a weakness in authentication to create an access token (or equivalent) that impersonates a different entity, and then associates a process/thread to that that impersonated token. This action causes a downstream user to make a decision or take action that is based on the assumed identity, and not the response that blocks the adversary.
CAPEC-650: Upload a Web Shell to a Web Server
By exploiting insufficient permissions, it is possible to upload a web shell to a web server in such a way that it can be executed remotely. This shell can have various capabilities, thereby acting as a "gateway" to the underlying web server. The shell might execute at the higher permission level of the web server, providing the ability the execute malicious code at elevated levels.
CAPEC-94: Adversary in the Middle (AiTM)
An adversary targets the communication between two components (typically client and server), in order to alter or obtain data from transactions. A general approach entails the adversary placing themself within the communication channel between the two components.