Common Weakness Enumeration

CWE-287

Discouraged

Improper Authentication

Abstraction: Class · Status: Draft

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

5966 vulnerabilities reference this CWE, most recent first.

GHSA-MFFC-9GX5-99G3

Vulnerability from github – Published: 2022-05-14 01:46 – Updated: 2024-09-27 15:49
VLAI
Summary
python-kerberos vulnerable to KDC spoofing attacks
Details

The checkPassword function in python-kerberos does not authenticate the KDC it attempts to communicate with, which allows remote attackers to cause a denial of service (bad response), or have other unspecified impact by performing a man-in-the-middle attack.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "kerberos"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.2.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pykerberos"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2015-3206"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-23T20:53:08Z",
    "nvd_published_at": "2017-08-25T18:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "The `checkPassword` function in python-kerberos does not authenticate the KDC it attempts to communicate with, which allows remote attackers to cause a denial of service (bad response), or have other unspecified impact by performing a man-in-the-middle attack.",
  "id": "GHSA-mffc-9gx5-99g3",
  "modified": "2024-09-27T15:49:07Z",
  "published": "2022-05-14T01:46:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-3206"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apple/ccs-pykerberos/issues/31"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apple/ccs-pykerberos/commit/9cb61c93f9b24dd18a0a315f3df5445529c5c333"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1223802"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apple/ccs-pykerberos"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/kerberos/PYSEC-2017-49.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/pykerberos/PYSEC-2017-66.yaml"
    },
    {
      "type": "WEB",
      "url": "https://pypi.python.org/pypi/kerberos"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20150910143429/https://trac.calendarserver.org/ticket/833"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20200228090829/http://www.securityfocus.com/bid/74760"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2015/05/21/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "python-kerberos vulnerable to KDC spoofing attacks"
}

GHSA-MFHM-PR46-C4C3

Vulnerability from github – Published: 2022-05-17 00:01 – Updated: 2022-05-25 00:00
VLAI
Details

The WPQA Builder Plugin WordPress plugin before 5.2, used as a companion plugin for the Discy and Himer , does not validate that the value passed to the image_id parameter of the ajax action wpqa_remove_image belongs to the requesting user, allowing any users (with privileges as low as Subscriber) to delete the profile pictures of any other user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-1349"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-16T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The WPQA Builder Plugin WordPress plugin before 5.2, used as a companion plugin for the Discy and Himer , does not validate that the value passed to the image_id parameter of the ajax action wpqa_remove_image belongs to the requesting user, allowing any users (with privileges as low as Subscriber) to delete the profile pictures of any other user.",
  "id": "GHSA-mfhm-pr46-c4c3",
  "modified": "2022-05-25T00:00:19Z",
  "published": "2022-05-17T00:01:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1349"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/7ee95a53-5fe9-404c-a77a-d1218265e4aa"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MFJ5-CF8G-G2FV

Vulnerability from github – Published: 2024-12-02 20:04 – Updated: 2024-12-18 15:56
VLAI
Summary
AsyncHttpClient (AHC) library's `CookieStore` replaces explicitly defined `Cookie`s
Details

Summary

When making any HTTP request, the automatically enabled and self-managed CookieStore (aka cookie jar) will silently replace explicitly defined Cookies with any that have the same name from the cookie jar. For services that operate with multiple users, this can result in one user's Cookie being used for another user's requests.

Details

This issue is described without security warnings here:

https://github.com/AsyncHttpClient/async-http-client/issues/1964

A PR to fix this issue has been made:

https://github.com/AsyncHttpClient/async-http-client/pull/2033

PoC

  1. Add an auth Cookie to the CookieStore
    • This is identical to receiving an HTTP response that uses Set-Cookie, as shown in issue #1964 above.
  2. Handle a different user's request where the same Cookie is provided as a passthrough, like a JWT, and attempt to use it by explicitly providing it.
  3. Observe that the user's cookie in step 2 is passed as the Cookie in step 1.

Impact

This is generally going to be a problem for developers of backend services that implement third party auth features and use other features like token refresh. The moment a third party service responds by setting a cookie in the response, the CookieStore will effectively break almost every follow-up request (hopefully by being rejected, but possibly by revealing a different user's information).

If your service sets cookies based on the response that happens here, it's possible to lead to even greater levels of exposure.

Workaroud

You can avoid this issue by disabling the CookieStore during client creation:

DefaultAsyncHttpClientConfig.Builder clientBuilder = Dsl.config()
 .setCookieStore(null)
 // other configuration
 ;
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.asynchttpclient:async-http-client"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.1.0"
            },
            {
              "fixed": "2.12.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.asynchttpclient:async-http-client"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0.Beta1"
            },
            {
              "fixed": "3.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-53990"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-02T20:04:43Z",
    "nvd_published_at": "2024-12-02T18:15:11Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\n\nWhen making any HTTP request, the automatically enabled and self-managed `CookieStore` (aka cookie jar) will silently replace explicitly defined `Cookie`s with any that have the same name from the cookie jar. For services that operate with multiple users, this can result in one user\u0027s `Cookie` being used for another user\u0027s requests.\n\n### Details\n\nThis issue is described without security warnings here:\n\nhttps://github.com/AsyncHttpClient/async-http-client/issues/1964\n\nA PR to fix this issue has been made:\n\nhttps://github.com/AsyncHttpClient/async-http-client/pull/2033\n\n### PoC\n\n1. Add an auth `Cookie` to the `CookieStore`\n    - This is identical to receiving an HTTP response that uses `Set-Cookie`, as shown in issue #1964 above.\n2. Handle a different user\u0027s request where the same `Cookie` is provided as a passthrough, like a JWT, and attempt to use it by explicitly providing it.\n3. Observe that the user\u0027s cookie in step 2 is passed as the Cookie in step 1.\n\n### Impact\n\nThis is generally going to be a problem for developers of backend services that implement third party auth features and use other features like token refresh. The moment a third party service responds by _setting_ a cookie in the response, the `CookieStore` will effectively break almost every follow-up request (hopefully by being rejected, but possibly by revealing a different user\u0027s information).\n\nIf your service sets cookies based on the response that happens here, it\u0027s possible to lead to even greater levels of exposure.\n\n### Workaroud\n\nYou can avoid this issue by disabling the `CookieStore` during client creation:\n\n```java\nDefaultAsyncHttpClientConfig.Builder clientBuilder = Dsl.config()\n .setCookieStore(null)\n // other configuration\n ;\n```",
  "id": "GHSA-mfj5-cf8g-g2fv",
  "modified": "2024-12-18T15:56:40Z",
  "published": "2024-12-02T20:04:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/AsyncHttpClient/async-http-client/security/advisories/GHSA-mfj5-cf8g-g2fv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53990"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AsyncHttpClient/async-http-client/issues/1964"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AsyncHttpClient/async-http-client/pull/2033"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AsyncHttpClient/async-http-client/commit/d5a83362f7aed81b93ebca559746ac9be0f95425"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/AsyncHttpClient/async-http-client"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AsyncHttpClient/async-http-client/blob/main/CHANGES.md#from-20-to-21"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "AsyncHttpClient (AHC) library\u0027s `CookieStore` replaces explicitly defined `Cookie`s"
}

GHSA-MFJQ-7FFC-QGMV

Vulnerability from github – Published: 2024-03-08 18:30 – Updated: 2024-03-08 18:30
VLAI
Details

An improper authentication vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to compromise the security of the system via a network.

We have already fixed the vulnerability in the following versions: QTS 5.1.3.2578 build 20231110 and later QTS 4.5.4.2627 build 20231225 and later QuTS hero h5.1.3.2578 build 20231110 and later QuTS hero h4.5.4.2626 build 20231225 and later QuTScloud c5.1.5.2651 and later

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-21899"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-08T17:15:22Z",
    "severity": "CRITICAL"
  },
  "details": "An improper authentication vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to compromise the security of the system via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.1.3.2578 build 20231110 and later\nQTS 4.5.4.2627 build 20231225 and later\nQuTS hero h5.1.3.2578 build 20231110 and later\nQuTS hero h4.5.4.2626 build 20231225 and later\nQuTScloud c5.1.5.2651 and later\n",
  "id": "GHSA-mfjq-7ffc-qgmv",
  "modified": "2024-03-08T18:30:31Z",
  "published": "2024-03-08T18:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21899"
    },
    {
      "type": "WEB",
      "url": "https://www.qnap.com/en/security-advisory/qsa-24-09"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MFM8-X888-WXXX

Vulnerability from github – Published: 2022-05-17 01:39 – Updated: 2022-05-17 01:39
VLAI
Details

Java Open Single Sign-On Project Home (JOSSO) allows remote attackers to forge messages and bypass authentication via a SAML assertion that lacks a Signature element, aka a "Signature exclusion attack."

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2012-5352"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2012-10-09T23:55:00Z",
    "severity": "MODERATE"
  },
  "details": "Java Open Single Sign-On Project Home (JOSSO) allows remote attackers to forge messages and bypass authentication via a SAML assertion that lacks a Signature element, aka a \"Signature exclusion attack.\"",
  "id": "GHSA-mfm8-x888-wxxx",
  "modified": "2022-05-17T01:39:46Z",
  "published": "2022-05-17T01:39:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-5352"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=865169"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/79241"
    },
    {
      "type": "WEB",
      "url": "http://www.nds.rub.de/media/nds/veroeffentlichungen/2012/08/22/BreakingSAML_3.pdf"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/55892"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-MFPX-CX7P-6JC6

Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2022-07-13 00:01
VLAI
Details

HashiCorp Vault Enterprise 0.9.2 through 1.6.2 allowed the read of license metadata from DR secondaries without authentication. Fixed in 1.6.3.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-27668"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-306"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-31T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "HashiCorp Vault Enterprise 0.9.2 through 1.6.2 allowed the read of license metadata from DR secondaries without authentication. Fixed in 1.6.3.",
  "id": "GHSA-mfpx-cx7p-6jc6",
  "modified": "2022-07-13T00:01:13Z",
  "published": "2022-05-24T19:12:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27668"
    },
    {
      "type": "WEB",
      "url": "https://discuss.hashicorp.com/t/hcsec-2021-05-vault-enterprise-s-dr-secondaries-exposed-license-metadata-without-authentication/21427"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202207-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MFRQ-67VR-MFX7

Vulnerability from github – Published: 2022-05-17 00:37 – Updated: 2022-05-17 00:37
VLAI
Details

Zeeways SHAADICLONE 2.0 allows remote attackers to bypass authentication and gain administrative privileges via a direct request to admin/home.php.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-6912"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2009-08-07T19:00:00Z",
    "severity": "HIGH"
  },
  "details": "Zeeways SHAADICLONE 2.0 allows remote attackers to bypass authentication and gain administrative privileges via a direct request to admin/home.php.",
  "id": "GHSA-mfrq-67vr-mfx7",
  "modified": "2022-05-17T00:37:30Z",
  "published": "2022-05-17T00:37:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-6912"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46502"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/7066"
    },
    {
      "type": "WEB",
      "url": "http://osvdb.org/49746"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/32222"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2008/3069"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-MFXF-3HWQ-XPWQ

Vulnerability from github – Published: 2022-05-17 00:38 – Updated: 2022-05-17 00:38
VLAI
Details

MyShoutPro 1.2 allows remote attackers to bypass authentication and gain administrative access by setting the admin_access cookie to 1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-6738"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2009-04-21T18:30:00Z",
    "severity": "HIGH"
  },
  "details": "MyShoutPro 1.2 allows remote attackers to bypass authentication and gain administrative access by setting the admin_access cookie to 1.",
  "id": "GHSA-mfxf-3hwq-xpwq",
  "modified": "2022-05-17T00:38:32Z",
  "published": "2022-05-17T00:38:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-6738"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/43145"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/5845"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/29780"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-MG2F-G382-VVC6

Vulnerability from github – Published: 2024-09-05 12:31 – Updated: 2024-09-05 12:31
VLAI
Details

This vulnerability allows unauthenticated remote attackers to bypass authentication and gain partial data access to the vulnerable Trellix IPS Manager with garbage data in response mostly

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-5956"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-305"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-05T11:15:12Z",
    "severity": "MODERATE"
  },
  "details": "This vulnerability allows unauthenticated remote attackers to bypass authentication and gain partial data access to the vulnerable Trellix IPS Manager with garbage data in response mostly",
  "id": "GHSA-mg2f-g382-vvc6",
  "modified": "2024-09-05T12:31:16Z",
  "published": "2024-09-05T12:31:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5956"
    },
    {
      "type": "WEB",
      "url": "https://thrive.trellix.com/s/article/000013870"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MG2G-8PWJ-R2J2

Vulnerability from github – Published: 2021-06-10 17:21 – Updated: 2022-03-15 16:38
VLAI
Summary
Authentication bypass in SilverStripe GraphQL
Details

The GraphQL module accepts basic-auth as an authentication method by default. This can be used to bypass MFA authentication if the silverstripe/mfa module is installed, which is now a commonly installed module. A users password is still required though.

Basic-auth has been removed as a default authentication method. If desired, it can be re-enabled by adding it to the authenticators key of a schema, or on SilverStripe\Graphql\Auth\Handler

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "silverstripe/graphql"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "silverstripe/graphql"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0-alpha1"
            },
            {
              "fixed": "4.0.0-alpha2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-26136"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-288"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-06-10T14:41:10Z",
    "nvd_published_at": "2021-06-08T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The GraphQL module accepts basic-auth as an authentication method by default. This can be used to bypass MFA authentication if the silverstripe/mfa module is installed, which is now a commonly installed module. A users password is still required though.\n\nBasic-auth has been removed as a default authentication method. If desired, it can be re-enabled by adding it to the authenticators key of a schema, or on SilverStripe\\Graphql\\Auth\\Handler",
  "id": "GHSA-mg2g-8pwj-r2j2",
  "modified": "2022-03-15T16:38:13Z",
  "published": "2021-06-10T17:21:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26136"
    },
    {
      "type": "WEB",
      "url": "https://forum.silverstripe.org/c/releases"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/graphql/CVE-2020-26136.yaml"
    },
    {
      "type": "WEB",
      "url": "https://www.silverstripe.org/blog/tag/release"
    },
    {
      "type": "WEB",
      "url": "https://www.silverstripe.org/download/security-releases"
    },
    {
      "type": "WEB",
      "url": "https://www.silverstripe.org/download/security-releases/cve-2020-26136"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Authentication bypass in SilverStripe GraphQL"
}

Mitigation
Architecture and Design

Strategy: Libraries or Frameworks

Use an authentication framework or library such as the OWASP ESAPI Authentication feature.

CAPEC-114: Authentication Abuse

An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker.

CAPEC-115: Authentication Bypass

An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place.

CAPEC-151: Identity Spoofing

Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principle or use stolen / spoofed authentication credentials.

CAPEC-194: Fake the Source of Data

An adversary takes advantage of improper authentication to provide data or services under a falsified identity. The purpose of using the falsified identity may be to prevent traceability of the provided data or to assume the rights granted to another individual. One of the simplest forms of this attack would be the creation of an email message with a modified "From" field in order to appear that the message was sent from someone other than the actual sender. The root of the attack (in this case the email system) fails to properly authenticate the source and this results in the reader incorrectly performing the instructed action. Results of the attack vary depending on the details of the attack, but common results include privilege escalation, obfuscation of other attacks, and data corruption/manipulation.

CAPEC-22: Exploiting Trust in Client

An attack of this type exploits vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by communicating directly with the server where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.

CAPEC-57: Utilizing REST's Trust in the System Resource to Obtain Sensitive Data

This attack utilizes a REST(REpresentational State Transfer)-style applications' trust in the system resources and environment to obtain sensitive data once SSL is terminated.

CAPEC-593: Session Hijacking

This type of attack involves an adversary that exploits weaknesses in an application's use of sessions in performing authentication. The adversary is able to steal or manipulate an active session and use it to gain unathorized access to the application.

CAPEC-633: Token Impersonation

An adversary exploits a weakness in authentication to create an access token (or equivalent) that impersonates a different entity, and then associates a process/thread to that that impersonated token. This action causes a downstream user to make a decision or take action that is based on the assumed identity, and not the response that blocks the adversary.

CAPEC-650: Upload a Web Shell to a Web Server

By exploiting insufficient permissions, it is possible to upload a web shell to a web server in such a way that it can be executed remotely. This shell can have various capabilities, thereby acting as a "gateway" to the underlying web server. The shell might execute at the higher permission level of the web server, providing the ability the execute malicious code at elevated levels.

CAPEC-94: Adversary in the Middle (AiTM)

An adversary targets the communication between two components (typically client and server), in order to alter or obtain data from transactions. A general approach entails the adversary placing themself within the communication channel between the two components.