Common Weakness Enumeration

CWE-287

Discouraged

Improper Authentication

Abstraction: Class · Status: Draft

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

5978 vulnerabilities reference this CWE, most recent first.

GHSA-V8HX-4VX8-WC96

Vulnerability from github – Published: 2026-07-14 00:33 – Updated: 2026-07-14 00:33
VLAI
Summary
Kimai: Pre-2FA KIMAI_SESSION cookie grants full authenticated REST API access, bypassing TOTP
Details

Summary

Two-factor authentication (TOTP) can be fully bypassed for the REST API. The KIMAI_SESSION cookie returned in the response to the login request; issued after only the password is verified, before the TOTP step; is already accepted as authenticated by every /api/* endpoint.

So after submitting just the password, the web UI correctly holds the browser at the TOTP screen (/en/auth/2fa), but the cookie from that same login response can be replayed against the API to act as the user without ever entering the second factor. This affects any account with 2FA enabled and requires only the account password.

Details

Affected Component

  • The API firewall / authorization.

config/packages/security.yaml guards the API with { path: '^/api', roles: IS_AUTHENTICATED }. During 2FA the session carries a Scheb TwoFactorToken, which satisfies IS_AUTHENTICATED (it is a real, non-anonymous token). App\API\Authentication\ApiRequestMatcher returns !$request->hasPreviousSession(), so a request that carries the login session skips the stateless API firewall and is served by the main session firewall; Scheb's TwoFactorAccessDecider::isAccessible() then evaluates IS_AUTHENTICATED to true for ^/api and lets it through, and App\Voter\ApiVoter grants API to any token whose user is a User. Web routes are not affected because they require concrete roles (e.g. ROLE_USER) that a TwoFactorToken does not hold.

PoC

A PoC was provided, but removed for security reasons.

Impact

Two-factor authentication provides no protection for the REST API. If an attacker obtains a user's password (phishing, credential stuffing, reuse, breach); exactly the threat 2FA is meant to defend against; they get full authenticated API access as that user without the second factor. The whole exploit is a single cookie taken from the login response; no API token, Bearer header or CSRF token is required.

Solution

  • The /api/ firewall now uses IS_AUTHENTICATED_REMEMBERED which is only assigned after 2FA. The historically used IS_AUTHENTICATED flag is applied immediately after login and before 2FA happened.
  • The APIVoter checks both $token instanceof TwoFactorTokenInterface and isGranted('IS_AUTHENTICATED_2FA_IN_PROGRESS', $user) to make sure that the user is not currently in the 2FA step.
  • Regression tests were added to prevent future escalation of the same issue.

See https://www.kimai.org/en/security/ghsa-v8hx-4vx8-wc96 for more information.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "kimai/kimai"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.59.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-52827"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-14T00:33:39Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nTwo-factor authentication (TOTP) can be fully bypassed for the REST API. The `KIMAI_SESSION` cookie returned in the response to the login request; issued after only the password is verified, before the TOTP step; is already accepted as authenticated by every `/api/*` endpoint.\n\nSo after submitting just the password, the web UI correctly holds the browser at the TOTP screen (`/en/auth/2fa`), but the cookie from that same login response can be replayed against the API to act as the user without ever entering the second factor. This affects any account with 2FA enabled and requires only the account password.\n\n### Details\n\n#### Affected Component\n- The API firewall / authorization.\n\n`config/packages/security.yaml` guards the API with `{ path: \u0027^/api\u0027, roles: IS_AUTHENTICATED }`. During 2FA the session carries a Scheb `TwoFactorToken`, which satisfies `IS_AUTHENTICATED` (it is a real, non-anonymous token). `App\\API\\Authentication\\ApiRequestMatcher` returns `!$request-\u003ehasPreviousSession()`, so a request that carries the login session skips the stateless API firewall and is served by the main session firewall; Scheb\u0027s `TwoFactorAccessDecider::isAccessible()` then evaluates `IS_AUTHENTICATED` to true for `^/api` and lets it through, and `App\\Voter\\ApiVoter` grants `API` to any token whose user is a `User`. Web routes are not affected because they require concrete roles (e.g. `ROLE_USER`) that a `TwoFactorToken` does not hold.\n\n### PoC\n\n_A PoC was provided, but removed for security reasons._\n\n### Impact\n\nTwo-factor authentication provides no protection for the REST API. If an attacker obtains a user\u0027s password (phishing, credential stuffing, reuse, breach); exactly the threat 2FA is meant to defend against; they get full authenticated API access as that user without the second factor. The whole exploit is a single cookie taken from the login response; no API token, Bearer header or CSRF token is required.\n\n## Solution\n\n- The `/api/` firewall now uses `IS_AUTHENTICATED_REMEMBERED` which is only assigned after 2FA. The historically used `IS_AUTHENTICATED` flag  is applied immediately after login and before 2FA happened.\n- The APIVoter checks both `$token instanceof TwoFactorTokenInterface` and  `isGranted(\u0027IS_AUTHENTICATED_2FA_IN_PROGRESS\u0027, $user)` to make sure that the user is not currently in the  2FA step.\n- Regression tests were added to prevent future escalation of the same issue.\n\nSee [https://www.kimai.org/en/security/ghsa-v8hx-4vx8-wc96](https://www.kimai.org/en/security/ghsa-v8hx-4vx8-wc96) for more information.",
  "id": "GHSA-v8hx-4vx8-wc96",
  "modified": "2026-07-14T00:33:39Z",
  "published": "2026-07-14T00:33:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/kimai/kimai/security/advisories/GHSA-v8hx-4vx8-wc96"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kimai/kimai"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Kimai: Pre-2FA KIMAI_SESSION\u00a0cookie grants full authenticated REST API access, bypassing TOTP"
}

GHSA-V8JW-9WV4-WXG3

Vulnerability from github – Published: 2026-07-04 15:30 – Updated: 2026-07-04 15:30
VLAI
Details

A security vulnerability has been detected in NousResearch hermes-agent up to 0.15.2. This affects the function DiscordAdapter._is_allowed_user of the file gateway/platforms/discord.py of the component Discord Platform Integration. Such manipulation leads to improper authentication. The attack can be launched remotely. This attack is characterized by high complexity. The exploitability is reported as difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-14627"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-04T13:16:30Z",
    "severity": "LOW"
  },
  "details": "A security vulnerability has been detected in NousResearch hermes-agent up to 0.15.2. This affects the function DiscordAdapter._is_allowed_user of the file gateway/platforms/discord.py of the component Discord Platform Integration. Such manipulation leads to improper authentication. The attack can be launched remotely. This attack is characterized by high complexity. The exploitability is reported as difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-v8jw-9wv4-wxg3",
  "modified": "2026-07-04T15:30:23Z",
  "published": "2026-07-04T15:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14627"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/YLChen-007/d030c690b10a97319efb129ca2f5badb"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/cve/CVE-2026-14627"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/submit/845598"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/376143"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/376143/cti"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-V8QG-Q79M-VP4Q

Vulnerability from github – Published: 2022-05-24 19:13 – Updated: 2022-05-24 19:13
VLAI
Details

An issue existed with authenticating the action triggered by an NFC tag. The issue was addressed with improved action authentication. This issue is fixed in iOS 14.5 and iPadOS 14.5. A person with physical access to an iOS device may be able to place phone calls to any phone number.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-1863"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-08T15:15:00Z",
    "severity": "LOW"
  },
  "details": "An issue existed with authenticating the action triggered by an NFC tag. The issue was addressed with improved action authentication. This issue is fixed in iOS 14.5 and iPadOS 14.5. A person with physical access to an iOS device may be able to place phone calls to any phone number.",
  "id": "GHSA-v8qg-q79m-vp4q",
  "modified": "2022-05-24T19:13:33Z",
  "published": "2022-05-24T19:13:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1863"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT212317"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-V92C-556H-XM93

Vulnerability from github – Published: 2025-08-06 18:31 – Updated: 2025-08-06 18:31
VLAI
Details

On April 18th 2025, Microsoft announced Exchange Server Security Changes for Hybrid Deployments and accompanying non-security Hot Fix. Microsoft made these changes in the general interest of improving the security of hybrid Exchange deployments. Following further investigation, Microsoft identified specific security implications tied to the guidance and configuration steps outlined in the April announcement. Microsoft is issuing CVE-2025-53786 to document a vulnerability that is addressed by taking the steps documented with the April 18th announcement. Microsoft strongly recommends reading the information, installing the April 2025 (or later) Hot Fix and implementing the changes in your Exchange Server and hybrid environment.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-53786"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-06T16:15:30Z",
    "severity": "HIGH"
  },
  "details": "On April 18th 2025, Microsoft announced Exchange Server Security Changes for Hybrid Deployments and accompanying non-security Hot Fix. Microsoft made these changes in the general interest of improving the security of hybrid Exchange deployments. Following further investigation, Microsoft identified specific security implications tied to the guidance and configuration steps outlined in the April announcement. Microsoft is issuing CVE-2025-53786 to document a vulnerability that is addressed by taking the steps documented with the April 18th announcement. Microsoft strongly recommends reading the information, installing the April 2025 (or later) Hot Fix and implementing the changes in your Exchange Server and hybrid environment.",
  "id": "GHSA-v92c-556h-xm93",
  "modified": "2025-08-06T18:31:20Z",
  "published": "2025-08-06T18:31:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53786"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53786"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V92F-PW9W-HQP7

Vulnerability from github – Published: 2022-05-17 05:20 – Updated: 2022-05-17 05:20
VLAI
Details

user.php in NextBBS 0.6 allows remote attackers to bypass authentication and gain administrator access by setting the userkey cookie to 1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2012-1602"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2012-10-01T23:55:00Z",
    "severity": "HIGH"
  },
  "details": "user.php in NextBBS 0.6 allows remote attackers to bypass authentication and gain administrator access by setting the userkey cookie to 1.",
  "id": "GHSA-v92f-pw9w-hqp7",
  "modified": "2022-05-17T05:20:46Z",
  "published": "2022-05-17T05:20:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-1602"
    },
    {
      "type": "WEB",
      "url": "http://archives.neohapsis.com/archives/bugtraq/2012-03/0135.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.org/files/111250/NextBBS-0.6.0-Authentication-Bypass-SQL-Injection-XSS.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2012/03/29/8"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2012/03/30/2"
    },
    {
      "type": "WEB",
      "url": "http://www.osvdb.org/80626"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/52728"
    },
    {
      "type": "WEB",
      "url": "http://www.waraxe.us/advisory-80.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-V95F-QPG4-XQ52

Vulnerability from github – Published: 2024-11-05 09:30 – Updated: 2024-11-05 09:30
VLAI
Details

The WooCommerce - Social Login plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.7.7. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-10114"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-05T09:15:03Z",
    "severity": "HIGH"
  },
  "details": "The WooCommerce - Social Login plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.7.7. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token.",
  "id": "GHSA-v95f-qpg4-xq52",
  "modified": "2024-11-05T09:30:37Z",
  "published": "2024-11-05T09:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10114"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/71df23bf-8f51-4260-be1f-ed5bc29d4afe?source=cve"
    },
    {
      "type": "WEB",
      "url": "https://www.wpwebelite.com/changelogs/woocommerce-social-login/changelog.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V95J-QHVJ-8V9X

Vulnerability from github – Published: 2022-05-24 19:16 – Updated: 2022-05-24 19:16
VLAI
Details

In all versions of GitLab CE/EE since version 14.1, an improper access control vulnerability allows users with expired password to still access GitLab through git and API through access tokens acquired before password expiration.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-39872"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-10-05T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In all versions of GitLab CE/EE since version 14.1, an improper access control vulnerability allows users with expired password to still access GitLab through git and API through access tokens acquired before password expiration.",
  "id": "GHSA-v95j-qhvj-8v9x",
  "modified": "2022-05-24T19:16:34Z",
  "published": "2022-05-24T19:16:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39872"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/1285226"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39872.json"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/337954"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-V985-H9J9-WV32

Vulnerability from github – Published: 2025-09-23 12:31 – Updated: 2026-03-31 15:31
VLAI
Details

Improper authentication vulnerability in Novakon P series allows unauthenticated attackers to upload and download any application from/to the device.This issue affects P series: P – V2001.A.C518o2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-9965"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-23T12:15:29Z",
    "severity": "CRITICAL"
  },
  "details": "Improper authentication vulnerability in Novakon P series allows unauthenticated attackers to upload and download any application from/to the device.This issue affects P series: P \u2013 V2001.A.C518o2.",
  "id": "GHSA-v985-h9j9-wv32",
  "modified": "2026-03-31T15:31:52Z",
  "published": "2025-09-23T12:31:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9965"
    },
    {
      "type": "WEB",
      "url": "https://cyberdanube.com/security-research/multiple-vulnerabilities-in-novakon-hmi-series"
    },
    {
      "type": "WEB",
      "url": "https://www.novakon.com.tw/common/frontend/download?path=/uploads/images/support/download/NOVAKON_P-Series-HMI_Security-Advisory_CVE-2025-9962-9966_Rev2_0.pdf"
    },
    {
      "type": "WEB",
      "url": "https://www.novakon.com.tw/en/news/detail/Security_Advisory__Firmware_Update_Available_for_NOVAKON_P_Series_HMI_Products"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/Sep/70"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-V98J-7CRC-WVRJ

Vulnerability from github – Published: 2022-02-09 22:03 – Updated: 2022-02-09 22:03
VLAI
Summary
Authentication bypass in Apache Shiro
Details

Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.shiro:shiro-web"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.7.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.shiro:shiro-spring"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.7.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.shiro:shiro-spring-boot-starter"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.7.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-17523"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-05T21:20:26Z",
    "nvd_published_at": "2021-02-03T17:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.",
  "id": "GHSA-v98j-7crc-wvrj",
  "modified": "2022-02-09T22:03:57Z",
  "published": "2022-02-09T22:03:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-17523"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/shiro/pull/263"
    },
    {
      "type": "WEB",
      "url": "https://issues.apache.org/jira/browse/SHIRO-797"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r5b93ddf97e2c4cda779d22fab30539bdec454cfa5baec4ad0ffae235@%3Cgitbox.activemq.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r679ca97813384bdb1a4c087810ba44d9ad9c7c11583979bb7481d196@%3Cdev.shiro.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r852971e28f54cafa7d325bd7033115c67d613b112a2a1076817390ac@%3Cdev.shiro.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r9d93dfb5df016b1a71a808486bc8f9fbafebbdbc8533625f91253f1d@%3Cdev.shiro.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rce5943430a6136d37a1f2fc201d245fe094e2727a0bc27e3b2d43a39%40%3Cdev.shiro.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rd4b613e121438b97e3eb263cac3137caddb1dbd8f648b73a4f1898a6@%3Cissues.activemq.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/re25b8317b00a50272a7252c4552cf1a81a97984cc2111ef7728e48e0@%3Cdev.shiro.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "http://shiro.apache.org/download.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Authentication bypass in Apache Shiro"
}

GHSA-V9F9-QWJ8-VJFF

Vulnerability from github – Published: 2022-04-30 18:19 – Updated: 2022-04-30 18:19
VLAI
Details

An interaction between Microsoft Outlook Web Access (OWA) with RSA SecurID allows local users to bypass the SecurID authentication for a previous user via several submissions of an OWA Authentication request with the proper OWA password for the previous user, which is eventually accepted by OWA.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2002-0507"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2002-08-12T04:00:00Z",
    "severity": "LOW"
  },
  "details": "An interaction between Microsoft Outlook Web Access (OWA) with RSA SecurID allows local users to bypass the SecurID authentication for a previous user via several submissions of an OWA Authentication request with the proper OWA password for the previous user, which is eventually accepted by OWA.",
  "id": "GHSA-v9f9-qwj8-vjff",
  "modified": "2022-04-30T18:19:22Z",
  "published": "2022-04-30T18:19:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2002-0507"
    },
    {
      "type": "WEB",
      "url": "http://online.securityfocus.com/archive/1/264705"
    },
    {
      "type": "WEB",
      "url": "http://www.iss.net/security_center/static/8681.php"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/4390"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Architecture and Design

Strategy: Libraries or Frameworks

Use an authentication framework or library such as the OWASP ESAPI Authentication feature.

CAPEC-114: Authentication Abuse

An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker.

CAPEC-115: Authentication Bypass

An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place.

CAPEC-151: Identity Spoofing

Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principle or use stolen / spoofed authentication credentials.

CAPEC-194: Fake the Source of Data

An adversary takes advantage of improper authentication to provide data or services under a falsified identity. The purpose of using the falsified identity may be to prevent traceability of the provided data or to assume the rights granted to another individual. One of the simplest forms of this attack would be the creation of an email message with a modified "From" field in order to appear that the message was sent from someone other than the actual sender. The root of the attack (in this case the email system) fails to properly authenticate the source and this results in the reader incorrectly performing the instructed action. Results of the attack vary depending on the details of the attack, but common results include privilege escalation, obfuscation of other attacks, and data corruption/manipulation.

CAPEC-22: Exploiting Trust in Client

An attack of this type exploits vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by communicating directly with the server where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.

CAPEC-57: Utilizing REST's Trust in the System Resource to Obtain Sensitive Data

This attack utilizes a REST(REpresentational State Transfer)-style applications' trust in the system resources and environment to obtain sensitive data once SSL is terminated.

CAPEC-593: Session Hijacking

This type of attack involves an adversary that exploits weaknesses in an application's use of sessions in performing authentication. The adversary is able to steal or manipulate an active session and use it to gain unathorized access to the application.

CAPEC-633: Token Impersonation

An adversary exploits a weakness in authentication to create an access token (or equivalent) that impersonates a different entity, and then associates a process/thread to that that impersonated token. This action causes a downstream user to make a decision or take action that is based on the assumed identity, and not the response that blocks the adversary.

CAPEC-650: Upload a Web Shell to a Web Server

By exploiting insufficient permissions, it is possible to upload a web shell to a web server in such a way that it can be executed remotely. This shell can have various capabilities, thereby acting as a "gateway" to the underlying web server. The shell might execute at the higher permission level of the web server, providing the ability the execute malicious code at elevated levels.

CAPEC-94: Adversary in the Middle (AiTM)

An adversary targets the communication between two components (typically client and server), in order to alter or obtain data from transactions. A general approach entails the adversary placing themself within the communication channel between the two components.