Common Weakness Enumeration

CWE-290

Allowed

Authentication Bypass by Spoofing

Abstraction: Base · Status: Incomplete

This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

928 vulnerabilities reference this CWE, most recent first.

GHSA-6XWX-7GHH-J6W4

Vulnerability from github – Published: 2026-06-01 21:30 – Updated: 2026-06-01 21:30
VLAI
Details

IBM WebSphere Application Server 9.0, and 8.5 is vulnerable to identity spoofing.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-8644"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-01T19:16:55Z",
    "severity": "CRITICAL"
  },
  "details": "IBM WebSphere Application Server 9.0, and 8.5 is vulnerable to identity spoofing.",
  "id": "GHSA-6xwx-7ghh-j6w4",
  "modified": "2026-06-01T21:30:44Z",
  "published": "2026-06-01T21:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8644"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7274740"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7232-97C6-J525

Vulnerability from github – Published: 2025-10-02 21:20 – Updated: 2025-11-05 22:04
VLAI
Summary
Canonical LXD Source Container Identification Vulnerability via cmdline Spoofing in devLXD Server
Details

Impact

In LXD's devLXD server, the source container identification process uses process cmdline (command line) information, allowing attackers to impersonate other containers by spoofing process names.

The core issue lies in the findContainerForPID function in lxd/api_devlxd.go. This function identifies senders through two steps as shown below:

  1. cmdline-based identification: Check while tracing back through parent processes, and if it starts with [lxc monitor], extract the project name and container name from that process name in the format projectName_containerName.
  2. PID namespace-based identification: If not found in Step 1, check against all containers' PID namespaces.

https://github.com/canonical/lxd/blob/43d5189564d27f6161b430ed258c8b56603c2759/lxd/api_devlxd.go#L166-L276

Attackers can exploit Step 1 processing to impersonate arbitrary containers across projects by spoofing process names.

Reproduction Steps

  1. Access devLXD server from a normal container (e.g., EEEE):
root@EEEE:~# curl --unix-socket /dev/lxd/sock http://lxd-host/1.0/meta-data
instance-id: 9f928574-2561-4eff-af82-a68e57d3c68b
local-hostname: EEEE
  1. Use exec -a to spoof process name and impersonate another container (DDDD):
root@EEEE:~# bash -c "exec -a '[lxc monitor]' curl --unix-socket /dev/lxd/sock http://lxd-host/1.0/meta-data -x 'test-project_DDDD'"
instance-id: 1bb2f1c3-3ad2-4cd6-9965-67b14c3582cc
local-hostname: DDDD

This attack successfully obtains metadata (instance-id, local-hostname) of another container DDDD from within container EEEE.

Risk

This vulnerability allows attackers to perform the following actions:

  1. Theft of other containers' metadata information Obtaining other containers' information via devLXD API's /1.0/meta-data endpoint: https://github.com/canonical/lxd/blob/43d5189564d27f6161b430ed258c8b56603c2759/lxd/devlxd.go#L295-L304

  2. Obtaining other containers' configuration information via devLXD API's /1.0/config and /1.0/config/{key} endpoints: https://github.com/canonical/lxd/blob/43d5189564d27f6161b430ed258c8b56603c2759/lxd/devlxd.go#L175-L221 https://github.com/canonical/lxd/blob/43d5189564d27f6161b430ed258c8b56603c2759/lxd/devlxd.go#L228-L267

  3. Obtaining other containers' device information via devLXD API's /1.0/devices endpoint: https://github.com/canonical/lxd/blob/43d5189564d27f6161b430ed258c8b56603c2759/lxd/devlxd.go#L377-L395 Particularly in environments where multiple projects run containers on the same LXD host, inter-project information leakage may occur. The attack prerequisite is root privileges within any container.

Countermeasures

While containers basically run in separate PID namespaces, based on investigation, the [lxc monitor] process runs in the same PID namespace as the LXD execution process. Therefore, the problem can be resolved by modifying the implementation to use cmdline information only when the PID namespace of the target process matches the PID namespace of the process running LXD.

Patches

LXD Series Status
6 Fixed in LXD 6.5
5.21 Fixed in LXD 5.21.4
5.0 Ignored - Not critical
4.0 Ignored - EOL and not critical

References

Reported by GMO Flatt Security Inc.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/canonical/lxd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0"
            },
            {
              "fixed": "5.21.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/canonical/lxd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0"
            },
            {
              "fixed": "6.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/canonical/lxd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0-20200331193331-03aab09f5b5c"
            },
            {
              "fixed": "0.0.0-20250827065555-0494f5d47e41"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-54288"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-02T21:20:25Z",
    "nvd_published_at": "2025-10-02T10:15:38Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nIn LXD\u0027s devLXD server, the source container identification process uses process cmdline (command line) information, allowing attackers to impersonate other containers by spoofing process names.\n\nThe core issue lies in the findContainerForPID function in `lxd/api_devlxd.go`. \nThis function identifies senders through two steps as shown below:\n\n1. cmdline-based identification: Check while tracing back through parent processes, and if it starts with `[lxc monitor]`, extract the project name and container name from that process name in the format projectName_containerName.\n2. PID namespace-based identification: If not found in Step 1, check against all containers\u0027 PID namespaces.\n\nhttps://github.com/canonical/lxd/blob/43d5189564d27f6161b430ed258c8b56603c2759/lxd/api_devlxd.go#L166-L276\n\nAttackers can exploit Step 1 processing to impersonate arbitrary containers across projects by spoofing process names.\n\n### Reproduction Steps\n1. Access devLXD server from a normal container (e.g., EEEE):\n\n```\nroot@EEEE:~# curl --unix-socket /dev/lxd/sock http://lxd-host/1.0/meta-data\ninstance-id: 9f928574-2561-4eff-af82-a68e57d3c68b\nlocal-hostname: EEEE\n```\n\n2. Use exec -a to spoof process name and impersonate another container (DDDD):\n\n```\nroot@EEEE:~# bash -c \"exec -a \u0027[lxc monitor]\u0027 curl --unix-socket /dev/lxd/sock http://lxd-host/1.0/meta-data -x \u0027test-project_DDDD\u0027\"\ninstance-id: 1bb2f1c3-3ad2-4cd6-9965-67b14c3582cc\nlocal-hostname: DDDD\n```\n\nThis attack successfully obtains metadata (instance-id, local-hostname) of another container\nDDDD from within container EEEE.\n\n### Risk\nThis vulnerability allows attackers to perform the following actions:\n\n1. Theft of other containers\u0027 metadata information\nObtaining other containers\u0027 information via devLXD API\u0027s /1.0/meta-data endpoint:\nhttps://github.com/canonical/lxd/blob/43d5189564d27f6161b430ed258c8b56603c2759/lxd/devlxd.go#L295-L304\n\n2. Obtaining other containers\u0027 configuration information via devLXD API\u0027s /1.0/config and /1.0/config/{key} endpoints:\nhttps://github.com/canonical/lxd/blob/43d5189564d27f6161b430ed258c8b56603c2759/lxd/devlxd.go#L175-L221\nhttps://github.com/canonical/lxd/blob/43d5189564d27f6161b430ed258c8b56603c2759/lxd/devlxd.go#L228-L267\n\n4. Obtaining other containers\u0027 device information via devLXD API\u0027s /1.0/devices endpoint:\nhttps://github.com/canonical/lxd/blob/43d5189564d27f6161b430ed258c8b56603c2759/lxd/devlxd.go#L377-L395\nParticularly in environments where multiple projects run containers on the same LXD host,\ninter-project information leakage may occur. The attack prerequisite is root privileges within\nany container.\n\n### Countermeasures\nWhile containers basically run in separate PID namespaces, based on investigation, the `[lxc monitor]` process runs in the same PID namespace as the LXD execution process. Therefore, the problem can be resolved by modifying the implementation to use cmdline information only when the PID namespace of the target process matches the PID namespace of the process running LXD.\n\n### Patches\n\n| LXD Series  | Status |\n| ------------- | ------------- |\n| 6 | Fixed in LXD 6.5  |\n| 5.21 | Fixed in LXD 5.21.4  |\n| 5.0 | Ignored - Not critical  |\n| 4.0  | Ignored - EOL and not critical |\n\n### References\nReported by  GMO Flatt Security Inc.",
  "id": "GHSA-7232-97c6-j525",
  "modified": "2025-11-05T22:04:46Z",
  "published": "2025-10-02T21:20:25Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/canonical/lxd/security/advisories/GHSA-7232-97c6-j525"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54288"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/canonical/lxd"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2025-4001"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Canonical LXD Source Container Identification Vulnerability via cmdline Spoofing in devLXD Server"
}

GHSA-733X-G8M7-Q4JM

Vulnerability from github – Published: 2023-01-23 15:30 – Updated: 2023-01-31 18:30
VLAI
Details

The FluentAuth WordPress plugin before 1.0.2 prioritizes getting a visitor's IP address from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass the IP-based blocks set by the plugin.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-4746"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-23T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "The FluentAuth WordPress plugin before 1.0.2 prioritizes getting a visitor\u0027s IP address from certain HTTP headers over PHP\u0027s REMOTE_ADDR, which makes it possible to bypass the IP-based blocks set by the plugin.",
  "id": "GHSA-733x-g8m7-q4jm",
  "modified": "2023-01-31T18:30:24Z",
  "published": "2023-01-23T15:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4746"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/62e3babc-00c6-4a35-972f-8f03ba70ba32"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-735V-X99Q-VQ7W

Vulnerability from github – Published: 2022-05-13 01:19 – Updated: 2022-05-13 01:19
VLAI
Details

Authentication Bypass by Spoofing vulnerability in ECOS System Management Appliance (aka SMA) 5.2.68 allows a man-in-the-middle attacker to compromise authentication keys and configurations via IP spoofing during "Easy Enrollment."

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-12331"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-06-17T16:29:00Z",
    "severity": "HIGH"
  },
  "details": "Authentication Bypass by Spoofing vulnerability in ECOS System Management Appliance (aka SMA) 5.2.68 allows a man-in-the-middle attacker to compromise authentication keys and configurations via IP spoofing during \"Easy Enrollment.\"",
  "id": "GHSA-735v-x99q-vq7w",
  "modified": "2022-05-13T01:19:01Z",
  "published": "2022-05-13T01:19:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12331"
    },
    {
      "type": "WEB",
      "url": "https://telematik.prakinf.tu-ilmenau.de/ecos-sbs/advisory.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7365-JMQC-QF8W

Vulnerability from github – Published: 2025-12-19 00:31 – Updated: 2025-12-19 00:31
VLAI
Details

Microsoft Edge (Chromium-based) Spoofing Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-65046"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290",
      "CWE-451"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-18T22:16:01Z",
    "severity": "LOW"
  },
  "details": "Microsoft Edge (Chromium-based) Spoofing Vulnerability",
  "id": "GHSA-7365-jmqc-qf8w",
  "modified": "2025-12-19T00:31:42Z",
  "published": "2025-12-19T00:31:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65046"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-65046"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7446-X75G-7GMF

Vulnerability from github – Published: 2022-05-24 19:14 – Updated: 2022-05-24 19:14
VLAI
Details

Yandex Browser before 20.10.0 allows remote attackers to spoof the address bar

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-27970"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-13T12:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Yandex Browser before 20.10.0 allows remote attackers to spoof the address bar",
  "id": "GHSA-7446-x75g-7gmf",
  "modified": "2022-05-24T19:14:21Z",
  "published": "2022-05-24T19:14:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27970"
    },
    {
      "type": "WEB",
      "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-75HV-856G-Q3WX

Vulnerability from github – Published: 2023-07-06 19:24 – Updated: 2024-04-04 05:32
VLAI
Details

A CWE-290: Authentication Bypass by Spoofing vulnerability exists that could cause legitimate users to be locked out of devices or facilitate backdoor account creation by spoofing a device on the local network. Affected Products: EcoStruxure™ Cybersecurity Admin Expert (CAE) (Versions prior to 2.2)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-32747"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-30T23:15:00Z",
    "severity": "HIGH"
  },
  "details": "A CWE-290: Authentication Bypass by Spoofing vulnerability exists that could cause legitimate users to be locked out of devices or facilitate backdoor account creation by spoofing a device on the local network. Affected Products: EcoStruxure\u2122 Cybersecurity Admin Expert (CAE) (Versions prior to 2.2)",
  "id": "GHSA-75hv-856g-q3wx",
  "modified": "2024-04-04T05:32:06Z",
  "published": "2023-07-06T19:24:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32747"
    },
    {
      "type": "WEB",
      "url": "https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-165-08_Cybersecurity_Admin_Expert_Security_Notification.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7654-7H8M-J5FF

Vulnerability from github – Published: 2025-12-13 18:30 – Updated: 2026-01-14 18:31
VLAI
Details

The SWD debug interface on the Growatt ShineLan-X communication dongle is available by default, allowing an attacker to attain debug access to the device and to extracting secrets or domains from within the device

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-36753"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-13T16:16:54Z",
    "severity": "HIGH"
  },
  "details": "The SWD debug interface on the Growatt ShineLan-X communication dongle is available by default, allowing an attacker to attain debug access to the device and to extracting secrets or domains from within the device",
  "id": "GHSA-7654-7h8m-j5ff",
  "modified": "2026-01-14T18:31:16Z",
  "published": "2025-12-13T18:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36753"
    },
    {
      "type": "WEB",
      "url": "https://csirt.divd.nl/CVE-2025-36753"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-77F9-JV8V-XRJP

Vulnerability from github – Published: 2022-07-30 00:00 – Updated: 2022-08-06 00:00
VLAI
Details

Due to a bug in the handling of the communication between the client and server, it was possible for one client, already registered with their own client ID, to send messages to the server claiming to come from another client ID. This issue was resolved in Velociraptor 0.6.5-2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-35629"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-290"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-29T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Due to a bug in the handling of the communication between the client and server, it was possible for one client, already registered with their own client ID, to send messages to the server claiming to come from another client ID. This issue was resolved in Velociraptor 0.6.5-2.",
  "id": "GHSA-77f9-jv8v-xrjp",
  "modified": "2022-08-06T00:00:50Z",
  "published": "2022-07-30T00:00:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35629"
    },
    {
      "type": "WEB",
      "url": "https://www.rapid7.com/blog/post/2022/07/26/cve-2022-35629-35632-velociraptor-multiple-vulnerabilities-fixed"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-77FW-RF4V-VFP9

Vulnerability from github – Published: 2023-06-21 22:00 – Updated: 2023-06-21 22:00
VLAI
Summary
passport-wsfed-saml2 vulnerable to Signature Bypass in SAML2 token
Details

Information

Please note that this is not a new disclosure, and is previously reported in our SECURITY-NOTICE.md which we removed in favor of github advisory.

Overview

This vulnerability allows an attacker to impersonate another user and potentially elevate their privileges if the SAML identity provider:

  • signs SAML response and signs assertion

  • does not sign SAML response and signs assertion

Am I affected?

You may be affected if you use SAML2 protocol with passport-wsfed-saml2 versions below 3.0.5 and your SAML identity Provider: 1. signs SAML response and signs assertion; or 2. does not sign SAML response and signs assertion

How do I fix it?

You may fix this vulnerability by upgrading your library to version 3.0.5 or above.

Will the fix impact my users?

This fix patches the library that your application runs, but will not impact your users, their current state, or any existing sessions.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "passport-wsfed-saml2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-16897"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-06-21T22:00:18Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Information\nPlease note that this is not a new disclosure, and is previously reported in our [SECURITY-NOTICE.md](https://github.com/auth0/passport-wsfed-saml2/commit/520b9fc0bb4249ce83bec47e30153419f086ab70\n) which we removed in favor of github advisory. \n\n# Overview \n This vulnerability allows an attacker to impersonate another user and potentially elevate their privileges if the SAML identity provider:\n\n- signs SAML response and signs assertion\n\n- does not sign SAML response and signs assertion\n\n# Am I affected?\n\nYou may be affected if you use SAML2 protocol with passport-wsfed-saml2 versions below 3.0.5 and your SAML identity Provider: \n1. signs SAML response and signs assertion; or \n2. does not sign SAML response and signs assertion\n\n# How do I fix it?\n\nYou may fix this vulnerability by upgrading your library to version 3.0.5 or above. \n\n# Will the fix impact my users?\nThis fix patches the library that your application runs, but will not impact your users, their current state, or any existing sessions.",
  "id": "GHSA-77fw-rf4v-vfp9",
  "modified": "2023-06-21T22:00:18Z",
  "published": "2023-06-21T22:00:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/auth0/passport-wsfed-saml2/security/advisories/GHSA-77fw-rf4v-vfp9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16897"
    },
    {
      "type": "WEB",
      "url": "https://github.com/auth0/passport-wsfed-saml2/commit/520b9fc0bb4249ce83bec47e30153419f086ab70"
    },
    {
      "type": "WEB",
      "url": "https://auth0.com/docs/security/bulletins/cve-2017-16897"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/auth0/passport-wsfed-saml2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "passport-wsfed-saml2 vulnerable to Signature Bypass in SAML2 token"
}

No mitigation information available for this CWE.

CAPEC-21: Exploitation of Trusted Identifiers

An adversary guesses, obtains, or "rides" a trusted identifier (e.g. session ID, resource ID, cookie, etc.) to perform authorized actions under the guise of an authenticated user or service.

CAPEC-22: Exploiting Trust in Client

An attack of this type exploits vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by communicating directly with the server where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.

CAPEC-459: Creating a Rogue Certification Authority Certificate

An adversary exploits a weakness resulting from using a hashing algorithm with weak collision resistance to generate certificate signing requests (CSR) that contain collision blocks in their "to be signed" parts. The adversary submits one CSR to be signed by a trusted certificate authority then uses the signed blob to make a second certificate appear signed by said certificate authority. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the adversary's second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority.

CAPEC-461: Web Services API Signature Forgery Leveraging Hash Function Extension Weakness

An adversary utilizes a hash function extension/padding weakness, to modify the parameters passed to the web service requesting authentication by generating their own call in order to generate a legitimate signature hash (as described in the notes), without knowledge of the secret token sometimes provided by the web service.

CAPEC-473: Signature Spoof

An attacker generates a message or datablock that causes the recipient to believe that the message or datablock was generated and cryptographically signed by an authoritative or reputable source, misleading a victim or victim operating system into performing malicious actions.

CAPEC-476: Signature Spoofing by Misrepresentation

An attacker exploits a weakness in the parsing or display code of the recipient software to generate a data blob containing a supposedly valid signature, but the signer's identity is falsely represented, which can lead to the attacker manipulating the recipient software or its victim user to perform compromising actions.

CAPEC-59: Session Credential Falsification through Prediction

This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

CAPEC-60: Reusing Session IDs (aka Session Replay)

This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.

CAPEC-667: Bluetooth Impersonation AttackS (BIAS)

An adversary disguises the MAC address of their Bluetooth enabled device to one for which there exists an active and trusted connection and authenticates successfully. The adversary can then perform malicious actions on the target Bluetooth device depending on the target’s capabilities.

CAPEC-94: Adversary in the Middle (AiTM)

An adversary targets the communication between two components (typically client and server), in order to alter or obtain data from transactions. A general approach entails the adversary placing themself within the communication channel between the two components.