CWE-304
AllowedMissing Critical Step in Authentication
Abstraction: Base · Status: Draft
The product implements an authentication technique, but it skips a step that weakens the technique.
60 vulnerabilities reference this CWE, most recent first.
GHSA-5GJG-JGH4-GPPM
Vulnerability from github – Published: 2021-06-23 17:26 – Updated: 2026-01-23 22:35Impact
Depending on implementation, a denial-of-service or privilege escalation vulnerability may occur in software that uses the github.com/ecnepsnai/web package with Web Sockets that have an AuthenticateMethod.
The AuthenticateMethod is not called, and UserData will be nil in request methods. Attempts to read the UserData may result in a panic.
This issue only affects web sockets where an AuthenticateMethod is supplied to the handle options. Users who do not use web sockets, or users who do not require authentication are not at risk.
Example
In the example below, one would expect that the AuthenticateMethod function would be called for each request to /example
handleOptions := web.HandleOptions{
AuthenticateMethod: func(request *http.Request) interface{} {
// Assume there is logic here to check for an active sessions, look at cookies or headers, etc...
var session Session{} // Example
return session
},
}
server.Socket("/example", handle, handleOptions)
However, the method is not called, and therefor the UserData parameter of the request object in the handle will be nil, when it would have been expected to be the session object we returned.
Patches
Release v1.5.2 fixes this vulnerability. The authenticate method is now called for websocket requests.
All users of the web package should update to v1.5.2 or later.
Workarounds
You may work around this issue by making the authenticate method a named function, then calling that function at the start of the handle method for the websocket. Reject connections when the return value of the method is nil.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/ecnepsnai/web"
},
"ranges": [
{
"events": [
{
"introduced": "1.4.0"
},
{
"fixed": "1.5.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-4236"
],
"database_specific": {
"cwe_ids": [
"CWE-304",
"CWE-400",
"CWE-476"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-21T17:41:20Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "### Impact\n\nDepending on implementation, a denial-of-service or privilege escalation vulnerability may occur in software that uses the `github.com/ecnepsnai/web` package with Web Sockets that have an AuthenticateMethod.\n\nThe `AuthenticateMethod` is not called, and `UserData` will be nil in request methods. Attempts to read the `UserData` may result in a panic.\n\nThis issue only affects web sockets where an `AuthenticateMethod` is supplied to the handle options. Users who do not use web sockets, or users who do not require authentication are not at risk.\n\n#### Example\n\nIn the example below, one would expect that the `AuthenticateMethod` function would be called for each request to `/example`\n\n```go\nhandleOptions := web.HandleOptions{\n\tAuthenticateMethod: func(request *http.Request) interface{} {\n\t\t// Assume there is logic here to check for an active sessions, look at cookies or headers, etc...\n\t\tvar session Session{} // Example\n\n\t\treturn session\n\t},\n}\n\nserver.Socket(\"/example\", handle, handleOptions)\n```\n\nHowever, the method is not called, and therefor the `UserData` parameter of the request object in the handle will be nil, when it would have been expected to be the `session` object we returned.\n\n### Patches\n\nRelease v1.5.2 fixes this vulnerability. The authenticate method is now called for websocket requests.\n\nAll users of the web package should update to v1.5.2 or later.\n\n### Workarounds\n\nYou may work around this issue by making the authenticate method a named function, then calling that function at the start of the handle method for the websocket. Reject connections when the return value of the method is nil.",
"id": "GHSA-5gjg-jgh4-gppm",
"modified": "2026-01-23T22:35:54Z",
"published": "2021-06-23T17:26:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ecnepsnai/web/security/advisories/GHSA-5gjg-jgh4-gppm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4236"
},
{
"type": "WEB",
"url": "https://github.com/ecnepsnai/web/commit/5a78f8d5c41ce60dcf9f61aaf47a7a8dc3e0002f"
},
{
"type": "PACKAGE",
"url": "https://github.com/ecnepsnai/web"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2021-0107"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Websocket requests did not call AuthenticateMethod"
}
GHSA-6W2C-F4VG-J9HV
Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-20 12:32A missing authentication check in the uninstall endpoint of parisneo/lollms-webui V13 allows attackers to perform unauthorized directory deletions. The /uninstall/{app_name} API endpoint does not call the check_access() function to verify the client_id, enabling attackers to delete directories without proper authentication.
{
"affected": [],
"aliases": [
"CVE-2024-9919"
],
"database_specific": {
"cwe_ids": [
"CWE-304",
"CWE-306"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-20T10:15:50Z",
"severity": "HIGH"
},
"details": "A missing authentication check in the uninstall endpoint of parisneo/lollms-webui V13 allows attackers to perform unauthorized directory deletions. The /uninstall/{app_name} API endpoint does not call the check_access() function to verify the client_id, enabling attackers to delete directories without proper authentication.",
"id": "GHSA-6w2c-f4vg-j9hv",
"modified": "2025-03-20T12:32:51Z",
"published": "2025-03-20T12:32:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9919"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/5c00f56b-32a8-4e26-a4e3-de64f139da6b"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-76Q6-GFMM-Q894
Vulnerability from github – Published: 2025-03-19 09:30 – Updated: 2026-06-01 15:30Missing Critical Step in Authentication vulnerability in Elfatek Elektronics ANKA JPD-00028 allows Authentication Bypass.This issue affects ANKA JPD-00028: through 19.03.2025.
NOTE: The vendor did not inform about the completion of the fixing process within the specified time. The CVE will be updated when new information becomes available.
{
"affected": [],
"aliases": [
"CVE-2024-12136"
],
"database_specific": {
"cwe_ids": [
"CWE-304"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-19T09:15:12Z",
"severity": "MODERATE"
},
"details": "Missing Critical Step in Authentication vulnerability in Elfatek Elektronics ANKA JPD-00028 allows Authentication Bypass.This issue affects ANKA JPD-00028: through 19.03.2025.\n\nNOTE: The vendor did not inform about the completion of the fixing process within the specified time. The CVE will be updated when new information becomes available.",
"id": "GHSA-76q6-gfmm-q894",
"modified": "2026-06-01T15:30:32Z",
"published": "2025-03-19T09:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12136"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0071"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-25-0071"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7895-GFFQ-W6JQ
Vulnerability from github – Published: 2026-06-29 21:32 – Updated: 2026-06-30 15:30Missing Critical Step in Authentication vulnerability in Apache Tomcat when the JNDIRealm was configured to authenticate binds using GSSAPI allowed attackers to authenticate without provided the correct password.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.4, from 10.1.0-M1 through 10.1.36, from 9.0.0.M1 through 9.0.100, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.
Users are recommended to upgrade to version 11.0.5, 10.1.37 or 9.0.101, which fixes the issue.
{
"affected": [],
"aliases": [
"CVE-2026-55957"
],
"database_specific": {
"cwe_ids": [
"CWE-304"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-29T21:16:45Z",
"severity": "HIGH"
},
"details": "Missing Critical Step in Authentication vulnerability in Apache Tomcat when the JNDIRealm was configured to authenticate binds using GSSAPI allowed attackers to authenticate without provided the correct password.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.4, from 10.1.0-M1 through 10.1.36, from 9.0.0.M1 through 9.0.100, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.\n\nUsers are recommended to upgrade to version 11.0.5, 10.1.37 or 9.0.101, which fixes the issue.",
"id": "GHSA-7895-gffq-w6jq",
"modified": "2026-06-30T15:30:43Z",
"published": "2026-06-29T21:32:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-55957"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/7fk339o5jvd4mcgsf0chbrn4o525ccjh"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/06/29/26"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-7GWG-2MR3-XHPM
Vulnerability from github – Published: 2025-04-17 18:31 – Updated: 2025-04-23 18:30In JetBrains Toolbox App before 2.6 the SSH plugin established connections without sufficient user confirmation
{
"affected": [],
"aliases": [
"CVE-2025-43014"
],
"database_specific": {
"cwe_ids": [
"CWE-304"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-17T16:16:00Z",
"severity": "MODERATE"
},
"details": "In JetBrains Toolbox App before 2.6 the SSH plugin established connections without sufficient user confirmation",
"id": "GHSA-7gwg-2mr3-xhpm",
"modified": "2025-04-23T18:30:56Z",
"published": "2025-04-17T18:31:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43014"
},
{
"type": "WEB",
"url": "https://www.jetbrains.com/privacy-security/issues-fixed"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7QMP-3HH8-G4VW
Vulnerability from github – Published: 2024-08-01 18:32 – Updated: 2024-08-01 18:32In parisneo/lollms-webui version v9.8, the lollms_binding_infos is missing the client_id parameter, which leads to multiple security vulnerabilities. Specifically, the endpoints /reload_binding, /install_binding, /reinstall_binding, /unInstall_binding, /set_active_binding_settings, and /update_binding_settings are susceptible to CSRF attacks and local attacks. An attacker can exploit this vulnerability to perform unauthorized actions on the victim's machine.
{
"affected": [],
"aliases": [
"CVE-2024-6040"
],
"database_specific": {
"cwe_ids": [
"CWE-304",
"CWE-352"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-01T16:15:06Z",
"severity": "MODERATE"
},
"details": "In parisneo/lollms-webui version v9.8, the lollms_binding_infos is missing the client_id parameter, which leads to multiple security vulnerabilities. Specifically, the endpoints /reload_binding, /install_binding, /reinstall_binding, /unInstall_binding, /set_active_binding_settings, and /update_binding_settings are susceptible to CSRF attacks and local attacks. An attacker can exploit this vulnerability to perform unauthorized actions on the victim\u0027s machine.",
"id": "GHSA-7qmp-3hh8-g4vw",
"modified": "2024-08-01T18:32:50Z",
"published": "2024-08-01T18:32:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6040"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/ac0bbb1d-89aa-42ba-bc48-1b59bd16acc7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-89PX-WW3J-G2MM
Vulnerability from github – Published: 2019-11-29 17:05 – Updated: 2024-11-19 15:482FA bypass through new device path
Impact
If someone gains access to someone's Wagtail login credentials, they can log into the CMS and bypass the 2FA check by changing the URL. They can then add a new device and gain full access to the CMS.
Patches
This problem has been patched in version 1.3.0.
Workarounds
There is no workaround at the moment.
For more information
If you have any questions or comments about this advisory: * Open an issue in github.com/labd/wagtail-2fa * Email us at security@labdigital.nl
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "wagtail-2fa"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-16766"
],
"database_specific": {
"cwe_ids": [
"CWE-290",
"CWE-304"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:25:10Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## 2FA bypass through new device path\n\n### Impact\nIf someone gains access to someone\u0027s Wagtail login credentials, they can log into the CMS and bypass the 2FA check by changing the URL. They can then add a new device and gain full access to the CMS.\n\n### Patches\nThis problem has been patched in version 1.3.0.\n\n### Workarounds\nThere is no workaround at the moment.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [github.com/labd/wagtail-2fa](https://github.com/labd/wagtail-2fa)\n* Email us at [security@labdigital.nl](mailto:security@labdigital.nl)",
"id": "GHSA-89px-ww3j-g2mm",
"modified": "2024-11-19T15:48:33Z",
"published": "2019-11-29T17:05:59Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/labd/wagtail-2fa/security/advisories/GHSA-89px-ww3j-g2mm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16766"
},
{
"type": "WEB",
"url": "https://github.com/labd/wagtail-2fa/commit/13b12995d35b566df08a17257a23863ab6efb0ca"
},
{
"type": "WEB",
"url": "https://github.com/labd/wagtail-2fa/commit/a6711b29711729005770ff481b22675b35ff5c81"
},
{
"type": "PACKAGE",
"url": "https://github.com/labd/wagtail-2fa"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/wagtail-2fa/PYSEC-2019-135.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
"type": "CVSS_V4"
}
],
"summary": "2FA bypass in Wagtail through new device path"
}
GHSA-97G8-XFVW-Q4HG
Vulnerability from github – Published: 2022-12-13 19:44 – Updated: 2023-09-20 22:30An issue was discovered in Keycloak when using a client with the offline_access scope. Reuse of session ids across root and user authentication sessions and a lack of root session validation enabled attackers to resolve a user session attached to a different previously authenticated user.
This issue most affects users of shared computers. Suppose a user logs out of their account (without clearing their cookies) in a mobile app or similar client that includes the offline_access scope, and another user authenticates to the application. In that case, it will share the same root session id, and when utilizing the refresh token, they will be issued a token for the original user.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 19.0.2"
},
"package": {
"ecosystem": "Maven",
"name": "org.keycloak:keycloak-parent"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "20.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-3916"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-304",
"CWE-488",
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-13T19:44:33Z",
"nvd_published_at": "2023-09-20T15:15:11Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Keycloak when using a client with the `offline_access` scope. Reuse of session ids across root and user authentication sessions and a lack of root session validation enabled attackers to resolve a user session attached to a different previously authenticated user.\n\nThis issue most affects users of shared computers. Suppose a user logs out of their account (without clearing their cookies) in a mobile app or similar client that includes the `offline_access` scope, and another user authenticates to the application. In that case, it will share the same root session id, and when utilizing the refresh token, they will be issued a token for the original user.",
"id": "GHSA-97g8-xfvw-q4hg",
"modified": "2023-09-20T22:30:19Z",
"published": "2022-12-13T19:44:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-97g8-xfvw-q4hg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3916"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2022:8961"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2022:8962"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2022:8963"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2022:8964"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2022:8965"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2022-3916"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2141404"
},
{
"type": "PACKAGE",
"url": "https://github.com/keycloak/keycloak"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Keycloak vulnerable to session takeover with OIDC offline refreshtokens"
}
GHSA-FHFG-FRX8-7458
Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-20 12:32In composiohq/composio version 0.5.10, the API does not validate the x-api-key header's value during the authentication step. This vulnerability allows an attacker to bypass authentication by providing any random value in the x-api-key header, thereby gaining unauthorized access to the server.
{
"affected": [],
"aliases": [
"CVE-2024-8954"
],
"database_specific": {
"cwe_ids": [
"CWE-304"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-20T10:15:44Z",
"severity": "CRITICAL"
},
"details": "In composiohq/composio version 0.5.10, the API does not validate the `x-api-key` header\u0027s value during the authentication step. This vulnerability allows an attacker to bypass authentication by providing any random value in the `x-api-key` header, thereby gaining unauthorized access to the server.",
"id": "GHSA-fhfg-frx8-7458",
"modified": "2025-03-20T12:32:49Z",
"published": "2025-03-20T12:32:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8954"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/f1e0fdce-00d7-4261-a466-923062800b12"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FHR7-8JX4-R9CP
Vulnerability from github – Published: 2023-12-30 00:30 – Updated: 2024-11-18 16:26A flaw was found in Infinispan's REST. Bulk read endpoints do not properly evaluate user permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.infinispan:infinispan-server-rest"
},
"ranges": [
{
"events": [
{
"introduced": "15.0.0.Dev01"
},
{
"fixed": "15.0.0.Dev04"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.infinispan:infinispan-server-rest"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.0.18.Final"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-3628"
],
"database_specific": {
"cwe_ids": [
"CWE-304"
],
"github_reviewed": true,
"github_reviewed_at": "2024-09-16T17:19:18Z",
"nvd_published_at": "2023-12-18T14:15:08Z",
"severity": "HIGH"
},
"details": "A flaw was found in Infinispan\u0027s REST. Bulk read endpoints do not properly evaluate user permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions.",
"id": "GHSA-fhr7-8jx4-r9cp",
"modified": "2024-11-18T16:26:34Z",
"published": "2023-12-30T00:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3628"
},
{
"type": "WEB",
"url": "https://github.com/infinispan/infinispan/commit/70a50352d9195753a588d0fba8c2063b99f96263"
},
{
"type": "WEB",
"url": "https://github.com/infinispan/infinispan/commit/b34488dcab8bdd4258972568b8405ee7111276ec"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:5396"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2023-3628"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2217924"
},
{
"type": "PACKAGE",
"url": "https://github.com/infinispan/infinispan"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20240125-0004"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Infinispan REST Server\u0027s bulk read endpoints do not properly evaluate user permissions"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.