CWE-306
AllowedMissing Authentication for Critical Function
Abstraction: Base · Status: Draft
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
3446 vulnerabilities reference this CWE, most recent first.
GHSA-W7VR-JMCF-CX4M
Vulnerability from github – Published: 2024-01-30 09:30 – Updated: 2024-01-30 09:30Missing Authentication for Critical Function vulnerability in Mitsubishi Electric Corporation EZSocket versions 3.0 and later, FR Configurator2 all versions, GT Designer3 Version1(GOT1000) all versions, GT Designer3 Version1(GOT2000) all versions, GX Works2 versions 1.11M and later, GX Works3 all versions, MELSOFT Navigator versions 1.04E and later, MT Works2 all versions, MX Component versions 4.00A and later and MX OPC Server DA/UA all versions allows a remote unauthenticated attacker to bypass authentication by sending specially crafted packets and connect to the products illegally.
{
"affected": [],
"aliases": [
"CVE-2023-6942"
],
"database_specific": {
"cwe_ids": [
"CWE-306"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-30T09:15:47Z",
"severity": "HIGH"
},
"details": "Missing Authentication for Critical Function vulnerability in Mitsubishi Electric Corporation EZSocket versions 3.0 and later, FR Configurator2 all versions, GT Designer3 Version1(GOT1000) all versions, GT Designer3 Version1(GOT2000) all versions, GX Works2 versions 1.11M and later, GX Works3 all versions, MELSOFT Navigator versions 1.04E and later, MT Works2 all versions, MX Component versions 4.00A and later and MX OPC Server DA/UA all versions allows a remote unauthenticated attacker to bypass authentication by sending specially crafted packets and connect to the products illegally.",
"id": "GHSA-w7vr-jmcf-cx4m",
"modified": "2024-01-30T09:30:34Z",
"published": "2024-01-30T09:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6942"
},
{
"type": "WEB",
"url": "https://jvn.jp/vu/JVNVU95103362"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-030-02"
},
{
"type": "WEB",
"url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-020_en.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W7W8-PMXH-5JHC
Vulnerability from github – Published: 2022-06-15 00:00 – Updated: 2025-11-12 09:30A vulnerability has been identified in SICAM GridEdge Essential ARM (All versions < V2.6.6), SICAM GridEdge Essential Intel (All versions < V2.6.6), SICAM GridEdge Essential with GDS ARM (All versions < V2.6.6), SICAM GridEdge Essential with GDS Intel (All versions < V2.6.6). The affected software does not require authenticated access for privileged functions. This could allow an unauthenticated attacker to change data of an user, such as credentials, in case that user's id is known.
{
"affected": [],
"aliases": [
"CVE-2022-30229"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-306"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-14T10:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been identified in SICAM GridEdge Essential ARM (All versions \u003c V2.6.6), SICAM GridEdge Essential Intel (All versions \u003c V2.6.6), SICAM GridEdge Essential with GDS ARM (All versions \u003c V2.6.6), SICAM GridEdge Essential with GDS Intel (All versions \u003c V2.6.6). The affected software does not require authenticated access for privileged functions. This could allow an unauthenticated attacker to change data of an user, such as credentials, in case that user\u0027s id is known.",
"id": "GHSA-w7w8-pmxh-5jhc",
"modified": "2025-11-12T09:30:25Z",
"published": "2022-06-15T00:00:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30229"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-631336.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-631336.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-W7XG-P523-GCW4
Vulnerability from github – Published: 2026-06-03 18:33 – Updated: 2026-06-05 03:31Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 exposes 15 of 18 UPnP IGD actions without authentication on port 1900, including AddPortMapping and GetExternalIPAddress. UPnP is enabled by default through the admin interface, allowing any unauthenticated LAN device to create arbitrary port forwarding rules and access WAN traffic statistics.
{
"affected": [],
"aliases": [
"CVE-2026-36603"
],
"database_specific": {
"cwe_ids": [
"CWE-306"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-03T18:16:21Z",
"severity": "HIGH"
},
"details": "Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 exposes 15 of 18 UPnP IGD actions without authentication on port 1900, including AddPortMapping and GetExternalIPAddress. UPnP is enabled by default through the admin interface, allowing any unauthenticated LAN device to create arbitrary port forwarding rules and access WAN traffic statistics.",
"id": "GHSA-w7xg-p523-gcw4",
"modified": "2026-06-05T03:31:30Z",
"published": "2026-06-03T18:33:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-36603"
},
{
"type": "WEB",
"url": "https://github.com/Tymbark7372/MERCUSYS-AC12G/blob/master/advisories/CVE-2026-36603.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W835-MMVC-QQFV
Vulnerability from github – Published: 2022-05-24 17:47 – Updated: 2022-07-30 00:00The Thrive Optimize WordPress plugin before 1.4.13.3, Thrive Comments WordPress plugin before 1.4.15.3, Thrive Headline Optimizer WordPress plugin before 1.3.7.3, Thrive Leads WordPress plugin before 2.3.9.4, Thrive Ultimatum WordPress plugin before 2.3.9.4, Thrive Quiz Builder WordPress plugin before 2.3.9.4, Thrive Apprentice WordPress plugin before 2.3.9.4, Thrive Visual Editor WordPress plugin before 2.6.7.4, Thrive Dashboard WordPress plugin before 2.3.9.3, Thrive Ovation WordPress plugin before 2.4.5, Thrive Clever Widgets WordPress plugin before 1.57.1 and Rise by Thrive Themes WordPress theme before 2.0.0, Ignition by Thrive Themes WordPress theme before 2.0.0, Luxe by Thrive Themes WordPress theme before 2.0.0, FocusBlog by Thrive Themes WordPress theme before 2.0.0, Minus by Thrive Themes WordPress theme before 2.0.0, Squared by Thrive Themes WordPress theme before 2.0.0, Voice WordPress theme before 2.0.0, Performag by Thrive Themes WordPress theme before 2.0.0, Pressive by Thrive Themes WordPress theme before 2.0.0, Storied by Thrive Themes WordPress theme before 2.0.0, Thrive Themes Builder WordPress theme before 2.2.4 register a REST API endpoint associated with Zapier functionality. While this endpoint was intended to require an API key in order to access, it was possible to access it by supplying an empty api_key parameter in vulnerable versions if Zapier was not enabled. Attackers could use this endpoint to add arbitrary data to a predefined option in the wp_options table.
{
"affected": [],
"aliases": [
"CVE-2021-24219"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-306"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-12T14:15:00Z",
"severity": "MODERATE"
},
"details": "The Thrive Optimize WordPress plugin before 1.4.13.3, Thrive Comments WordPress plugin before 1.4.15.3, Thrive Headline Optimizer WordPress plugin before 1.3.7.3, Thrive Leads WordPress plugin before 2.3.9.4, Thrive Ultimatum WordPress plugin before 2.3.9.4, Thrive Quiz Builder WordPress plugin before 2.3.9.4, Thrive Apprentice WordPress plugin before 2.3.9.4, Thrive Visual Editor WordPress plugin before 2.6.7.4, Thrive Dashboard WordPress plugin before 2.3.9.3, Thrive Ovation WordPress plugin before 2.4.5, Thrive Clever Widgets WordPress plugin before 1.57.1 and Rise by Thrive Themes WordPress theme before 2.0.0, Ignition by Thrive Themes WordPress theme before 2.0.0, Luxe by Thrive Themes WordPress theme before 2.0.0, FocusBlog by Thrive Themes WordPress theme before 2.0.0, Minus by Thrive Themes WordPress theme before 2.0.0, Squared by Thrive Themes WordPress theme before 2.0.0, Voice WordPress theme before 2.0.0, Performag by Thrive Themes WordPress theme before 2.0.0, Pressive by Thrive Themes WordPress theme before 2.0.0, Storied by Thrive Themes WordPress theme before 2.0.0, Thrive Themes Builder WordPress theme before 2.2.4 register a REST API endpoint associated with Zapier functionality. While this endpoint was intended to require an API key in order to access, it was possible to access it by supplying an empty api_key parameter in vulnerable versions if Zapier was not enabled. Attackers could use this endpoint to add arbitrary data to a predefined option in the wp_options table.",
"id": "GHSA-w835-mmvc-qqfv",
"modified": "2022-07-30T00:00:36Z",
"published": "2022-05-24T17:47:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24219"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/35acd2d8-85fc-4af5-8f6c-224fa7d92900"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/blog/2021/03/recently-patched-vulnerability-in-thrive-themes-actively-exploited-in-the-wild"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W83R-98JH-FGQF
Vulnerability from github – Published: 2022-05-24 16:46 – Updated: 2022-05-24 16:46An issue was discovered in upgrade_htmls.cgi on VStarcam 100T (C7824WIP) KR75.8.53.20 and 200V (C38S) KR203.18.1.20 devices. The web service, network, and account files can be manipulated through a web UI firmware update without any authentication. The attacker can achieve access to the device through a manipulated web UI firmware update.
{
"affected": [],
"aliases": [
"CVE-2019-12288"
],
"database_specific": {
"cwe_ids": [
"CWE-306"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-05-23T18:29:00Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered in upgrade_htmls.cgi on VStarcam 100T (C7824WIP) KR75.8.53.20 and 200V (C38S) KR203.18.1.20 devices. The web service, network, and account files can be manipulated through a web UI firmware update without any authentication. The attacker can achieve access to the device through a manipulated web UI firmware update.",
"id": "GHSA-w83r-98jh-fgqf",
"modified": "2022-05-24T16:46:25Z",
"published": "2022-05-24T16:46:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12288"
},
{
"type": "WEB",
"url": "http://f1security.co.kr/cve/cve_190314.htm"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-W8F6-G5XV-W78J
Vulnerability from github – Published: 2022-05-24 16:54 – Updated: 2024-04-04 01:46Sphinx Technologies Sphinx 3.1.1 by default has no authentication and listens on 0.0.0.0, making it exposed to the internet (unless filtered by a firewall or reconfigured to listen to 127.0.0.1 only).
{
"affected": [],
"aliases": [
"CVE-2019-14511"
],
"database_specific": {
"cwe_ids": [
"CWE-306"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-08-22T13:15:00Z",
"severity": "HIGH"
},
"details": "Sphinx Technologies Sphinx 3.1.1 by default has no authentication and listens on 0.0.0.0, making it exposed to the internet (unless filtered by a firewall or reconfigured to listen to 127.0.0.1 only).",
"id": "GHSA-w8f6-g5xv-w78j",
"modified": "2024-04-04T01:46:24Z",
"published": "2022-05-24T16:54:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14511"
},
{
"type": "WEB",
"url": "https://blog.wirhabenstil.de/2019/08/19/sphinxsearch-0-0-0-09306-cve-2019-14511"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3FPPNZZMWTZOMFGFETMET6YKIH2DQDKS"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XD25JJJVM7FFXAO2L3ZG2KXQ6UMFBIA4"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YSLPW44RWIGHU5AG3P4U2HPSD3UBG4GJ"
},
{
"type": "WEB",
"url": "https://sphinxsearch.com/blog"
},
{
"type": "WEB",
"url": "http://sphinxsearch.com/docs/sphinx3.html#getting-started-on-linux-and-macos"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W8FQ-H7PG-632C
Vulnerability from github – Published: 2022-05-13 01:07 – Updated: 2022-05-13 01:07A design flaw issue was found in the Red Hat OpenStack Platform director use of TripleO to enable libvirtd based live-migration. Libvirtd is deployed by default (by director) listening on 0.0.0.0 (all interfaces) with no-authentication or encryption. Anyone able to make a TCP connection to any compute host IP address, including 127.0.0.1, other loopback interface addresses, or in some cases possibly addresses that have been exposed beyond the management interface, could use this to open a virsh session to the libvirtd instance and gain control of virtual machine instances or possibly take over the host.
{
"affected": [],
"aliases": [
"CVE-2017-2637"
],
"database_specific": {
"cwe_ids": [
"CWE-306"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-07-26T12:29:00Z",
"severity": "CRITICAL"
},
"details": "A design flaw issue was found in the Red Hat OpenStack Platform director use of TripleO to enable libvirtd based live-migration. Libvirtd is deployed by default (by director) listening on 0.0.0.0 (all interfaces) with no-authentication or encryption. Anyone able to make a TCP connection to any compute host IP address, including 127.0.0.1, other loopback interface addresses, or in some cases possibly addresses that have been exposed beyond the management interface, could use this to open a virsh session to the libvirtd instance and gain control of virtual machine instances or possibly take over the host.",
"id": "GHSA-w8fq-h7pg-632c",
"modified": "2022-05-13T01:07:32Z",
"published": "2022-05-13T01:07:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2637"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:1242"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:1504"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:1537"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:1546"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2017-2637"
},
{
"type": "WEB",
"url": "https://access.redhat.com/solutions/3022771"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1428240"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2637"
},
{
"type": "WEB",
"url": "https://wiki.openstack.org/wiki/OSSN/OSSN-0007"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/98576"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W8GV-M6Q2-JJ9P
Vulnerability from github – Published: 2025-09-30 12:30 – Updated: 2025-09-30 12:30The attacker may obtain root access by connecting to the UART port and this vulnerability requires the attacker to have the physical access to the device.
This issue affects Tapo D230S1 V1.20: before 1.2.2 Build 20250907.
{
"affected": [],
"aliases": [
"CVE-2025-10991"
],
"database_specific": {
"cwe_ids": [
"CWE-306"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-30T11:37:38Z",
"severity": "HIGH"
},
"details": "The attacker may obtain root access by connecting to the UART port and this vulnerability requires the attacker to have the physical access to the device.\n\nThis issue affects Tapo D230S1 V1.20: before 1.2.2 Build 20250907.",
"id": "GHSA-w8gv-m6q2-jj9p",
"modified": "2025-09-30T12:30:51Z",
"published": "2025-09-30T12:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10991"
},
{
"type": "WEB",
"url": "https://www.tp-link.com/en/support/faq/4693"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-W8GX-HHCX-PX6W
Vulnerability from github – Published: 2022-05-13 01:42 – Updated: 2023-10-10 15:43A resource-permission flaw was found in the tripleo-heat-templates package where ceph.client.openstack.keyring is created as world-readable. A local attacker with access to the key could read or modify data on Ceph cluster pools for OpenStack as though the attacker were the OpenStack service, thus potentially reading or modifying data in an OpenStack Block Storage volume. This has been patched in versions 7.0.6 and 8.0.0.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "tripleo-heat-templates"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.0.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-12155"
],
"database_specific": {
"cwe_ids": [
"CWE-306"
],
"github_reviewed": true,
"github_reviewed_at": "2023-07-26T19:02:59Z",
"nvd_published_at": "2017-12-12T20:29:00Z",
"severity": "MODERATE"
},
"details": "A resource-permission flaw was found in the `tripleo-heat-templates` package where `ceph.client.openstack.keyring` is created as world-readable. A local attacker with access to the key could read or modify data on Ceph cluster pools for OpenStack as though the attacker were the OpenStack service, thus potentially reading or modifying data in an OpenStack Block Storage volume. This has been patched in versions [7.0.6](https://github.com/openstack/tripleo-heat-templates/commit/a18fd59077d97de83496c85c017b9d256a3eddd4) and [8.0.0](https://github.com/openstack/tripleo-heat-templates/commit/ce7b65f443d38a6627631f53cb22336338e97d30).",
"id": "GHSA-w8gx-hhcx-px6w",
"modified": "2023-10-10T15:43:09Z",
"published": "2022-05-13T01:42:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12155"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:0602"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:1593"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:1627"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/tripleo/+bug/1720787"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1489360"
},
{
"type": "PACKAGE",
"url": "https://github.com/openstack/tripleo-heat-templates"
},
{
"type": "WEB",
"url": "https://opendev.org/openstack/tripleo-heat-templates/commit/a18fd59077d97de83496c85c017b9d256a3eddd4"
},
{
"type": "WEB",
"url": "https://opendev.org/openstack/tripleo-heat-templates/commit/ce7b65f443d38a6627631f53cb22336338e97d30"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Openstack tripleo-heat-templates unauthenticated file access"
}
GHSA-W8V6-GXPJ-3QP5
Vulnerability from github – Published: 2023-04-18 21:30 – Updated: 2024-04-04 03:32Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
{
"affected": [],
"aliases": [
"CVE-2023-21931"
],
"database_specific": {
"cwe_ids": [
"CWE-306"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-18T20:15:13Z",
"severity": "HIGH"
},
"details": "Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).",
"id": "GHSA-w8v6-gxpj-3qp5",
"modified": "2024-04-04T03:32:56Z",
"published": "2023-04-18T21:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21931"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2023.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/172882/Oracle-Weblogic-PreAuth-Remote-Command-Execution.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
- Divide the software into anonymous, normal, privileged, and administrative areas. Identify which of these areas require a proven user identity, and use a centralized authentication capability.
- Identify all potential communication channels, or other means of interaction with the software, to ensure that all channels are appropriately protected, including those channels that are assumed to be accessible only by authorized parties. Developers sometimes perform authentication at the primary channel, but open up a secondary channel that is assumed to be private. For example, a login mechanism may be listening on one network port, but after successful authentication, it may open up a second port where it waits for the connection, but avoids authentication because it assumes that only the authenticated party will connect to the port.
- In general, if the software or protocol allows a single session or user state to persist across multiple connections or channels, authentication and appropriate credential management need to be used throughout.
Mitigation MIT-15
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Mitigation
- Where possible, avoid implementing custom, "grow-your-own" authentication routines and consider using authentication capabilities as provided by the surrounding framework, operating system, or environment. These capabilities may avoid common weaknesses that are unique to authentication; support automatic auditing and tracking; and make it easier to provide a clear separation between authentication tasks and authorization tasks.
- In environments such as the World Wide Web, the line between authentication and authorization is sometimes blurred. If custom authentication routines are required instead of those provided by the server, then these routines must be applied to every single page, since these pages could be requested directly.
Mitigation MIT-4.5
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator [REF-45].
Mitigation
When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to require strong authentication for users who should be allowed to access the data [REF-1297] [REF-1298] [REF-1302].
CAPEC-12: Choosing Message Identifier
This pattern of attack is defined by the selection of messages distributed via multicast or public information channels that are intended for another client by determining the parameter value assigned to that client. This attack allows the adversary to gain access to potentially privileged information, and to possibly perpetrate other attacks through the distribution means by impersonation. If the channel/message being manipulated is an input rather than output mechanism for the system, (such as a command bus), this style of attack could be used to change the adversary's identifier to more a privileged one.
CAPEC-166: Force the System to Reset Values
An attacker forces the target into a previous state in order to leverage potential weaknesses in the target dependent upon a prior configuration or state-dependent factors. Even in cases where an attacker may not be able to directly control the configuration of the targeted application, they may be able to reset the configuration to a prior state since many applications implement reset functions.
CAPEC-216: Communication Channel Manipulation
An adversary manipulates a setting or parameter on communications channel in order to compromise its security. This can result in information exposure, insertion/removal of information from the communications stream, and/or potentially system compromise.
CAPEC-36: Using Unpublished Interfaces or Functionality
An adversary searches for and invokes interfaces or functionality that the target system designers did not intend to be publicly available. If interfaces fail to authenticate requests, the attacker may be able to invoke functionality they are not authorized for.
CAPEC-62: Cross Site Request Forgery
An attacker crafts malicious web links and distributes them (via web pages, email, etc.), typically in a targeted manner, hoping to induce users to click on the link and execute the malicious action against some third-party application. If successful, the action embedded in the malicious link will be processed and accepted by the targeted application with the users' privilege level. This type of attack leverages the persistence and implicit trust placed in user session cookies by many web applications today. In such an architecture, once the user authenticates to an application and a session cookie is created on the user's system, all following transactions for that session are authenticated using that cookie including potential actions initiated by an attacker and simply "riding" the existing session cookie.