CWE-345
DiscouragedInsufficient Verification of Data Authenticity
Abstraction: Class · Status: Draft
The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
933 vulnerabilities reference this CWE, most recent first.
GHSA-X9MP-JM4H-JJF8
Vulnerability from github – Published: 2023-09-20 15:30 – Updated: 2026-02-04 23:14Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-wc42-fcjp-v8vq. This link is maintained to preserve external references.
Original Description
In EVE OS, the “measured boot” mechanism prevents a compromised device from accessing the encrypted data located in the vault.
As per the “measured boot” design, the PCR values calculated at different stages of the boot process will change if any of their respective parts are changed.
This includes, among other things, the configuration of the bios, grub, the kernel cmdline, initrd, and more.
However, this mechanism does not validate the entire rootfs, so an attacker can edit the filesystem and gain control over the system.
As the default filesystem used by EVE OS is squashfs, this is somewhat harder than an ext4, which is easily changeable.
This will not stop an attacker, as an attacker can repackage the squashfs with their changes in it and replace the partition altogether.
This can also be done directly on the device, as the “003-storage-init” container contains the “mksquashfs” and “unsquashfs” binaries (with the corresponding libs).
An attacker can gain full control over the device without changing the PCR values, thus not triggering the “measured boot” mechanism, and having full access to the vault.
Note:
This issue was partially fixed in these commits (after disclosure to Zededa), where the config partition measurement was added to PCR13:
• aa3501d6c57206ced222c33aea15a9169d629141
• 5fef4d92e75838cc78010edaed5247dfbdae1889.
This issue was made viable in version 9.0.0 when the calculation was moved to PCR14 but it was not included in the measured boot.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/lf-edge/eve/pkg/grub"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20220708121648-5fef4d92e758"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-345"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-04T23:14:16Z",
"nvd_published_at": "2023-09-20T15:15:12Z",
"severity": "HIGH"
},
"details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-wc42-fcjp-v8vq. This link is maintained to preserve external references.\n\n### Original Description\nIn EVE OS, the \u201cmeasured boot\u201d mechanism prevents a compromised device from accessing\nthe encrypted data located in the vault.\n\nAs per the \u201cmeasured boot\u201d design, the PCR values calculated at different stages of the boot\nprocess will change if any of their respective parts are changed.\n\nThis includes, among other things, the configuration of the bios, grub, the kernel cmdline,\ninitrd, and more.\n\nHowever, this mechanism does not validate the entire rootfs, so an attacker can edit the\nfilesystem and gain control over the system.\n\nAs the default filesystem used by EVE OS is squashfs, this is somewhat harder than an ext4,\nwhich is easily changeable.\n\nThis will not stop an attacker, as an attacker can repackage the squashfs with their changes\nin it and replace the partition altogether.\n\nThis can also be done directly on the device, as the \u201c003-storage-init\u201d container contains the\n\u201cmksquashfs\u201d and \u201cunsquashfs\u201d binaries (with the corresponding libs).\n\n\n\n\n\n\n\nAn attacker can gain full control over the device without changing the PCR values, thus not\ntriggering the \u201cmeasured boot\u201d mechanism, and having full access to the vault.\n\n\n\nNote:\n\nThis issue was partially fixed in these commits (after disclosure to Zededa), where the config\npartition measurement was added to PCR13:\n\n\u2022 aa3501d6c57206ced222c33aea15a9169d629141\n\n\u2022 5fef4d92e75838cc78010edaed5247dfbdae1889.\n\nThis issue was made viable in version 9.0.0 when the calculation was moved to PCR14 but it was not included in the measured boot.",
"id": "GHSA-x9mp-jm4h-jjf8",
"modified": "2026-02-04T23:14:16Z",
"published": "2023-09-20T15:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43636"
},
{
"type": "WEB",
"url": "https://asrg.io/security-advisories/19274"
},
{
"type": "WEB",
"url": "https://asrg.io/security-advisories/cve-2023-43636"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Duplicate Advisory: EVE Doesn\u0027t Protect Rootfs",
"withdrawn": "2026-02-04T23:14:16Z"
}
GHSA-XC7C-C2G3-58V4
Vulnerability from github – Published: 2022-12-26 06:30 – Updated: 2024-02-15 03:30Emerson DeltaV Distributed Control System (DCS) has insufficient verification of firmware integrity (an inadequate checksum approach, and no signature). This affects versions before 14.3 of DeltaV M-series, DeltaV S-series, DeltaV P-series, DeltaV SIS, and DeltaV CIOC/EIOC/WIOC IO cards.
{
"affected": [],
"aliases": [
"CVE-2022-30260"
],
"database_specific": {
"cwe_ids": [
"CWE-345"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-26T06:15:00Z",
"severity": "HIGH"
},
"details": "Emerson DeltaV Distributed Control System (DCS) has insufficient verification of firmware integrity (an inadequate checksum approach, and no signature). This affects versions before 14.3 of DeltaV M-series, DeltaV S-series, DeltaV P-series, DeltaV SIS, and DeltaV CIOC/EIOC/WIOC IO cards.",
"id": "GHSA-xc7c-c2g3-58v4",
"modified": "2024-02-15T03:30:19Z",
"published": "2022-12-26T06:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30260"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-181-03"
},
{
"type": "WEB",
"url": "https://www.forescout.com/blog"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XFF3-5C9P-2MR4
Vulnerability from github – Published: 2026-04-24 15:43 – Updated: 2026-05-13 13:37Summary
A critical vulnerability exists in the Stripe webhook handler that allows an unauthenticated attacker to forge webhook events and credit arbitrary quota to their account without making any payment. The vulnerability stems from three compounding flaws:
- The Stripe webhook endpoint does not reject requests when
StripeWebhookSecretis empty (the default). - When the HMAC secret is empty, any attacker can compute valid webhook signatures, effectively bypassing signature verification entirely.
- The
Rechargefunction does not validate that the order'sPaymentMethodmatches the callback source, enabling cross-gateway exploitation — an order created via any payment method (e.g., Epay) can be fulfilled through a forged Stripe webhook.
Affected Components
controller/topup_stripe.go—StripeWebhook(),sessionCompleted()model/topup.go—Recharge(),RechargeCreem(),RechargeWaffo()controller/topup.go—EpayNotify()controller/topup_creem.go—CreemAdaptor.RequestPay()(missingPaymentMethodfield)router/api-router.go— webhook route registered without any guard
CWE Classification
- CWE-345: Insufficient Verification of Data Authenticity
- CWE-1188: Initialization with an Insecure Default (empty webhook secret)
- CWE-863: Incorrect Authorization (cross-gateway order fulfillment)
Vulnerability Details
Flaw 1: Empty Webhook Secret Bypasses Signature Verification
The StripeWebhookSecret setting defaults to an empty string "". The Stripe Go SDK (webhook.ConstructEventWithOptions) does not reject empty secrets — it computes HMAC-SHA256 with an empty key, producing a deterministic and publicly computable signature.
Vulnerable code (controller/topup_stripe.go):
func StripeWebhook(c *gin.Context) {
// No check for empty StripeWebhookSecret
payload, _ := io.ReadAll(c.Request.Body)
signature := c.GetHeader("Stripe-Signature")
endpointSecret := setting.StripeWebhookSecret // defaults to ""
event, err := webhook.ConstructEventWithOptions(payload, signature, endpointSecret, ...)
// When secret is "", attacker can compute valid HMAC with the same empty key
}
The webhook route is unconditionally registered with no authentication middleware and no rate limiting:
apiRouter.POST("/stripe/webhook", controller.StripeWebhook)
Flaw 2: Missing payment_status Verification
The sessionCompleted handler only checks status == "complete" but does not verify payment_status == "paid". Stripe's checkout.session.completed event can fire with payment_status = "unpaid" for delayed payment methods (bank transfer, SEPA, Boleto, etc.) or payment_status = "no_payment_required" for 100% discount coupons.
Additionally, checkout.session.async_payment_succeeded and checkout.session.async_payment_failed events are not handled, so delayed payments that ultimately fail are never rolled back.
Flaw 3: Cross-Gateway Order Fulfillment (No PaymentMethod Validation)
The model.Recharge() function (called by the Stripe webhook) looks up orders solely by trade_no and does not validate that the order's PaymentMethod is "stripe":
func Recharge(referenceId string, customerId string) (err error) {
// Finds ANY pending order by trade_no, regardless of PaymentMethod
tx.Where("trade_no = ?", referenceId).First(topUp)
if topUp.Status != "pending" { return }
// Credits quota without checking topUp.PaymentMethod
quota = topUp.Money * QuotaPerUnit
tx.Model(&User{}).Update("quota", gorm.Expr("quota + ?", quota))
}
This allows an attacker to create orders through any configured payment gateway (Epay, Creem, Waffo) and then complete them via a forged Stripe webhook — even if Stripe itself was never configured.
Attack Scenario
Prerequisites: Any payment method is configured (e.g., Epay) + StripeWebhookSecret is empty (default).
- Attacker registers a user account.
- Attacker calls
POST /api/user/payto create an Epay top-up order (e.g.,amount=10000). The order is stored withstatus=pending. - Attacker queries
GET /api/user/topup/selfto retrieve thetrade_noof the pending order. - Attacker computes
HMAC-SHA256with an empty key over a craftedcheckout.session.completedpayload containing the stolentrade_noasclient_reference_id. - Attacker sends
POST /api/stripe/webhookwith the forged payload and signature header. - The server verifies the signature (passes because the secret is empty), calls
Recharge(), which finds the Epay order bytrade_no, marks it assuccess, and credits the full quota. - Attacker repeats steps 2–6 indefinitely for unlimited credits.
Proof of concept (pseudocode):
import hmac, hashlib, time, json, requests
timestamp = int(time.time())
payload = json.dumps({
"type": "checkout.session.completed",
"data": {
"object": {
"client_reference_id": "<trade_no from step 3>",
"status": "complete",
"payment_status": "paid",
"customer": "cus_fake",
"amount_total": "0",
"currency": "usd"
}
}
})
# Empty secret = publicly computable signature
sig = hmac.new(b"", f"{timestamp}.{payload}".encode(), hashlib.sha256).hexdigest()
header = f"t={timestamp},v1={sig}"
requests.post("https://target/api/stripe/webhook",
data=payload,
headers={"Stripe-Signature": header, "Content-Type": "application/json"})
Remediation
Fix 1: Reject webhooks when secret is empty
func StripeWebhook(c *gin.Context) {
if setting.StripeWebhookSecret == "" {
c.AbortWithStatus(http.StatusForbidden)
return
}
// ... existing logic
}
Fix 2: Verify payment_status and handle async payment events
func sessionCompleted(event stripe.Event) {
// ... existing status check ...
paymentStatus := event.GetObjectValue("payment_status")
if paymentStatus != "paid" {
return // Wait for async_payment_succeeded event
}
fulfillOrder(event, referenceId, customerId)
}
Add handlers for checkout.session.async_payment_succeeded and checkout.session.async_payment_failed.
Fix 3: Validate PaymentMethod in all recharge functions
// In model.Recharge (Stripe):
if topUp.PaymentMethod != "stripe" {
return ErrPaymentMethodMismatch
}
// In model.RechargeCreem:
if topUp.PaymentMethod != "creem" {
return ErrPaymentMethodMismatch
}
// In model.RechargeWaffo:
if topUp.PaymentMethod != "waffo" {
return ErrPaymentMethodMismatch
}
// In controller.EpayNotify:
if topUp.PaymentMethod == "stripe" || topUp.PaymentMethod == "creem" || topUp.PaymentMethod == "waffo" {
return // reject cross-gateway fulfillment
}
Additional fix: Set PaymentMethod on Creem order creation
The Creem order creation was missing the PaymentMethod field entirely:
topUp := &model.TopUp{
// ...
PaymentMethod: "creem", // was missing
}
Patched Versions
- v0.12.10 — includes all three fixes described above.
All users are strongly encouraged to upgrade immediately.
Workaround (for users unable to upgrade immediately)
If users cannot upgrade to v0.12.10 right away, apply all of the following mitigations:
-
Set
StripeWebhookSecretto any non-empty value. Go to the admin panel → Payment → Stripe, and set the Webhook Signing Secret to any random string (e.g.,whsec_placeholder_do_not_leave_empty). It does not need to be a real Stripe secret — any non-empty value will prevent the empty-key HMAC forgery. This is the single most important step — it closes the primary attack vector. If Stripe payments are used in production, replace with the real secret from the project's Stripe Dashboard → Webhooks to ensure legitimate webhooks continue to work. -
If Stripe is not in use, block the webhook endpoint. If users have not configured Stripe payments, use a reverse proxy (Nginx, Caddy, etc.) to deny access to
/api/stripe/webhook:nginx location = /api/stripe/webhook { return 403; }
Note: The workaround only mitigates Flaw 1 (empty secret bypass). Flaws 2 (missing
payment_statuscheck) and 3 (cross-gateway fulfillment) are only fully addressed in v0.12.10. Upgrading is the only complete fix.
Impact
- Financial fraud: Attacker obtains unlimited API quota without payment.
- Operator financial loss: Fraudulent quota is consumed against upstream AI providers (OpenAI, Anthropic, Google, etc.), charged to the operator.
- Silent exploitation: Fraudulent top-ups appear as normal successful transactions in system logs, making detection difficult.
- Wide exposure: The default insecure configuration means virtually all deployments with any payment method enabled are vulnerable.
Timeline
- 2025-04-15: Vulnerability reported by @ChangeYu0229
- 2025-04-15: Vulnerability confirmed and root cause analysis completed
- 2025-04-15: Fix developed and applied
- 2025-04-15: Patched in v0.12.10
Resources
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/QuantumNous/new-api"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.12.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-41432"
],
"database_specific": {
"cwe_ids": [
"CWE-1188",
"CWE-345",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-24T15:43:25Z",
"nvd_published_at": "2026-05-08T23:16:35Z",
"severity": "HIGH"
},
"details": "## Summary\n\nA critical vulnerability exists in the Stripe webhook handler that allows an **unauthenticated attacker to forge webhook events** and credit arbitrary quota to their account without making any payment. The vulnerability stems from three compounding flaws:\n\n1. The Stripe webhook endpoint does not reject requests when `StripeWebhookSecret` is empty (the default).\n2. When the HMAC secret is empty, any attacker can compute valid webhook signatures, effectively **bypassing signature verification entirely**.\n3. The `Recharge` function does not validate that the order\u0027s `PaymentMethod` matches the callback source, enabling **cross-gateway exploitation** \u2014 an order created via any payment method (e.g., Epay) can be fulfilled through a forged Stripe webhook.\n\n## Affected Components\n\n- `controller/topup_stripe.go` \u2014 `StripeWebhook()`, `sessionCompleted()`\n- `model/topup.go` \u2014 `Recharge()`, `RechargeCreem()`, `RechargeWaffo()`\n- `controller/topup.go` \u2014 `EpayNotify()`\n- `controller/topup_creem.go` \u2014 `CreemAdaptor.RequestPay()` (missing `PaymentMethod` field)\n- `router/api-router.go` \u2014 webhook route registered without any guard\n\n## CWE Classification\n\n- **CWE-345**: Insufficient Verification of Data Authenticity\n- **CWE-1188**: Initialization with an Insecure Default (empty webhook secret)\n- **CWE-863**: Incorrect Authorization (cross-gateway order fulfillment)\n\n## Vulnerability Details\n\n### Flaw 1: Empty Webhook Secret Bypasses Signature Verification\n\nThe `StripeWebhookSecret` setting defaults to an empty string `\"\"`. The Stripe Go SDK (`webhook.ConstructEventWithOptions`) does **not** reject empty secrets \u2014 it computes `HMAC-SHA256` with an empty key, producing a deterministic and publicly computable signature.\n\n**Vulnerable code** (`controller/topup_stripe.go`):\n```go\nfunc StripeWebhook(c *gin.Context) {\n // No check for empty StripeWebhookSecret\n payload, _ := io.ReadAll(c.Request.Body)\n signature := c.GetHeader(\"Stripe-Signature\")\n endpointSecret := setting.StripeWebhookSecret // defaults to \"\"\n event, err := webhook.ConstructEventWithOptions(payload, signature, endpointSecret, ...)\n // When secret is \"\", attacker can compute valid HMAC with the same empty key\n}\n```\n\nThe webhook route is unconditionally registered with **no authentication middleware and no rate limiting**:\n```go\napiRouter.POST(\"/stripe/webhook\", controller.StripeWebhook)\n```\n\n### Flaw 2: Missing `payment_status` Verification\n\nThe `sessionCompleted` handler only checks `status == \"complete\"` but does **not** verify `payment_status == \"paid\"`. Stripe\u0027s `checkout.session.completed` event can fire with `payment_status = \"unpaid\"` for delayed payment methods (bank transfer, SEPA, Boleto, etc.) or `payment_status = \"no_payment_required\"` for 100% discount coupons.\n\nAdditionally, `checkout.session.async_payment_succeeded` and `checkout.session.async_payment_failed` events are not handled, so delayed payments that ultimately fail are never rolled back.\n\n### Flaw 3: Cross-Gateway Order Fulfillment (No PaymentMethod Validation)\n\nThe `model.Recharge()` function (called by the Stripe webhook) looks up orders solely by `trade_no` and does **not** validate that the order\u0027s `PaymentMethod` is `\"stripe\"`:\n\n```go\nfunc Recharge(referenceId string, customerId string) (err error) {\n // Finds ANY pending order by trade_no, regardless of PaymentMethod\n tx.Where(\"trade_no = ?\", referenceId).First(topUp)\n if topUp.Status != \"pending\" { return }\n // Credits quota without checking topUp.PaymentMethod\n quota = topUp.Money * QuotaPerUnit\n tx.Model(\u0026User{}).Update(\"quota\", gorm.Expr(\"quota + ?\", quota))\n}\n```\n\nThis allows an attacker to create orders through **any** configured payment gateway (Epay, Creem, Waffo) and then complete them via a forged Stripe webhook \u2014 even if Stripe itself was never configured.\n\n## Attack Scenario\n\n**Prerequisites**: Any payment method is configured (e.g., Epay) + `StripeWebhookSecret` is empty (default).\n\n1. Attacker registers a user account.\n2. Attacker calls `POST /api/user/pay` to create an Epay top-up order (e.g., `amount=10000`). The order is stored with `status=pending`.\n3. Attacker queries `GET /api/user/topup/self` to retrieve the `trade_no` of the pending order.\n4. Attacker computes `HMAC-SHA256` with an empty key over a crafted `checkout.session.completed` payload containing the stolen `trade_no` as `client_reference_id`.\n5. Attacker sends `POST /api/stripe/webhook` with the forged payload and signature header.\n6. The server verifies the signature (passes because the secret is empty), calls `Recharge()`, which finds the Epay order by `trade_no`, marks it as `success`, and credits the full quota.\n7. Attacker repeats steps 2\u20136 indefinitely for unlimited credits.\n\n**Proof of concept** (pseudocode):\n```python\nimport hmac, hashlib, time, json, requests\n\ntimestamp = int(time.time())\npayload = json.dumps({\n \"type\": \"checkout.session.completed\",\n \"data\": {\n \"object\": {\n \"client_reference_id\": \"\u003ctrade_no from step 3\u003e\",\n \"status\": \"complete\",\n \"payment_status\": \"paid\",\n \"customer\": \"cus_fake\",\n \"amount_total\": \"0\",\n \"currency\": \"usd\"\n }\n }\n})\n# Empty secret = publicly computable signature\nsig = hmac.new(b\"\", f\"{timestamp}.{payload}\".encode(), hashlib.sha256).hexdigest()\nheader = f\"t={timestamp},v1={sig}\"\n\nrequests.post(\"https://target/api/stripe/webhook\",\n data=payload,\n headers={\"Stripe-Signature\": header, \"Content-Type\": \"application/json\"})\n```\n\n## Remediation\n\n### Fix 1: Reject webhooks when secret is empty\n```go\nfunc StripeWebhook(c *gin.Context) {\n if setting.StripeWebhookSecret == \"\" {\n c.AbortWithStatus(http.StatusForbidden)\n return\n }\n // ... existing logic\n}\n```\n\n### Fix 2: Verify `payment_status` and handle async payment events\n```go\nfunc sessionCompleted(event stripe.Event) {\n // ... existing status check ...\n paymentStatus := event.GetObjectValue(\"payment_status\")\n if paymentStatus != \"paid\" {\n return // Wait for async_payment_succeeded event\n }\n fulfillOrder(event, referenceId, customerId)\n}\n```\n\nAdd handlers for `checkout.session.async_payment_succeeded` and `checkout.session.async_payment_failed`.\n\n### Fix 3: Validate PaymentMethod in all recharge functions\n```go\n// In model.Recharge (Stripe):\nif topUp.PaymentMethod != \"stripe\" {\n return ErrPaymentMethodMismatch\n}\n\n// In model.RechargeCreem:\nif topUp.PaymentMethod != \"creem\" {\n return ErrPaymentMethodMismatch\n}\n\n// In model.RechargeWaffo:\nif topUp.PaymentMethod != \"waffo\" {\n return ErrPaymentMethodMismatch\n}\n\n// In controller.EpayNotify:\nif topUp.PaymentMethod == \"stripe\" || topUp.PaymentMethod == \"creem\" || topUp.PaymentMethod == \"waffo\" {\n return // reject cross-gateway fulfillment\n}\n```\n\n### Additional fix: Set PaymentMethod on Creem order creation\nThe Creem order creation was missing the `PaymentMethod` field entirely:\n```go\ntopUp := \u0026model.TopUp{\n // ...\n PaymentMethod: \"creem\", // was missing\n}\n```\n\n## Patched Versions\n\n- **v0.12.10** \u2014 includes all three fixes described above.\n\nAll users are strongly encouraged to upgrade immediately.\n\n## Workaround (for users unable to upgrade immediately)\n\nIf users cannot upgrade to v0.12.10 right away, apply **all** of the following mitigations:\n\n1. **Set `StripeWebhookSecret` to any non-empty value.** Go to the admin panel \u2192 Payment \u2192 Stripe, and set the Webhook Signing Secret to **any random string** (e.g., `whsec_placeholder_do_not_leave_empty`). It does **not** need to be a real Stripe secret \u2014 any non-empty value will prevent the empty-key HMAC forgery. **This is the single most important step** \u2014 it closes the primary attack vector. If Stripe payments are used in production, replace with the real secret from the project\u0027s [Stripe Dashboard \u2192 Webhooks](https://dashboard.stripe.com/webhooks) to ensure legitimate webhooks continue to work.\n\n2. **If Stripe is not in use, block the webhook endpoint.** If users have not configured Stripe payments, use a reverse proxy (Nginx, Caddy, etc.) to deny access to `/api/stripe/webhook`:\n ```nginx\n location = /api/stripe/webhook {\n return 403;\n }\n ```\n\n\u003e **Note**: The workaround only mitigates Flaw 1 (empty secret bypass). Flaws 2 (missing `payment_status` check) and 3 (cross-gateway fulfillment) are only fully addressed in v0.12.10. **Upgrading is the only complete fix.**\n\n## Impact\n\n- **Financial fraud**: Attacker obtains unlimited API quota without payment.\n- **Operator financial loss**: Fraudulent quota is consumed against upstream AI providers (OpenAI, Anthropic, Google, etc.), charged to the operator.\n- **Silent exploitation**: Fraudulent top-ups appear as normal successful transactions in system logs, making detection difficult.\n- **Wide exposure**: The default insecure configuration means virtually all deployments with any payment method enabled are vulnerable.\n\n## Timeline\n\n- **2025-04-15**: Vulnerability reported by [@ChangeYu0229](https://github.com/ChangeYu0229)\n- **2025-04-15**: Vulnerability confirmed and root cause analysis completed\n- **2025-04-15**: Fix developed and applied\n- **2025-04-15**: Patched in v0.12.10\n\n## Resources\n\n- [Stripe Webhook Signature Verification Docs](https://docs.stripe.com/webhooks#verify-official-libraries)\n- [Stripe Checkout Fulfillment Guide \u2014 Handle async payment methods](https://docs.stripe.com/checkout/fulfillment#async-payment-methods)\n- [CWE-345: Insufficient Verification of Data Authenticity](https://cwe.mitre.org/data/definitions/345.html)\n- [CWE-1188: Initialization with an Insecure Default](https://cwe.mitre.org/data/definitions/1188.html)",
"id": "GHSA-xff3-5c9p-2mr4",
"modified": "2026-05-13T13:37:29Z",
"published": "2026-04-24T15:43:25Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/QuantumNous/new-api/security/advisories/GHSA-xff3-5c9p-2mr4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41432"
},
{
"type": "WEB",
"url": "https://docs.stripe.com/checkout/fulfillment#async-payment-methods"
},
{
"type": "WEB",
"url": "https://docs.stripe.com/webhooks#verify-official-libraries"
},
{
"type": "PACKAGE",
"url": "https://github.com/QuantumNous/new-api"
},
{
"type": "WEB",
"url": "https://github.com/QuantumNous/new-api/releases/tag/v0.12.10"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "New API: Stripe Webhook Signature Bypass via Empty Secret Enables Unlimited Quota Fraud"
}
GHSA-XGJW-PM74-86Q4
Vulnerability from github – Published: 2026-07-01 19:57 – Updated: 2026-07-01 19:57sigstore-js derives a transparency-log timestamp from tlogEntries[].integratedTime and uses it to validate certificate validity windows and satisfy timestampThreshold. For bundle v0.2, a tlog entry can be inclusionProof-only (no signed inclusionPromise/set), and the inclusion proof path does not cryptographically bind integratedTime. As a result, an attacker who can supply an untrusted bundle can influence time-based verification decisions by choosing integratedTime.
impact
If a consumer accepts attacker-provided bundle v0.2 inputs and relies on tlog-derived timestamps for certificate validity checks, verification can be influenced by an unauthenticated timestamp value. This is a trust gap: integratedTime is treated as a trusted observer timestamp under inclusionProof-only mode even though only the signed inclusionPromise/set path binds it.
affected code
packages/verify/src/bundle/index.ts(adds a transparency-log timestamp wheneverintegratedTime != 0)packages/verify/src/timestamp/index.ts(convertsintegratedTimeto aDate)packages/verify/src/verifier.ts(verifies timestamps before verifying tlog inclusion)packages/verify/src/tlog/index.ts+packages/verify/src/tlog/set.ts(only the inclusionPromise/set path bindsintegratedTime)
proof of concept
The attached poc.zip contains a self-contained harness that reproduces the behavior on the pinned commit and includes both a canonical test and a negative control.
repro:
1) extract poc.zip into a fresh directory and run the make targets:
unzip poc.zip -d poc
cd poc/poc-F-SIG-JS-TLOGTIME-001
make canonical
make control
2) confirm canonical.log includes:
[CALLSITE_HIT]:
[PROOF_MARKER]:
3) confirm control.log includes:
[NC_MARKER]:
suggested fix
Only treat integratedTime as a trusted timestamp when it is cryptographically bound (for example, via a verified signed inclusionPromise/set). For inclusionProof-only entries, do not count integratedTime toward timestampThreshold, and do not use it for certificate validity decisions unless there is another signed time source (for example, an rfc3161 timestamp).
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@sigstore/verify"
},
"ranges": [
{
"events": [
{
"introduced": "3.1.0"
},
{
"fixed": "3.1.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"3.1.0"
]
}
],
"aliases": [
"CVE-2026-48816"
],
"database_specific": {
"cwe_ids": [
"CWE-345"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-01T19:57:45Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "sigstore-js derives a transparency-log timestamp from `tlogEntries[].integratedTime` and uses it to validate certificate validity windows and satisfy `timestampThreshold`. For bundle v0.2, a tlog entry can be inclusionProof-only (no signed inclusionPromise/set), and the inclusion proof path does not cryptographically bind `integratedTime`. As a result, an attacker who can supply an untrusted bundle can influence time-based verification decisions by choosing `integratedTime`.\n\n## impact\nIf a consumer accepts attacker-provided bundle v0.2 inputs and relies on tlog-derived timestamps for certificate validity checks, verification can be influenced by an unauthenticated timestamp value. This is a trust gap: `integratedTime` is treated as a trusted observer timestamp under inclusionProof-only mode even though only the signed inclusionPromise/set path binds it.\n\n## affected code\n- `packages/verify/src/bundle/index.ts` (adds a transparency-log timestamp whenever `integratedTime != 0`)\n- `packages/verify/src/timestamp/index.ts` (converts `integratedTime` to a `Date`)\n- `packages/verify/src/verifier.ts` (verifies timestamps before verifying tlog inclusion)\n- `packages/verify/src/tlog/index.ts` + `packages/verify/src/tlog/set.ts` (only the inclusionPromise/set path binds `integratedTime`)\n\n## proof of concept\nThe attached `poc.zip` contains a self-contained harness that reproduces the behavior on the pinned commit and includes both a canonical test and a negative control.\n\nrepro:\n1) extract `poc.zip` into a fresh directory and run the make targets:\n\n```bash\nunzip poc.zip -d poc\ncd poc/poc-F-SIG-JS-TLOGTIME-001\nmake canonical\nmake control\n```\n\n2) confirm `canonical.log` includes:\n\n```\n[CALLSITE_HIT]:\n[PROOF_MARKER]:\n```\n\n3) confirm `control.log` includes:\n\n```\n[NC_MARKER]:\n```\n\n## suggested fix\nOnly treat `integratedTime` as a trusted timestamp when it is cryptographically bound (for example, via a verified signed inclusionPromise/set). For inclusionProof-only entries, do not count `integratedTime` toward `timestampThreshold`, and do not use it for certificate validity decisions unless there is another signed time source (for example, an rfc3161 timestamp).\n\n[poc.zip](https://github.com/user-attachments/files/25643656/poc.zip)\n[PR_DESCRIPTION.md](https://github.com/user-attachments/files/25643660/PR_DESCRIPTION.md)\n[SUBMISSION.md](https://github.com/user-attachments/files/25643662/SUBMISSION.md)",
"id": "GHSA-xgjw-pm74-86q4",
"modified": "2026-07-01T19:57:45Z",
"published": "2026-07-01T19:57:45Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/sigstore/sigstore-js/security/advisories/GHSA-xgjw-pm74-86q4"
},
{
"type": "PACKAGE",
"url": "https://github.com/sigstore/sigstore-js"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "sigstore-js has Insufficient Verification of Data Authenticity"
}
GHSA-XH5J-XJFQ-QVVX
Vulnerability from github – Published: 2026-05-29 22:14 – Updated: 2026-05-29 22:14Impact
A mismatch in federation peer-token timestamp handling could cause valid peer tokens to be treated as expired. Impacted deployments are Stigmem nodes using federation peer authentication paths from affected versions. The primary impact is availability and reliability of authenticated federation flows.
Patches
Patched in 0.9.0a2. Federation peer-token timestamp handling now uses the canonical millisecond-based validation path and is covered by regression tests.
Workarounds
Before upgrading, avoid mixed peer-token minting paths and restrict federation use to tightly controlled peers.
Upgrade
Upgrade to the patched release:
pip install --upgrade --pre stigmem-node
If developers install through the Stigmem meta-package instead, they should use the matching extra for deployments, for example:
pip install --upgrade --pre 'stigmem[node]'
Resources
- Release: https://github.com/eidetic-labs/stigmem/releases/tag/v0.9.0a2
- Changelog: https://github.com/eidetic-labs/stigmem/blob/v0.9.0a2/CHANGELOG.md#L14-L35
- Security policy and posture: https://github.com/eidetic-labs/stigmem/blob/v0.9.0a2/SECURITY.md
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "stigmem-node"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.0a2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-345"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-29T22:14:34Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\nA mismatch in federation peer-token timestamp handling could cause valid peer tokens to be treated as expired. Impacted deployments are Stigmem nodes using federation peer authentication paths from affected versions. The primary impact is availability and reliability of authenticated federation flows.\n\n### Patches\nPatched in 0.9.0a2. Federation peer-token timestamp handling now uses the canonical millisecond-based validation path and is covered by regression tests.\n\n### Workarounds\nBefore upgrading, avoid mixed peer-token minting paths and restrict federation use to tightly controlled peers.\n\n### Upgrade\nUpgrade to the patched release:\n\n```bash\npip install --upgrade --pre stigmem-node\n```\n\nIf developers install through the Stigmem meta-package instead, they should use the matching extra for deployments, for example:\n\n```bash\npip install --upgrade --pre \u0027stigmem[node]\u0027\n```\n\n### Resources\n- Release: https://github.com/eidetic-labs/stigmem/releases/tag/v0.9.0a2\n- Changelog: https://github.com/eidetic-labs/stigmem/blob/v0.9.0a2/CHANGELOG.md#L14-L35\n- Security policy and posture: https://github.com/eidetic-labs/stigmem/blob/v0.9.0a2/SECURITY.md",
"id": "GHSA-xh5j-xjfq-qvvx",
"modified": "2026-05-29T22:14:34Z",
"published": "2026-05-29T22:14:34Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/eidetic-labs/stigmem/security/advisories/GHSA-xh5j-xjfq-qvvx"
},
{
"type": "PACKAGE",
"url": "https://github.com/eidetic-labs/stigmem"
},
{
"type": "WEB",
"url": "https://github.com/eidetic-labs/stigmem/blob/v0.9.0a2/CHANGELOG.md#L14-L35"
},
{
"type": "WEB",
"url": "https://github.com/eidetic-labs/stigmem/blob/v0.9.0a2/SECURITY.md"
},
{
"type": "WEB",
"url": "https://github.com/eidetic-labs/stigmem/releases/tag/v0.9.0a2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "stigmem-node\u0027s federation peer token timestamp validation may reject valid peer tokens"
}
GHSA-XH87-MX6M-69F3
Vulnerability from github – Published: 2026-02-25 18:02 – Updated: 2026-02-27 20:55Summary
When using the AWS Lambda adapter (hono/aws-lambda) behind an Application Load Balancer (ALB), the getConnInfo() function incorrectly selected the first value from the X-Forwarded-For header.
Because AWS ALB appends the real client IP address to the end of the X-Forwarded-For header, the first value can be attacker-controlled.
This could allow IP-based access control mechanisms (such as the ipRestriction middleware) to be bypassed.
Details
In ALB environments, AWS appends the actual client IP address to the end of any existing X-Forwarded-For header value. However, the previous implementation of getConnInfo() extracted the leftmost IP address:
address = xff.split(',')[0].trim()
If a client sent:
X-Forwarded-For: <spoofed-ip>
ALB would forward:
X-Forwarded-For: <spoofed-ip>, <real-client-ip>
Since the implementation selected the first value, the spoofed IP address was trusted. This affected applications using:
ipRestriction(getConnInfo, { allowList: [...] })
or any custom middleware relying on getConnInfo(c).remote.address for authorization decisions.
The issue only affects deployments using the AWS Lambda adapter behind an ALB. API Gateway (v1/v2) and Lambda Function URLs are not affected, as they use AWS-provided source IP values from requestContext.
Impact
An unauthenticated remote attacker could bypass IP-based access restrictions by supplying a crafted X-Forwarded-For header. This may allow access to resources that were intended to be restricted by IP address.
Only applications deployed behind an ALB and relying on getConnInfo() for IP-based authorization are affected.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "hono"
},
"ranges": [
{
"events": [
{
"introduced": "4.12.0"
},
{
"fixed": "4.12.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-27700"
],
"database_specific": {
"cwe_ids": [
"CWE-290",
"CWE-345"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-25T18:02:19Z",
"nvd_published_at": "2026-02-25T16:23:26Z",
"severity": "HIGH"
},
"details": "## Summary\n\nWhen using the AWS Lambda adapter (`hono/aws-lambda`) behind an Application Load Balancer (ALB), the `getConnInfo()` function incorrectly selected the first value from the `X-Forwarded-For` header.\n\nBecause AWS ALB appends the real client IP address to the end of the `X-Forwarded-For` header, the first value can be attacker-controlled.\n\nThis could allow IP-based access control mechanisms (such as the `ipRestriction` middleware) to be bypassed.\n\n## Details\n\nIn ALB environments, AWS appends the actual client IP address to the end of any existing `X-Forwarded-For` header value. However, the previous implementation of `getConnInfo()` extracted the leftmost IP address:\n\n```ts\naddress = xff.split(\u0027,\u0027)[0].trim()\n```\n\nIf a client sent:\n\n```\nX-Forwarded-For: \u003cspoofed-ip\u003e\n```\n\nALB would forward:\n\n```\nX-Forwarded-For: \u003cspoofed-ip\u003e, \u003creal-client-ip\u003e\n```\n\nSince the implementation selected the first value, the spoofed IP address was trusted. This affected applications using:\n\n```ts\nipRestriction(getConnInfo, { allowList: [...] })\n```\n\nor any custom middleware relying on `getConnInfo(c).remote.address` for authorization decisions.\n\nThe issue only affects deployments using the AWS Lambda adapter behind an ALB. API Gateway (v1/v2) and Lambda Function URLs are not affected, as they use AWS-provided source IP values from `requestContext`.\n\n## Impact\n\nAn unauthenticated remote attacker could bypass IP-based access restrictions by supplying a crafted `X-Forwarded-For` header. This may allow access to resources that were intended to be restricted by IP address.\n\nOnly applications deployed behind an ALB and relying on `getConnInfo()` for IP-based authorization are affected.",
"id": "GHSA-xh87-mx6m-69f3",
"modified": "2026-02-27T20:55:22Z",
"published": "2026-02-25T18:02:19Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/honojs/hono/security/advisories/GHSA-xh87-mx6m-69f3"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27700"
},
{
"type": "WEB",
"url": "https://github.com/honojs/hono/commit/41adbf56e252c04611f8972364ac0887ae07a4c7"
},
{
"type": "PACKAGE",
"url": "https://github.com/honojs/hono"
},
{
"type": "WEB",
"url": "https://github.com/honojs/hono/releases/tag/v4.12.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Hono is Vulnerable to Authentication Bypass by IP Spoofing in AWS Lambda ALB conninfo"
}
GHSA-XJ5X-M3F3-5X3H
Vulnerability from github – Published: 2026-04-03 02:44 – Updated: 2026-04-06 23:11Impact
A service worker running in a session could spoof reply messages on the internal IPC channel used by webContents.executeJavaScript() and related methods, causing the main-process promise to resolve with attacker-controlled data.
Apps are only affected if they have service workers registered and use the result of webContents.executeJavaScript() (or webFrameMain.executeJavaScript()) in security-sensitive decisions.
Workarounds
Do not trust the return value of webContents.executeJavaScript() for security decisions. Use dedicated, validated IPC channels for security-relevant communication with renderers.
Fixed Versions
41.0.040.8.139.8.138.8.6
For more information
If there are any questions or comments about this advisory, please email security@electronjs.org
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "electron"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "38.8.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "electron"
},
"ranges": [
{
"events": [
{
"introduced": "39.0.0-alpha.1"
},
{
"fixed": "39.8.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "electron"
},
"ranges": [
{
"events": [
{
"introduced": "40.0.0-alpha.1"
},
{
"fixed": "40.8.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "electron"
},
"ranges": [
{
"events": [
{
"introduced": "41.0.0-alpha.1"
},
{
"fixed": "41.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-34778"
],
"database_specific": {
"cwe_ids": [
"CWE-290",
"CWE-345"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-03T02:44:59Z",
"nvd_published_at": "2026-04-04T00:16:19Z",
"severity": "MODERATE"
},
"details": "### Impact\nA service worker running in a session could spoof reply messages on the internal IPC channel used by `webContents.executeJavaScript()` and related methods, causing the main-process promise to resolve with attacker-controlled data.\n\nApps are only affected if they have service workers registered and use the result of `webContents.executeJavaScript()` (or `webFrameMain.executeJavaScript()`) in security-sensitive decisions.\n\n### Workarounds\nDo not trust the return value of `webContents.executeJavaScript()` for security decisions. Use dedicated, validated IPC channels for security-relevant communication with renderers.\n\n### Fixed Versions\n* `41.0.0`\n* `40.8.1`\n* `39.8.1`\n* `38.8.6`\n\n### For more information\nIf there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org)",
"id": "GHSA-xj5x-m3f3-5x3h",
"modified": "2026-04-06T23:11:12Z",
"published": "2026-04-03T02:44:59Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/electron/electron/security/advisories/GHSA-xj5x-m3f3-5x3h"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34778"
},
{
"type": "PACKAGE",
"url": "https://github.com/electron/electron"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Electron: Service worker can spoof executeJavaScript IPC replies"
}
GHSA-XJQG-WXV8-WVG6
Vulnerability from github – Published: 2023-08-11 21:30 – Updated: 2024-04-04 06:53An issue was discovered on AudioCodes VoIP desk phones through 3.4.4.1000. The validation of firmware images only consists of simple checksum checks for different firmware components. Thus, by knowing how to calculate and where to store the required checksums for the flasher tool, an attacker is able to store malicious firmware.
{
"affected": [],
"aliases": [
"CVE-2023-22955"
],
"database_specific": {
"cwe_ids": [
"CWE-345"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-11T20:15:14Z",
"severity": "HIGH"
},
"details": "An issue was discovered on AudioCodes VoIP desk phones through 3.4.4.1000. The validation of firmware images only consists of simple checksum checks for different firmware components. Thus, by knowing how to calculate and where to store the required checksums for the flasher tool, an attacker is able to store malicious firmware.",
"id": "GHSA-xjqg-wxv8-wvg6",
"modified": "2024-04-04T06:53:33Z",
"published": "2023-08-11T21:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22955"
},
{
"type": "WEB",
"url": "https://syss.de"
},
{
"type": "WEB",
"url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-055.txt"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/174214/AudioCodes-VoIP-Phones-Insufficient-Firmware-Validation.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2023/Aug/17"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XQR8-7JWR-RHP7
Vulnerability from github – Published: 2023-07-25 14:43 – Updated: 2025-02-12 21:33Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store. These are in the process of being removed from Mozilla's trust store.
e-Tugra's root certificates are being removed pursuant to an investigation prompted by reporting of security issues in their systems. Conclusions of Mozilla's investigation can be found here.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "certifi"
},
"ranges": [
{
"events": [
{
"introduced": "2015.4.28"
},
{
"fixed": "2023.7.22"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-37920"
],
"database_specific": {
"cwe_ids": [
"CWE-345"
],
"github_reviewed": true,
"github_reviewed_at": "2023-07-25T14:43:53Z",
"nvd_published_at": "2023-07-25T21:15:10Z",
"severity": "HIGH"
},
"details": "Certifi 2023.07.22 removes root certificates from \"e-Tugra\" from the root store. These are in the process of being removed from Mozilla\u0027s trust store.\n\n e-Tugra\u0027s root certificates are being removed pursuant to an investigation prompted by reporting of security issues in their systems. Conclusions of Mozilla\u0027s investigation can be found [here](https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/C-HrP1SEq1A).",
"id": "GHSA-xqr8-7jwr-rhp7",
"modified": "2025-02-12T21:33:44Z",
"published": "2023-07-25T14:43:53Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/certifi/python-certifi/security/advisories/GHSA-xqr8-7jwr-rhp7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37920"
},
{
"type": "WEB",
"url": "https://github.com/certifi/python-certifi/commit/8fb96ed81f71e7097ed11bc4d9b19afd7ea5c909"
},
{
"type": "PACKAGE",
"url": "https://github.com/certifi/python-certifi"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/certifi/PYSEC-2023-135.yaml"
},
{
"type": "WEB",
"url": "https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/C-HrP1SEq1A"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5EX6NG7WUFNUKGFHLM35KHHU3GAKXRTG"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20240912-0002"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Removal of e-Tugra root certificate"
}
GHSA-XR6M-H5M8-P48R
Vulnerability from github – Published: 2022-05-24 16:44 – Updated: 2024-04-04 00:04Cloud Foundry BOSH Backup and Restore CLI, all versions prior to 1.5.0, does not check the authenticity of backup scripts in BOSH. A remote authenticated malicious user can modify the metadata file of a Bosh Backup and Restore job to request extra backup files from different jobs upon restore. The exploited hooks in this metadata script were only maintained in the cfcr-etcd-release, so clusters deployed with the BBR job for etcd in this release are vulnerable.
{
"affected": [],
"aliases": [
"CVE-2019-3786"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-345"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-04-24T16:29:00Z",
"severity": "HIGH"
},
"details": "Cloud Foundry BOSH Backup and Restore CLI, all versions prior to 1.5.0, does not check the authenticity of backup scripts in BOSH. A remote authenticated malicious user can modify the metadata file of a Bosh Backup and Restore job to request extra backup files from different jobs upon restore. The exploited hooks in this metadata script were only maintained in the cfcr-etcd-release, so clusters deployed with the BBR job for etcd in this release are vulnerable.",
"id": "GHSA-xr6m-h5m8-p48r",
"modified": "2024-04-04T00:04:54Z",
"published": "2022-05-24T16:44:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3786"
},
{
"type": "WEB",
"url": "https://www.cloudfoundry.org/blog/cve-2019-3786"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
CAPEC-111: JSON Hijacking (aka JavaScript Hijacking)
An attacker targets a system that uses JavaScript Object Notation (JSON) as a transport mechanism between the client and the server (common in Web 2.0 systems using AJAX) to steal possibly confidential information transmitted from the server back to the client inside the JSON object by taking advantage of the loophole in the browser's Same Origin Policy that does not prohibit JavaScript from one website to be included and executed in the context of another website.
CAPEC-141: Cache Poisoning
An attacker exploits the functionality of cache technologies to cause specific data to be cached that aids the attackers' objectives. This describes any attack whereby an attacker places incorrect or harmful material in cache. The targeted cache can be an application's cache (e.g. a web browser cache) or a public cache (e.g. a DNS or ARP cache). Until the cache is refreshed, most applications or clients will treat the corrupted cache value as valid. This can lead to a wide range of exploits including redirecting web browsers towards sites that install malware and repeatedly incorrect calculations based on the incorrect value.
CAPEC-142: DNS Cache Poisoning
A domain name server translates a domain name (such as www.example.com) into an IP address that Internet hosts use to contact Internet resources. An adversary modifies a public DNS cache to cause certain names to resolve to incorrect addresses that the adversary specifies. The result is that client applications that rely upon the targeted cache for domain name resolution will be directed not to the actual address of the specified domain name but to some other address. Adversaries can use this to herd clients to sites that install malware on the victim's computer or to masquerade as part of a Pharming attack.
CAPEC-148: Content Spoofing
An adversary modifies content to make it contain something other than what the original content producer intended while keeping the apparent source of the content unchanged. The term content spoofing is most often used to describe modification of web pages hosted by a target to display the adversary's content instead of the owner's content. However, any content can be spoofed, including the content of email messages, file transfers, or the content of other network communication protocols. Content can be modified at the source (e.g. modifying the source file for a web page) or in transit (e.g. intercepting and modifying a message between the sender and recipient). Usually, the adversary will attempt to hide the fact that the content has been modified, but in some cases, such as with web site defacement, this is not necessary. Content Spoofing can lead to malware exposure, financial fraud (if the content governs financial transactions), privacy violations, and other unwanted outcomes.
CAPEC-218: Spoofing of UDDI/ebXML Messages
An attacker spoofs a UDDI, ebXML, or similar message in order to impersonate a service provider in an e-business transaction. UDDI, ebXML, and similar standards are used to identify businesses in e-business transactions. Among other things, they identify a particular participant, WSDL information for SOAP transactions, and supported communication protocols, including security protocols. By spoofing one of these messages an attacker could impersonate a legitimate business in a transaction or could manipulate the protocols used between a client and business. This could result in disclosure of sensitive information, loss of message integrity, or even financial fraud.
CAPEC-384: Application API Message Manipulation via Man-in-the-Middle
An attacker manipulates either egress or ingress data from a client within an application framework in order to change the content of messages. Performing this attack can allow the attacker to gain unauthorized privileges within the application, or conduct attacks such as phishing, deceptive strategies to spread malware, or traditional web-application attacks. The techniques require use of specialized software that allow the attacker to perform adversary-in-the-middle (CAPEC-94) communications between the web browser and the remote system. Despite the use of AiTH software, the attack is actually directed at the server, as the client is one node in a series of content brokers that pass information along to the application framework. Additionally, it is not true "Adversary-in-the-Middle" attack at the network layer, but an application-layer attack the root cause of which is the master applications trust in the integrity of code supplied by the client.
CAPEC-385: Transaction or Event Tampering via Application API Manipulation
An attacker hosts or joins an event or transaction within an application framework in order to change the content of messages or items that are being exchanged. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that look authentic but may contain deceptive links, substitute one item or another, spoof an existing item and conduct a false exchange, or otherwise change the amounts or identity of what is being exchanged. The techniques require use of specialized software that allow the attacker to man-in-the-middle communications between the web browser and the remote system in order to change the content of various application elements. Often, items exchanged in game can be monetized via sales for coin, virtual dollars, etc. The purpose of the attack is for the attack to scam the victim by trapping the data packets involved the exchange and altering the integrity of the transfer process.
CAPEC-386: Application API Navigation Remapping
An attacker manipulates either egress or ingress data from a client within an application framework in order to change the destination and/or content of links/buttons displayed to a user within API messages. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that looks authentic but contains links/buttons that point to an attacker controlled destination. Some applications make navigation remapping more difficult to detect because the actual HREF values of images, profile elements, and links/buttons are masked. One example would be to place an image in a user's photo gallery that when clicked upon redirected the user to an off-site location. Also, traditional web vulnerabilities (such as CSRF) can be constructed with remapped buttons or links. In some cases navigation remapping can be used for Phishing attacks or even means to artificially boost the page view, user site reputation, or click-fraud.
CAPEC-387: Navigation Remapping To Propagate Malicious Content
An adversary manipulates either egress or ingress data from a client within an application framework in order to change the content of messages and thereby circumvent the expected application logic.
CAPEC-388: Application API Button Hijacking
An attacker manipulates either egress or ingress data from a client within an application framework in order to change the destination and/or content of buttons displayed to a user within API messages. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that looks authentic but contains buttons that point to an attacker controlled destination.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.
CAPEC-701: Browser in the Middle (BiTM)
An adversary exploits the inherent functionalities of a web browser, in order to establish an unnoticed remote desktop connection in the victim's browser to the adversary's system. The adversary must deploy a web client with a remote desktop session that the victim can access.