CWE-303
AllowedIncorrect Implementation of Authentication Algorithm
Abstraction: Base · Status: Draft
The requirements for the product dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect.
153 vulnerabilities reference this CWE, most recent first.
GHSA-9475-XG6M-J7PW
Vulnerability from github – Published: 2020-04-22 20:59 – Updated: 2021-01-08 20:21Impact
Saml2 tokens are usually used as bearer tokens - a caller that presents a token is assumed to be the subject of the token. There is also support in the Saml2 protocol for issuing tokens that is tied to a subject through other means, e.g. holder-of-key where possession of a private key must be proved. The Sustainsys.Saml2 library incorrectly treats all incoming tokens as bearer tokens, even though they have another subject confirmation method specified. This could be used by an attacker that could get access to Saml2 tokens with another subject confirmation method than bearer. The attacker could then use such a tocken to create a log in session.
Patches
Version 1.0.2 and 2.7.0 are patched.
Workarounds
Ensure that any IdentityProvider trusted by the Sustainsys.Saml2 SP only issues bearer tokens if the audience matches the Sustainsys.Saml2 SP.
For more information
If you have any questions or comments about this advisory: * Comment on #103 * Email us at security@sustainsys.com if you think that there are further security issues.
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "Sustainsys.Saml2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Sustainsys.Saml2"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.7.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-5268"
],
"database_specific": {
"cwe_ids": [
"CWE-303"
],
"github_reviewed": true,
"github_reviewed_at": "2020-04-21T18:41:43Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\nSaml2 tokens are usually used as bearer tokens - a caller that presents a token is assumed to be the subject of the token. There is also support in the Saml2 protocol for issuing tokens that is tied to a subject through other means, e.g. holder-of-key where possession of a private key must be proved.\nThe Sustainsys.Saml2 library incorrectly treats all incoming tokens as bearer tokens, even though they have another subject confirmation method specified. This could be used by an attacker that could get access to Saml2 tokens with another subject confirmation method than bearer. The attacker could then use such a tocken to create a log in session.\n\n### Patches\nVersion 1.0.2 and 2.7.0 are patched.\n\n### Workarounds\nEnsure that any IdentityProvider trusted by the Sustainsys.Saml2 SP only issues bearer tokens if the audience matches the Sustainsys.Saml2 SP.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Comment on #103\n* Email us at security@sustainsys.com if you think that there are further security issues.",
"id": "GHSA-9475-xg6m-j7pw",
"modified": "2021-01-08T20:21:35Z",
"published": "2020-04-22T20:59:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Sustainsys/Saml2/security/advisories/GHSA-9475-xg6m-j7pw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5268"
},
{
"type": "WEB",
"url": "https://github.com/Sustainsys/Saml2/issues/712"
},
{
"type": "WEB",
"url": "https://github.com/Sustainsys/Saml2/commit/e58e0a1aff2b1ead6aca080b7cdced55ee6d5241"
},
{
"type": "WEB",
"url": "https://www.nuget.org/packages/Sustainsys.Saml2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Subject Confirmation Method not validated in Saml2 Authentication Services for ASP.NET"
}
GHSA-9MRV-8PVF-HF4M
Vulnerability from github – Published: 2026-06-12 12:31 – Updated: 2026-07-10 12:31The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' (Audience) claims of incoming JWT access tokens. This allows a JWT issued for one Resource Server to be successfully replayed against a completely different Resource Server, leading to Token Confusion/Routing attacks. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.
{
"affected": [],
"aliases": [
"CVE-2026-50627"
],
"database_specific": {
"cwe_ids": [
"CWE-289",
"CWE-303"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-12T10:16:22Z",
"severity": "CRITICAL"
},
"details": "The JwtAccessTokenValidator class in Apache CXF fails to validate the \u0027aud\u0027 (Audience) claims of incoming JWT access tokens. This allows a JWT issued for one Resource Server to be successfully replayed against a completely different Resource Server, leading to Token Confusion/Routing attacks.\u00a0Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.",
"id": "GHSA-9mrv-8pvf-hf4m",
"modified": "2026-07-10T12:31:37Z",
"published": "2026-06-12T12:31:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50627"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:37390"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-50627"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488298"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/0jfzz9q992957b99tw7hodcqjfyxwb1m"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-50627.json"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/06/11/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C3RR-7229-8P7F
Vulnerability from github – Published: 2024-11-20 09:32 – Updated: 2026-02-23 12:31Authentication bypass condition in LDAP authentication in M-Files server versions before 24.11 supported usage of OpenLDAP configurations that allowed user authentication without a password when the LDAP server itself had the vulnerable configuration.
{
"affected": [],
"aliases": [
"CVE-2024-10127"
],
"database_specific": {
"cwe_ids": [
"CWE-303"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-20T09:15:04Z",
"severity": "CRITICAL"
},
"details": "Authentication bypass condition in LDAP authentication in M-Files server versions before 24.11 supported usage of OpenLDAP configurations that allowed user authentication without a password when the LDAP server itself had the vulnerable configuration.",
"id": "GHSA-c3rr-7229-8p7f",
"modified": "2026-02-23T12:31:29Z",
"published": "2024-11-20T09:32:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10127"
},
{
"type": "WEB",
"url": "https://empower.m-files.com/security-advisories/CVE-2024-10127"
},
{
"type": "WEB",
"url": "https://product.m-files.com/security-advisories/CVE-2024-10127"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-C4FM-X36H-PWF6
Vulnerability from github – Published: 2025-08-13 03:30 – Updated: 2025-08-13 21:30Inappropriate implementation in File Picker in Google Chrome prior to 139.0.7258.127 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
{
"affected": [],
"aliases": [
"CVE-2025-8881"
],
"database_specific": {
"cwe_ids": [
"CWE-303"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-13T03:15:38Z",
"severity": "MODERATE"
},
"details": "Inappropriate implementation in File Picker in Google Chrome prior to 139.0.7258.127 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)",
"id": "GHSA-c4fm-x36h-pwf6",
"modified": "2025-08-13T21:30:27Z",
"published": "2025-08-13T03:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8881"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2025/08/stable-channel-update-for-desktop_12.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/433800617"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CF66-C678-24R2
Vulnerability from github – Published: 2026-06-22 18:34 – Updated: 2026-07-08 09:31Incorrect caching of authentication between different users of the qSnapper dbus service before version 1.3.3 allowed any local attacker to use dbus functions after a privileged users has authenticated for them.
{
"affected": [],
"aliases": [
"CVE-2026-41049"
],
"database_specific": {
"cwe_ids": [
"CWE-303",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-22T16:16:35Z",
"severity": "HIGH"
},
"details": "Incorrect caching of authentication between different users of the\u00a0 qSnapper dbus service before version 1.3.3 allowed any local attacker to use dbus functions after a privileged users has authenticated for them.",
"id": "GHSA-cf66-c678-24r2",
"modified": "2026-07-08T09:31:46Z",
"published": "2026-06-22T18:34:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41049"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1262218"
},
{
"type": "WEB",
"url": "https://github.com/presire/qSnapper/releases/tag/v1.3.3"
},
{
"type": "WEB",
"url": "https://security.opensuse.org/2026/05/26/qsnapper-dbus-issues.html#issue-auth-caching"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-CMP6-J4F4-VM9F
Vulnerability from github – Published: 2025-12-03 15:30 – Updated: 2025-12-03 18:30The WP Directory Kit plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.4.4 due to incorrect implementation of the authentication algorithm in the "wdk_generate_auto_login_link" function. This is due to the feature using a cryptographically weak token generation mechanism. This makes it possible for unauthenticated attackers to gain administrative access and achieve full site takeover via the auto-login endpoint with a predictable token.
{
"affected": [],
"aliases": [
"CVE-2025-13390"
],
"database_specific": {
"cwe_ids": [
"CWE-303"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-03T14:15:48Z",
"severity": "CRITICAL"
},
"details": "The WP Directory Kit plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.4.4 due to incorrect implementation of the authentication algorithm in the \"wdk_generate_auto_login_link\" function. This is due to the feature using a cryptographically weak token generation mechanism. This makes it possible for unauthenticated attackers to gain administrative access and achieve full site takeover via the auto-login endpoint with a predictable token.",
"id": "GHSA-cmp6-j4f4-vm9f",
"modified": "2025-12-03T18:30:24Z",
"published": "2025-12-03T15:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13390"
},
{
"type": "WEB",
"url": "https://github.com/d0n601/CVE-2025-13390"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3400599/wpdirectorykit"
},
{
"type": "WEB",
"url": "https://ryankozak.com/posts/cve-2025-13390"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6598d171-e68c-4d2f-9cd1-f1574fa90433?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FG35-5RF6-QG3G
Vulnerability from github – Published: 2026-03-25 18:31 – Updated: 2026-03-31 05:19Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to properly validate user identity in the OpenID {{IsSameUser()}} comparison logic, which allows an attacker to take over arbitrary user accounts via an overly permissive substring matching flaw in the user discovery flow. Mattermost Advisory ID: MMSA-2026-00590
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server"
},
"ranges": [
{
"events": [
{
"introduced": "11.4.0-rc1"
},
{
"fixed": "11.4.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server"
},
"ranges": [
{
"events": [
{
"introduced": "11.3.0-rc1"
},
{
"fixed": "11.3.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server"
},
"ranges": [
{
"events": [
{
"introduced": "11.2.0-rc1"
},
{
"fixed": "11.2.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c 10.11.2"
},
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server"
},
"ranges": [
{
"events": [
{
"introduced": "10.11.0-rc1"
},
{
"fixed": "10.11.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0-20260105080200-d27a2195068d"
},
{
"fixed": "8.0.0-20260217110922-b7d4a1f1f59b"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-27656"
],
"database_specific": {
"cwe_ids": [
"CWE-303"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-31T05:19:17Z",
"nvd_published_at": "2026-03-25T17:16:56Z",
"severity": "MODERATE"
},
"details": "Mattermost versions 11.4.x \u003c= 11.4.0, 11.3.x \u003c= 11.3.1, 11.2.x \u003c= 11.2.3, 10.11.x \u003c= 10.11.11 fail to properly validate user identity in the OpenID {{IsSameUser()}} comparison logic, which allows an attacker to take over arbitrary user accounts via an overly permissive substring matching flaw in the user discovery flow. Mattermost Advisory ID: MMSA-2026-00590",
"id": "GHSA-fg35-5rf6-qg3g",
"modified": "2026-03-31T05:19:17Z",
"published": "2026-03-25T18:31:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27656"
},
{
"type": "PACKAGE",
"url": "https://github.com/mattermost/mattermost"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Mattermost allows attackers to take over arbitrary user accounts via overly permissive substring matching flaw"
}
GHSA-FGQ7-V63G-3F6X
Vulnerability from github – Published: 2024-11-12 18:30 – Updated: 2024-11-12 18:30In WS_FTP Server versions before 8.8.9 (2022.0.9), an Incorrect Implementation of Authentication Algorithm in the Web Transfer Module allows users to skip the second-factor verification and log in with username and password only.
{
"affected": [],
"aliases": [
"CVE-2024-9999"
],
"database_specific": {
"cwe_ids": [
"CWE-303"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-12T17:15:12Z",
"severity": "MODERATE"
},
"details": "In WS_FTP Server versions before 8.8.9 (2022.0.9), an Incorrect Implementation of Authentication Algorithm in the Web Transfer Module allows users to skip the second-factor verification and log in with username and password only.",
"id": "GHSA-fgq7-v63g-3f6x",
"modified": "2024-11-12T18:30:57Z",
"published": "2024-11-12T18:30:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9999"
},
{
"type": "WEB",
"url": "https://community.progress.com/s/article/WS-FTP-Server-Service-Pack-November-2024"
},
{
"type": "WEB",
"url": "https://www.progress.com/ftp-server"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FRC2-W2CC-X794
Vulnerability from github – Published: 2024-04-09 12:30 – Updated: 2024-04-15 20:19In Eclipse Kura LogServlet component included in versions 5.0.0 to 5.4.1, a specifically crafted request to the servlet can allow an unauthenticated user to retrieve the device logs. Also, downloaded logs may be used by an attacker to perform privilege escalation by using the session id of an authenticated user reported in logs.
This issue affects org.eclipse.kura:org.eclipse.kura.web2 version range [2.0.600, 2.4.0], which is included in Eclipse Kura version range [5.0.0, 5.4.1].
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.eclipse.kura:org.eclipse.kura.web2"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.600"
},
{
"last_affected": "2.4.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-3046"
],
"database_specific": {
"cwe_ids": [
"CWE-303"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-09T18:53:17Z",
"nvd_published_at": "2024-04-09T10:15:08Z",
"severity": "HIGH"
},
"details": "In Eclipse Kura LogServlet component included in versions 5.0.0 to 5.4.1, a specifically crafted request to the servlet can allow an unauthenticated user to retrieve the device logs. Also, downloaded logs may be used by an attacker to perform privilege escalation by using the session id of an authenticated user reported in logs.\n\nThis issue affects org.eclipse.kura:org.eclipse.kura.web2 version range [2.0.600, 2.4.0], which is included in Eclipse Kura version range [5.0.0, 5.4.1].",
"id": "GHSA-frc2-w2cc-x794",
"modified": "2024-04-15T20:19:17Z",
"published": "2024-04-09T12:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3046"
},
{
"type": "PACKAGE",
"url": "https://github.com/eclipse/kura"
},
{
"type": "WEB",
"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/188"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Eclipse Kura LogServlet vulnerability"
}
GHSA-FWV7-JRXJ-Q9QV
Vulnerability from github – Published: 2023-06-13 09:30 – Updated: 2024-04-04 04:45A vulnerability has been identified in Mendix SAML (Mendix 7 compatible) (All versions >= V1.17.3 < V1.18.0), Mendix SAML (Mendix 7 compatible) (All versions >= V1.16.4 < V1.17.3), Mendix SAML (Mendix 8 compatible) (All versions >= V2.3.0 < V2.4.0), Mendix SAML (Mendix 8 compatible) (All versions >= V2.2.0 < V2.3.0), Mendix SAML (Mendix 9 compatible, New Track) (All versions >= V3.3.1 < V3.6.1), Mendix SAML (Mendix 9 compatible, New Track) (All versions >= V3.1.9 < V3.3.1), Mendix SAML (Mendix 9 compatible, Upgrade Track) (All versions >= V3.3.0 < V3.6.0), Mendix SAML (Mendix 9 compatible, Upgrade Track) (All versions >= V3.1.8 < V3.3.0). The affected versions of the module insufficiently verifies the SAML assertions. This could allow unauthenticated remote attackers to bypass authentication and get access to the application.
This CVE entry describes the incomplete fix for CVE-2023-25957 in a specific non default configuration.
{
"affected": [],
"aliases": [
"CVE-2023-29129"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-303"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-13T09:15:16Z",
"severity": "CRITICAL"
},
"details": "A vulnerability has been identified in Mendix SAML (Mendix 7 compatible) (All versions \u003e= V1.17.3 \u003c V1.18.0), Mendix SAML (Mendix 7 compatible) (All versions \u003e= V1.16.4 \u003c V1.17.3), Mendix SAML (Mendix 8 compatible) (All versions \u003e= V2.3.0 \u003c V2.4.0), Mendix SAML (Mendix 8 compatible) (All versions \u003e= V2.2.0 \u003c V2.3.0), Mendix SAML (Mendix 9 compatible, New Track) (All versions \u003e= V3.3.1 \u003c V3.6.1), Mendix SAML (Mendix 9 compatible, New Track) (All versions \u003e= V3.1.9 \u003c V3.3.1), Mendix SAML (Mendix 9 compatible, Upgrade Track) (All versions \u003e= V3.3.0 \u003c V3.6.0), Mendix SAML (Mendix 9 compatible, Upgrade Track) (All versions \u003e= V3.1.8 \u003c V3.3.0). The affected versions of the module insufficiently verifies the SAML assertions. This could allow unauthenticated remote attackers to bypass authentication and get access to the application.\n\nThis CVE entry describes the incomplete fix for CVE-2023-25957 in a specific non default configuration.",
"id": "GHSA-fwv7-jrxj-q9qv",
"modified": "2024-04-04T04:45:46Z",
"published": "2023-06-13T09:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29129"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-851884.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
CAPEC-90: Reflection Attack in Authentication Protocol
An adversary can abuse an authentication protocol susceptible to reflection attack in order to defeat it. Doing so allows the adversary illegitimate access to the target system, without possessing the requisite credentials. Reflection attacks are of great concern to authentication protocols that rely on a challenge-handshake or similar mechanism. An adversary can impersonate a legitimate user and can gain illegitimate access to the system by successfully mounting a reflection attack during authentication.