Common Weakness Enumeration

CWE-304

Allowed

Missing Critical Step in Authentication

Abstraction: Base · Status: Draft

The product implements an authentication technique, but it skips a step that weakens the technique.

60 vulnerabilities reference this CWE, most recent first.

GHSA-5GJG-JGH4-GPPM

Vulnerability from github – Published: 2021-06-23 17:26 – Updated: 2026-01-23 22:35
VLAI
Summary
Websocket requests did not call AuthenticateMethod
Details

Impact

Depending on implementation, a denial-of-service or privilege escalation vulnerability may occur in software that uses the github.com/ecnepsnai/web package with Web Sockets that have an AuthenticateMethod.

The AuthenticateMethod is not called, and UserData will be nil in request methods. Attempts to read the UserData may result in a panic.

This issue only affects web sockets where an AuthenticateMethod is supplied to the handle options. Users who do not use web sockets, or users who do not require authentication are not at risk.

Example

In the example below, one would expect that the AuthenticateMethod function would be called for each request to /example

handleOptions := web.HandleOptions{
    AuthenticateMethod: func(request *http.Request) interface{} {
        // Assume there is logic here to check for an active sessions, look at cookies or headers, etc...
        var session Session{} // Example

        return session
    },
}

server.Socket("/example", handle, handleOptions)

However, the method is not called, and therefor the UserData parameter of the request object in the handle will be nil, when it would have been expected to be the session object we returned.

Patches

Release v1.5.2 fixes this vulnerability. The authenticate method is now called for websocket requests.

All users of the web package should update to v1.5.2 or later.

Workarounds

You may work around this issue by making the authenticate method a named function, then calling that function at the start of the handle method for the websocket. Reject connections when the return value of the method is nil.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/ecnepsnai/web"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.4.0"
            },
            {
              "fixed": "1.5.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-4236"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-304",
      "CWE-400",
      "CWE-476"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-21T17:41:20Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nDepending on implementation, a denial-of-service or privilege escalation vulnerability may occur in software that uses the `github.com/ecnepsnai/web` package with Web Sockets that have an AuthenticateMethod.\n\nThe `AuthenticateMethod` is not called, and `UserData` will be nil in request methods. Attempts to read the `UserData` may result in a panic.\n\nThis issue only affects web sockets where an `AuthenticateMethod` is supplied to the handle options. Users who do not use web sockets, or users who do not require authentication are not at risk.\n\n#### Example\n\nIn the example below, one would expect that the `AuthenticateMethod` function would be called for each request to `/example`\n\n```go\nhandleOptions := web.HandleOptions{\n\tAuthenticateMethod: func(request *http.Request) interface{} {\n\t\t// Assume there is logic here to check for an active sessions, look at cookies or headers, etc...\n\t\tvar session Session{} // Example\n\n\t\treturn session\n\t},\n}\n\nserver.Socket(\"/example\", handle, handleOptions)\n```\n\nHowever, the method is not called, and therefor the `UserData` parameter of the request object in the handle will be nil, when it would have been expected to be the `session` object we returned.\n\n### Patches\n\nRelease v1.5.2 fixes this vulnerability. The authenticate method is now called for websocket requests.\n\nAll users of the web package should update to v1.5.2 or later.\n\n### Workarounds\n\nYou may work around this issue by making the authenticate method a named function, then calling that function at the start of the handle method for the websocket. Reject connections when the return value of the method is nil.",
  "id": "GHSA-5gjg-jgh4-gppm",
  "modified": "2026-01-23T22:35:54Z",
  "published": "2021-06-23T17:26:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ecnepsnai/web/security/advisories/GHSA-5gjg-jgh4-gppm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4236"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ecnepsnai/web/commit/5a78f8d5c41ce60dcf9f61aaf47a7a8dc3e0002f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ecnepsnai/web"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2021-0107"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Websocket requests did not call AuthenticateMethod"
}

GHSA-6W2C-F4VG-J9HV

Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-20 12:32
VLAI
Details

A missing authentication check in the uninstall endpoint of parisneo/lollms-webui V13 allows attackers to perform unauthorized directory deletions. The /uninstall/{app_name} API endpoint does not call the check_access() function to verify the client_id, enabling attackers to delete directories without proper authentication.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-9919"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-304",
      "CWE-306"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-20T10:15:50Z",
    "severity": "HIGH"
  },
  "details": "A missing authentication check in the uninstall endpoint of parisneo/lollms-webui V13 allows attackers to perform unauthorized directory deletions. The /uninstall/{app_name} API endpoint does not call the check_access() function to verify the client_id, enabling attackers to delete directories without proper authentication.",
  "id": "GHSA-6w2c-f4vg-j9hv",
  "modified": "2025-03-20T12:32:51Z",
  "published": "2025-03-20T12:32:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9919"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/5c00f56b-32a8-4e26-a4e3-de64f139da6b"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-76Q6-GFMM-Q894

Vulnerability from github – Published: 2025-03-19 09:30 – Updated: 2026-06-01 15:30
VLAI
Details

Missing Critical Step in Authentication vulnerability in Elfatek Elektronics ANKA JPD-00028 allows Authentication Bypass.This issue affects ANKA JPD-00028: through 19.03.2025.

NOTE: The vendor did not inform about the completion of the fixing process within the specified time. The CVE will be updated when new information becomes available.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-12136"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-304"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-19T09:15:12Z",
    "severity": "MODERATE"
  },
  "details": "Missing Critical Step in Authentication vulnerability in Elfatek Elektronics ANKA JPD-00028 allows Authentication Bypass.This issue affects ANKA JPD-00028: through 19.03.2025.\n\nNOTE: The vendor did not inform about the completion of the fixing process within the specified time. The CVE will be updated when new information becomes available.",
  "id": "GHSA-76q6-gfmm-q894",
  "modified": "2026-06-01T15:30:32Z",
  "published": "2025-03-19T09:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12136"
    },
    {
      "type": "WEB",
      "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0071"
    },
    {
      "type": "WEB",
      "url": "https://www.usom.gov.tr/bildirim/tr-25-0071"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7895-GFFQ-W6JQ

Vulnerability from github – Published: 2026-06-29 21:32 – Updated: 2026-06-30 15:30
VLAI
Details

Missing Critical Step in Authentication vulnerability in Apache Tomcat when the JNDIRealm was configured to authenticate binds using GSSAPI allowed attackers to authenticate without provided the correct password.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.4, from 10.1.0-M1 through 10.1.36, from 9.0.0.M1 through 9.0.100, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.

Users are recommended to upgrade to version 11.0.5, 10.1.37 or 9.0.101, which fixes the issue.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-55957"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-304"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-29T21:16:45Z",
    "severity": "HIGH"
  },
  "details": "Missing Critical Step in Authentication vulnerability in Apache Tomcat when the JNDIRealm was configured to authenticate binds using GSSAPI allowed attackers to authenticate without provided the correct password.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.4, from 10.1.0-M1 through 10.1.36, from 9.0.0.M1 through 9.0.100, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.\n\nUsers are recommended to upgrade to version 11.0.5, 10.1.37 or 9.0.101, which fixes the issue.",
  "id": "GHSA-7895-gffq-w6jq",
  "modified": "2026-06-30T15:30:43Z",
  "published": "2026-06-29T21:32:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-55957"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/7fk339o5jvd4mcgsf0chbrn4o525ccjh"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/06/29/26"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7GWG-2MR3-XHPM

Vulnerability from github – Published: 2025-04-17 18:31 – Updated: 2025-04-23 18:30
VLAI
Details

In JetBrains Toolbox App before 2.6 the SSH plugin established connections without sufficient user confirmation

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-43014"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-304"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-17T16:16:00Z",
    "severity": "MODERATE"
  },
  "details": "In JetBrains Toolbox App before 2.6 the SSH plugin established connections without sufficient user confirmation",
  "id": "GHSA-7gwg-2mr3-xhpm",
  "modified": "2025-04-23T18:30:56Z",
  "published": "2025-04-17T18:31:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43014"
    },
    {
      "type": "WEB",
      "url": "https://www.jetbrains.com/privacy-security/issues-fixed"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7QMP-3HH8-G4VW

Vulnerability from github – Published: 2024-08-01 18:32 – Updated: 2024-08-01 18:32
VLAI
Details

In parisneo/lollms-webui version v9.8, the lollms_binding_infos is missing the client_id parameter, which leads to multiple security vulnerabilities. Specifically, the endpoints /reload_binding, /install_binding, /reinstall_binding, /unInstall_binding, /set_active_binding_settings, and /update_binding_settings are susceptible to CSRF attacks and local attacks. An attacker can exploit this vulnerability to perform unauthorized actions on the victim's machine.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-6040"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-304",
      "CWE-352"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-01T16:15:06Z",
    "severity": "MODERATE"
  },
  "details": "In parisneo/lollms-webui version v9.8, the lollms_binding_infos is missing the client_id parameter, which leads to multiple security vulnerabilities. Specifically, the endpoints /reload_binding, /install_binding, /reinstall_binding, /unInstall_binding, /set_active_binding_settings, and /update_binding_settings are susceptible to CSRF attacks and local attacks. An attacker can exploit this vulnerability to perform unauthorized actions on the victim\u0027s machine.",
  "id": "GHSA-7qmp-3hh8-g4vw",
  "modified": "2024-08-01T18:32:50Z",
  "published": "2024-08-01T18:32:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6040"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/ac0bbb1d-89aa-42ba-bc48-1b59bd16acc7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-89PX-WW3J-G2MM

Vulnerability from github – Published: 2019-11-29 17:05 – Updated: 2024-11-19 15:48
VLAI
Summary
2FA bypass in Wagtail through new device path
Details

2FA bypass through new device path

Impact

If someone gains access to someone's Wagtail login credentials, they can log into the CMS and bypass the 2FA check by changing the URL. They can then add a new device and gain full access to the CMS.

Patches

This problem has been patched in version 1.3.0.

Workarounds

There is no workaround at the moment.

For more information

If you have any questions or comments about this advisory: * Open an issue in github.com/labd/wagtail-2fa * Email us at security@labdigital.nl

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "wagtail-2fa"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-16766"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290",
      "CWE-304"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:25:10Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## 2FA bypass through new device path\n\n### Impact\nIf someone gains access to someone\u0027s Wagtail login credentials, they can log into the CMS and bypass the 2FA check by changing the URL. They can then add a new device and gain full access to the CMS.\n\n### Patches\nThis problem has been patched in version 1.3.0.\n\n### Workarounds\nThere is no workaround at the moment.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [github.com/labd/wagtail-2fa](https://github.com/labd/wagtail-2fa)\n* Email us at [security@labdigital.nl](mailto:security@labdigital.nl)",
  "id": "GHSA-89px-ww3j-g2mm",
  "modified": "2024-11-19T15:48:33Z",
  "published": "2019-11-29T17:05:59Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/labd/wagtail-2fa/security/advisories/GHSA-89px-ww3j-g2mm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16766"
    },
    {
      "type": "WEB",
      "url": "https://github.com/labd/wagtail-2fa/commit/13b12995d35b566df08a17257a23863ab6efb0ca"
    },
    {
      "type": "WEB",
      "url": "https://github.com/labd/wagtail-2fa/commit/a6711b29711729005770ff481b22675b35ff5c81"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/labd/wagtail-2fa"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/wagtail-2fa/PYSEC-2019-135.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "2FA bypass in Wagtail through new device path"
}

GHSA-97G8-XFVW-Q4HG

Vulnerability from github – Published: 2022-12-13 19:44 – Updated: 2023-09-20 22:30
VLAI
Summary
Keycloak vulnerable to session takeover with OIDC offline refreshtokens
Details

An issue was discovered in Keycloak when using a client with the offline_access scope. Reuse of session ids across root and user authentication sessions and a lack of root session validation enabled attackers to resolve a user session attached to a different previously authenticated user.

This issue most affects users of shared computers. Suppose a user logs out of their account (without clearing their cookies) in a mobile app or similar client that includes the offline_access scope, and another user authenticates to the application. In that case, it will share the same root session id, and when utilizing the refresh token, they will be issued a token for the original user.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 19.0.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.keycloak:keycloak-parent"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "20.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-3916"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-304",
      "CWE-488",
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-13T19:44:33Z",
    "nvd_published_at": "2023-09-20T15:15:11Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Keycloak when using a client with the `offline_access` scope. Reuse of session ids across root and user authentication sessions and a lack of root session validation enabled attackers to resolve a user session attached to a different previously authenticated user.\n\nThis issue most affects users of shared computers. Suppose a user logs out of their account (without clearing their cookies) in a mobile app or similar client that includes the `offline_access` scope, and another user authenticates to the application. In that case, it will share the same root session id, and when utilizing the refresh token, they will be issued a token for the original user.",
  "id": "GHSA-97g8-xfvw-q4hg",
  "modified": "2023-09-20T22:30:19Z",
  "published": "2022-12-13T19:44:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-97g8-xfvw-q4hg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3916"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2022:8961"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2022:8962"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2022:8963"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2022:8964"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2022:8965"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2023:1043"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2023:1044"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2023:1045"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2023:1047"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2023:1049"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2022-3916"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2141404"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/keycloak/keycloak"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Keycloak vulnerable to session takeover with OIDC offline refreshtokens"
}

GHSA-FHFG-FRX8-7458

Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-20 12:32
VLAI
Details

In composiohq/composio version 0.5.10, the API does not validate the x-api-key header's value during the authentication step. This vulnerability allows an attacker to bypass authentication by providing any random value in the x-api-key header, thereby gaining unauthorized access to the server.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-8954"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-304"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-20T10:15:44Z",
    "severity": "CRITICAL"
  },
  "details": "In composiohq/composio version 0.5.10, the API does not validate the `x-api-key` header\u0027s value during the authentication step. This vulnerability allows an attacker to bypass authentication by providing any random value in the `x-api-key` header, thereby gaining unauthorized access to the server.",
  "id": "GHSA-fhfg-frx8-7458",
  "modified": "2025-03-20T12:32:49Z",
  "published": "2025-03-20T12:32:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8954"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/f1e0fdce-00d7-4261-a466-923062800b12"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FHR7-8JX4-R9CP

Vulnerability from github – Published: 2023-12-30 00:30 – Updated: 2024-11-18 16:26
VLAI
Summary
Infinispan REST Server's bulk read endpoints do not properly evaluate user permissions
Details

A flaw was found in Infinispan's REST. Bulk read endpoints do not properly evaluate user permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.infinispan:infinispan-server-rest"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "15.0.0.Dev01"
            },
            {
              "fixed": "15.0.0.Dev04"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.infinispan:infinispan-server-rest"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.0.18.Final"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-3628"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-304"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-16T17:19:18Z",
    "nvd_published_at": "2023-12-18T14:15:08Z",
    "severity": "HIGH"
  },
  "details": "A flaw was found in Infinispan\u0027s REST. Bulk read endpoints do not properly evaluate user permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions.",
  "id": "GHSA-fhr7-8jx4-r9cp",
  "modified": "2024-11-18T16:26:34Z",
  "published": "2023-12-30T00:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3628"
    },
    {
      "type": "WEB",
      "url": "https://github.com/infinispan/infinispan/commit/70a50352d9195753a588d0fba8c2063b99f96263"
    },
    {
      "type": "WEB",
      "url": "https://github.com/infinispan/infinispan/commit/b34488dcab8bdd4258972568b8405ee7111276ec"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2023:5396"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2023-3628"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2217924"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/infinispan/infinispan"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20240125-0004"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Infinispan REST Server\u0027s bulk read endpoints do not properly evaluate user permissions"
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.