CWE-305
AllowedAuthentication Bypass by Primary Weakness
Abstraction: Base · Status: Draft
The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.
281 vulnerabilities reference this CWE, most recent first.
GHSA-C5G3-M8P9-M3GH
Vulnerability from github – Published: 2026-05-20 12:30 – Updated: 2026-06-05 12:31In src/havegecmd.c, the socket_handler function performs a credential check on the abstract UNIX socket (\0/sys/entropy/haveged). However, while it detects if the connecting user is not root (cred.uid != 0) and prepares a negative acknowledgement (ASCII_NAK), it fails to stop execution. The code proceeds to the switch statement, allowing any local unprivileged user to execute privileged commands such as MAGIC_CHROOT.
{
"affected": [],
"aliases": [
"CVE-2026-41054"
],
"database_specific": {
"cwe_ids": [
"CWE-305"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-20T10:16:26Z",
"severity": "HIGH"
},
"details": "In `src/havegecmd.c`, the `socket_handler` function performs a credential check on the abstract UNIX socket (`\\0/sys/entropy/haveged`). However, while it detects if the connecting user is not root (`cred.uid != 0`) and prepares a negative acknowledgement (`ASCII_NAK`), it **fails to stop execution**. The code proceeds to the `switch` statement, allowing any local unprivileged user to execute privileged commands such as `MAGIC_CHROOT`.",
"id": "GHSA-c5g3-m8p9-m3gh",
"modified": "2026-06-05T12:31:45Z",
"published": "2026-05-20T12:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41054"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2026-41054"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2026/06/msg00005.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/05/19/3"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/05/19/4"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/05/19/5"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/05/20/1"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/05/21/17"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/05/22/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CGJ3-CVG6-PCVH
Vulnerability from github – Published: 2023-03-30 21:30 – Updated: 2024-03-27 15:30An authentication bypass vulnerability exists in libcurl v8.0.0 where it reuses a previously established SSH connection despite the fact that an SSH option was modified, which should have prevented reuse. libcurl maintains a pool of previously used connections to reuse them for subsequent transfers if the configurations match. However, two SSH settings were omitted from the configuration check, allowing them to match easily, potentially leading to the reuse of an inappropriate connection.
{
"affected": [],
"aliases": [
"CVE-2023-27538"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-305"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-30T20:15:00Z",
"severity": "MODERATE"
},
"details": "An authentication bypass vulnerability exists in libcurl v8.0.0 where it reuses a previously established SSH connection despite the fact that an SSH option was modified, which should have prevented reuse. libcurl maintains a pool of previously used connections to reuse them for subsequent transfers if the configurations match. However, two SSH settings were omitted from the configuration check, allowing them to match easily, potentially leading to the reuse of an inappropriate connection.",
"id": "GHSA-cgj3-cvg6-pcvh",
"modified": "2024-03-27T15:30:36Z",
"published": "2023-03-30T21:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27538"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/1898475"
},
{
"type": "WEB",
"url": "https://curl.se/docs/CVE-2023-27538.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/36NBD5YLJXXEDZLDGNFCERWRYJQ6LAQW"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202310-12"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20230420-0010"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CJ3P-4JRQ-MG7X
Vulnerability from github – Published: 2024-10-17 15:31 – Updated: 2024-12-03 18:31A vulnerability was found in Quay, which allows successful authentication even when a truncated password version is provided. This flaw affects the authentication mechanism, reducing the overall security of password enforcement. While the risk is relatively low due to the typical length of the passwords used (73 characters), this vulnerability can still be exploited to reduce the complexity of brute-force or password-guessing attacks. The truncation of passwords weakens the overall authentication process, thereby reducing the effectiveness of password policies and potentially increasing the risk of unauthorized access in the future.
{
"affected": [],
"aliases": [
"CVE-2024-9683"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-305"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-17T15:15:13Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in Quay, which allows successful authentication even when a truncated password version is provided. This flaw affects the authentication mechanism, reducing the overall security of password enforcement.\u00a0 While the risk is relatively low due to the typical length of the passwords used (73 characters), this vulnerability can still be exploited to reduce the complexity of brute-force or password-guessing attacks. The truncation of passwords weakens the overall authentication process, thereby reducing the effectiveness of password policies and potentially increasing the risk of unauthorized access in the future.",
"id": "GHSA-cj3p-4jrq-mg7x",
"modified": "2024-12-03T18:31:02Z",
"published": "2024-10-17T15:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9683"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-9683"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2317559"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CQQ6-V7J5-VR3P
Vulnerability from github – Published: 2023-03-31 09:30 – Updated: 2023-04-06 18:30Panasonic AiSEG2 versions 2.00J through 2.93A allows adjacent attackers bypass authentication due to mishandling of X-Forwarded-For headers.
{
"affected": [],
"aliases": [
"CVE-2023-28727"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-305"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-31T07:15:00Z",
"severity": "HIGH"
},
"details": "Panasonic AiSEG2 versions 2.00J through 2.93A allows adjacent attackers bypass authentication due to mishandling of X-Forwarded-For headers.",
"id": "GHSA-cqq6-v7j5-vr3p",
"modified": "2023-04-06T18:30:15Z",
"published": "2023-03-31T09:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28727"
},
{
"type": "WEB",
"url": "https://www2.panasonic.biz/jp/densetsu/aiseg/firmup_info.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CXQ4-8FF4-35JM
Vulnerability from github – Published: 2023-12-30 21:30 – Updated: 2024-10-10 18:31Improper privilege management vulnerability in CoolKit Technology eWeLink on Android and iOS allows application lockscreen bypass.This issue affects eWeLink before 5.2.0.
{
"affected": [],
"aliases": [
"CVE-2023-6998"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-305"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-30T19:15:08Z",
"severity": "HIGH"
},
"details": "Improper privilege management vulnerability in CoolKit Technology eWeLink on Android and iOS allows application lockscreen bypass.This issue affects eWeLink before 5.2.0.\n\n",
"id": "GHSA-cxq4-8ff4-35jm",
"modified": "2024-10-10T18:31:07Z",
"published": "2023-12-30T21:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6998"
},
{
"type": "WEB",
"url": "https://cert.pl/en/posts/2023/12/CVE-2023-6998"
},
{
"type": "WEB",
"url": "https://cert.pl/posts/2023/12/CVE-2023-6998"
},
{
"type": "WEB",
"url": "https://ewelink.cc/app"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F24P-XRCJ-VXHH
Vulnerability from github – Published: 2024-03-27 15:30 – Updated: 2026-05-20 12:30Authentication Bypass by Primary Weakness vulnerability in TeoSOFT Software TeoBASE allows Authentication Bypass.This issue affects TeoBASE: through 20240327. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2023-6153"
],
"database_specific": {
"cwe_ids": [
"CWE-305"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-27T13:15:46Z",
"severity": "CRITICAL"
},
"details": "Authentication Bypass by Primary Weakness vulnerability in TeoSOFT Software TeoBASE allows Authentication Bypass.This issue affects TeoBASE: through 20240327.\u00a0NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-f24p-xrcj-vxhh",
"modified": "2026-05-20T12:30:35Z",
"published": "2024-03-27T15:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6153"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-24-0238"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-24-0238"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FC7V-6H7H-M2W9
Vulnerability from github – Published: 2024-03-21 03:36 – Updated: 2026-06-03 18:33Authentication Bypass by Primary Weakness vulnerability in XPodas Octopod allows Authentication Bypass.This issue affects Octopod: before v1.
NOTE: The vendor was contacted and it was learned that the product is not supported.
{
"affected": [],
"aliases": [
"CVE-2024-1202"
],
"database_specific": {
"cwe_ids": [
"CWE-305"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-21T02:51:38Z",
"severity": "CRITICAL"
},
"details": "Authentication Bypass by Primary Weakness vulnerability in XPodas Octopod allows Authentication Bypass.This issue affects Octopod: before v1.\u00a0\n\nNOTE:\u00a0The vendor was contacted and it was learned that the product is not supported.",
"id": "GHSA-fc7v-6h7h-m2w9",
"modified": "2026-06-03T18:33:04Z",
"published": "2024-03-21T03:36:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1202"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-24-0174"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-24-0174"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FF32-CMVQ-X6C5
Vulnerability from github – Published: 2025-01-09 09:31 – Updated: 2025-01-09 15:31SSL-VPN MFA Bypass in SonicWALL SSL-VPN can arise in specific cases due to the separate handling of UPN (User Principal Name) and SAM (Security Account Manager) account names when integrated with Microsoft Active Directory, allowing MFA to be configured independently for each login method and potentially enabling attackers to bypass MFA by exploiting the alternative account name.
{
"affected": [],
"aliases": [
"CVE-2024-12802"
],
"database_specific": {
"cwe_ids": [
"CWE-305"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-09T09:15:06Z",
"severity": "CRITICAL"
},
"details": "SSL-VPN MFA Bypass in SonicWALL SSL-VPN can arise in specific cases due to the separate handling of UPN (User Principal Name) and SAM (Security Account Manager) account names when integrated with Microsoft Active Directory, allowing MFA to be configured independently for each login method and potentially enabling attackers to bypass MFA by exploiting the alternative account name.",
"id": "GHSA-ff32-cmvq-x6c5",
"modified": "2025-01-09T15:31:51Z",
"published": "2025-01-09T09:31:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12802"
},
{
"type": "WEB",
"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0001"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FM3M-JRGM-5PPG
Vulnerability from github – Published: 2025-08-04 20:46 – Updated: 2025-08-06 14:12Summary
- When an attacker obtains the backend login path of RatPanel (including but not limited to weak default paths, brute-force cracking, etc.), they can execute system commands or take over hosts managed by the panel without logging in.
- In addition to this remote code execution (RCE) vulnerability, the flawed code also leads to unauthorized access.
Details
In Go, r.URL.Path retrieves the part of the URL that comes after the port and before the query parameters or anchor symbols. For example, in the URL http://localhost:8080/api/ws/ssh?id=1, the retrieved path would be /api/ws/ssh.
However, if the request is made to http://localhost:8080//api/ws/ssh?id=1, the parsed r.URL.Path would be //api/ws/ssh.
RatPanel uses the CleanPath middleware provided by github.com/go-chi/chi package to clean URLs, The route path inside the chi router will be cleaned to /api/ws/ssh, but this middleware does not process r.URL.Path, so the path is still //api/ws/ssh.
In the must_login middleware, RatPanel uses r.URL.Path to match the hard-coded prefix whitelist, because /api/ws does not match //api/ws. The must_login middleware will allow the request, but //api/ws has been cleaned to /api/ws in the chi router. This inconsistency leads to authentication bypass and accessing the dangerous interfaces such as /api/ws/exec and /api/ws/ssh.
But there are some limitations. Before exploiting this interface, the attacker must first identify the correct backend address of ratpanel to activate session legitimacy—specifically, to ensure sess.Put("verify_entrance", true). That said, accessing /api/ws only requires activating the session and does not require completing further authentication or login steps. Therefore, this is assessed to be a remotely exploitable command execution vulnerability with moderate severity.
PoC
I first carried session=......, accessed the backend login page normally(without completing the authentication process), activated the session, and then used the _wsdump.py script provided by the Python websocket-client library to complete the authentication and exploit the vulnerability.
Because of the authorization code
// internal/http/middleware/must_login.go
if slices.Contains(whiteList, r.URL.Path) || !strings.HasPrefix(r.URL.Path, "/api") {
next.ServeHTTP(w, r)
return
}
This vulnerability affects the authorization mechanism across all APIs, for example
This authentication vulnerability appears to affect versions v2.3.19 to v2.5.5.
Data packet
GET //api/...... HTTP/2
Host: IP:PORT
Cookie: session=XXXXXX
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=UTF-8
Connection: close
python _wsdump.py wss://ip:port//api/ws/exec --headers "Cookie: session=xxxxxx" -n
Impact
Users running Ratpanel versions v2.3.19 to v2.5.5—especially those who have exposed their admin panel login URL or use weak login URL paths—are vulnerable to unauthorized access. Additionally, versions v2.5.1 to v2.5.5 are susceptible to server and hosted machine takeover.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/tnborg/panel"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.19"
},
{
"fixed": "2.5.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/tnborg/panel"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0-20241111062800-91ecd04c2700"
},
{
"fixed": "0.0.0-20250707071915-4985eb2e1f38"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-53534"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-305",
"CWE-436"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-04T20:46:32Z",
"nvd_published_at": "2025-08-05T21:15:38Z",
"severity": "HIGH"
},
"details": "### Summary\n\n* When an attacker obtains the backend login path of RatPanel (including but not limited to weak default paths, brute-force cracking, etc.), they can execute system commands or take over hosts managed by the panel **without logging in**.\n* In addition to this **remote code execution (RCE) vulnerability**, the flawed code also leads to **unauthorized access**.\n\n### Details\n\nIn Go, `r.URL.Path` retrieves the part of the URL that comes after the port and before the query parameters or anchor symbols. For example, in the URL `http://localhost:8080/api/ws/ssh?id=1`, the retrieved path would be `/api/ws/ssh`.\n\nHowever, if the request is made to `http://localhost:8080//api/ws/ssh?id=1`, the parsed `r.URL.Path` would be `//api/ws/ssh`. \n\nRatPanel uses the `CleanPath` middleware provided by `github.com/go-chi/chi` package to clean URLs, The route path inside the chi router will be cleaned to `/api/ws/ssh`, but this middleware does not process `r.URL.Path`, so the path is still `//api/ws/ssh`.\n\n\n\nIn the `must_login` middleware, RatPanel uses `r.URL.Path` to match the hard-coded prefix whitelist, because `/api/ws` does not match `//api/ws`. The `must_login` middleware will allow the request, but `//api/ws` has been cleaned to `/api/ws` in the chi router. This inconsistency leads to authentication bypass and accessing the dangerous interfaces such as `/api/ws/exec` and `/api/ws/ssh`.\n\n\n\nBut there are some limitations. Before exploiting this interface, the attacker must first identify the correct backend address of ratpanel to activate session legitimacy\u2014specifically, to ensure `sess.Put(\"verify_entrance\", true)`. That said, accessing `/api/ws` only requires activating the session and does not require completing further authentication or login steps. Therefore, this is assessed to be a remotely exploitable command execution vulnerability with moderate severity.\n\n\n### PoC\n\nI first carried `session=......`, accessed the backend login page normally` (without completing the authentication process)`, activated the session, and then used the [_wsdump.py](https://github.com/websocket-client/websocket-client/blob/master/websocket/_wsdump.py) script provided by the Python websocket-client library to complete the authentication and exploit the vulnerability.\n\n\n\n\n\nBecause of the authorization code\n\n```golang\n// internal/http/middleware/must_login.go\nif slices.Contains(whiteList, r.URL.Path) || !strings.HasPrefix(r.URL.Path, \"/api\") {\n next.ServeHTTP(w, r)\n return\n}\n```\n\nThis vulnerability affects the authorization mechanism across all APIs, for example\n\n\n\n\nThis authentication vulnerability appears to affect versions **v2.3.19 to v2.5.5**.\n\n---\n\nData packet\n\n```text\nGET //api/...... HTTP/2\nHost: IP:PORT\nCookie: session=XXXXXX\nAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2\nAccept-Encoding: gzip, deflate\nContent-Type: application/json; charset=UTF-8\nConnection: close\n\n\n```\n\n```cmd\npython _wsdump.py wss://ip:port//api/ws/exec --headers \"Cookie: session=xxxxxx\" -n\n```\n\n### Impact\n\nUsers running Ratpanel versions v2.3.19 to v2.5.5\u2014especially those who have exposed their admin panel login URL or use weak login URL paths\u2014are vulnerable to unauthorized access. Additionally, versions v2.5.1 to v2.5.5 are susceptible to server and hosted machine takeover.",
"id": "GHSA-fm3m-jrgm-5ppg",
"modified": "2025-08-06T14:12:21Z",
"published": "2025-08-04T20:46:32Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tnborg/panel/security/advisories/GHSA-fm3m-jrgm-5ppg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53534"
},
{
"type": "WEB",
"url": "https://github.com/tnborg/panel/commit/4985eb2e1f388ecd6faf331941c13cb97368ec1d"
},
{
"type": "WEB",
"url": "https://github.com/tnborg/panel/commit/91ecd04c270061429f9df5ec19cd6b96a9f595f2"
},
{
"type": "WEB",
"url": "https://github.com/tnborg/panel/commit/ed5c74c7534230ba685273504af4c1e1e3598ff1"
},
{
"type": "PACKAGE",
"url": "https://github.com/tnborg/panel"
},
{
"type": "WEB",
"url": "https://github.com/tnborg/panel/releases/tag/v2.5.6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "RatPanel can perform remote command execution without authorization"
}
GHSA-FPM5-2WCJ-VFR7
Vulnerability from github – Published: 2024-11-06 15:57 – Updated: 2025-11-15 03:17Summary
Authentication method confusion allows logging in as the built-in root user from an external service. The built-in root user is generated in a weak manner, cannot be disabled, and has universal access.
Details
Until CodeChecker version 6.24.1 there was an auto-generated super-user account that could not be disabled. The attacker needs to know only the username of the root user.
This root user is unconditionally assigned superuser permissions.
Which means that if any user via any service logs in with the root user's username, they will unconditionally have superuser permissions on the CodeChecker instance.
The name of the user name can be found in root.user file in the CodeChecker configuration directory.
You can check if you are impacted by checking the existence of this user in the external authentication services (e.g. LDAP, PAM etc.).
Impact
This vulnerability allows an attacker who can create an account on an enabled external authentication service, to log in as the root user, and access and control everything that can be controlled via the web interface. The attacker needs to acquire the username of the root user to be successful.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.24.1"
},
"package": {
"ecosystem": "PyPI",
"name": "codechecker"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.24.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-10082"
],
"database_specific": {
"cwe_ids": [
"CWE-305"
],
"github_reviewed": true,
"github_reviewed_at": "2024-11-06T15:57:57Z",
"nvd_published_at": "2024-11-06T15:15:11Z",
"severity": "CRITICAL"
},
"details": "### Summary\nAuthentication method confusion allows logging in as the built-in root user from an external service. The built-in root user is generated in a weak manner, cannot be disabled, and has universal access. \n\n### Details\nUntil CodeChecker version 6.24.1 there was an auto-generated super-user account that could not be disabled.\nThe attacker needs to know only the username of the root user.\n\nThis root user is unconditionally assigned superuser permissions.\n\nWhich means that if any user via any service logs in with the root user\u0027s username, they will unconditionally have superuser permissions on the CodeChecker instance.\n\nThe name of the user name can be found in `root.user` file in the CodeChecker configuration directory.\nYou can check if you are impacted by checking the existence of this user in the external authentication services (e.g. LDAP, PAM etc.).\n\n### Impact\nThis vulnerability allows an attacker who can create an account on an enabled external authentication service, to log in as the root user, and access and control everything that can be controlled via the web interface.\nThe attacker needs to acquire the username of the root user to be successful.",
"id": "GHSA-fpm5-2wcj-vfr7",
"modified": "2025-11-15T03:17:21Z",
"published": "2024-11-06T15:57:57Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Ericsson/codechecker/security/advisories/GHSA-fpm5-2wcj-vfr7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10082"
},
{
"type": "WEB",
"url": "https://github.com/Ericsson/codechecker/commit/866f3796d01f3158c49b87ccae3e09c0807c1c7b"
},
{
"type": "PACKAGE",
"url": "https://github.com/Ericsson/codechecker"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/codechecker/PYSEC-2024-183.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N",
"type": "CVSS_V4"
}
],
"summary": "codechecker authentication method confusion vulnerability allows logging in as the built-in root user from an external service"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.