CWE-306
Missing Authentication for Critical Function
Description
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
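The pattern behind this weakness is easiest to see in a tiny request router. The block below is an added illustration written for this page; it is not code from CWE, NVD or any of the projects in the list. The routes, the HMAC-signed session cookie and the `X-Forwarded-For` shortcut are all constructed for the example. It shows three dispatchers over the same handlers: one with no identity check at all, one that skips authentication for "local" callers but reads locality from a client-supplied header (so the check is bypassable), and a deny-by-default version that authenticates before it even looks a route up, so unauthenticated clients cannot enumerate which routes exist.

```python
"""Added illustration of CWE-306; not code from any project listed on this page."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple, List
import hashlib
import hmac

# Constructed for the example only; real deployments load this from secure storage.
SESSION_KEY = b"constructed-demo-key"


@dataclass
class Request:
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str


Handler = Callable[[Request, Set[str]], Response]


def fresh_store() -> Set[str]:
    """Constructed user table; handlers mutate the set they are given."""
    return {"alice", "bob"}


# Toy HMAC-signed session cookie "user|hexsig"; stands in for a real session layer.
def issue_session(user: str) -> str:
    sig = hmac.new(SESSION_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}|{sig}"


def verify_session(cookie: Optional[str]) -> Optional[str]:
    if not cookie or "|" not in cookie:
        return None
    user, sig = cookie.rsplit("|", 1)
    expected = hmac.new(SESSION_KEY, user.encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(sig, expected) else None


def health(_: Request, __: Set[str]) -> Response:
    return Response(200, "ok")


def delete_all_users(_: Request, store: Set[str]) -> Response:
    store.clear()  # the critical function: must never run for an anonymous caller
    return Response(200, "deleted")


ROUTES: Dict[str, Handler] = {
    "/health": health,
    "/admin/delete_all_users": delete_all_users,
}
PUBLIC = {"/health"}  # the only route that legitimately needs no identity


def vulnerable_dispatch(req: Request, store: Set[str]) -> Response:
    """CWE-306 as written: the critical route is reachable with no identity check."""
    handler = ROUTES.get(req.path)
    if handler is None:
        return Response(404, "not found")
    return handler(req, store)


def header_trust_dispatch(req: Request, store: Set[str]) -> Response:
    """Still CWE-306: 'local callers skip auth', but locality is taken from a
    client-supplied header, so any remote caller can claim to be local."""
    handler = ROUTES.get(req.path)
    if handler is None:
        return Response(404, "not found")
    claimed_ip = req.headers.get("X-Forwarded-For", "")
    if req.path not in PUBLIC and claimed_ip not in ("127.0.0.1", "::1"):
        if verify_session(req.cookies.get("session")) is None:
            return Response(401, "authentication required")
    return handler(req, store)


def hardened_dispatch(req: Request, store: Set[str]) -> Response:
    """Deny by default: anything not on the PUBLIC allowlist needs a verified
    session, checked before route lookup so 404s do not leak route existence,
    and nothing a client sends in a header can substitute for that session."""
    if req.path not in PUBLIC and verify_session(req.cookies.get("session")) is None:
        return Response(401, "authentication required")
    handler = ROUTES.get(req.path)
    if handler is None:
        return Response(404, "not found")
    return handler(req, store)


def run(dispatch: Callable[[Request, Set[str]], Response], req: Request) -> Tuple[int, List[str]]:
    """Run one request against a fresh store; returns (status, users remaining)."""
    store = fresh_store()
    resp = dispatch(req, store)
    return resp.status, sorted(store)
```

The practitioner's check is the second dispatcher: a bypass that looks like an IP allowlist is still a missing authentication if the "IP" comes from a header the client controls. The hardened version keeps an explicit allowlist of public routes and treats every other path as critical, which is the only way the default stays safe when a new handler is added.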
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-12 · CAPEC-166 · CAPEC-216 · CAPEC-36 · CAPEC-62
CVEs mapped to this weakness (964)
Page 47 of 49

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-43644 | | | 0.00 | — | 0.01 | | Sep 25, 2023 | Sing-box is an open source proxy system. Affected versions are subject to an authentication bypass when specially crafted requests are sent to sing-box. This affects all SOCKS5 inbounds with user authentication and an attacker may be able to bypass authentication. Users are… |
| CVE-2023-4815 | | | 0.00 | — | 0.01 | | Sep 7, 2023 | Missing Authentication for Critical Function in GitHub repository answerdev/answer prior to v1.1.3. |
| CVE-2023-40170 | | | 0.00 | — | 0.01 | | Aug 28, 2023 | jupyter-server is the backend for Jupyter web applications. Improper cross-site credential checks on `/files/` URLs could allow exposure of certain file contents, or accessing files when opening untrusted files via "Open image in new tab". This issue has been addressed in… |
| CVE-2023-37265 | | | 0.00 | — | 0.06 | | Jul 17, 2023 | CasaOS is an open-source Personal Cloud system. Due to a lack of IP address verification, unauthenticated attackers can execute arbitrary commands as `root` on CasaOS instances. The problem was addressed by improving the detection of client IP addresses in `391dd7f`. This… |
| CVE-2023-31143 | | | 0.00 | — | 0.01 | | May 9, 2023 | mage-ai is an open-source data pipeline tool for transforming and integrating data. Those who use Mage starting in version 0.8.34 and prior to 0.8.72 with user authentication enabled may be affected by a vulnerability. The terminal could be accessed by users who are not signed… |
| CVE-2023-28326 | | | 0.00 | — | 0.01 | | Mar 28, 2023 | Vendor: The Apache Software Foundation. Versions Affected: Apache OpenMeetings from 2.0.0 before 7.0.0. Description: Attacker can elevate their privileges in any room. |
| CVE-2023-25570 | | | 0.00 | — | 0.01 | | Feb 20, 2023 | Apollo is a configuration management system. Prior to version 2.1.0, there are potential security issues if users expose apollo-configservice to the internet, which is not recommended. This is because there is no authentication feature enabled for the built-in eureka service.… |
| CVE-2023-25014 | | | 0.00 | — | 0.01 | | Feb 2, 2023 | An issue was discovered in the femanager extension before 5.5.3, 6.x before 6.3.4, and 7.x before 7.1.0 for TYPO3. Missing access checks in the InvitationController allow an unauthenticated user to delete all frontend users. |
| CVE-2023-25013 | | | 0.00 | — | 0.01 | | Feb 2, 2023 | An issue was discovered in the femanager extension before 5.5.3, 6.x before 6.3.4, and 7.x before 7.1.0 for TYPO3. Missing access checks in the InvitationController allow an unauthenticated user to set the password of all frontend users. |
| CVE-2020-23256 | | | 0.00 | — | 0.01 | | Jan 20, 2023 | An issue was discovered in Electerm 1.3.22 that allows attackers to execute arbitrary code via an unverified request to the electerm service. |
| CVE-2022-4018 | | | 0.00 | — | 0.01 | | Nov 16, 2022 | Missing Authentication for Critical Function in GitHub repository ikus060/rdiffweb prior to 2.5.0a6. |
| CVE-2022-45378 | | | 0.00 | — | 0.02 | | Nov 14, 2022 | In the default configuration of Apache SOAP, an RPCRouterServlet is available without authentication. This gives an attacker the possibility to invoke methods on the classpath that meet certain criteria. Depending on what classes are available on the classpath this might even… |
| CVE-2022-3327 | | | 0.00 | — | 0.01 | | Oct 19, 2022 | Missing Authentication for Critical Function in GitHub repository ikus060/rdiffweb prior to 2.5.0a6. |
| CVE-2022-36884 | | | 0.00 | — | 0.01 | | Jul 27, 2022 | The webhook endpoint in Jenkins Git Plugin 4.11.3 and earlier provides unauthenticated attackers information about the existence of jobs configured to use an attacker-specified Git repository. |
| CVE-2021-34538 | | | 0.00 | — | 0.01 | | Jul 16, 2022 | Apache Hive before 3.1.3 "CREATE" and "DROP" function operations do not check for necessary authorization of involved entities in the query. It was found that an unauthorized user can manipulate an existing UDF without having the privileges to do so. This allowed unauthorized… |
| CVE-2022-31022 | | | 0.00 | — | 0.00 | | Jun 1, 2022 | Bleve is a text indexing library for Go. Bleve includes HTTP utilities under the bleve/http package that are used by its sample application. These HTTP methods pave the way for exploitation of a node's filesystem where the bleve index resides, if the user has used bleve's own HTTP… |
| CVE-2022-24820 | | | 0.00 | — | 0.01 | | Apr 8, 2022 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A guest user without the right to view pages of the wiki can still list documents by rendering some velocity documents. The problem has been patched in XWiki versions… |
| CVE-2021-3589 | | | 0.00 | — | 0.01 | | Mar 23, 2022 | An authorization flaw was found in Foreman Ansible. An authenticated attacker with certain permissions to create and run Ansible jobs can access hosts through job templates. The highest threat from this vulnerability is to data confidentiality and integrity as well as system… |
| CVE-2022-25508 | | | 0.00 | — | 0.01 | | Mar 10, 2022 | An access control issue in the component /ManageRoute/postRoute of FreeTAKServer v1.9.8 allows unauthenticated attackers to cause a Denial of Service (DoS) via an unusually large number of created routes, or to create unsafe or false routes for legitimate users. |
| CVE-2022-23945 | | | 0.00 | — | 0.04 | | Jan 25, 2022 | Missing authentication on ShenYu Admin when registering by HTTP. This issue affected Apache ShenYu 2.4.0 and 2.4.1. |