VYPR

CWE-345

Insufficient Verification of Data Authenticity

ClassDraft

Description

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-141 · CAPEC-142 · CAPEC-148 · CAPEC-218 · CAPEC-384 · CAPEC-385 · CAPEC-386 · CAPEC-387 · CAPEC-388 · CAPEC-665 · CAPEC-701

CVEs mapped to this weakness (306)

page 15 of 16
  • CVE-2020-16250Aug 26, 2020
    risk 0.00cvss epss 0.01

    HashiCorp Vault and Vault Enterprise versions 0.7.1 and newer, when configured with the AWS IAM auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1..

  • CVE-2020-15899Jul 28, 2020
    risk 0.00cvss epss 0.01

    Grin 3.0.0 before 4.0.0 has insufficient validation of data related to Mimblewimble.

  • CVE-2019-17636Mar 10, 2020
    risk 0.00cvss epss 0.01

    In Eclipse Theia versions 0.3.9 through 0.15.0, one of the default pre-packaged Theia extensions is "Mini-Browser", published as "@theia/mini-browser" on npmjs.com. This extension, for its own needs, exposes a HTTP endpoint that allows to read the content of files on the host's…

  • CVE-2013-2167Dec 10, 2019
    risk 0.00cvss epss 0.02

    python-keystoneclient version 0.2.3 to 0.2.5 has middleware memcache signing bypass

  • CVE-2019-8124Nov 5, 2019
    risk 0.00cvss epss 0.01

    An insufficient logging and monitoring vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. Failure to track admin actions related to design configuration could lead to repudiation attacks.

  • CVE-2019-8112Nov 5, 2019
    risk 0.00cvss epss 0.01

    A security bypass vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An unauthenticated user can bypass the email confirmation mechanism via GET request that captures relevant account data obtained from the POST response related to new…

  • CVE-2019-13483Jul 25, 2019
    risk 0.00cvss epss 0.01

    Auth0 Passport-SharePoint before 0.4.0 does not validate the JWT signature of an Access Token before processing. This allows attackers to forge tokens and bypass authentication and authorization mechanisms.

  • CVE-2019-3875Jun 12, 2019
    risk 0.00cvss epss 0.00

    A vulnerability was found in keycloak before 6.0.2. The X.509 authenticator supports the verification of client certificates through the CRL, where the CRL list can be obtained from the URL provided in the certificate itself (CDP) or through the separately configured path. The…

  • CVE-2019-10157Jun 12, 2019
    risk 0.00cvss epss 0.00

    It was found that Keycloak's Node.js adapter before version 4.8.3 did not properly verify the web token received from the server in its backchannel logout . An attacker with local access could use this to construct a malicious web token setting an NBF parameter that could…

  • CVE-2019-1000013Feb 4, 2019
    risk 0.00cvss epss 0.01

    Hex package manager hex_core version 0.3.0 and earlier contains a Signing oracle vulnerability in Package registry verification that can result in Package modifications not detected, allowing code execution. This attack appears to be exploitable via victim fetches packages from…

  • CVE-2018-16486Feb 1, 2019
    risk 0.00cvss epss 0.01

    A prototype pollution vulnerability was found in defaults-deep <=0.2.4 that would allow a malicious user to inject properties onto Object.prototype.

  • CVE-2018-15801Dec 19, 2018
    risk 0.00cvss epss 0.01

    Spring Security versions 5.1.x prior to 5.1.2 contain an authorization bypass vulnerability during JWT issuer validation. In order to be impacted, the same private key for an honest issuer and a malicious user must be used when signing JWTs. In that case, a malicious user could…

  • CVE-2017-1000424MedJan 2, 2018
    risk 0.00cvss 4.3epss 0.01

    Github Electron version 1.6.4 - 1.6.11 and 1.7.0 - 1.7.5 is vulnerable to a URL Spoofing problem when opening PDFs in PDFium resulting loading arbitrary PDFs that a hacker can control.

  • CVE-2015-2908Aug 23, 2015
    risk 0.00cvss epss 0.02

    Mobile Devices (aka MDI) C4 OBD-II dongles with firmware 2.x and 3.4.x, as used in Metromile Pulse and other products, do not validate firmware updates, which allows remote attackers to execute arbitrary code by specifying an update server.

  • CVE-2015-3908Aug 12, 2015
    risk 0.00cvss epss 0.01

    Ansible before 1.9.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

  • CVE-2015-4674Aug 7, 2015
    risk 0.00cvss epss 0.01

    The autoupdate implementation in TimeDoctor Pro 1.4.72.3 on Windows relies on unsigned installer files that are retrieved without use of SSL, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a crafted file.

  • CVE-2014-5406Jul 6, 2015
    risk 0.00cvss epss 0.01

    The Hospira LifeCare PCA Infusion System before 7.0 does not validate network traffic associated with sending a (1) drug library, (2) software update, or (3) configuration change, which allows remote attackers to modify settings or medication data via packets on the (a) TELNET,…

  • CVE-2013-7398Jun 24, 2015
    risk 0.00cvss epss 0.01

    main/java/com/ning/http/client/AsyncHttpClientConfig.java in Async Http Client (aka AHC or async-http-client) before 1.9.0 does not require a hostname match during verification of X.509 certificates, which allows man-in-the-middle attackers to spoof HTTPS servers via an…

  • CVE-2013-7397Jun 24, 2015
    risk 0.00cvss epss 0.01

    Async Http Client (aka AHC or async-http-client) before 1.9.0 skips X.509 certificate verification unless both a keyStore location and a trustStore location are explicitly set, which allows man-in-the-middle attackers to spoof HTTPS servers by presenting an arbitrary certificate…

  • CVE-2015-0259Apr 1, 2015
    risk 0.00cvss epss 0.01

    OpenStack Compute (Nova) before 2014.1.4, 2014.2.x before 2014.2.3, and kilo before kilo-3 does not validate the origin of websocket requests, which allows remote attackers to hijack the authentication of users for access to consoles via a crafted webpage.