In the Secure File System in all Android releases from CAF using the Linux kernel, a capture-replay vulnerability could potentially exist.
The time-based one-time-password (TOTP) function in the application logic of the Green Electronics RainMachine Mini-8 (2nd generation) uses the administrator's password hash to generate a 6-digit temporary passcode that can be used for remote and local access, aka a "Use of Password Hash Instead of Password for Authentication" issue. This is exploitable by an attacker who discovers a hash value in the rainmachine-settings.sqlite file.
SAP BusinessObjects Edge 4.1 allows remote attackers to obtain the SI_PLATFORM_SEARCH_SERVER_LOGON_TOKEN token and consequently gain SYSTEM privileges via vectors involving CORBA calls, aka SAP Note 2039905.
EMC RSA Identity Management and Governance (IMG) 6.5.x before 6.5.1 P11, 6.5.2 before P02HF01, and 6.8.x before 6.8.1 P07, when Novell Identity Manager (aka NovellIM) is used, allows remote attackers to bypass authentication via an arbitrary valid username.
The rsync daemon in F5 BIG-IP 11.6 before 11.6.0, 11.5.1 before HF3, 11.5.0 before HF4, 11.4.1 before HF4, 11.4.0 before HF7, 11.3.0 before HF9, and 11.2.1 before HF11 and Enterprise Manager 3.x before 3.1.1 HF2, when configured in failover mode, does not require authentication, which allows remote attackers to read or write to arbitrary files via a cmi request to the ConfigSync IP address.
The ActiveMQ admin user interface in IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 allows remote attackers to bypass authentication by leveraging knowledge of the port number and webapp path. IBM X-Force ID: 92259.
An insecure SSHD configuration in Juniper Device Manager (JDM) and host OS on Juniper NFX Series devices may allow remote unauthenticated access if any of the passwords on the system are empty. The affected SSHD configuration has the PermitEmptyPasswords option set to "yes". Affected releases are Juniper Networks Junos OS: 18.1 versions prior to 18.1R4 on NFX Series.
An issue was discovered in SMA Solar Technology products. The SMAdata2+ communication protocol does not properly use authentication with encryption: it is vulnerable to man in the middle, packet injection, and replay attacks. Any setting change, authentication packet, scouting packet, etc. can be replayed, injected, or used for a man in the middle session. All functionalities available in Sunny Explorer can effectively be done from anywhere within the network as long as an attacker gets the packet setup correctly. This includes the authentication process for all (including hidden) access levels and the changing of settings in accordance with the gained access rights. Furthermore, because the SMAdata2+ communication channel is unencrypted, an attacker capable of understanding the protocol can eavesdrop on communications. NOTE: the vendor's position is that authentication with encryption is not required on an isolated subnetwork. Also, only Sunny Boy TLST-21 and TL-21 and Sunny Tripower TL-10 and TL-30 could potentially be affected
Multiple Lenze products of the cabinet series skip the password verification upon second login. After a user has been logged on to the device once, a remote attacker can get full access without knowledge of the password.
IBM API Connect 5.0.0.0-5.0.8.3 Developer Portal does not enforce Two Factor Authentication (TFA) while resetting a user password but enforces it for all other login scenarios. IBM X-Force ID: 144483.
The Horde_Ldap library before 2.0.6 for Horde allows remote attackers to bypass authentication by leveraging knowledge of the LDAP bind user DN.
Admin.php in Olate Download (od) 3.4.1 uses an MD5 hash of the admin username, user id, and group id, to compose the OD3_AutoLogin authentication cookie, which makes it easier for remote attackers to guess the cookie and access the Admin area.
An issue was discovered in myStrom WiFi Switch V1 before 2.66, WiFi Switch V2 before 3.80, WiFi Switch EU before 3.80, WiFi Bulb before 2.58, WiFi LED Strip before 3.80, WiFi Button before 2.73, and WiFi Button Plus before 2.73. The process of registering a device with a cloud account was based on an activation code derived from the device MAC address. By guessing valid MAC addresses or using MAC addresses printed on devices in shops and reverse engineering the protocol, an attacker would have been able to register previously unregistered devices to their account. When the rightful owner would have connected them after purchase to their WiFi network, the devices would not have registered with their account, would subsequently not have been controllable from the owner's mobile app, and would not have been visible in the owner's account. Instead, they would have been under control of the attacker.
If RSH service is enabled on Junos OS and if the PAM authentication is disabled, a remote unauthenticated attacker can obtain root access to the device. RSH service is disabled by default on Junos. There is no documented CLI command to enable this service. However, an undocumented CLI command allows a privileged Junos user to enable RSH service and disable PAM, and hence expose the system to unauthenticated root access. When RSH is enabled, the device is listing to RSH connections on port 514. This issue is not exploitable on platforms where Junos release is based on FreeBSD 10+. Affected releases are Juniper Networks Junos OS: 12.1X46 versions prior to 12.1X46-D77 on SRX Series; 12.3 versions prior to 12.3R12-S10; 12.3X48 versions prior to 12.3X48-D75 on SRX Series; 14.1X53 versions prior to 14.1X53-D47 on QFX/EX Series; 15.1 versions prior to 15.1R4-S9, 15.1R6-S6, 15.1R7; 15.1X49 versions prior to 15.1X49-D131, 15.1X49-D140 on SRX Series; 15.1X53 versions prior to 15.1X53-D59 on EX2300/EX3400 Series; 15.1X53 versions prior to 15.1X53-D67 on QFX10K Series; 15.1X53 versions prior to 15.1X53-D233 on QFX5200/QFX5110 Series; 15.1X53 versions prior to 15.1X53-D471, 15.1X53-D490 on NFX Series; 16.1 versions prior to 16.1R3-S9, 16.1R4-S9, 16.1R5-S4, 16.1R6-S4, 16.1R7; 16.2 versions prior to 16.2R2-S5; 17.1 versions prior to 17.1R1-S7, 17.1R2-S7, 17.1R3; 17.2 versions prior to 17.2R1-S6, 17.2R2-S4, 17.2R3; 17.2X75 versions prior to 17.2X75-D110, 17.2X75-D91; 17.3 versions prior to 17.3R1-S4, 17.3R2-S2, 17.3R3; 17.4 versions prior to 17.4R1-S3, 17.4R2; 18.2X75 versions prior to 18.2X75-D5.
An issue was discovered in Rockwell Automation Allen-Bradley PowerMonitor 1000. An unauthenticated user can add/edit/remove administrators because access control is implemented on the client side via a disabled attribute for a BUTTON element.
In Pivotal Spring-LDAP versions 1.3.0 - 2.3.1, when connected to some LDAP servers, when no additional attributes are bound, and when using LDAP BindAuthenticator with org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy as the authentication strategy, and setting userSearch, authentication is allowed with an arbitrary password when the username is correct. This occurs because some LDAP vendors require an explicit operation for the LDAP bind to take effect.
The Festo CECX-X-C1 Modular Master Controller with CoDeSys and CECX-X-M1 Modular Controller with CoDeSys and SoftMotion provide an undocumented access method involving the FTP protocol, which could allow a remote attacker to execute arbitrary code or cause a denial of service (application crash) via unspecified vectors.
When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured to use a password file for authentication, any malformed data in the password file will be treated as valid. This typically means that the malformed data becomes a username and no password. If this occurs, clients can circumvent authentication and get access to the broker by using the malformed username. In particular, a blank line will be treated as a valid empty username. Other security measures are unaffected. Users who have only used the mosquitto_passwd utility to create and modify their password files are unaffected by this vulnerability.
IBM LoopBack (IBM API Connect 2018.1, 2018.4.1, 5.0.8.0, and 5.0.8.4) could allow an attacker to bypass authentication if the AccessToken Model is exposed over a REST API, it is then possible for anyone to create an AccessToken for any User provided they know the userId and can hence get access to the other user’s data / access to their privileges (if the user happens to be an Admin for example). IBM X-Force ID: 148801.
Intelbras NPLUG 1.0.0.14 wireless repeater devices have a critical vulnerability that allows an attacker to authenticate in the web interface just by using "admin:" as the name of a cookie.
Session fixation vulnerability in Mambo 4.6.2 CMS allows remote attackers to hijack web sessions by setting the Cookie parameter.
BigTree 4.2.23 on Windows, when Advanced or Simple Rewrite routing is enabled, allows remote attackers to bypass authentication via a ..\ substring, as demonstrated by a launch.php?bigtree_htaccess_url=admin/images/..\ URI.
In Apache Karaf version prior to 3.0.9, 4.0.9, 4.1.1, when the webconsole feature is installed in Karaf, it is available at .../system/console and requires authentication to access it. One part of the console is a Gogo shell/console that gives access to the command line console of Karaf via a Web browser, and when navigated to it is available at .../system/console/gogo. Trying to go directly to that URL does require authentication. And optional bundle that some applications use is the Pax Web Extender Whiteboard, it is part of the pax-war feature and perhaps others. When it is installed, the Gogo console becomes available at another URL .../gogo/, and that URL is not secured giving access to the Karaf console to unauthenticated users. A mitigation for the issue is to manually stop/uninstall Gogo plugin bundle that is installed with the webconsole feature, although of course this removes the console from the .../system/console application, not only from the unauthenticated endpoint. One could also stop/uninstall the Pax Web Extender Whiteboard, but other components/applications may require it and so their functionality would be reduced/compromised.
The SAML broker consumer endpoint in Keycloak before version 4.6.0.Final ignores expiration conditions on SAML assertions. An attacker can exploit this vulnerability to perform a replay attack.
A flaw was found in Moodle 3.4 to 3.4.1, and 3.3 to 3.3.4. If a user account using OAuth2 authentication method was once confirmed but later suspended, the user could still login to the site.
D-Link DIR-601 A1 1.02NA devices do not require the old password for a password change, which occurs in cleartext.
The Festo CECX-X-C1 Modular Master Controller with CoDeSys and CECX-X-M1 Modular Controller with CoDeSys and SoftMotion do not require authentication for connections to certain TCP ports, which allows remote attackers to (1) modify the configuration via a request to the debug service on port 4000 or (2) delete log entries via a request to the log service on port 4001.
freeSSHd.exe in freeSSHd through 1.2.6 allows remote attackers to bypass authentication via a crafted session, as demonstrated by an OpenSSH client with modified versions of ssh.c and sshconnect2.c.
It was found that 389-ds-base since 1.3.6.1 up to and including 1.4.0.3 did not always handle internal hash comparison operations correctly during the authentication process. A remote, unauthenticated attacker could potentially use this flaw to bypass the authentication process under very rare and specific circumstances.
Lack of authentication and authorization of cluster messages in Juniper Networks Junos Space may allow a man-in-the-middle type of attacker to intercept, inject or disrupt Junos Space cluster operations between two nodes. Affected releases are Juniper Networks Junos Space all versions prior to 17.1R1.
A vulnerability in the Kerberos authentication feature of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to impersonate the Kerberos key distribution center (KDC) and bypass authentication on an affected device that is configured to perform Kerberos authentication for VPN or local device access. The vulnerability is due to insufficient identity verification of the KDC when a successful authentication response is received. An attacker could exploit this vulnerability by spoofing the KDC server response to the ASA device. This malicious response would not have been authenticated by the KDC. A successful attack could allow an attacker to bypass Kerberos authentication.