| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| An authentication bypass vulnerability in Juniper Networks Junos Space Network Management Platform may allow a remote unauthenticated network based attacker to login as any privileged user. This issue only affects Junos Space Network Management Platform 17.1R1 without Patch v1 and 16.1 releases prior to 16.1R3. This issue was found by an external security researcher. |
| Builds in Jenkins are associated with an authentication that controls the permissions that the build has to interact with other elements in Jenkins. The Pipeline: Build Step Plugin did not check the build authentication it was running as and allowed triggering any other project in Jenkins. |
| Jasig phpCAS version 1.3.4 is vulnerable to an authentication bypass in the validateCAS20 function when configured to authenticate against an old CAS server. |
| TestTrack Server versions 1.0 and earlier are vulnerable to an authentication flaw in the split disablement feature resulting in the ability to disable arbitrary running splits and cause denial of service to clients in the field. |
| Oracle, GlassFish Server Open Source Edition 3.0.1 (build 22) is vulnerable to Java Key Store Password Disclosure vulnerability, that makes it possible to provide an unauthenticated attacker plain text password of administrative user and grant access to the web-based administration interface. |
| SYN Flood or FIN Flood attack in ECos 1 and other versions embedded devices results in web Authentication Bypass. "eCos Embedded Web Servers used by Multiple Routers and Home devices, while sending SYN Flood or FIN Flood packets fails to validate and handle the packets and does not ask for any sign of authentication resulting in Authentication Bypass. An attacker can take complete advantage of this bug and take over the device remotely or locally. The bug has been successfully tested and reproduced in some versions of SOHO Routers manufactured by TOTOLINK, GREATEK and others." |
| In Zulip Server before 1.7.1, on a server with multiple realms, a vulnerability in the invitation system lets an authorized user of one realm on the server create a user account on any other realm. |
| Revive Adserver before 3.2.3 suffers from Improper Restriction of Excessive Authentication Attempts. The login page of Revive Adserver is vulnerable to password-guessing attacks. An account lockdown feature was considered, but rejected to avoid introducing service disruptions to regular users during such attacks. A random delay has instead been introduced as a countermeasure in case of password failures, along with a system to discourage parallel brute forcing. These systems will effectively allow the valid users to log in to the adserver, even while an attack is in progress. |
| Authentication bypass by assumed-immutable data vulnerability in Intel Security VirusScan Enterprise Linux (VSEL) 2.0.3 (and earlier) allows remote unauthenticated attacker to bypass server authentication via a crafted authentication cookie. |
| Authentication bypass by spoofing vulnerability in Intel Security VirusScan Enterprise Linux (VSEL) 2.0.3 (and earlier) allows remote unauthenticated attacker to execute arbitrary code or cause a denial of service via a crafted authentication cookie. |
| Sierra Wireless GX 440 devices with ALEOS firmware 4.3.2 do not require authentication for Embedded_Ace_Get_Task.cgi requests. |
| Insufficient authentication vulnerability in Junos Space before 15.2R2 allows remote network based users with access to Junos Space web interface to perform certain administrative tasks without authentication. |
| HAProxy statistics in openstack-tripleo-image-elements are non-authenticated over the network. |
| NetApp SnapCenter Server 1.0 and 1.0P1 allows remote attackers to partially bypass authentication and then list and delete backups via unspecified vectors. |
| Crypto-NAK packets in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to bypass authentication. |
| PgBouncer 1.6.x before 1.6.1, when configured with auth_user, allows remote attackers to gain login access as auth_user via an unknown username. |
| ganglia-web before 3.7.1 allows remote attackers to bypass authentication. |
| Soreco Xpert.Line 3.0 allows local users to spoof users and consequently gain privileges by intercepting a Windows API call. |
| The user authentication module in Huawei Campus switches S5700, S5300, S6300, and S6700 with software before V200R001SPH012 and S7700, S9300, and S9700 with software before V200R001SPH015 allows remote attackers to cause a denial of service (device restart) via vectors involving authentication, which trigger an array access violation. |
| The custom authentication realm used by karaf-tomcat's "opendaylight" realm in Opendaylight before Helium SR3 will authenticate any username and password combination. |
