CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Related To CWE-306

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2021-45232 306 Bypass 2021-12-27 2022-01-07
7.5
None Remote Low Not required Partial Partial Partial
In Apache APISIX Dashboard before 2.10.1, the Manager API uses two frameworks and introduces framework `droplet` on the basis of framework `gin`, all APIs and authentication middleware are developed based on framework `droplet`, but some API directly use the interface of framework `gin` thus bypassing the authentication.
2 CVE-2021-43832 306 2022-01-04 2022-01-14
7.5
None Remote Low Not required Partial Partial Partial
Spinnaker is an open source, multi-cloud continuous delivery platform. Spinnaker has improper permissions allowing pipeline creation & execution. This lets an arbitrary user with access to the gate endpoint to create a pipeline and execute it without authentication. If users haven't setup Role-based access control (RBAC) with-in spinnaker, this enables remote execution and access to deploy almost any resources on any account. Patches are available on the latest releases of the supported branches and users are advised to upgrade as soon as possible. Users unable to upgrade should enable RBAC on ALL accounts and applications. This mitigates the ability of a pipeline to affect any accounts. Block application access unless permission are enabled. Users should make sure ALL application creation is restricted via appropriate wildcards.
3 CVE-2021-42783 306 2021-11-23 2021-11-29
10.0
None Remote Low Not required Complete Complete Complete
Missing Authentication for Critical Function vulnerability in debug_post_set.cgi of D-Link DWR-932C E1 firmware allows an unauthenticated attacker to execute administrative actions.
4 CVE-2021-42539 306 2021-10-22 2021-10-27
6.5
None Remote Low ??? Partial Partial Partial
The affected product is vulnerable to a missing permission validation on system backup restore, which could lead to account take over and unapproved settings change.
5 CVE-2021-41266 306 Bypass 2021-11-15 2021-11-19
6.8
None Remote Medium Not required Partial Partial Partial
Minio console is a graphical user interface for the for MinIO operator. Minio itself is a multi-cloud object storage project. Affected versions are subject to an authentication bypass issue in the Operator Console when an external IDP is enabled. All users on release v0.12.2 and before are affected and are advised to update to 0.12.3 or newer. Users unable to upgrade should add automountServiceAccountToken: false to the operator-console deployment in Kubernetes so no service account token will get mounted inside the pod, then disable the external identity provider authentication by unset the CONSOLE_IDP_URL, CONSOLE_IDP_CLIENT_ID, CONSOLE_IDP_SECRET and CONSOLE_IDP_CALLBACK environment variable and instead use the Kubernetes service account token.
6 CVE-2021-38540 306 DoS Exec Code 2021-09-09 2021-09-21
7.5
None Remote Low Not required Partial Partial Partial
The variable import endpoint was not protected by authentication in Airflow >=2.0.0, <2.1.3. This allowed unauthenticated users to hit that endpoint to add/modify Airflow variables used in DAGs, potentially resulting in a denial of service, information disclosure or remote code execution. This issue affects Apache Airflow >=2.0.0, <2.1.3.
7 CVE-2021-37843 306 2021-08-02 2021-08-11
7.5
None Remote Low Not required Partial Partial Partial
The resolution SAML SSO apps for Atlassian products allow a remote attacker to login to a user account when only the username is known (i.e., no other authentication is provided). The fixed versions are for Jira: 3.6.6.1, 4.0.12, 5.0.5; for Confluence 3.6.6, 4.0.12, 5.0.5; for Bitbucket 2.5.9, 3.6.6, 4.0.12, 5.0.5; for Bamboo 2.5.9, 3.6.6, 4.0.12, 5.0.5; and for Fisheye 2.5.9.
8 CVE-2021-33221 306 2021-07-07 2021-07-09
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in CommScope Ruckus IoT Controller 1.7.1.0 and earlier. There are Unauthenticated API Endpoints.
9 CVE-2021-32930 306 Exec Code 2021-06-11 2021-06-23
7.5
None Remote Low Not required Partial Partial Partial
The affected product’s configuration is vulnerable due to missing authentication, which may allow an attacker to change configurations and execute arbitrary code on the iView (versions prior to v5.7.03.6182).
10 CVE-2021-32800 306 Bypass 2021-09-07 2021-09-14
6.4
None Remote Low Not required Partial Partial None
Nextcloud server is an open source, self hosted personal cloud. In affected versions an attacker is able to bypass Two Factor Authentication in Nextcloud. Thus knowledge of a password, or access to a WebAuthN trusted device of a user was sufficient to gain access to an account. It is recommended that the Nextcloud Server is upgraded to 20.0.12, 21.0.4 or 22.1.0. There are no workaround for this vulnerability.
11 CVE-2021-31337 306 2021-06-28 2021-07-02
6.8
None Remote Medium Not required Partial Partial Partial
The Telnet service of the SIMATIC HMI Comfort Panels system component in affected products does not require authentication, which may allow a remote attacker to gain access to the device if the service is enabled. Telnet is disabled by default on the SINAMICS Medium Voltage Products (SINAMICS SL150: All versions, SINAMICS SM150: All versions, SINAMICS SM150i: All versions).
12 CVE-2021-28913 306 2021-09-09 2021-09-20
10.0
None Remote Low Not required Complete Complete Complete
BAB TECHNOLOGIE GmbH eibPort V3 prior version 3.9.1 allow unauthenticated attackers access to /webif/SecurityModule to validate the so called and hard coded unique 'eibPort String' which acts as the root SSH key passphrase. This is usable and part of an attack chain to gain SSH root access.
13 CVE-2021-27255 306 Exec Code 2021-03-05 2021-03-16
8.3
None Local Network Low Not required Complete Complete Complete
This vulnerability allows remote attackers to execute arbitrary code on affected installations of NETGEAR R7800 firmware version 1.0.2.76. Authentication is not required to exploit this vulnerability. The specific flaw exists within the refresh_status.aspx endpoint. The issue results from a lack of authentication required to start a service on the server. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-12360.
14 CVE-2021-26705 306 2021-03-05 2021-03-13
6.4
None Remote Low Not required Partial Partial None
An issue was discovered in SquareBox CatDV Server through 9.2. An attacker can invoke sensitive RMI methods such as getConnections without authentication, the results of which can be used to generate valid authentication tokens. These tokens can then be used to invoke administrative tasks within the application, such as disclosing password hashes.
15 CVE-2021-25312 306 2021-01-27 2021-02-04
6.5
None Remote Low ??? Partial Partial Partial
HTCondor before 8.9.11 allows a user to submit a job as another user on the system, because of a flaw in the IDTOKENS authentication method.
16 CVE-2021-23847 306 2021-06-09 2021-06-22
6.4
None Remote Low Not required Partial Partial None
A Missing Authentication in Critical Function in Bosch IP cameras allows an unauthenticated remote attacker to extract sensitive information or change settings of the camera by sending crafted requests to the device. Only devices of the CPP6, CPP7 and CPP7.3 family with firmware 7.70, 7.72, and 7.80 prior to B128 are affected by this vulnerability. Versions 7.62 or lower and INTEOX cameras are not affected.
17 CVE-2021-22772 306 Bypass 2021-07-21 2021-07-28
7.5
None Remote Low Not required Partial Partial Partial
A CWE-306: Missing Authentication for Critical Function vulnerability exists in Easergy T200 ((Modbus) SC2-04MOD-07000100 and earlier), Easergy T200 ((IEC104) SC2-04IEC-07000100 and earlier), and Easergy T200 ((DNP3) SC2-04DNP-07000102 and earlier) that could cause unauthorized operation when authentication is bypassed.
18 CVE-2021-22652 306 Exec Code 2021-02-11 2021-03-26
7.5
None Remote Low Not required Partial Partial Partial
Access to the Advantech iView versions prior to v5.7.03.6112 configuration are missing authentication, which may allow an unauthorized attacker to change the configuration and obtain code execution.
19 CVE-2021-22279 306 2021-12-13 2021-12-17
9.3
None Remote Medium Not required Complete Complete Complete
A Missing Authentication vulnerability in RobotWare for the OmniCore robot controller allows an attacker to read and modify files on the robot controller if the attacker has access to the Connected Services Gateway Ethernet port.
20 CVE-2021-20998 306 2021-05-13 2021-05-20
7.5
None Remote Low Not required Partial Partial Partial
In multiple managed switches by WAGO in different versions without authorization and with specially crafted packets it is possible to create users.
21 CVE-2021-20697 306 2021-04-26 2021-05-03
7.5
None Remote Low Not required Partial Partial Partial
Missing authentication for critical function in DAP-1880AC firmware version 1.21 and earlier allows a remote attacker to login to the device as an authenticated user without the access privilege via unspecified vectors.
22 CVE-2021-20198 306 Exec Code 2021-02-23 2021-02-27
6.8
None Remote Medium Not required Partial Partial Partial
A flaw was found in the OpenShift Installer before version v0.9.0-master.0.20210125200451-95101da940b0. During installation of OpenShift Container Platform 4 clusters, bootstrap nodes are provisioned with anonymous authentication enabled on kubelet port 10250. A remote attacker able to reach this port during installation can make unauthenticated `/exec` requests to execute arbitrary commands within running containers. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
23 CVE-2021-1396 306 +Priv 2021-02-24 2021-03-02
6.4
None Remote Low Not required Partial Partial None
Multiple vulnerabilities in Cisco Application Services Engine could allow an unauthenticated, remote attacker to gain privileged access to host-level operations or to learn device-specific information, create diagnostic files, and make limited configuration changes. For more information about these vulnerabilities, see the Details section of this advisory.
24 CVE-2021-1393 306 +Priv 2021-02-24 2021-03-02
10.0
None Remote Low Not required Complete Complete Complete
Multiple vulnerabilities in Cisco Application Services Engine could allow an unauthenticated, remote attacker to gain privileged access to host-level operations or to learn device-specific information, create diagnostic files, and make limited configuration changes. For more information about these vulnerabilities, see the Details section of this advisory.
25 CVE-2020-36333 306 2021-05-05 2021-05-11
6.4
None Remote Low Not required None Partial Partial
themegrill-demo-importer before 1.6.2 does not require authentication for wiping the database, because of a reset_wizard_actions hook.
26 CVE-2020-35469 306 2020-12-16 2020-12-17
10.0
None Remote Low Not required Complete Complete Complete
The Software AG Terracotta Server OSS Docker image 5.4.1 contains a blank password for the root user. Systems deployed using affected versions of the Terracotta Server OSS container may allow a remote attacker to achieve root access with a blank password.
27 CVE-2020-35468 306 2020-12-16 2020-12-17
10.0
None Remote Low Not required Complete Complete Complete
The Appbase streams Docker image 2.1.2 contains a blank password for the root user. Systems deployed using affected versions of the streams container may allow a remote attacker to achieve root access with a blank password.
28 CVE-2020-35467 306 2020-12-15 2020-12-18
10.0
None Remote Low Not required Complete Complete Complete
The Docker Docs Docker image through 2020-12-14 contains a blank password for the root user. Systems deployed using affected versions of the Docker Docs container may allow a remote attacker to achieve root access with a blank password.
29 CVE-2020-35466 306 2020-12-15 2020-12-17
10.0
None Remote Low Not required Complete Complete Complete
The Blackfire Docker image through 2020-12-14 contains a blank password for the root user. Systems deployed using affected versions of the Blackfire container may allow a remote attacker to achieve root access with a blank password.
30 CVE-2020-35465 306 2020-12-15 2020-12-17
10.0
None Remote Low Not required Complete Complete Complete
The FullArmor HAPI File Share Mount Docker image through 2020-12-14 contains a blank password for the root user. Systems deployed using affected versions of the FullArmor HAPI File Share Mount container may allow the remote attacker to achieve root access with a blank password.
31 CVE-2020-35464 306 2020-12-15 2020-12-17
10.0
None Remote Low Not required Complete Complete Complete
Version 1.3.0 of the Weave Cloud Agent Docker image contains a blank password for the root user. Systems deployed using affected versions of the Weave Cloud Agent container may allow a remote attacker to achieve root access with a blank password.
32 CVE-2020-35463 306 2020-12-15 2020-12-17
10.0
None Remote Low Not required Complete Complete Complete
Version 1.0.0 of the Instana Dynamic APM Docker image contains a blank password for the root user. Systems deployed using affected versions of the Instana Dynamic APM container may allow a remote attacker to achieve root access with a blank password.
33 CVE-2020-35462 306 2020-12-15 2020-12-17
10.0
None Remote Low Not required Complete Complete Complete
Version 3.16.0 of the CoScale agent Docker image contains a blank password for the root user. Systems deployed using affected versions of the CoScale agent container may allow a remote attacker to achieve root access with a blank password.
34 CVE-2020-35197 306 2020-12-17 2020-12-22
10.0
None Remote Low Not required Complete Complete Complete
The official memcached docker images before 1.5.11-alpine (Alpine specific) contain a blank password for a root user. System using the memcached docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password.
35 CVE-2020-35196 306 2020-12-17 2020-12-22
10.0
None Remote Low Not required Complete Complete Complete
The official rabbitmq docker images before 3.7.13-beta.1-management-alpine (Alpine specific) contain a blank password for a root user. System using the rabbitmq docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password.
36 CVE-2020-35195 306 2020-12-17 2020-12-21
10.0
None Remote Low Not required Complete Complete Complete
The official haproxy docker images before 1.8.18-alpine (Alpine specific) contain a blank password for a root user. System using the haproxy docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password.
37 CVE-2020-35193 306 2020-12-16 2020-12-21
10.0
None Remote Low Not required Complete Complete Complete
The official sonarqube docker images before alpine (Alpine specific) contain a blank password for a root user. System using the sonarqube docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password.
38 CVE-2020-35192 306 2020-12-17 2020-12-18
10.0
None Remote Low Not required Complete Complete Complete
The official vault docker images before 0.11.6 contain a blank password for a root user. System using the vault docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password.
39 CVE-2020-35191 306 2020-12-17 2020-12-18
10.0
None Remote Low Not required Complete Complete Complete
The official drupal docker images before 8.5.10-fpm-alpine (Alpine specific) contain a blank password for a root user. System using the drupal docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password.
40 CVE-2020-35190 306 2020-12-17 2020-12-18
10.0
None Remote Low Not required Complete Complete Complete
The official plone Docker images before version of 4.3.18-alpine (Alpine specific) contain a blank password for a root user. System using the plone docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password.
41 CVE-2020-35189 306 2020-12-17 2020-12-18
10.0
None Remote Low Not required Complete Complete Complete
The official kong docker images before 1.0.2-alpine (Alpine specific) contain a blank password for a root user. System using the kong docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password.
42 CVE-2020-35187 306 2020-12-17 2020-12-17
10.0
None Remote Low Not required Complete Complete Complete
The official telegraf docker images before 1.9.4-alpine (Alpine specific) contain a blank password for a root user. System using the telegraf docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password.
43 CVE-2020-35186 306 2020-12-17 2020-12-17
10.0
None Remote Low Not required Complete Complete Complete
The official adminer docker images before 4.7.0-fastcgi contain a blank password for a root user. System using the adminer docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password.
44 CVE-2020-35185 306 2020-12-17 2020-12-18
10.0
None Remote Low Not required Complete Complete Complete
The official ghost docker images before 2.16.1-alpine (Alpine specific) contain a blank password for a root user. System using the ghost docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password.
45 CVE-2020-35184 306 2020-12-17 2021-07-08
10.0
None Remote Low Not required Complete Complete Complete
The official composer docker images before 1.8.3 contain a blank password for a root user. System using the composer docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password.
46 CVE-2020-29389 306 2020-12-02 2020-12-22
10.0
None Remote Low Not required Complete Complete Complete
The official Crux Linux Docker images 3.0 through 3.4 contain a blank password for a root user. System using the Crux Linux Docker container deployed by affected versions of the Docker image may allow an attacker to achieve root access with a blank password.
47 CVE-2020-28899 306 2021-03-16 2021-03-22
6.4
None Remote Low Not required Partial Partial None
The Web CGI Script on ZyXEL LTE4506-M606 V1.00(ABDO.2)C0 devices does not require authentication, which allows remote unauthenticated attackers (via crafted JSON action data to /cgi-bin/gui.cgi) to use all features provided by the router. Examples: change the router password, retrieve the Wi-Fi passphrase, send an SMS message, or modify the IP forwarding to access the internal network.
48 CVE-2020-27285 306 2021-01-06 2021-01-08
6.4
None Remote Low Not required Partial Partial None
The default configuration of Crimson 3.1 (Build versions prior to 3119.001) allows a user to be able to read and modify the database without authentication.
49 CVE-2020-25563 306 2021-08-11 2021-08-16
7.5
None Remote Low Not required Partial Partial Partial
In SapphireIMS 5.0, it is possible to create local administrator on any client without requiring any credentials by directly accessing RemoteMgmtTaskSave (Automation Tasks) feature and not having a JSESSIONID.
50 CVE-2020-25228 306 2020-12-14 2020-12-16
10.0
None Remote Low Not required Complete Complete Complete
A vulnerability has been identified in LOGO! 8 BM (incl. SIPLUS variants) (All versions < V8.3). A service available on port 10005/tcp of the affected devices could allow complete access to all services without authorization. An attacker could gain full control over an affected device, if he has access to this service. The system manual recommends to protect access to this port.
Total number of vulnerabilities : 233   Page : 1 (This Page)2 3 4 5
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.