CVEbaza.plSłownik CWECWE-441
Common Weakness Enumeration

CWE-441

Unintended Proxy or Intermediary ('Confused Deputy')

Kategoria: ClassCVE: 95
Opis

Produkt otrzymuje żądanie, komunikat lub dyrektywę od składnika nadrzędnego, ale nie zachowuje wystarczająco informacji o oryginalnym źródle żądania przed przekazaniem go zewnętrznemu uczestnikowi poza kontrolą produktu. Powoduje to, że produkt wydaje się działać w imieniu lub z autoryzacją podmiotu, który faktycznie tego żądania nie wysłał.

Description (EN)

The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.

Podatności CVE z CWE-441 (95)
9.9
CVSS
CRITICAL
CVE-2025-68667

Podatność w serwerze czatu Conduit i jego pochodnych (continuwuity, Grapevine, tuwunel) umożliwia zdalnemu, nieuwierzytelnionemu atakującemu zmuszenie serwera do kryptograficznego podpisania dowolnych zdarzeń członkostwa w pokojach Matrix. Jest to krytyczna luka, gdyż pozwala na podszywanie się pod użytkowników, usuwanie ich z pokojów oraz uzyskiwanie nieautoryzowanego dostępu do prywatnych konwersacji.

pub. 2025-12-23
9.8
CVSS
CRITICAL
CVE-2021-20042

An unauthenticated remote attacker can use SMA 100 as an unintended proxy or intermediary undetectable proxy to bypass firewall rules. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances.

pub. 2021-12-08
9.4
CVSS
CRITICAL
CVE-2025-64125

Podatność w usłudze Nuvation Energy nCloud VPN Service umożliwiała tzw. Network Boundary Bridging, czyli nieautoryzowane przekraczanie granic segmentacji sieci. Jest to podatność krytyczna (CVSS 9.4) mogąca prowadzić do naruszenia izolacji między segmentami sieciowymi.

pub. 2026-01-03
9.3
CVSS
CRITICAL
CVE-2026-23751

Kofax Capture (obecnie Tungsten Capture) w wersji 6.0.0.0 udostępnia niezabezpieczony, przestarzały kanał .NET Remoting HTTP na porcie 2424, dostępny bez uwierzytelniania. Podatność umożliwia nieuwierzytelnionemu atakującemu zdalne wykonanie kodu, odczyt i zapis dowolnych plików oraz przechwycenie danych uwierzytelniających NTLMv2.

pub. 2026-04-23
9.3
CVSS
CRITICAL
CVE-2026-24471

Podatność w serwerze Matrix continuwuity (oraz pochodnych Conduit) pozwala złośliwemu zdalnemu serwerowi nakłonić serwer ofiary do podpisania dowolnego zdarzenia podczas standardowych interakcji użytkownika. Jest to podatność krytyczna, ponieważ umożliwia fałszowanie podpisanych zdarzeń w federowanej sieci Matrix pod tożsamością serwera ofiary.

pub. 2026-02-02
9.3
CVSS
CRITICAL
CVE-2025-25306

Platforma Misskey nie weryfikuje poprawnie relacji między polami `id` i `url` obiektów ActivityPub, co pozwala atakującemu na sfałszowanie autorytetu w polu `url`. Jest to obejście wcześniejszego patcha dla CVE-2024-52591 i może prowadzić do manipulacji danymi federacyjnymi z krytycznym wpływem na integralność.

pub. 2025-03-10
9.1
CVSS
CRITICAL
CVE-2026-7381

Podatność w module Plack::Middleware::XSendfile (wersje do 1.0053) dla Perl umożliwia złośliwemu klientowi manipulację nagłówkami HTTP w celu wymuszenia odczytu dowolnych plików z serwera. Ze względu na krytyczny wynik CVSS 9.1 i brak wymaganych uprawnień, podatność stanowi poważne zagrożenie dla serwisów działających za odwrotnym proxy nginx.

pub. 2026-04-29
9.1
CVSS
CRITICAL
CVE-2015-2947

KanColleViewer versions 3.8.1 and earlier operates as an open proxy which allows remote attackers to trigger outbound network traffic.

pub. 2017-04-13
8.8
CVSS
HIGH
CVE-2026-36608

Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 allows UPnP AddPortMapping to forward external ports to the router's own admin interface by accepting its own IP (192.168.1.1) or localhost (127.0.0.1) as InternalClient. An unauthenticated LAN attacker can expose the admin panel to the internet with a single SOAP request.

pub. 2026-06-03
8.8
CVSS
HIGH
CVE-2022-39361

Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, H2 (Sample Database) could allow Remote Code Execution (RCE), which can be abused by users able to write SQL queries on H2 databases. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase no longer allows DDL statements in H2 native queries.

pub. 2022-10-26
8.7
CVSS
HIGH
CVE-2026-44494

Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.16.0, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into a full Man-in-the-Middle (MITM) attack — intercepting, reading, and modifying all HTTP traffic including authentication credentials. The HTTP adapter at lib/adapters/http.js:670 reads config.proxy via standard property access, which traverses the prototype chain. Because proxy is not present in Axios defaults, the merged config object has no own proxy property, making it trivially injectable via prototype pollution. Once injected, setProxy() routes all HTTP requests through the attacker's proxy server. This vulnerability is fixed in 1.16.0.

pub. 2026-06-11
8.7
CVSS
HIGH
CVE-2025-11393

A flaw was found in runtimes-inventory-rhel8-operator. An internal proxy component is incorrectly configured. Because of this flaw, the proxy attaches the cluster's main administrative credentials to any command it receives, instead of only the specific reports it is supposed to handle. This allows a standard user within the cluster to send unauthorized commands to the management platform, effectively acting with the full permissions of the cluster administrator. This could lead to unauthorized changes to the cluster's configuration or status on the Red Hat platform.

pub. 2025-12-15
8.6
CVSS
HIGH
CVE-2024-30128

HCL Nomad server on Domino is affected by an open proxy vulnerability in which an unauthenticated attacker can mask their original source IP address. This may enable an attacker to trick the user into exposing sensitive information.

pub. 2024-09-25
8.5
CVSS
HIGH
CVE-2021-32783

Contour is a Kubernetes ingress controller using Envoy proxy. In Contour before version 1.17.1 a specially crafted ExternalName type Service may be used to access Envoy's admin interface, which Contour normally prevents from access outside the Envoy container. This can be used to shut down Envoy remotely (a denial of service), or to expose the existence of any Secret that Envoy is using for its configuration, including most notably TLS Keypairs. However, it *cannot* be used to get the *content* of those secrets. Since this attack allows access to the administration interface, a variety of administration options are available, such as shutting down the Envoy or draining traffic. In general, the Envoy admin interface cannot easily be used for making changes to the cluster, in-flight requests, or backend services, but it could be used to shut down or drain Envoy, change traffic routing, or to retrieve secret metadata, as mentioned above. The issue will be addressed in Contour v1.18.0 and a cherry-picked patch release, v1.17.1, has been released to cover users who cannot upgrade at this time. For more details refer to the linked GitHub Security Advisory.

pub. 2021-07-23
8.4
CVSS
HIGH
CVE-2026-0107

In gmc_ddr_handle_mba_mr_req of gmc_mba_ddr.c, there is a possible escalation of privileges due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

pub. 2026-03-10
8.4
CVSS
HIGH
CVE-2025-48579

In multiple functions of MediaProvider.java, there is a possible external storage write permission bypass due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

pub. 2026-03-02
8.4
CVSS
HIGH
CVE-2026-0008

In multiple locations, there is a possible privilege escalation due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

pub. 2026-03-02
8.4
CVSS
HIGH
CVE-2026-0013

In setupLayout of PickActivity.java, there is a possible way to start any activity as a DocumentsUI app due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

pub. 2026-03-02
8.4
CVSS
HIGH
CVE-2026-0021

In hasInteractAcrossUsersFullPermission of AppInfoBase.java, there is a possible cross-user permission bypass due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

pub. 2026-03-02
8.3
CVSS
HIGH
CVE-2026-42313

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set_config_value() API method (@permission(Perms.SETTINGS)) in src/pyload/core/api/__init__.py gates security-sensitive options behind a hand-maintained allowlist ADMIN_ONLY_CORE_OPTIONS. The allowlist contains ("proxy", "username") and ("proxy", "password") — which protect the proxy credentials — but it does not include ("proxy", "enabled"), ("proxy", "host"), ("proxy", "port"), or ("proxy", "type"). Any authenticated user with the non-admin SETTINGS permission can enable proxying and point pyload at any host they control. From that point, every outbound download, captcha fetch, update check, and plugin HTTP call is transparently routed through the attacker. This is a direct continuation of the fix family CVE-2026-33509 / CVE-2026-35463 / CVE-2026-35464 / CVE-2026-35586, each of which patched a different missed option in the same allowlist. This vulnerability is fixed in 0.5.0b3.dev100.

pub. 2026-05-11
Pokazano 20 z 95 podatności
Informacje
ID: CWE-441
Typ: Class
Podatności: 95
MITRE CWE ↗
← Słownik CWE
CWE-441 — Niezamierzony Pośrednik lub Intermediariusz ('Zdezorientowany Zastępca') | Słownik CWE | CVEbaza.pl