
CWE-287 (Improper Authentication) — Vulnerability Class · 1203 CVEs

1203 vulnerabilities are classified as CWE-287 (Improper Authentication). AI-generated Chinese-language analysis is included for each entry.

CWE-287 covers any case where a system accepts an actor's claim of identity without adequately proving it. The practical consequence is that an attacker obtains another user's access without that user's secret: by presenting a client-controlled value the server treats as proof of login (as in the cookie example below), by guessing a weak password against an endpoint that never limits failed attempts (as in the Twitter incident below), or by replaying a session identifier that was never bound to the session it was issued for. Because authentication is the gate in front of every authorization check, a flaw here typically yields full impersonation of the victim, administrators included. The durable fixes are structural rather than cosmetic: use a vetted authentication framework instead of hand-rolled checks, keep login state server-side or bind it to a server secret with a MAC and an expiry, store passwords as salted slow hashes compared in constant time, throttle and lock out repeated failures per account and per source, and require a second factor for privileged accounts.

MITRE CWE Description
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Common Consequences (1)
Scope: Integrity, Confidentiality, Availability, Access Control
Impact: Read Application Data, Gain Privileges or Assume Identity, Execute Unauthorized Code or Commands
This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even allowing them to execute arbitrary code.
Mitigations (1)
Architecture and Design: Use an authentication framework or library such as the OWASP ESAPI Authentication feature.
Examples (2)
The following code intends to ensure that the user is already logged in. If not, the code performs authentication with the user-provided username and password. If successful, it sets the loggedin and user cookies to "remember" that the user has already logged in. Finally, the code performs administrator tasks if the logged-in user has the "Administrator" username, as recorded in the user cookie.
Bad · Perl

```perl
my $q = new CGI;

if ($q->cookie('loggedin') ne "true") {
    if (! AuthenticateUser($q->param('username'), $q->param('password'))) {
        ExitError("Error: you need to log in first");
    }
    else {
        # Set loggedin and user cookies.
        $q->cookie(
            -name  => 'loggedin',
            -value => 'true'
        );
        $q->cookie(
            -name  => 'user',
            -value => $q->param('username')
        );
    }
}

if ($q->cookie('user') eq "Administrator") {
    DoAdministratorTasks();
}
```

Attack

```http
GET /cgi-bin/vulnerable.cgi HTTP/1.1
Cookie: user=Administrator
Cookie: loggedin=true

[body of request]
```
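The cookie flaw above transliterated into Python beside a hardened version, as an added example that is not part of the CWE entry or of MITRE's code. The account names and passwords, the HMAC-signed token format and the `SERVER_KEY` secret are assumptions made for the demonstration; a real application would use its framework's session mechanism rather than hand-rolling one.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# --- Constructed user store (illustrative accounts, not real credentials) ---
def hash_password(password, salt):
    # Salted, slow hash; a production app would use argon2/bcrypt/scrypt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user_store(plaintext_creds):
    store = {}
    for user, pw in plaintext_creds.items():
        salt = secrets.token_bytes(16)
        store[user] = (salt, hash_password(pw, salt))
    return store

USERS = make_user_store({"support": "correct-horse-battery",
                         "Administrator": "n0t-hunter2"})

def authenticate_user(username, password):
    rec = USERS.get(username)
    if rec is None:
        return False
    salt, expected = rec
    return hmac.compare_digest(hash_password(password, salt), expected)

# --- Vulnerable: the Perl logic, line for line ---
def vulnerable_handler(cookies, params):
    """Trusts the client-supplied 'loggedin' and 'user' cookies (CWE-287)."""
    if cookies.get("loggedin") != "true":
        if not authenticate_user(params.get("username", ""), params.get("password", "")):
            return "error: you need to log in first"
        cookies["loggedin"] = "true"
        cookies["user"] = params["username"]
    if cookies.get("user") == "Administrator":   # client decides who it is
        return "admin tasks executed"
    return "ok"

# --- Hardened: identity lives in a server-signed, expiring session token ---
SERVER_KEY = secrets.token_bytes(32)   # assumed per-deployment secret, never sent to clients

def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode()

def issue_session(username, ttl_seconds=3600):
    payload = json.dumps({"user": username, "exp": int(time.time()) + ttl_seconds},
                         separators=(",", ":")).encode()
    mac = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)

def verify_session(token):
    """Returns the username bound to a valid, unexpired token, else None."""
    try:
        p64, m64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(p64)
        mac = base64.urlsafe_b64decode(m64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):    # constant-time comparison
        return None
    data = json.loads(payload)
    if data.get("exp", 0) < time.time():
        return None
    return data.get("user")

def hardened_handler(cookies, params):
    """Only a token this server issued counts as proof of identity."""
    user = verify_session(cookies.get("session", ""))
    if user is None:
        if not authenticate_user(params.get("username", ""), params.get("password", "")):
            return "error: you need to log in first"
        user = params["username"]
        cookies["session"] = issue_session(user)
    if user == "Administrator":
        return "admin tasks executed"
    return "ok"

def forge_token(username):
    """What an attacker who knows the token format but not SERVER_KEY can build."""
    payload = json.dumps({"user": username, "exp": 2**31 - 1}, separators=(",", ":")).encode()
    return _b64(payload) + "." + _b64(b"\x00" * 32)
```

The vulnerable handler grants administrator rights to the forged request shown above because the `user` cookie is a bare client assertion that nothing on the server verifies. The hardened handler accepts only a token it issued itself: changing the payload invalidates the MAC, the MAC cannot be produced without `SERVER_KEY`, and the expiry bounds replay of a stolen token. A server-side session table keyed by a random ID reaches the same goal and additionally allows revocation.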
In January 2009, an attacker was able to gain administrator access to a Twitter server because the server did not restrict the number of login attempts [REF-236]. The attacker targeted a member of Twitter's support team and was able to successfully guess the member's password using a brute force attack by guessing a large number of common words. After gaining access as the member of the support st…
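A login throttle of the kind the Twitter server lacked, as an added example that is neither Twitter's code nor taken from the cited reference. The demo account, its password, the wordlist and the thresholds (5 failures, 15-minute lockout) are constructed for the demonstration; `FakeClock` exists only so the lockout expiry can be exercised without sleeping.

```python
import hmac
import time

# Constructed demo account; plaintext on purpose so the throttle logic stays in
# focus (a real store holds salted slow hashes). Not a real credential.
DEMO_USERS = {"support-agent": "happiness"}

# Constructed stand-in for the "large number of common words" the attacker tried.
COMMON_WORDS = ["password", "letmein", "welcome", "sunshine", "monkey",
                "dragon", "happiness", "football", "shadow", "master"]


class FakeClock:
    """Injectable clock: advance() instead of sleeping."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


class LoginThrottle:
    """Per-key consecutive-failure counter with a fixed lockout window.

    `key` is whatever you throttle on: the target username, the source
    address, or a combination. `clock` must return seconds as a float.
    """
    def __init__(self, max_failures=5, lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures = {}       # key -> consecutive failure count
        self._locked_until = {}   # key -> clock value at which the lock expires

    def is_locked(self, key):
        until = self._locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:
            # Lock expired: clear it and the counter that triggered it.
            del self._locked_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def record_failure(self, key):
        count = self._failures.get(key, 0) + 1
        self._failures[key] = count
        if count >= self.max_failures:
            self._locked_until[key] = self.clock() + self.lockout_seconds

    def record_success(self, key):
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


def attempt_login(throttle, username, password):
    """Returns 'locked', 'ok' or 'bad'. The lock check runs first, so a locked
    account rejects even the correct password until the window ends."""
    if throttle.is_locked(username):
        return "locked"
    stored = DEMO_USERS.get(username)
    # compare_digest on str requires ASCII input; fine for this demo.
    if stored is not None and hmac.compare_digest(stored, password):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username)
    return "bad"


def dictionary_attack(throttle, username, wordlist):
    """Simulates the brute force: returns the password found, or None."""
    for guess in wordlist:
        if attempt_login(throttle, username, guess) == "ok":
            return guess
    return None


def run_demo():
    """Runs the same wordlist against an unthrottled and a throttled login.
    Returns (found_without_throttle, found_with_throttle,
             status_while_locked, status_after_lockout_expires)."""
    clock = FakeClock()
    unthrottled = LoginThrottle(max_failures=10**9, clock=clock)
    found_open = dictionary_attack(unthrottled, "support-agent", COMMON_WORDS)

    throttled = LoginThrottle(max_failures=5, lockout_seconds=900, clock=clock)
    found_throttled = dictionary_attack(throttled, "support-agent", COMMON_WORDS)
    while_locked = attempt_login(throttled, "support-agent", "happiness")
    clock.advance(900)
    after_expiry = attempt_login(throttled, "support-agent", "happiness")
    return found_open, found_throttled, while_locked, after_expiry
```

With no limit the seventh guess succeeds; with the throttle the account locks after the fifth failure and the correct password is refused until the window expires. Two caveats a deployment must handle: keying only on the username lets an attacker lock legitimate users out, so pair a per-account lock with per-source throttling or progressive delay, and the early return for an unknown user above is measurably faster than a failed hash comparison, which leaks valid usernames unless the unknown-user path does equivalent work.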
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2024-38124 | Windows Netlogon Elevation of Privilege Vulnerability | Windows Server 2019 | 9.0 | Critical | 2024-10-08
CVE-2024-41798 | Siemens SENTRON 7KM PAC3200 authorization issue vulnerability | SENTRON 7KM PAC3200 | 9.8 | Critical | 2024-10-08
CVE-2024-45051 | Bypass of email address validation via encoded email addresses in Discourse | discourse | 8.2 | High | 2024-10-07
CVE-2024-47768 | Lif Authentication Server Has No Auth Check When Updating Password In Account Recovery | Lif-Auth-Server | 5.9 | - | 2024-10-04
CVE-2024-47070 | authentik vulnerable to password authentication bypass via X-Forwarded-For HTTP header | authentik | 9.1 | Critical | 2024-09-27
CVE-2024-47174 | Credential leak when credentials are used with `<nix/fetchurl.nix>` | nix | 5.9 | Medium | 2024-09-26
CVE-2024-45042 | Ory Kratos's `highest_available` setting does not properly respect code + mfa credentials | kratos | 4.4 | Medium | 2024-09-26
CVE-2024-47078 | Meshtastic firmware Authentication/Authorization Bypass via MQTT | firmware | 8.1 | High | 2024-09-25
CVE-2024-0002 | FlashArray security vulnerability | FlashArray | 10.0 | Critical | 2024-09-23
CVE-2022-25768 | Improper Access Control in UI upgrade process | Mautic | 7.0 | High | 2024-09-18
CVE-2024-45113 | ColdFusion: Improper Authentication (CWE-287) | ColdFusion | 7.5 | High | 2024-09-13
CVE-2024-45823 | FactoryTalk® Batch View™ Authentication Bypass Vulnerability via shared secrets | FactoryTalk® Batch View™ | 8.1 | High | 2024-09-12
CVE-2024-38225 | Microsoft Dynamics 365 Business Central Elevation of Privilege Vulnerability | Microsoft Dynamics 365 Business Central 2023 Release Wave 1 | 8.8 | High | 2024-09-10
CVE-2023-45038 | Music Station | Music Station | 4.3 | Medium | 2024-09-06
CVE-2024-7923 | Puppet-pulpcore: an authentication bypass vulnerability exists in pulpcore | - | 9.8 (AI) | Critical (AI) | 2024-09-04
CVE-2024-7012 | Puppet-foreman: an authentication bypass vulnerability exists in foreman | - | 9.8 | Critical | 2024-09-04
CVE-2024-7870 | PixelYourSite – Your smart PIXEL (TAG) & API Manager <= 9.7.1 and PixelYourSite PRO <= 10.4.2 - Unauthenticated Information Exposure and Log Deletion | PixelYourSite – Your smart PIXEL (TAG) & API Manager | 6.5 | Medium | 2024-09-04
CVE-2024-45346 | GetApps application has code execution vulnerability | GetApps application | 8.8 | High | 2024-08-28
CVE-2024-45036 | Improper Access Control Vulnerability When Accessing a Maliciously Crafted Tophat Link | tophat | 7.5 (AI) | High (AI) | 2024-08-26
CVE-2024-7401 | Client Enrollment Process Bypass | Netskope Client | 9.8 (AI) | Critical (AI) | 2024-08-26
CVE-2024-42336 | Servision - CWE-287: Improper Authentication | Servision IVG Webmax 1.0.57 | 8.2 | High | 2024-08-20
CVE-2024-38810 | Missing Authorization When Using @AuthorizeReturnObject | spring security | 6.5 | Medium | 2024-08-20
CVE-2024-43240 | WordPress Indeed Ultimate Membership Pro plugin <= 12.7 - Unauthenticated Privilege Escalation vulnerability | Ultimate Membership Pro | 9.4 | Critical | 2024-08-19
CVE-2024-6078 | Rockwell Automation Authentication Bypass Vulnerability in DataMosaix™ | DataMosaix™ | 9.1 (AI) | Critical (AI) | 2024-08-14
CVE-2024-7593 | Ivanti Virtual Traffic Manager security vulnerability | vTM | 9.8 | Critical | 2024-08-13
CVE-2024-42164 | Disabling MFA without Authentication | FIWARE Keyrock | 4.3 | Medium | 2024-08-12
CVE-2024-42038 | Huawei EMUI and Huawei HarmonyOS security vulnerability | HarmonyOS | 8.8 | High | 2024-08-08
CVE-2024-7395 | Insufficient Authentication | JetPort 5601v3 | 9.8 (AI) | Critical (AI) | 2024-08-05
CVE-2019-6197 | Lenovo PC Manager security vulnerability | PC Manager | 7.8 | High | 2024-07-31
CVE-2019-6198 | Lenovo PC Manager security vulnerability | PC Manager | 7.8 | High | 2024-07-31

Values marked (AI) carried an "AI" flag in the source listing; "-" means the field was empty there.

Vulnerabilities classified as CWE-287 (Improper Authentication) represent 1203 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.