
CWE-287 (Improper Authentication) — Vulnerability Class 1203

1203 vulnerabilities classified as CWE-287 (Improper Authentication). AI-generated Chinese analysis included.

CWE-287 covers a critical class of authentication weakness in which a system fails to adequately verify that an actor is who it claims to be. Because the verification step is insufficient, attackers can bypass security controls using stolen credentials, brute-force guessing, or session hijacking, and impersonate legitimate users; the usual outcomes are data breaches and privilege escalation. The standard mitigations are a robust authentication design with multi-factor authentication, identity verification logic that is rigorous and resistant to the common attack vectors, strict validation of credentials against securely hashed credential stores, and adaptive security measures. Together these substantially reduce the likelihood of unauthorized access and protect sensitive information and system integrity.

MITRE CWE Description
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Common Consequences (1)
Scope: Integrity, Confidentiality, Availability, Access Control
Impact: Read Application Data; Gain Privileges or Assume Identity; Execute Unauthorized Code or Commands
This weakness can expose resources or functionality to unintended actors, possibly giving attackers access to sensitive information or even the ability to execute arbitrary code.
Mitigations (1)
Phase: Architecture and Design. Use an authentication framework or library such as the OWASP ESAPI Authentication feature.
Examples (2)
The following code intends to ensure that the user is already logged in. If not, the code performs authentication with the user-provided username and password. If successful, it sets the loggedin and user cookies to "remember" that the user has already logged in. Finally, the code performs administrator tasks if the logged-in user has the "Administrator" username, as recorded in the user cookie.
Bad · Perl
use CGI;

my $q = new CGI;
if ($q->cookie('loggedin') ne "true") {
    if (! AuthenticateUser($q->param('username'), $q->param('password'))) {
        ExitError("Error: you need to log in first");
    }
    else {
        # Set loggedin and user cookies.
        $q->cookie( -name => 'loggedin', -value => 'true' );
        $q->cookie( -name => 'user', -value => $q->param('username') );
    }
}
if ($q->cookie('user') eq "Administrator") {
    DoAdministratorTasks();
}

Attack
GET /cgi-bin/vulnerable.cgi HTTP/1.1
Cookie: user=Administrator
Cookie: loggedin=true
[body of request]
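The defect in the CGI above is that identity and login state are read from client-controlled cookies. The following Python example (added here; it is not part of the MITRE entry) contrasts that logic with the usual fix: the client holds only an opaque random session token, and the username and role are looked up in a server-side session table. The user store, passwords and session table are constructed for the demo.

```python
import hmac
import secrets

# Constructed user store for the demo: username -> (password, role).
# Passwords are kept in plaintext only to keep the example short.
USERS = {"alice": ("correct horse", "user"),
         "Administrator": ("demo-admin-password", "admin")}

# Server-side session table: opaque token -> username. The client
# only ever holds the token; identity and role stay on the server.
SESSIONS = {}


def vulnerable_is_admin(cookies):
    """Mirrors the Perl CGI: identity is read straight from
    client-controlled cookies, so a forged pair grants admin."""
    return (cookies.get("loggedin") == "true"
            and cookies.get("user") == "Administrator")


def authenticate(username, password):
    """Verify credentials and return an opaque session token, or None."""
    record = USERS.get(username)
    if record is None:
        return None
    stored_pw, _role = record
    # compare_digest avoids leaking the match position via timing.
    if not hmac.compare_digest(stored_pw.encode(), password.encode()):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def hardened_is_admin(cookies):
    """Use the cookie only as a lookup key; the username and role
    come from the server-side session table, never from the client."""
    username = SESSIONS.get(cookies.get("session", ""))
    if username is None:
        return False
    return USERS[username][1] == "admin"


if __name__ == "__main__":
    forged = {"loggedin": "true", "user": "Administrator"}
    print("vulnerable:", vulnerable_is_admin(forged))   # True: bypass
    print("hardened:", hardened_is_admin(forged))        # False
    tok = authenticate("Administrator", "demo-admin-password")
    print("hardened, real login:", hardened_is_admin({"session": tok}))  # True
```

The forged request from the Attack block above is exactly what `forged` represents; the hardened check rejects it because no server-side session maps to it.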
In January 2009, an attacker was able to gain administrator access to a Twitter server because the server did not restrict the number of login attempts [REF-236]. The attacker targeted a member of Twitter's support team and was able to successfully guess the member's password using a brute force attack by guessing a large number of common words. After gaining access as the member of the support st…
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2024-25699 | Portal for ArcGIS has an invalid authentication vulnerability | Portal for ArcGIS | 8.5 | High | 2024-04-04
CVE-2024-28012 | NEC Corporation Aterm security vulnerability | WG1800HP4 | 9.1 (AI) | Critical (AI) | 2024-03-28
CVE-2024-28009 | NEC Corporation Aterm security vulnerability | WG1800HP4 | 9.1 (AI) | Critical (AI) | 2024-03-28
CVE-2024-28007 | NEC Corporation Aterm security vulnerability | WG1800HP4 | 9.1 (AI) | Critical (AI) | 2024-03-28
CVE-2024-28006 | NEC Corporation Aterm security vulnerability | WG1800HP4 | 9.1 (AI) | Critical (AI) | 2024-03-28
CVE-2024-2244 | Hitachi Energy Asset Suite security vulnerability | Asset Suite EAM | 5.3 | Medium | 2024-03-27
CVE-2024-2873 | User authentication bypass in wolfSSH server | wolfSSH | 9.1 | Critical | 2024-03-25
CVE-2024-2862 | Password reset vulnerability without authorization on LG LED Assistant | LG LED Assistant | 9.1 | Critical | 2024-03-25
CVE-2022-44595 | WordPress WP2FA plugin <= 2.2.0 - Broken Authentication vulnerability | WP 2FA | 5.3 | Medium | 2024-03-21
CVE-2024-1148 | Weak Access Control - Arbitrary file upload | PVCS Version Manager | 9.8 | Critical | 2024-03-21
CVE-2024-1147 | Weak Access Control - Arbitrary file download | PVCS Version Manager | 9.8 | Critical | 2024-03-21
CVE-2024-27767 | Unitronics Unistream Unilogic – Versions prior to 1.35.227 CWE-287: Improper Authentication | Unistream Unilogic | 10.0 | Critical | 2024-03-18
CVE-2024-28255 | Authentication Bypass in OpenMetadata | OpenMetadata | 9.8 | Critical | 2024-03-15
CVE-2024-2450 | Mattermost security vulnerability | Mattermost | 8.8 | High | 2024-03-15
CVE-2024-25652 | Delinea PAM Secret Server security vulnerability | Secret Server | 7.6 | High | 2024-03-14
CVE-2023-38534 | OpenText Exceed Turbo X security vulnerability | Exceed Turbo X | 8.6 | High | 2024-03-13
CVE-2024-0799 | Authentication Bypass via wizardLogin in Arcserve Unified Data Protection | Unified Data Protection | 9.8 | Critical | 2024-03-13
CVE-2024-21427 | Windows Kerberos Security Feature Bypass Vulnerability | Windows Server 2019 | 7.5 | High | 2024-03-12
CVE-2024-21390 | Microsoft Authenticator Elevation of Privilege Vulnerability | Microsoft Authenticator | 7.1 | High | 2024-03-12
CVE-2023-46717 | Fortinet FortiOS authorization issue vulnerability | FortiOS | 6.7 | High | 2024-03-12
CVE-2024-21899 | QTS, QuTS hero, QuTScloud | QTS | 9.8 | Critical | 2024-03-08
CVE-2023-46172 | IBM DS8900F security bypass | DS8900F | 5.6 | Medium | 2024-03-07
CVE-2023-42662 | JFrog Artifactory Improper SSO Mechanism may lead to Exposure of Access Tokens | Artifactory | 9.3 | Critical | 2024-03-07
CVE-2024-27923 | Remote Code Execution by uploading a phar file using frontmatter | grav | 8.8 | High | 2024-03-06
CVE-2023-48703 | SAML authentication bypass vulnerability in RobotsAndPencils/go-saml | go-saml | 7.5 | High | 2024-03-06
CVE-2024-20301 | Cisco Duo security vulnerability | Cisco Duo | 6.2 | Medium | 2024-03-06
CVE-2023-38372 | IBM Watson IoT Platform information disclosure | Watson IoT Platform | 5.9 | Medium | 2024-02-29
CVE-2024-25128 | Flask-AppBuilder incorrect authentication when using auth type OpenID | Flask-AppBuilder | 9.1 | Critical | 2024-02-28
CVE-2024-22395 | SonicWALL SMA100 authorization issue vulnerability | SMA100 | 6.3 | Medium | 2024-02-23
CVE-2024-1817 | Demososo DM Enterprise Website Building System Cookie indexDM_load.php dmlogin improper authentication | DM Enterprise Website Building System | 7.3 | High | 2024-02-23

Vulnerabilities classified as CWE-287 (Improper Authentication) account for 1203 CVEs. The CWE taxonomy describes the weakness class; review individual CVEs for product-specific impact.