
CWE-287 (Improper Authentication) — Vulnerability Class 1203

1203 vulnerabilities classified as CWE-287 (Improper Authentication). AI-generated Chinese analysis included.

CWE-287 covers authentication weaknesses in which a system fails to adequately verify that an actor is who it claims to be. Such a flaw lets attackers bypass security controls by exploiting the weak verification, gaining unauthorized access through stolen credentials, brute-force guessing, or session hijacking. When authentication logic is flawed, malicious actors can impersonate legitimate users, leading to data breaches and privilege escalation. Developers mitigate this risk by implementing robust authentication protocols, including multi-factor authentication, and by ensuring that identity verification is rigorous and resistant to common attack vectors. By validating credentials only against securely hashed credential stores and applying adaptive security measures such as rate limiting, organizations can significantly reduce the likelihood of unauthorized access, protecting sensitive information and preserving system integrity.

MITRE CWE Description
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Common Consequences (1)
Scope: Integrity, Confidentiality, Availability, Access Control. Impact: Read Application Data, Gain Privileges or Assume Identity, Execute Unauthorized Code or Commands.
This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even the ability to execute arbitrary code.
Mitigations (1)
Architecture and Design: Use an authentication framework or library such as the OWASP ESAPI Authentication feature.
Examples (2)
The following code intends to ensure that the user is already logged in. If not, the code performs authentication with the user-provided username and password. If successful, it sets the loggedin and user cookies to "remember" that the user has already logged in. Finally, the code performs administrator tasks if the logged-in user has the "Administrator" username, as recorded in the user cookie.
    use strict;
    use warnings;
    use CGI;

    my $q = CGI->new;
    my @cookies;
    if (($q->cookie('loggedin') // '') ne "true") {
        if (! AuthenticateUser($q->param('username'), $q->param('password'))) {
            ExitError("Error: you need to log in first");
        }
        else {
            # Set loggedin and user cookies; they are only sent to the browser via the header below.
            push @cookies, $q->cookie( -name => 'loggedin', -value => 'true' );
            push @cookies, $q->cookie( -name => 'user', -value => $q->param('username') );
        }
    }
    print $q->header( -cookie => \@cookies );
    # The privilege check trusts the client-supplied 'user' cookie: this is the CWE-287 flaw.
    if (($q->cookie('user') // '') eq "Administrator") {
        DoAdministratorTasks();
    }
Bad · Perl
    GET /cgi-bin/vulnerable.cgi HTTP/1.1
    Cookie: user=Administrator
    Cookie: loggedin=true

    [body of request]
Attack
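As an added example (not MITRE's code and not from this page), the same cookie-trust flaw rewritten in Python beside a hardened variant that keeps identity in a server-side session store keyed by a random token, so the forged request above no longer reaches the administrator branch. The user store, salt and all function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample credential store: username -> sha256(salt + password). Illustration only.
_SALT = b"constructed-demo-salt"
_USERS = {
    "alice": hashlib.sha256(_SALT + b"correct horse").hexdigest(),
    "Administrator": hashlib.sha256(_SALT + b"admin pass").hexdigest(),
}


def authenticate_user(username, password):
    """Check a password against the constructed store using a constant-time comparison."""
    digest = hashlib.sha256(_SALT + password.encode()).hexdigest()
    expected = _USERS.get(username)
    return expected is not None and hmac.compare_digest(digest, expected)


# Vulnerable: mirrors the Perl sample. Identity and login state come straight from client cookies.
def vulnerable_is_admin(cookies, params):
    if cookies.get("loggedin") != "true":
        if not authenticate_user(params.get("username", ""), params.get("password", "")):
            return False
        cookies = {"loggedin": "true", "user": params["username"]}
    # A client that sends loggedin=true and user=Administrator never hits the password check.
    return cookies.get("user") == "Administrator"


# Hardened: the cookie carries only an opaque random token; the username lives on the server.
_SESSIONS = {}  # token -> username


def login(params):
    """Return a fresh session token only after the password check succeeds, else None."""
    user, password = params.get("username", ""), params.get("password", "")
    if not authenticate_user(user, password):
        return None
    token = secrets.token_urlsafe(32)
    _SESSIONS[token] = user
    return token


def hardened_is_admin(cookies):
    """The cookie value is used only as a lookup key; a forged username in it is ignored."""
    username = _SESSIONS.get(cookies.get("session", ""))
    return username == "Administrator"
```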
In January 2009, an attacker was able to gain administrator access to a Twitter server because the server did not restrict the number of login attempts [REF-236]. The attacker targeted a member of Twitter's support team and was able to successfully guess the member's password using a brute force attack by guessing a large number of common words. After gaining access as the member of the support st…
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2022-3681 | Motorola MR2600 authorization issue vulnerability | MR2600 Router | 6.5 | Medium | 2023-10-27
CVE-2022-34887 | Lenovo printers authorization issue vulnerability | Printer GM265DN (production date June 2022 and before) | 4.3 | Medium | 2023-10-27
CVE-2023-46290 | Rockwell Automation FactoryTalk Services Platform Elevated Privileges Vulnerability | FactoryTalk® Services Platform | 8.1 | High | 2023-10-27
CVE-2023-37283 | Authentication Bypass via HTML Form & Identifier First Adapter | PingFederate | 8.1 | High | 2023-10-25
CVE-2023-38735 | IBM Cognos Dashboards improper authentication | Cognos Dashboards on Cloud Pak for Data | 5.7 | Medium | 2023-10-22
CVE-2023-41089 | Improper Authentication in DEXMA DEXGate | DexGate | 8.0 | High | 2023-10-19
CVE-2023-45669 | Improper signature counter value handling in webauthn4j-spring-security | webauthn4j-spring-security | 4.8 | Medium | 2023-10-16
CVE-2023-4562 | Information Disclosure, Information Tampering and Authentication Bypass Vulnerability in MELSEC-F Series main module | MELSEC-F Series FX3U-16MT/ES | 9.1 | Critical | 2023-10-13
CVE-2023-44096 | Huawei HarmonyOS security vulnerability | HarmonyOS | 7.5 | - | 2023-10-11
CVE-2023-36724 | Windows Power Management Service Information Disclosure Vulnerability | Windows 10 Version 1809 | 5.5 | Medium | 2023-10-10
CVE-2023-43809 | Soft Serve Public Key Authentication Bypass Vulnerability when Keyboard-Interactive SSH Authentication is Enabled | soft-serve | 7.5 | High | 2023-10-04
CVE-2023-43805 | Nexkey allows users to bypass authentication of Bull dashboard | nexkey | 7.5 | High | 2023-10-04
CVE-2023-43793 | Misskey allows users to bypass authentication of Bull dashboard | misskey | 7.5 | High | 2023-10-04
CVE-2021-3784 | Garuda Linux Improper Authorization | Garuda Linux | 5.3 | Medium | 2023-10-04
CVE-2023-28540 | Improper Authentication in Data Modem | Snapdragon | 9.1 | Critical | 2023-10-03
CVE-2023-26150 | asyncua authorization issue vulnerability | asyncua | 6.5 | Medium | 2023-10-03
CVE-2023-5329 | Field Logic DataCube4 Web API improper authentication | DataCube4 | 4.3 | Medium | 2023-10-02
CVE-2023-5328 | SATO CL4NX-J Plus Cookie improper authentication | CL4NX-J Plus | 6.3 | Medium | 2023-10-01
CVE-2023-5326 | SATO CL4NX-J Plus WebConfig improper authentication | CL4NX-J Plus | 6.3 | Medium | 2023-10-01
CVE-2023-43660 | SSH key password bypassed in warpgate | warpgate | 4.8 | Medium | 2023-09-27
CVE-2023-42818 | SSH public key login without private key challenge if mfa is enabled in jumpserver | jumpserver | 5.4 | Medium | 2023-09-27
CVE-2023-31015 | NVIDIA DGX authorization issue vulnerability | DGX H100 BMC | 6.6 | Medium | 2023-09-20
CVE-2023-0773 | Unauthorized Access Control Vulnerability in Uniview IP Camera | Uniview IP Camera IPC322LB-SF28-A | 9.1 | Critical | 2023-09-19
CVE-2023-42442 | JumpServer session replays download without authentication | jumpserver | 8.2 | High | 2023-09-15
CVE-2023-4985 | Supcon InPlant SCADA Project.xml improper authentication | InPlant SCADA | 5.9 | Medium | 2023-09-15
CVE-2023-4568 | PaperCut NG Unauthenticated XMLRPC | PaperCut NG | 6.5 | Medium | 2023-09-13
CVE-2023-4501 | Authentication bypass in OpenText (Micro Focus) Enterprise Server | Visual COBOL, COBOL Server, Enterprise Developer, Enterprise Server | 9.8 | Critical | 2023-09-12
CVE-2023-29463 | Pavilion8 Security Misconfiguration Vulnerability | Pavilion8 | 8.8 | High | 2023-09-12
CVE-2023-4816 | Hitachi Energy Asset Suite authorization issue vulnerability | Asset Suite 9 | 6.9 | Medium | 2023-09-11
CVE-2023-20238 | Cisco BroadWorks Application security vulnerability | Cisco BroadWorks | 10.0 | Critical | 2023-09-06

Vulnerabilities classified as CWE-287 (Improper Authentication) account for 1203 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.