CWE-287 (Improper Authentication) — Vulnerability Class (1203 CVEs)

1203 vulnerabilities classified as CWE-287 (Improper Authentication). AI-generated Chinese-language analysis included.

CWE-287 covers systems that accept a claimed identity without adequately proving it. The gap is exploited in practice through guessed or stolen credentials, brute force against login endpoints that do not limit attempts, forged or hijacked session state, and logic flaws such as trusting a client-supplied identity or skipping verification of a token signature. Once authentication is bypassed, an attacker can impersonate legitimate users, read their data and escalate to privileged roles. The mitigations are well established: use a vetted authentication framework rather than hand-written checks, derive identity only from server-side state bound to an unguessable session token, store credentials as salted hashes under a slow key-derivation function and compare them in constant time, throttle and alert on failed attempts, and require multi-factor authentication for privileged accounts.

MITRE CWE Description
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Common Consequences (1)
Scope: Integrity, Confidentiality, Availability, Access Control
Impact: Read Application Data; Gain Privileges or Assume Identity; Execute Unauthorized Code or Commands
This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even the ability to execute arbitrary code.
Mitigations (1)
Phase: Architecture and Design. Use an authentication framework or library such as the OWASP ESAPI Authentication feature.
Examples (2)
The following code intends to ensure that the user is already logged in. If not, the code performs authentication with the user-provided username and password. If successful, it sets the loggedin and user cookies to "remember" that the user has already logged in. Finally, the code performs administrator tasks if the logged-in user has the "Administrator" username, as recorded in the user cookie.
    use strict;
    use warnings;
    use CGI;

    my $q = CGI->new;

    # If the client did not present loggedin=true, authenticate the
    # submitted username and password.
    if ($q->cookie('loggedin') ne "true") {
        if (! AuthenticateUser($q->param('username'), $q->param('password'))) {
            ExitError("Error: you need to log in first");
        }
        else {
            # Set loggedin and user cookies to "remember" the login.
            $q->cookie( -name => 'loggedin', -value => 'true' );
            $q->cookie( -name => 'user',     -value => $q->param('username') );
        }
    }

    # The user cookie is client-controlled and is never re-verified against
    # server-side state, so any client can claim to be "Administrator".
    if ($q->cookie('user') eq "Administrator") {
        DoAdministratorTasks();
    }

Bad · Perl

    GET /cgi-bin/vulnerable.cgi HTTP/1.1
    Cookie: user=Administrator
    Cookie: loggedin=true

    [body of request]

Attack
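A hardened counterpart to the Perl example above, written here as an added example in Python; it is not MITRE's code and not from this page. Identity is derived only from a server-side session record keyed by a random token, so the forged user=Administrator and loggedin=true cookies in the attack request are never consulted. The user names, passwords, iteration count and helper names are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000  # constructed value; tune for the deployment


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_user_db(plaintexts: dict) -> dict:
    """Build username -> (salt, hash). Plaintexts exist only to build this fixture."""
    db = {}
    for name, password in plaintexts.items():
        salt = secrets.token_bytes(16)
        db[name] = (salt, hash_password(password, salt))
    return db


# Constructed fixture; a real user store is a database of salted hashes.
USER_DB = make_user_db({"support": "correct horse", "Administrator": "battery staple"})

DUMMY_SALT = b"\x00" * 16
DUMMY_HASH = b"\x00" * 32


def authenticate_user(username: str, password: str) -> bool:
    """Constant-time compare; unknown users still pay the hashing cost so
    response timing does not reveal which accounts exist."""
    salt, stored = USER_DB.get(username, (DUMMY_SALT, DUMMY_HASH))
    ok = hmac.compare_digest(hash_password(password, salt), stored)
    return ok and username in USER_DB


class SessionStore:
    """Opaque random token -> username. The client only ever holds the token;
    the username it maps to is never sent to, or accepted from, the client."""

    def __init__(self):
        self._sessions = {}

    def create(self, username: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[token] = username
        return token

    def user_for(self, token: str):
        return self._sessions.get(token)


def parse_cookies(header: str) -> dict:
    """Minimal Cookie-header parser: 'a=b; c=d' -> {'a': 'b', 'c': 'd'}."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def handle_request(store: SessionStore, cookie_header: str, params: dict):
    """Hardened version of the CWE-287 Perl example.

    Returns (status, user, new_session_token). The effective identity is taken
    only from the server-side session record; 'user' and 'loggedin' cookies
    supplied by the client are simply never read.
    """
    cookies = parse_cookies(cookie_header)
    user = store.user_for(cookies.get("session", ""))
    new_token = None
    if user is None:
        username = params.get("username", "")
        if not authenticate_user(username, params.get("password", "")):
            return ("403 Forbidden", None, None)
        user = username
        # Caller emits: Set-Cookie: session=<new_token>; HttpOnly; Secure; SameSite=Lax
        new_token = store.create(user)
    if user == "Administrator":
        return ("200 admin tasks", user, new_token)
    return ("200 OK", user, new_token)


if __name__ == "__main__":
    store = SessionStore()
    # The attack request from the CWE example: forged cookies, no credentials.
    print(handle_request(store, "user=Administrator; loggedin=true", {}))
    status, user, token = handle_request(
        store, "", {"username": "Administrator", "password": "battery staple"})
    print(status, handle_request(store, "session=" + token, {}))
```

The session token is the only thing the browser holds, and it is a random lookup key rather than a statement of identity, so there is nothing for the client to tamper with; revoking a session is deleting one dictionary entry. The same shape applies to signed cookies, with the difference that a signed cookie must carry an expiry and the server must actually verify the signature before trusting any field in it.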
In January 2009, an attacker was able to gain administrator access to a Twitter server because the server did not restrict the number of login attempts [REF-236]. The attacker targeted a member of Twitter's support team and was able to successfully guess the member's password using a brute force attack by guessing a large number of common words. After gaining access as the member of the support st…
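The control that was missing in the incident above, as an added example that is not from this page, from REF-236, or from Twitter: per-account failed-attempt throttling with exponential lockout, consulted before the credential check. The account names, thresholds, credential check and the ManualClock helper are constructed for the demonstration.

```python
import time


class ManualClock:
    """Constructed clock so lockout timing is deterministic offline."""

    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class LoginThrottle:
    """Per-account failed-attempt tracking with exponential lockout.

    After max_failures failures within `window` seconds the account is locked
    for base_lockout seconds; each further failure doubles the lockout, capped
    at max_lockout. A successful login clears the counter.
    """

    def __init__(self, max_failures=5, base_lockout=30.0, max_lockout=3600.0,
                 window=900.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.base_lockout = base_lockout
        self.max_lockout = max_lockout
        self.window = window
        self.clock = clock
        self._failures = {}  # account -> list of failure timestamps

    def _recent_failures(self, account: str, now: float) -> list:
        recent = [t for t in self._failures.get(account, []) if now - t <= self.window]
        self._failures[account] = recent
        return recent

    def retry_after(self, account: str) -> float:
        """Seconds until the next attempt is permitted; 0.0 means allowed now."""
        now = self.clock()
        failures = self._recent_failures(account, now)
        excess = len(failures) - self.max_failures
        if excess < 0:
            return 0.0
        lockout = min(self.base_lockout * (2 ** excess), self.max_lockout)
        return max(0.0, failures[-1] + lockout - now)

    def record_failure(self, account: str) -> None:
        self._failures.setdefault(account, []).append(self.clock())

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)


def attempt_login(throttle: LoginThrottle, authenticate, username: str, password: str) -> str:
    """Returns 'locked', 'denied' or 'ok'.

    The throttle is checked before the credentials, keyed on the submitted
    username whether or not that account exists, so the response does not
    reveal which usernames are valid.
    """
    if throttle.retry_after(username) > 0:
        return "locked"
    if authenticate(username, password):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username)
    return "denied"


if __name__ == "__main__":
    clock = ManualClock()
    throttle = LoginThrottle(max_failures=3, base_lockout=30.0, clock=clock)
    check = lambda u, p: (u, p) == ("support", "pa55w0rd")  # constructed credential check
    # A dictionary run against one support account: the correct guess arrives
    # while the account is locked and is refused.
    for word in ["password", "letmein", "qwerty", "pa55w0rd"]:
        print(word, attempt_login(throttle, check, "support", word))
```

The lockout is temporary and capped rather than permanent so an attacker cannot weaponise it to lock legitimate users out indefinitely; in production this sits alongside per-source-IP limits, alerting on bursts of failures across many accounts, and multi-factor authentication on privileged accounts such as support staff.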
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2022-32514 | Schneider Electric C-Bus multiple products authorization issue vulnerability | C-Bus Network Automation Controller, LSS5500NAC | 9.8 | Critical | 2023-01-30
CVE-2022-43978 | Limited Authentication bypass due to hardcoded secret | Pandora FMS | 5.6 | Medium | 2023-01-27
CVE-2023-23612 | Issue with whitespace in JWT roles in OpenSearch | security | 4.7 | Medium | 2023-01-24
CVE-2023-0311 | Improper Authentication in thorsten/phpmyfaq | thorsten/phpmyfaq | 8.8 | - | 2023-01-15
CVE-2023-22497 | Netdata is vulnerable to improper authentication | netdata | 6.5 | Medium | 2023-01-14
CVE-2023-0036 | platform_callback_stub in misc subsystem has an authentication bypass vulnerability which allows an "SA relay attack". | OpenHarmony | 6.5 | Medium | 2023-01-09
CVE-2023-0035 | softbus_client_stub in communication subsystem has an authentication bypass vulnerability which allows an "SA relay attack". | OpenHarmony | 6.5 | Medium | 2023-01-09
CVE-2022-1101 | SourceCodester Royale Event Management System userregister.php improper authentication | Royale Event Management System | 7.3 | High | 2023-01-07
CVE-2014-125060 | holdennb CollabCal calenderServer.cpp handleGet improper authentication | CollabCal | 7.3 | High | 2023-01-07
CVE-2022-39042 | aEnrich a+HRD - Improper Authentication | a+HRD | 9.8 | Critical | 2023-01-03
CVE-2022-23554 | Authentication bypass in Alpine | alpine | 6.5 | Medium | 2022-12-28
CVE-2022-23555 | authentik vulnerable to Improper Authentication via invitation URL token reuse | authentik | 9.4 | Critical | 2022-12-28
CVE-2022-3156 | Rockwell Automation Studio 5000 Logix Emulate Vulnerable to a Remote Code Execution Vulnerability | Studio 5000 Logix Emulate | 7.8 | High | 2022-12-27
CVE-2022-35646 | IBM Security Verify Governance, Identity Manager security bypass | Security Verify Governance, Identity Manager | 5.9 | Medium | 2022-12-22
CVE-2022-46170 | CodeIgniter is vulnerable to improper authentication via Session Handlers | CodeIgniter4 | 8.6 | High | 2022-12-22
CVE-2022-23540 | jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() | node-jsonwebtoken | 6.4 | Medium | 2022-12-22
CVE-2022-23541 | jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC | node-jsonwebtoken | 5.0 | Medium | 2022-12-22
CVE-2022-23501 | TYPO3 vulnerable to Improper Authentication in Frontend Login | typo3 | 5.9 | Medium | 2022-12-14
CVE-2022-2757 | Kingspan TMS 300 CS authorization issue vulnerability | TMS300 CS | 9.8 | Critical | 2022-12-13
CVE-2022-23505 | Passport-wsfed-saml2 vulnerable to Authentication Bypass for WSFed authentication | passport-wsfed-saml2 | 5.3 | Medium | 2022-12-13
CVE-2022-2752 | Potential vulnerabilities in GM login process | GateManager | 5.5 | Medium | 2022-12-09
CVE-2022-29838 | Authentication issue with the encrypted volumes and auto mount feature in My Cloud devices | My Cloud | 4.3 | Medium | 2022-12-09
CVE-2022-46829 | JetBrains Gateway authorization issue vulnerability | JetBrains Gateway | 7.1 | High | 2022-12-08
CVE-2022-39899 | SAMSUNG Mobile devices authorization issue vulnerability | Samsung Mobile Devices | 5.7 | Medium | 2022-12-08
CVE-2022-39901 | SAMSUNG Mobile devices authorization issue vulnerability | Samsung Mobile Devices | 6.5 | Medium | 2022-12-08
CVE-2022-45118 | Telephony in communication subsystem sends public events with personal data, but the permission is not set. | OpenHarmony | 6.2 | Medium | 2022-12-08
CVE-2022-45877 | PIN code is transmitted to the peer device in plain text during cross-device authentication, which reduces the difficulty of man-in-the-middle attacks. | OpenHarmony | 8.3 | High | 2022-12-08
CVE-2022-43549 | Veeam Backup for Google Cloud authorization issue vulnerability | Veeam Backup for Google Cloud | 9.8 | - | 2022-12-05
CVE-2022-46145 | authentik vulnerable to unauthorized user creation and potential account takeover | authentik | 8.1 | High | 2022-12-02
CVE-2022-43900 | IBM WebSphere Automation for IBM Cloud Pak for Watson AIOps security bypass | WebSphere Automation for IBM Cloud Pak for Watson AIOps | 5.3 | Medium | 2022-12-01

Vulnerabilities classified as CWE-287 (Improper Authentication) number 1203 CVEs. The CWE taxonomy describes the weakness class; review the individual CVEs for product-specific impact.