CWE-287 (Improper Authentication) — Vulnerability Class 1203

1203 vulnerabilities classified as CWE-287 (Improper Authentication). AI analysis in Chinese included.

CWE-287 covers authentication weaknesses in which a system fails to adequately verify that an actor is who it claims to be. Insufficient verification lets attackers bypass access controls, typically through stolen credentials, brute-force guessing, or session hijacking, and impersonate legitimate users; the result is data exposure and privilege escalation. Mitigation starts with robust authentication, including multi-factor authentication, and identity checks designed to resist common attack vectors. Validating credentials against a securely hashed credential store and applying adaptive security measures substantially reduces the likelihood of unauthorized access and helps preserve the confidentiality of sensitive data and the integrity of the system.

MITRE CWE Description
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Common Consequences (1)
Scope: Integrity, Confidentiality, Availability, Access Control
Impact: Read Application Data, Gain Privileges or Assume Identity, Execute Unauthorized Code or Commands
This weakness can expose resources or functionality to unintended actors, possibly providing attackers with sensitive information or even the ability to execute arbitrary code.
Mitigations (1)
Architecture and Design: Use an authentication framework or library such as the OWASP ESAPI Authentication feature.
Examples (2)
The following code intends to ensure that the user is already logged in. If not, the code performs authentication with the user-provided username and password. If successful, it sets the loggedin and user cookies to "remember" that the user has already logged in. Finally, the code performs administrator tasks if the logged-in user has the "Administrator" username, as recorded in the user cookie.
    use CGI;

    my $q = new CGI;
    if ($q->cookie('loggedin') ne "true") {
        if (! AuthenticateUser($q->param('username'), $q->param('password'))) {
            ExitError("Error: you need to log in first");
        }
        else {
            # Set loggedin and user cookies.
            $q->cookie( -name => 'loggedin', -value => 'true' );
            $q->cookie( -name => 'user', -value => $q->param('username') );
        }
    }
    # Flaw: both cookies are supplied by the client and never validated
    # server-side, so the login check and the identity can both be forged.
    if ($q->cookie('user') eq "Administrator") {
        DoAdministratorTasks();
    }
Bad · Perl
    GET /cgi-bin/vulnerable.cgi HTTP/1.1
    Cookie: user=Administrator
    Cookie: loggedin=true
    [body of request]
Attack
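As an added example that is not part of the CWE page or of MITRE's Perl snippet: the vulnerable check below mirrors the Perl code and accepts the forged request shown above because it trusts the client-supplied loggedin and user cookies; the hardened variant issues an HMAC-signed, expiring session cookie only after server-side authentication and derives the username from that verified token. The function names (parse_cookies, issue_session, verify_session, is_admin_hardened), the token format and the secret are constructed for illustration.

```python
import base64
import hashlib
import hmac
import time

def parse_cookies(header: str) -> dict:
    """Split a Cookie header value such as "a=1; b=2" into a dict (last value wins)."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies

def is_admin_vulnerable(cookies: dict) -> bool:
    """Mirror of the Perl check: whoever sets the cookies becomes 'Administrator'."""
    return cookies.get("loggedin") == "true" and cookies.get("user") == "Administrator"

def issue_session(username: str, secret: bytes, ttl: int = 3600, now=None) -> str:
    """Mint 'payload.mac' only after the server itself has authenticated the user.
    Constructed format: payload = urlsafe_b64(username|expiry), mac = HMAC-SHA256."""
    if "|" in username:
        raise ValueError("username may not contain the field separator")
    expiry = int(time.time() if now is None else now) + ttl
    payload = base64.urlsafe_b64encode(f"{username}|{expiry}".encode()).decode()
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"

def verify_session(token: str, secret: bytes, now=None):
    """Return the username when the MAC matches and the token is unexpired, else None."""
    try:
        payload, mac = token.rsplit(".", 1)
        expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):  # constant-time comparison
            return None
        username, expiry = base64.urlsafe_b64decode(payload).decode().split("|", 1)
        if int(expiry) <= int(time.time() if now is None else now):
            return None
    except (ValueError, TypeError, UnicodeDecodeError):
        return None  # malformed token, bad base64, non-ASCII mac or bad expiry
    return username

def is_admin_hardened(cookies: dict, secret: bytes, now=None) -> bool:
    """Admin rights derive from the verified session, not from a bare 'user' cookie."""
    return verify_session(cookies.get("session", ""), secret, now) == "Administrator"
```

The secret must be generated server-side and never sent to the client; rotating it invalidates all outstanding sessions, which is the expected behaviour after a suspected key leak.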
In January 2009, an attacker was able to gain administrator access to a Twitter server because the server did not restrict the number of login attempts [REF-236]. The attacker targeted a member of Twitter's support team and was able to successfully guess the member's password using a brute force attack by guessing a large number of common words. After gaining access as the member of the support st…
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2022-25817 | SAMSUNG One UI Home security vulnerability | Samsung Mobile Devices | 4.0 | Medium | 2022-03-08
CVE-2022-25816 | Samsung Lock and mask apps setting authorization issue vulnerability | Samsung Mobile Devices | 4.1 | Medium | 2022-03-08
CVE-2022-24738 | Account compromise in Evmos | evmos | 8.1 | High | 2022-03-07
CVE-2022-0492 | Linux kernel authorization issue vulnerability | kernel | 7.8 | - | 2022-03-03
CVE-2022-0730 | Cacti authorization issue vulnerability | Cacti | 9.8 | - | 2022-03-03
CVE-2022-23635 | Unauthenticated control plane denial of service attack in Istio | istio | 7.5 | High | 2022-02-22
CVE-2022-23654 | Improper write access check in Requarks/wiki | wiki | 8.1 | High | 2022-02-22
CVE-2022-23652 | Privilege escalation using hop-by-hop Connection header | capsule-proxy | 8.8 | High | 2022-02-22
CVE-2016-2124 | Samba authorization issue vulnerability | samba | 5.9 | - | 2022-02-18
CVE-2020-25719 | Samba race condition vulnerability | samba | 8.8 | - | 2022-02-18
CVE-2021-22796 | Schneider Electric multiple products authorization issue vulnerability | C-Bus Toolkit (V1.15.9 and prior), C-Gate Server (V2.11.7 and prior) | 8.4 | - | 2022-02-11
CVE-2021-38679 | Improper Authentication in Kazoo Server | Kazoo Server | 6.5 | Medium | 2022-02-11
CVE-2022-23600 | Limited ability to spoof SAML authentication with missing audience verification | fleet | 5.3 | Medium | 2022-02-04
CVE-2021-36346 | Dell EMC iDRAC security vulnerability | Integrated Dell Remote Access Controller (iDRAC) | 5.3 | - | 2022-01-25
CVE-2021-34865 | NETGEAR authorization issue vulnerability | Multiple Routers | 8.8 | - | 2022-01-25
CVE-2022-21692 | Improper Access Control in Onionshare | onionshare | 4.3 | Medium | 2022-01-18
CVE-2022-21695 | Improper Access Control in Onionshare | onionshare | 4.3 | Medium | 2022-01-18
CVE-2021-25036 | All In One SEO < 4.1.5.3 - Authenticated Privilege Escalation | All in One SEO – Best WordPress SEO Plugin – Easily Improve SEO Rankings & Increase Traffic | 8.8 | - | 2022-01-17
CVE-2021-34993 | Commvault CommCell authorization issue vulnerability | CommCell | 9.8 | - | 2022-01-13
CVE-2022-21684 | User can bypass approval when invited to Discourse | discourse | 4.3 | Medium | 2022-01-13
CVE-2022-22990 | Limited authentication bypass vulnerability on Western Digital My Cloud devices | My Cloud | 7.8 | High | 2022-01-13
CVE-2021-43999 | Improper validation of SAML responses | Apache Guacamole | 8.8 | - | 2022-01-11
CVE-2021-44458 | Lack of websocket authentication in Lens causes remote code execution when visiting a malicious website | Lens | 8.3 | High | 2022-01-10
CVE-2022-22289 | Samsung S Assistant authorization issue vulnerability | S Assistant | 5.3 | Medium | 2022-01-07
CVE-2022-22283 | Samsung Health code issue vulnerability | Samsung Health | 2.8 | Low | 2022-01-07
CVE-2022-22284 | Samsung Internet authorization issue vulnerability | Samsung Internet | 5.7 | Medium | 2022-01-07
CVE-2021-45917 | SUN & MOON RISE CO., LTD. Shockwall - Improper Authentication | Shockwall | 8.0 | High | 2022-01-03
CVE-2021-38688 | Improper Authentication in Qfile | Qfile | 7.1 | High | 2021-12-29
CVE-2021-27451 | Mesa Labs AmegaView improper authentication | AmegaView | 7.3 | High | 2021-12-21
CVE-2021-40851 | TCMAN GIM SQL injection vulnerability | GIM | 7.5 | High | 2021-12-17

Vulnerabilities classified as CWE-287 (Improper Authentication) account for 1203 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.