
CWE-287 (Improper Authentication) — Vulnerability Class (1203 CVEs)

1203 vulnerabilities classified as CWE-287 (Improper Authentication). AI analysis (in Chinese) included.

CWE-287 is an authentication weakness: the system does not adequately verify that an actor is who it claims to be. Attackers exploit the weak check to bypass access controls, typically with stolen credentials, brute-force guessing, or session hijacking, and then act as a legitimate user, which can lead to data breaches and privilege escalation. Mitigation consists of rigorous identity verification that resists these attack paths: multi-factor authentication, credential checks against securely hashed stores, and adaptive measures such as limits on repeated failed attempts. Together these controls markedly reduce the chance of unauthorized access and protect sensitive data and system integrity.

MITRE CWE Description
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Common Consequences (1)
Scope: Integrity, Confidentiality, Availability, Access Control
Impact: Read Application Data, Gain Privileges or Assume Identity, Execute Unauthorized Code or Commands
This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even the ability to execute arbitrary code.
Mitigations (1)
Architecture and Design: Use an authentication framework or library such as the OWASP ESAPI Authentication feature.
Examples (2)
The following code intends to ensure that the user is already logged in. If not, the code performs authentication with the user-provided username and password. If successful, it sets the loggedin and user cookies to "remember" that the user has already logged in. Finally, the code performs administrator tasks if the logged-in user has the "Administrator" username, as recorded in the user cookie.
use CGI;

my $q = CGI->new;
if ($q->cookie('loggedin') ne "true") {
    if (! AuthenticateUser($q->param('username'), $q->param('password'))) {
        ExitError("Error: you need to log in first");
    }
    else {
        # Set loggedin and user cookies.
        $q->cookie( -name => 'loggedin', -value => 'true' );
        $q->cookie( -name => 'user', -value => $q->param('username') );
    }
}
if ($q->cookie('user') eq "Administrator") {
    DoAdministratorTasks();
}
Bad · Perl
GET /cgi-bin/vulnerable.cgi HTTP/1.1
Cookie: user=Administrator
Cookie: loggedin=true

[body of request]
Attack
In January 2009, an attacker was able to gain administrator access to a Twitter server because the server did not restrict the number of login attempts [REF-236]. The attacker targeted a member of Twitter's support team and was able to successfully guess the member's password using a brute force attack by guessing a large number of common words. After gaining access as the member of the support st…
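As an added example (not part of the MITRE entry or this page), the Perl logic above rewritten in Python with the two defects the examples describe fixed: identity is resolved from a server-issued random session id rather than the client-controlled user and loggedin cookies, and consecutive failed logins are capped so the unlimited guessing from the Twitter case is closed. The user store, the password and the MAX_ATTEMPTS value are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample user store (not from the page): username -> (salt, PBKDF2 hash).
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = secrets.token_bytes(16)
USERS = {"Administrator": (_SALT, _hash("correct horse battery", _SALT))}

# Server-side state: session id -> username, and consecutive failed-login counters.
SESSIONS: Dict[str, str] = {}
FAILED: Dict[str, int] = {}
MAX_ATTEMPTS = 5  # assumed cap on consecutive failures; the Twitter server had none

def parse_cookies(header: str) -> Dict[str, str]:
    """Parse a Cookie header such as 'user=Administrator; loggedin=true'."""
    pairs = (part.strip().split("=", 1) for part in header.split(";") if "=" in part)
    return {name: value for name, value in pairs}

def login(username: str, password: str) -> Optional[str]:
    """Verify credentials and return a fresh random session id, or None."""
    if FAILED.get(username, 0) >= MAX_ATTEMPTS:
        return None  # locked out: this is where brute-force guessing stops
    record = USERS.get(username)
    ok = record is not None and hmac.compare_digest(_hash(password, record[0]), record[1])
    if not ok:
        FAILED[username] = FAILED.get(username, 0) + 1
        return None
    FAILED.pop(username, None)
    sid = secrets.token_urlsafe(32)  # unguessable and issued only by the server
    SESSIONS[sid] = username         # the identity is recorded here, never in a cookie
    return sid

def current_user(cookie_header: str) -> Optional[str]:
    """Resolve identity from the session cookie alone; the client-controlled
    'user' and 'loggedin' cookies from the Perl example are never consulted."""
    sid = parse_cookies(cookie_header).get("session")
    return SESSIONS.get(sid) if sid else None

def do_admin_tasks(cookie_header: str) -> bool:
    """Equivalent of the Perl admin branch, keyed on server-side identity."""
    return current_user(cookie_header) == "Administrator"
```

The forged request from the example (`user=Administrator; loggedin=true`) now resolves to no user at all, because nothing in the cookie is trusted except an id the server itself issued.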
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2021-43834 | Incorrect Authentication in elabftw | elabftw | 9.1 | Critical | 2021-12-15
CVE-2021-43833 | Account takeover in eLabFTW | elabftw | 8.1 | High | 2021-12-15
CVE-2021-4073 | RegistrationMagic <= 5.0.1.7 Authentication Bypass | RegistrationMagic | 9.8 | Critical | 2021-12-14
CVE-2021-41265 | Improper Authentication in Flask-AppBuilder | Flask-AppBuilder | 8.1 | High | 2021-12-09
CVE-2021-41311 | Atlassian Jira authorization issue vulnerability | Jira Server | 4.9 | - | 2021-12-08
CVE-2021-41309 | Atlassian Jira authorization issue vulnerability | Jira Server | 4.3 | - | 2021-12-08
CVE-2021-43786 | API token verification can be bypassed | NodeBB | 9.8 | Critical | 2021-11-29
CVE-2021-38686 | Improper Authentication Vulnerability in VioStor | QVR | 8.8 | High | 2021-11-26
CVE-2021-36306 | Dell Networking OS10 authorization issue vulnerability | Networking OS | 8.1 | High | 2021-11-20
CVE-2021-37580 | Apache ShenYu Admin bypass JWT authentication | Apache ShenYu Admin | 9.8 | - | 2021-11-16
CVE-2021-3519 | ThinkStation authorization issue vulnerability | Desktop BIOS | 6.4 | Medium | 2021-11-12
CVE-2021-24647 | Pie Register < 3.7.1.6 - Unauthenticated Arbitrary Login | Registration Forms – User profile, Content Restriction, Spam Protection, Payment Gateways, Invitation Codes | 8.1 | - | 2021-11-08
CVE-2021-25506 | Samsung Health authorization issue vulnerability | Samsung Health | 4.0 | Medium | 2021-11-05
CVE-2021-25505 | Samsung Pass authorization issue vulnerability | Samsung Pass | 3.3 | Low | 2021-11-05
CVE-2021-38161 | Not validating origin TLS certificate | Apache Traffic Server | 7.7 | - | 2021-11-03
CVE-2021-41312 | Atlassian Jira authorization issue vulnerability | Jira Server | 6.5 | - | 2021-11-03
CVE-2021-32951 | Advantech WebAccess/NMS Improper Authentication | WebAccess/NMS | 5.3 | Medium | 2021-10-27
CVE-2021-41157 | FreeSWITCH does not authenticate SIP SUBSCRIBE requests by default | freeswitch | 5.3 | Medium | 2021-10-26
CVE-2021-37624 | FreeSWITCH does not authenticate SIP MESSAGE requests, leading to spam and message spoofing | freeswitch | 7.5 | High | 2021-10-25
CVE-2021-31349 | Session Smart Router: Authentication Bypass Vulnerability | 128 Technology Session Smart Router | 9.8 | Critical | 2021-10-19
CVE-2021-41126 | Deleted Admin Can Sign In to Admin Interface | october | 7.2 | High | 2021-10-06
CVE-2021-25490 | SAMSUNG Mobile devices security vulnerability | Samsung Mobile Devices | 6.0 | Medium | 2021-10-06
CVE-2021-25484 | Samsung SMR authorization issue vulnerability | Samsung Mobile Devices | 4.0 | Medium | 2021-10-06
CVE-2021-39226 | Snapshot authentication bypass in grafana | grafana | 9.8 | Critical | 2021-10-05
CVE-2021-31917 | Red Hat Infinispan authorization issue vulnerability | Red Hat DataGrid and Infinispan | 9.8 | - | 2021-09-21
CVE-2021-38412 | Digi PortServer TS 16 Improper Authentication | PortServer TS 16 | 9.6 | Critical | 2021-09-17
CVE-2021-41303 | Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass | Apache Shiro | 9.8 | - | 2021-09-17
CVE-2021-39215 | Authentication Bypass: Forged Tokens Allow Access to Arbitrary Rooms | jitsi-meet | 7.5 | High | 2021-09-15
CVE-2021-25466 | Samsung Internet authorization issue vulnerability | Samsung Internet | 6.5 | Medium | 2021-09-09
CVE-2021-25451 | Samsung SMR authorization issue vulnerability | Samsung Mobile Devices | 3.3 | Low | 2021-09-09

Vulnerabilities classified as CWE-287 (Improper Authentication) account for 1203 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.