CWE-287 (Improper Authentication) — Vulnerability Class, 1203 CVEs

1203 vulnerabilities classified as CWE-287 (Improper Authentication). AI-generated Chinese analysis included.

CWE-287 covers any case where a system accepts an actor's claim of identity without adequately proving it. The failure is usually in the verification logic itself rather than in the password store: the application trusts a client-controlled value (a cookie, a header, a hidden field) as proof of a prior login, lets a credential check be skipped, or allows unlimited password attempts so that guessing with common words or replaying stolen credentials eventually succeeds. The result is impersonation of legitimate users, which turns into data exposure and privilege escalation as soon as the impersonated identity is an administrator. Mitigation starts with keeping authentication state server-side and treating every value the client sends as untrusted; on top of that come multi-factor authentication, rate limiting and lockout on failed attempts, constant-time comparison of secrets, and password storage using a salted, deliberately slow hash. Using a vetted authentication framework rather than hand-written checks removes most of the opportunities for these mistakes.

MITRE CWE Description
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Common Consequences (1)
Scope: Integrity, Confidentiality, Availability, Access Control
Impact: Read Application Data, Gain Privileges or Assume Identity, Execute Unauthorized Code or Commands
This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even the ability to execute arbitrary code.
Mitigations (1)
Phase: Architecture and Design. Use an authentication framework or library such as the OWASP ESAPI Authentication feature.
Examples (2)
The following code intends to ensure that the user is already logged in. If not, the code performs authentication with the user-provided username and password. If successful, it sets the loggedin and user cookies to "remember" that the user has already logged in. Finally, the code performs administrator tasks if the logged-in user has the "Administrator" username, as recorded in the user cookie.
```perl
use CGI;

my $q = new CGI;

# The "already logged in" decision rests on a cookie the client controls.
if ($q->cookie('loggedin') ne "true") {
    if (! AuthenticateUser($q->param('username'), $q->param('password'))) {
        ExitError("Error: you need to log in first");
    }
    else {
        # Set loggedin and user cookies.
        $q->cookie(
            -name  => 'loggedin',
            -value => 'true'
        );
        $q->cookie(
            -name  => 'user',
            -value => $q->param('username')
        );
    }
}

# The authorization decision rests on a second client-controlled cookie.
if ($q->cookie('user') eq "Administrator") {
    DoAdministratorTasks();
}
```
Bad · Perl
```http
GET /cgi-bin/vulnerable.cgi HTTP/1.1
Cookie: user=Administrator
Cookie: loggedin=true

[body of request]
```
Attack
Nothing in this request was issued by the server: both cookies are chosen by the client, so the loggedin check is skipped and the user comparison grants administrator access without any credential ever being verified.
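The cookie-trust flaw above, as an added example that is not part of the MITRE entry or of this page: a Python model of the vulnerable handler next to a hardened one that keeps the authenticated identity server-side and gives the client only an opaque session id carrying an HMAC tag. The user table, the shared salt, the passwords and the session key are constructed for the example, and parse_cookies, issue_session and the two handler names are hypothetical helpers, not any project's API.

```python
import hashlib
import hmac
import secrets

# Constructed user table for the example: username -> PBKDF2 hash. A real
# deployment uses a random per-user salt; one shared salt keeps the sample short.
_SALT = b"example-salt-not-secret"
_ITERATIONS = 100_000


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


USERS = {
    "alice": _hash_password("alice-pass"),
    "Administrator": _hash_password("admin-pass-correct-horse"),
}


def authenticate_user(username: str, password: str) -> bool:
    stored = USERS.get(username)
    # Hash even for unknown users so timing does not reveal valid usernames.
    candidate = _hash_password(password)
    return stored is not None and hmac.compare_digest(stored, candidate)


def parse_cookies(header: str) -> dict:
    """Minimal Cookie header parser (hypothetical helper, not a full RFC 6265 one)."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


# --- Vulnerable handler: a direct translation of the Perl snippet above.
# Both the "am I logged in" and the "am I admin" decisions are read from
# cookies the client can set to anything.
def vulnerable_handler(cookies: dict, params: dict) -> str:
    if cookies.get("loggedin") != "true":
        if not authenticate_user(params.get("username", ""), params.get("password", "")):
            return "error: you need to log in first"
        cookies["loggedin"] = "true"
        cookies["user"] = params["username"]
    if cookies.get("user") == "Administrator":
        return "admin tasks executed"
    return "user page"


# --- Hardened handler: identity lives in a server-side table and the client
# holds only an opaque session id plus an HMAC tag, so neither can be forged.
SESSION_KEY = secrets.token_bytes(32)   # constructed per process for the example
SESSIONS: dict[str, str] = {}           # session id -> authenticated username


def _tag(session_id: str) -> str:
    return hmac.new(SESSION_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def issue_session(username: str) -> str:
    session_id = secrets.token_urlsafe(32)   # urlsafe alphabet never contains "."
    SESSIONS[session_id] = username
    return f"{session_id}.{_tag(session_id)}"


def session_user(cookie_value):
    if not cookie_value or "." not in cookie_value:
        return None
    session_id, tag = cookie_value.rsplit(".", 1)
    if not hmac.compare_digest(tag.encode(), _tag(session_id).encode()):
        return None
    return SESSIONS.get(session_id)


def hardened_handler(cookies: dict, params: dict) -> str:
    user = session_user(cookies.get("session"))
    if user is None:
        if not authenticate_user(params.get("username", ""), params.get("password", "")):
            return "error: you need to log in first"
        user = params["username"]
        cookies["session"] = issue_session(user)
    if user == "Administrator":
        return "admin tasks executed"
    return "user page"


# The forged request from the attack example above: cookies only, no credentials.
FORGED = parse_cookies("user=Administrator; loggedin=true")


def demo() -> dict:
    real_login = {"username": "Administrator", "password": "admin-pass-correct-horse"}
    return {
        "vulnerable_forged": vulnerable_handler(dict(FORGED), {}),
        "hardened_forged": hardened_handler(dict(FORGED), {}),
        "hardened_forged_session": hardened_handler({"session": "guess.0000"}, {}),
        "hardened_real_login": hardened_handler({}, real_login),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The hardened version never writes the username or a "logged in" flag to the client at all; the only thing the browser can present is a session id, and a guessed or tampered id fails the tag check before the session table is consulted. The HMAC is a defence against id guessing and enumeration; the actual authorization decision is still taken from the server-side mapping, which is what CWE-287 requires.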
In January 2009, an attacker was able to gain administrator access to a Twitter server because the server did not restrict the number of login attempts [REF-236]. The attacker targeted a member of Twitter's support team and was able to successfully guess the member's password using a brute force attack by guessing a large number of common words. After gaining access as the member of the support st…
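The Twitter case turns on the absence of any limit on login attempts. As an added example, not taken from the page and not Twitter's code: a sliding-window throttle keyed on both the targeted account and the client source, plus a simulated dictionary attack that counts how many guesses reach the password check with and without the throttle. The wordlist, account name, address and password are constructed; the clock is injectable so the window expiry can be exercised deterministically.

```python
import time
from collections import deque


class FakeClock:
    """Deterministic stand-in for time.monotonic so the window can be tested."""

    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class LoginThrottle:
    """Sliding-window failed-login limiter keyed on the targeted account and on
    the client source, so an attacker rotating usernames from one address, or
    rotating addresses against one account, hits a ceiling either way."""

    def __init__(self, max_per_account=5, max_per_source=20, window_s=300,
                 clock=time.monotonic):
        self.max_per_account = max_per_account
        self.max_per_source = max_per_source
        self.window_s = window_s
        self.clock = clock
        self._by_account = {}
        self._by_source = {}

    def _recent(self, table, key, now):
        # Drop failure timestamps that have aged out of the window; return the rest.
        dq = table.setdefault(key, deque())
        while dq and now - dq[0] > self.window_s:
            dq.popleft()
        return dq

    def allowed(self, account, source):
        now = self.clock()
        acct = self._recent(self._by_account, account, now)
        src = self._recent(self._by_source, source, now)
        return len(acct) < self.max_per_account and len(src) < self.max_per_source

    def record_failure(self, account, source):
        now = self.clock()
        self._recent(self._by_account, account, now).append(now)
        self._recent(self._by_source, source, now).append(now)

    def record_success(self, account):
        # A genuine login clears the account's failure history.
        self._by_account.pop(account, None)


# Constructed inputs for the simulation; the real password is the last entry so
# an unthrottled attacker needs the whole list to succeed.
WORDLIST = ["password", "123456", "qwerty", "letmein", "welcome",
            "monkey", "dragon", "sunshine"]
TARGET_ACCOUNT = "support-member"
ATTACKER_IP = "203.0.113.7"
REAL_PASSWORD = "sunshine"


def simulate_brute_force(throttle, wordlist, account, source, real_password):
    """Run a dictionary attack through the throttle.
    Returns (guesses_evaluated, guesses_blocked, cracked)."""
    evaluated = blocked = 0
    for guess in wordlist:
        if not throttle.allowed(account, source):
            blocked += 1
            continue
        evaluated += 1
        if guess == real_password:
            throttle.record_success(account)
            return evaluated, blocked, True
        throttle.record_failure(account, source)
    return evaluated, blocked, False


def demo():
    throttled = LoginThrottle(max_per_account=5, clock=FakeClock())
    unthrottled = LoginThrottle(max_per_account=10**9, max_per_source=10**9)
    return {
        "throttled": simulate_brute_force(
            throttled, WORDLIST, TARGET_ACCOUNT, ATTACKER_IP, REAL_PASSWORD),
        "unthrottled": simulate_brute_force(
            unthrottled, WORDLIST, TARGET_ACCOUNT, ATTACKER_IP, REAL_PASSWORD),
    }


if __name__ == "__main__":
    print(demo())
```

With a limit of five failures per account, only five guesses from the constructed list are ever checked and the attack fails; without a limit all eight are checked and the last one succeeds. A per-account limit on its own is also a denial-of-service lever (anyone can lock out the support member by sending bad passwords), which is why the limiter keys on the source as well and why production deployments usually prefer growing delays or step-up verification over a hard lockout.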
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2020-11020 | Authentication and extension bypass in Faye | Faye | 8.5 | High | 2020-04-29 |
| CVE-2019-19104 | ABB/Busch-Jaeger Telephone Gateway TG/S 3.2 Improper Authentication and Access Control | TG/S 3.2 Telephone Gateway | 9.1 | Critical | 2020-04-22 |
| CVE-2020-7276 | Unrestricted Policy Management using MfeUpgradeTool.exe | McAfee Endpoint Security (ENS) | 6.4 | Medium | 2020-04-15 |
| CVE-2020-8148 | Ubiquiti Networks UniFi Cloud Key authorization issue vulnerability | UniFi Cloud Key Gen2 | 5.3 | - | 2020-04-13 |
| CVE-2019-14880 | Moodle authorization issue vulnerability | moodle | 9.8 | - | 2020-03-31 |
| CVE-2019-15796 | python-apt downloads from untrusted sources | Python-apt | 4.7 | Medium | 2020-03-26 |
| CVE-2020-10888 | TP-Link Archer A7 AC1750 authorization issue vulnerability | Archer A7 | 9.8 | - | 2020-03-25 |
| CVE-2011-2054 | Cisco ASA Secondary Authentication Bypass Vulnerability | Cisco ASA | 4.3 | Medium | 2020-02-19 |
| CVE-2019-15617 | Nextcloud Server authorization issue vulnerability | Nextcloud Server | 4.3 | - | 2020-02-04 |
| CVE-2019-15620 | Nextcloud Talk information disclosure vulnerability | Nextcloud Talk | 2.7 | - | 2020-02-04 |
| CVE-2019-15585 | GitLab authorization issue vulnerability | Gitlab CE/EE | 9.8 | - | 2020-01-28 |
| CVE-2020-5224 | Session key exposure through session list in Django User Sessions | django-user-sessions | 6.5 | Medium | 2020-01-24 |
| CVE-2019-6854 | Duplicate ID | EcoStruxure Geo SCADA Expert (ClearSCADA) with initial releases before 1 January 2019 (see notification for more details) | 7.8 | - | 2020-01-06 |
| CVE-2019-18337 | Siemens SiNVR 3 Central Control Server and SiNVR 3 Video Server authorization issue vulnerability | Control Center Server (CCS) | 9.8 | Critical | 2019-12-12 |
| CVE-2019-18341 | Siemens SiNVR 3 Central Control Server and SiNVR 3 Video Server authorization issue vulnerability | Control Center Server (CCS) | 5.3 | Medium | 2019-12-12 |
| CVE-2019-18312 | Siemens SPPA-T3000 authorization issue vulnerability | SPPA-T3000 MS3000 Migration Server | 5.3 | - | 2019-12-12 |
| CVE-2019-18314 | Siemens SPPA-T3000 authorization issue vulnerability | SPPA-T3000 Application Server | 9.8 | - | 2019-12-12 |
| CVE-2019-18315 | Siemens SPPA-T3000 authorization issue vulnerability | SPPA-T3000 Application Server | 9.8 | - | 2019-12-12 |
| CVE-2019-18317 | Siemens SPPA-T3000 authorization issue vulnerability | SPPA-T3000 Application Server | 7.5 | - | 2019-12-12 |
| CVE-2019-18318 | Siemens SPPA-T3000 authorization issue vulnerability | SPPA-T3000 Application Server | 7.5 | - | 2019-12-12 |
| CVE-2019-18319 | Siemens SPPA-T3000 authorization issue vulnerability | SPPA-T3000 Application Server | 7.5 | - | 2019-12-12 |
| CVE-2019-18320 | Siemens SPPA-T3000 code issue vulnerability | SPPA-T3000 Application Server | 7.5 | - | 2019-12-12 |
| CVE-2019-18321 | Siemens SPPA-T3000 authorization issue vulnerability | SPPA-T3000 MS3000 Migration Server | 9.1 | - | 2019-12-12 |
| CVE-2019-18322 | Siemens SPPA-T3000 authorization issue vulnerability | SPPA-T3000 MS3000 Migration Server | 9.1 | - | 2019-12-12 |
| CVE-2019-18284 | Siemens SPPA-T3000 access control error vulnerability | SPPA-T3000 Application Server | 9.8 | - | 2019-12-12 |
| CVE-2019-18286 | Siemens SPPA-T3000 information disclosure vulnerability | SPPA-T3000 Application Server | 5.3 | - | 2019-12-12 |
| CVE-2019-18287 | Siemens SPPA-T3000 information disclosure vulnerability | SPPA-T3000 Application Server | 5.3 | - | 2019-12-12 |
| CVE-2019-14910 | Red Hat Keycloak authorization issue vulnerability | Keycloak | 9.8 | - | 2019-12-05 |
| CVE-2019-14909 | Red Hat Keycloak authorization issue vulnerability | Keycloak | 8.6 | - | 2019-12-04 |
| CVE-2019-14856 | Ansible authorization issue vulnerability | ansible | 8.1 | - | 2019-11-26 |

Vulnerabilities classified as CWE-287 (Improper Authentication) account for 1203 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.