目标达成 感谢每一位支持者 — 我们达成了 100% 目标!

目标: 1000 元 · 已筹: 1325

100%
请我们喝杯咖啡

CWE-287 认证机制不恰当 类漏洞列表 1296

CWE-287 认证机制不恰当 类弱点 1296 条 CVE 漏洞汇总,含 AI 中文分析。

CWE-287 属于身份验证缺陷漏洞,指系统在验证用户身份时未能充分核实其声明的真实性。攻击者常利用此弱点通过暴力破解、凭证填充或会话劫持等手段冒充合法用户,从而获取未授权访问权限。开发者应实施多因素认证、使用强哈希算法存储凭证、设置合理的账户锁定策略,并严格验证每次访问的身份凭证,以确保身份声明得到充分证明。

MITRE CWE 官方描述
CWE:CWE-287 Improper Authentication 英文:当某个actor声称具有某一特定身份时,产品未能证明或未能充分证明该声明是正确的。
常见影响 (1)
Integrity, Confidentiality, Availability, Access ControlRead Application Data, Gain Privileges or Assume Identity, Execute Unauthorized Code or Commands
This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even execute arbitrary code.
缓解措施 (1)
Architecture and DesignUse an authentication framework or library such as the OWASP ESAPI Authentication feature.
代码示例 (2)
The following code intends to ensure that the user is already logged in. If not, the code performs authentication with the user-provided username and password. If successful, it sets the loggedin and user cookies to "remember" that the user has already logged in. Finally, the code performs administrator tasks if the logged-in user has the "Administrator" username, as recorded in the user cookie.
my $q = new CGI; if ($q->cookie('loggedin') ne "true") { if (! AuthenticateUser($q->param('username'), $q->param('password'))) { ExitError("Error: you need to log in first"); } else { # Set loggedin and user cookies. $q->cookie( -name => 'loggedin', -value => 'true' ); $q->cookie( -name => 'user', -value => $q->param('username') ); } } if ($q->cookie('user') eq "Administrator") { DoAdministratorTasks(); }
Bad · Perl
GET /cgi-bin/vulnerable.cgi HTTP/1.1 Cookie: user=Administrator Cookie: loggedin=true [body of request]
Attack
In January 2009, an attacker was able to gain administrator access to a Twitter server because the server did not restrict the number of login attempts [REF-236]. The attacker targeted a member of Twitter's support team and was able to successfully guess the member's password using a brute force attack by guessing a large number of common words. After gaining access as the member of the support st…
CVE ID标题CVSS风险等级Published
CVE-2017-12337 多款Cisco产品授权问题漏洞 — Cisco Voice Operating System 9.8 -2017-11-16
CVE-2017-12281 Cisco Aironet 1800、2800和3800 Series Access Points 安全漏洞 — Cisco Aironet 1800, 2800, and 3800 Series Access Points 7.5 -2017-11-02
CVE-2017-9946 Siemens APOGEE PXC BACnet Automation Controller和Siemens TALON TC BACnet Automation Controller 安全漏洞 — APOGEE PXC and TALON TC BACnet Automation Controllers All versions <V3.5 7.5 -2017-10-23
CVE-2017-9625 Envitech EnviDAS Ultimate 授权问题漏洞 — Envitech Ltd. EnviDAS Ultimate 8.2 -2017-10-17
CVE-2017-13995 iniNet Solutions iniNet Webserver 授权问题漏洞 — iniNet Solutions GmbH SCADA Webserver 10.0 -2017-10-04
CVE-2017-14000 Ctek SkyRouter Series 4200和4400 授权问题漏洞 — Ctek, Inc. SkyRouter 9.4 -2017-10-04
CVE-2017-12229 Cisco IOS XE 授权问题漏洞 — Cisco IOS XE 9.8 -2017-09-28
CVE-2017-12236 Cisco IOS XE 授权问题漏洞 — Cisco IOS XE 9.8 -2017-09-28
CVE-2017-12213 Cisco Catalyst 4000 Series Switches IOS XE Software 安全漏洞 — Cisco Catalyst 4000 Series Switches 6.5 -2017-09-07
CVE-2017-12225 Cisco Prime LAN Management Solution 安全漏洞 — Cisco Prime LAN Management Solution 9.4 -2017-09-07
CVE-2017-12698 Advantech WebAccess 授权问题漏洞 — Advantech WebAccess 9.8 -2017-08-30
CVE-2017-7930 OSIsoft PI Server 2017 PI Data Archive PI Network Manager 授权问题漏洞 — OSIsoft PI Server 2017 7.4 -2017-08-25
CVE-2017-7934 OSIsoft PI Server 2017 PI Data Archive PI Network Manager 授权问题漏洞 — OSIsoft PI Server 2017 5.9 -2017-08-25
CVE-2017-7557 dnsdist 安全漏洞 — dnsdist 8.8 -2017-08-22
CVE-2017-7420 Micro Focus Enterprise Developer和Enterprise Server ESMAC 权限许可和访问控制漏洞 — Micro Focus Enterprise Developer, Micro Focus Enterprise Server 9.1 -2017-08-21
CVE-2017-7546 PostgreSQL 安全漏洞 — postgresql 9.8 -2017-08-16
CVE-2017-11151 Synology Photo Station 安全漏洞 — Synology Photo Station 9.8 -2017-08-08
CVE-2017-6869 Siemens ViewPort for Web Office Portal 安全漏洞 — ViewPort for Web Office Portal before revision number 1453 9.8 -2017-08-08
CVE-2017-9939 Siemens SiPass integrated 授权问题漏洞 — SiPass integrated All versions before V2.70 9.8 -2017-08-08
CVE-2017-7920 ABB VSN300 WiFi Logger Card和VSN300 WiFi Logger Card for React 安全漏洞 — ABB VSN300 WiFi Logger Card 7.5 -2017-08-07
CVE-2017-9630 多款PDQ产品安全漏洞 — PDQ Manufacturing, Inc. LaserWash, Laser Jet and ProTouch 9.8 -2017-08-07
CVE-2017-6747 多款Cisco产品authentication模块授权问题漏洞 — Cisco Identity Services Engine 9.8 -2017-08-07
CVE-2017-6868 Siemens SIMATIC CP 44x-1 RNA 授权问题漏洞 — Siemens SIMATIC CP 44x-1 Redundant Network Access Modules 8.1 -2017-07-07
CVE-2017-6711 Cisco Ultra Services Framework 授权问题漏洞 — Cisco Ultra Services Framework 8.2 -2017-07-06
CVE-2017-7919 Newport XPS-Cx和XPS-Qx 授权问题漏洞 — Newport XPS-Cx, XPS-Qx 9.8 -2017-07-03
CVE-2017-3167 Apache httpd 安全漏洞 — Apache HTTP Server 9.8 -2017-06-20
CVE-2017-7937 Phoenix Contact GmbH mGuard 授权问题漏洞 — Phoenix Contact GmbH mGuard 8.9 -2017-05-19
CVE-2017-7921 多款Hikvision产品安全漏洞 — Hikvision Cameras 10.0 -2017-05-06
CVE-2017-6617 Cisco Integrated Management Controller 安全漏洞 — Cisco Integrated Management Controller 5.4 -2017-04-20
CVE-2017-3791 Cisco Prime Home 安全漏洞 — Cisco Prime Home versions from 6.3.0.0 to the first fixed release 6.5.0.1 9.8 -2017-02-01

CWE-287(认证机制不恰当) 是常见的弱点类别,本平台收录该类弱点关联的 1296 条 CVE 漏洞。