CWE-288 Authentication Bypass Using an Alternate Path or Channel: vulnerability list (439)

Summary of the 439 CVE vulnerabilities in the CWE-288 (Authentication Bypass Using an Alternate Path or Channel) weakness class, with AI-generated analysis in Chinese.

CWE-288 denotes an authentication bypass weakness: the system does have an authentication mechanism, but an alternate path or channel exists that requires no verification. Attackers commonly exploit this flaw by reaching restricted resources directly through an unprotected interface or hidden entry point, thereby evading the identity check. Developers should ensure that every access entry point enforces one uniform and strict authentication policy, review the system architecture thoroughly, and eliminate any potential path to unauthorized access.

MITRE CWE official description
CWE: CWE-288 Authentication Bypass Using an Alternate Path or Channel. Description: the product requires authentication, but the product has an alternate path or channel that does not require authentication.
Common consequences (1)
Scope: Access Control. Impact: Bypass Protection Mechanism.
Mitigations (1)
Phase: Architecture and Design. Funnel all access through a single choke point to simplify how users can access a resource. For every access, perform a check to determine if the user has permissions to access the resource.
Code examples (1)
Register SECURE_ME is located at address 0xF00. A mirror of this register called COPY_OF_SECURE_ME is at location 0x800F00. The register SECURE_ME is protected from malicious agents and only allows access to select, while COPY_OF_SECURE_ME is not. Access control is implemented using an allowlist (as indicated by a…

    module foo_bar(data_out, data_in, incoming_id, address, clk, rst_n);
      output [31:0] data_out;
      input [31:0] data_in, incoming_id, address;
      input clk, rst_n;
      wire write_auth, addr_auth;
      reg [31:0] data_out, acl_oh_allowlist, q;

      // An agent may write if any bit of its id matches the one-hot allowlist.
      assign write_auth = | (incoming_id & acl_oh_allowlist) ? 1 : 0;
      always @*
        acl_oh_allowlist <= 32'h8312;

      // Only the primary address 0xF00 is recognised as SECURE_ME; the mirror
      // at 0x800F00 never reaches this check, which is the weakness.
      assign addr_auth = (address == 32'hF00) ? 1 : 0;

      always @ (posedge clk or negedge rst_n)
        if (!rst_n)
          begin
            q <= 32'h0;
            data_out <= 32'h0;
          end
        else
          begin
            q <= (addr_auth & write_auth) ? data_in : q;
            data_out <= q;
          end
    endmodule

Informative · Verilog

    assign addr_auth = (address == 32'hF00) ? 1 : 0;

Bad · Verilog
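The following is an added example, not MITRE's code and not part of the original page: a small Python model of the register-mirror weakness shown above, together with the mitigation the page recommends (a single choke point through which every access is funnelled). The two addresses and the allowlist constant are taken from the page; the alias table, the two decoder classes and the audit helper are assumptions of this model, not a transliteration of the Verilog.

```python
# Added example (not MITRE's code, not from the original page): a model of a
# protected register reachable through an unprotected mirror, and the fix.
SECURE_ME = 0xF00              # protected register (address from the page)
COPY_OF_SECURE_ME = 0x800F00   # mirror of SECURE_ME (address from the page)
ACL_OH_ALLOWLIST = 0x8312      # one-hot allowlist of agent ids (from the Verilog)

# Assumed address map: every bus address that resolves to the same physical
# register. The page only names the two addresses above.
ALIASES = {SECURE_ME: SECURE_ME, COPY_OF_SECURE_ME: SECURE_ME}
PROTECTED = {SECURE_ME}        # physical registers whose writes need write_auth


def write_auth(incoming_id: int) -> bool:
    """Same test as `| (incoming_id & acl_oh_allowlist)`: any allowlisted bit set."""
    return (incoming_id & ACL_OH_ALLOWLIST) != 0


class VulnerableRegisterFile:
    """Decoder that keys the access check on the raw bus address, like the
    page's 'Bad' line: only 0xF00 is checked, so the mirror is an unchecked path."""

    def __init__(self) -> None:
        self.storage = {SECURE_ME: 0}

    def write(self, address: int, incoming_id: int, data: int) -> bool:
        addr_auth = address == SECURE_ME          # the check never sees 0x800F00
        if addr_auth and not write_auth(incoming_id):
            return False                          # rejected on the primary path
        phys = ALIASES.get(address)
        if phys is None:
            return False                          # unmapped address: no register
        self.storage[phys] = data                 # mirror writes land here unchecked
        return True

    def read(self, address: int) -> int:
        return self.storage[ALIASES[address]]


class HardenedRegisterFile:
    """Single choke point: resolve the alias to its physical register first,
    then apply the check to the physical register, so every path is covered."""

    def __init__(self) -> None:
        self.storage = {SECURE_ME: 0}

    def write(self, address: int, incoming_id: int, data: int) -> bool:
        phys = ALIASES.get(address)
        if phys is None:
            return False
        if phys in PROTECTED and not write_auth(incoming_id):
            return False                          # same decision for every alias
        self.storage[phys] = data
        return True

    def read(self, address: int) -> int:
        return self.storage[ALIASES[address]]


def unchecked_aliases(checked_addresses: set) -> set:
    """Design-review helper (assumed): bus addresses that reach a protected
    register but are not covered by a decoder whose check fires only on
    `checked_addresses`. An empty result means no alternate path remains."""
    return {a for a, phys in ALIASES.items()
            if phys in PROTECTED and a not in checked_addresses}


def demo() -> dict:
    """Exercise both decoders with an agent id that is outside the allowlist."""
    untrusted = 0x1          # bit 0 is clear in 0x8312
    vuln, hard = VulnerableRegisterFile(), HardenedRegisterFile()
    return {
        "vuln_primary_rejected": not vuln.write(SECURE_ME, untrusted, 0xAA),
        "vuln_mirror_accepted": vuln.write(COPY_OF_SECURE_ME, untrusted, 0xAA),
        "vuln_value": vuln.read(SECURE_ME),
        "hard_mirror_rejected": not hard.write(COPY_OF_SECURE_ME, untrusted, 0xAA),
        "hard_value": hard.read(SECURE_ME),
        "audit_bad": unchecked_aliases({SECURE_ME}),
        "audit_good": unchecked_aliases({SECURE_ME, COPY_OF_SECURE_ME}),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design point is the order of operations: the hardened decoder canonicalises the address before it decides, so adding a new mirror to the alias table cannot silently create a bypass, whereas the vulnerable decoder must be updated by hand for every alias. The `unchecked_aliases` helper is the review check that catches the gap on paper before tape-out or deployment.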
CVE ID | Title | Product | CVSS | Risk level | Published
CVE-2026-41308 | Password Pusher p.json file-upload alias authentication bypass vulnerability | PasswordPusher | 6.5 | Medium | 2026-05-08
CVE-2026-7458 | PickPlugins User Verification ≤2.0.46 OTP authentication bypass vulnerability | User Verification by PickPlugins | 9.8 | Critical | 2026-05-02
CVE-2026-7567 | Temporary Login 1.0.0 authentication bypass leading to account takeover | Temporary Login | 9.8 | Critical | 2026-05-01
CVE-2026-40022 | Apache Camel security vulnerability | Apache Camel Platform HTTP Main | 9.8 (AI) | Critical (AI) | 2026-04-27
CVE-2026-40630 | SenseLive X3050 security vulnerability | X3050 | 9.8 | Critical | 2026-04-23
CVE-2026-41059 | OAuth2 Proxy security vulnerability | oauth2-proxy | 8.2 | High | 2026-04-21
CVE-2026-40582 | ChurchCRM security vulnerability | CRM | 9.8 (AI) | Critical (AI) | 2026-04-17
CVE-2026-3605 | HashiCorp Vault and HashiCorp Vault Enterprise security vulnerability | Vault | 8.1 | High | 2026-04-17
CVE-2026-3324 | ZOHO ManageEngine Log360 security vulnerability | ManageEngine Log360 | 8.2 | High | 2026-04-16
CVE-2026-3461 | WordPress plugin Visa Acceptance Solutions security vulnerability | Visa Acceptance Solutions | 9.8 | Critical | 2026-04-15
CVE-2026-35664 | OpenClaw security vulnerability | OpenClaw | 5.3 | Medium | 2026-04-10
CVE-2026-35661 | OpenClaw security vulnerability | OpenClaw | 5.3 | Medium | 2026-04-10
CVE-2026-35654 | OpenClaw security vulnerability | OpenClaw | 5.3 | Medium | 2026-04-10
CVE-2026-35647 | OpenClaw security vulnerability | OpenClaw | 5.3 | Medium | 2026-04-10
CVE-2026-35642 | OpenClaw security vulnerability | OpenClaw | 4.3 | Medium | 2026-04-09
CVE-2026-35634 | OpenClaw security vulnerability | OpenClaw | 5.1 | Medium | 2026-04-09
CVE-2026-5557 | OSS Weekend security vulnerability | pi-mono | 6.3 | Medium | 2026-04-05
CVE-2026-34581 | goshs security vulnerability | goshs | 8.1 | High | 2026-04-02
CVE-2026-29139 | SEPPmail Secure Email Gateway security vulnerability | Secure Email Gateway | 9.8 (AI) | Critical (AI) | 2026-04-02
CVE-2026-34372 | Sulu security vulnerability | sulu | 4.3 | - | 2026-03-31
CVE-2026-34040 | Moby security vulnerability | moby | 8.8 | High | 2026-03-31
CVE-2026-32678 | BUFFALO Wi-Fi router security vulnerability | BUFFALO Wi-Fi router products | 8.8 | - | 2026-03-27
CVE-2026-3531 | Drupal OpenID Connect / OAuth client security vulnerability | OpenID Connect / OAuth client | 9.8 (AI) | Critical (AI) | 2026-03-26
CVE-2026-2745 | GitLab security vulnerability | GitLab | 6.8 | Medium | 2026-03-25
CVE-2026-27049 | WordPress plugin Jobica Core security vulnerability | Jobica Core | 9.8 | Critical | 2026-03-25
CVE-2026-25406 | WordPress plugin Tutor LMS Pro security vulnerability | Tutor LMS Pro | 8.1 | High | 2026-03-25
CVE-2026-25357 | WordPress plugin Ultimate Membership Pro security vulnerability | Ultimate Membership Pro | 8.1 | High | 2026-03-25
CVE-2026-25035 | WordPress plugin Contest Gallery security vulnerability | Contest Gallery | 9.8 | Critical | 2026-03-25
CVE-2026-25002 | WordPress plugin LearnPress – Sepay Payment security vulnerability | LearnPress – Sepay Payment | 7.5 | High | 2026-03-25
CVE-2026-24359 | WordPress plugin Dokan security vulnerability | Dokan | 8.8 | High | 2026-03-25

(AI) marks a score or rating produced by the platform's AI analysis rather than taken from the advisory; "-" means no risk level was assigned.

CWE-288 (Authentication Bypass Using an Alternate Path or Channel) is a common weakness category; this platform has collected 439 CVE vulnerabilities associated with it.