
CWE-289 Authentication Bypass by Alternate Name: vulnerability list (21)

CWE-289 Authentication Bypass by Alternate Name: summary of the 21 CVE entries in this weakness class, with AI-generated analysis in Chinese.

CWE-289 is an authentication bypass weakness that arises when a system authenticates solely on one particular name of a resource or requester without checking every possible alias of that entity. An attacker exploits this by presenting an unverified alternate name to impersonate an identity and obtain access illegitimately. Developers should ensure the authentication mechanism covers every identifier variant, implementing strict alias mapping and a single unified validation path, so that incomplete name recognition leaves no security blind spots.

MITRE CWE official description
CWE-289 Authentication Bypass by Alternate Name: The product performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor.
Common consequences (1)
Scope: Access Control. Impact: Bypass Protection Mechanism.
Mitigations (3)
Architecture and Design: Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names.
Implementation: Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
Implementation: Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
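The three mitigations above describe one pattern: never decide on the literal name, decode exactly once, canonicalize, then allowlist. The following Python example is an added illustration written for this page; it is not code from MITRE or from any of the listed products. It builds a small constructed directory tree (a public directory, a private directory, and a symlink inside the public directory that is an alternate name for the private one), then contrasts a naive check that trusts the requested name as given with a hardened check that applies the CWE-180/CWE-174 guidance. All names and paths are constructed for the demo.

```python
"""CWE-289 illustration: name-based access decision, naive vs. hardened.
Added example for this page, not code from the original page or any vendor.
The directory layout is constructed inline so the script runs offline."""
import os
import tempfile
from urllib.parse import unquote


def build_demo_tree() -> str:
    """Constructed layout:
       <root>/public/hello.txt     servable
       <root>/private/secret.txt   must never be served
       <root>/public/alias -> ../private   a second name for the private dir
    Returns the temporary root directory."""
    root = tempfile.mkdtemp(prefix="cwe289-")
    os.makedirs(os.path.join(root, "public"))
    os.makedirs(os.path.join(root, "private"))
    with open(os.path.join(root, "public", "hello.txt"), "w") as f:
        f.write("hello\n")
    with open(os.path.join(root, "private", "secret.txt"), "w") as f:
        f.write("secret\n")
    os.symlink(os.path.join("..", "private"),
               os.path.join(root, "public", "alias"))
    return root


def naive_is_allowed(root: str, requested: str) -> bool:
    """Vulnerable pattern (the weakness CWE-289 describes):
    the decision is made on the literal requested name, and decoding
    happens only afterwards, so any alternate spelling of the private
    path (symlink, percent-encoding, dot segments) is not recognised."""
    if requested.startswith("private/"):
        return False
    return os.path.exists(os.path.join(root, unquote(requested)))


def hardened_is_allowed(root: str, requested: str) -> bool:
    """Mitigation pattern: decode exactly once, refuse input that would
    change under a second decode (CWE-174), resolve to the canonical
    filesystem path (CWE-180), then accept only names that land inside
    the public directory (accept-known-good)."""
    decoded = unquote(requested)
    if unquote(decoded) != decoded:
        # Double-encoded input: reject instead of decoding again.
        return False
    if "\x00" in decoded or os.path.isabs(decoded):
        return False
    public_root = os.path.realpath(os.path.join(root, "public"))
    # realpath follows symlinks and collapses "..", so every alias of
    # the private directory ends up as the same canonical path.
    target = os.path.realpath(os.path.join(root, decoded))
    try:
        inside = os.path.commonpath([public_root, target]) == public_root
    except ValueError:
        return False
    return inside and os.path.isfile(target)


def compare(root: str, names: list[str]) -> dict[str, tuple[bool, bool]]:
    """Returns {requested_name: (naive_decision, hardened_decision)}."""
    return {n: (naive_is_allowed(root, n), hardened_is_allowed(root, n))
            for n in names}


if __name__ == "__main__":
    demo_root = build_demo_tree()
    # Constructed requests: one legitimate, the rest alternate names
    # for the private file.
    probes = ["public/hello.txt", "public/alias/secret.txt",
              "private%2Fsecret.txt", "public/../private/secret.txt"]
    for name, (naive, hardened) in compare(demo_root, probes).items():
        print(f"{name:32} naive={naive!s:5} hardened={hardened}")
```

The naive check fails on every alternate name because it compares a string the attacker controls, while the hardened check compares canonical paths, so the symlink, the encoded slash and the dot-segment form all collapse to the same rejected location. Note that `realpath` alone is not the whole fix: the single-decode rule and the allowlist on the resolved path are what make the decision independent of how the name was spelled.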
| CVE ID | Title | CVSS | Risk level | Published |
|---|---|---|---|---|
| CVE-2026-3184 | util-linux security vulnerability — Red Hat Hardened Images | 3.7 | Low | 2026-04-03 |
| CVE-2026-32036 | OpenClaw security vulnerability — OpenClaw | 6.5 | Medium | 2026-03-19 |
| CVE-2026-23903 | Apache Shiro security vulnerability — Apache Shiro | 7.5 | - | 2026-02-09 |
| CVE-2026-24058 | Soft Serve security vulnerability — soft-serve | 8.1 (AI) | High (AI) | 2026-01-22 |
| CVE-2025-14777 | Keycloak security vulnerability — Red Hat build of Keycloak 26.4 | 6.0 | Medium | 2025-12-16 |
| CVE-2025-13613 | WordPress plugin Elated Membership security vulnerability — Elated Membership | 9.8 | Critical | 2025-12-10 |
| CVE-2025-64521 | authentik security vulnerability — authentik | 4.8 | Medium | 2025-11-19 |
| CVE-2025-64343 | Conda Constructor security vulnerability — constructor | 7.8 | High | 2025-11-07 |
| CVE-2025-8415 | Cryostat security vulnerability — Cryostat | 5.9 | Medium | 2025-08-20 |
| CVE-2025-29266 | Unraid security vulnerability — Unraid | 9.6 | Critical | 2025-03-31 |
| CVE-2024-11283 | WordPress plugin WP JobHunt security vulnerability — WP JobHunt | 7.5 | High | 2025-03-14 |
| CVE-2024-56511 | DataEase security vulnerability — dataease | 9.1 | - | 2025-01-10 |
| CVE-2024-2098 | WordPress plugin Download Manager security vulnerability — Download Manager | 7.5 | High | 2024-06-13 |
| CVE-2023-51663 | Hail security vulnerability — hail | 5.3 | Medium | 2023-12-29 |
| CVE-2023-41890 | SAML security vulnerability — Saml2 | 7.5 | High | 2023-09-19 |
| CVE-2023-3263 | Dataprobe authorization issue — iBoot PDU | 7.5 | High | 2023-08-14 |
| CVE-2023-38487 | HedgeDoc security vulnerability — hedgedoc | 6.5 | Medium | 2023-08-04 |
| CVE-2023-20046 | Cisco StarOS security vulnerability — Cisco ASR 5000 Series Software | 8.8 | High | 2023-05-09 |
| CVE-2023-1803 | Redline Router authorization issue — Redline Router | 9.8 | Critical | 2023-04-14 |
| CVE-2021-34746 | Cisco Enterprise NFV Infrastructure Software authorization issue — Cisco Enterprise NFV Infrastructure Software | 9.8 | Critical | 2021-09-02 |
| CVE-2017-16590 | Netgain Enterprise Manager security vulnerability — NetGain Systems Enterprise Manager | 8.8 | - | 2018-01-23 |

Scores and risk levels marked "(AI)" are AI-estimated rather than vendor- or NVD-assigned; "-" means no risk level is recorded.

CWE-289 (Authentication Bypass by Alternate Name) is a common weakness category; this platform has indexed the 21 CVE entries associated with it.