
CWE-290 (Authentication Bypass by Spoofing) — Vulnerability Class, 252 CVEs

252 vulnerabilities classified as CWE-290 (Authentication Bypass by Spoofing). AI-generated Chinese analysis included.

CWE-290 is a critical authentication weakness in which a system fails to verify the origin of an identity claim, so an attacker can bypass the control by spoofing that claim. It typically arises when the authentication decision rests on data the client can forge, such as a source IP address or an HTTP header, with no stronger verification behind it. An attacker supplies forged or manipulated identity data that mimics a legitimate user and so reaches sensitive resources or administrative functions without authenticating. To mitigate the risk, implement multi-factor authentication and base identity verification on cryptographically secure tokens rather than on spoofable network identifiers. Rigorous input validation and strict adherence to established authentication protocols such as OAuth or OpenID Connect further prevent impersonation, so that only genuinely authenticated users reach protected systems.

MITRE CWE Description
This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

Common Consequences (1)
Scope: Access Control. Impact: Bypass Protection Mechanism; Gain Privileges or Assume Identity.
This weakness can allow an attacker to access resources which are not otherwise accessible without proper authentication.
Examples (2)
The following code authenticates users.

```java
// The peer address is the only credential; it is not something the server
// has verified, so any sender that can present APPROVED_IP is accepted.
String sourceIP = request.getRemoteAddr();
if (sourceIP != null && sourceIP.equals(APPROVED_IP)) {
    authenticated = true;
}
```
Bad · Java

Both of these examples check if a request is from a trusted address before responding to the request.

```c
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

sd = socket(AF_INET, SOCK_DGRAM, 0);
serv.sin_family = AF_INET;
serv.sin_addr.s_addr = htonl(INADDR_ANY);
serv.sin_port = htons(1008);
bind(sd, (struct sockaddr *) &serv, sizeof(serv));

while (1) {
    memset(msg, 0x0, MAX_MSG);
    clilen = sizeof(cli);
    n = recvfrom(sd, msg, MAX_MSG, 0, (struct sockaddr *) &cli, &clilen);
    /* The trust decision rests entirely on the datagram's claimed source
       address; UDP does nothing to authenticate it. */
    if (strcmp(inet_ntoa(cli.sin_addr), getTrustedAddress()) == 0) {
        /* ... act on msg as if it came from the trusted peer ... */
    }
}
```
Bad · C

```java
while (true) {
    DatagramPacket rp = new DatagramPacket(rData, rData.length);
    outSock.receive(rp);
    String in = new String(rp.getData(), 0, rp.getLength());
    InetAddress clientIPAddress = rp.getAddress();
    int port = rp.getPort();
    // The source address is read straight from the packet and can be spoofed;
    // the secret is then returned to whatever address the packet named.
    if (isTrustedAddress(clientIPAddress) && secretKey.equals(in)) {
        out = secret.getBytes();
        DatagramPacket sp = new DatagramPacket(out, out.length, clientIPAddress, port);
        outSock.send(sp);
    }
}
```
Bad · Java
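To make the contrast concrete, here is an added example (my own, not MITRE's or this page's code) that puts a trusted-address test like the first example's beside a keyed-token check of the kind the summary recommends. APPROVED_IP, SERVER_KEY, the Request model and the token format are constructed for the demonstration.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# Constructed values standing in for the page's APPROVED_IP and a server-side secret.
APPROVED_IP = "10.0.0.5"
SERVER_KEY = b"constructed-demo-key-not-for-production"


@dataclass
class Request:
    """Minimal model of what a handler can observe about one HTTP request."""
    remote_addr: str                               # peer address reported by the socket
    headers: dict = field(default_factory=dict)    # client-supplied, therefore untrusted


def authenticate_by_ip(req: Request) -> bool:
    """Weak check in the spirit of the page's first example.

    Proxy-aware deployments often read X-Forwarded-For to recover the "real"
    client address; the identity claim is then a header the client writes
    itself, so the trusted-address test can be satisfied by any sender.
    """
    claimed = req.headers.get("X-Forwarded-For", req.remote_addr)
    return claimed.split(",")[0].strip() == APPROVED_IP


def issue_token(client_id: str, key: bytes = SERVER_KEY) -> str:
    """Server side: bind a client identity to a keyed MAC. Format <client_id>.<hex tag>."""
    tag = hmac.new(key, client_id.encode(), hashlib.sha256).hexdigest()
    return f"{client_id}.{tag}"


def authenticate_by_token(req: Request, key: bytes = SERVER_KEY):
    """Hardened check: trust follows from the key, not from a network identifier.
    Returns the authenticated client_id or None; compare_digest keeps the check
    constant-time. A real token would also carry an expiry and audience."""
    client_id, sep, tag = req.headers.get("Authorization", "").rpartition(".")
    if not sep or not client_id:
        return None
    expected = hmac.new(key, client_id.encode(), hashlib.sha256).hexdigest()
    return client_id if hmac.compare_digest(tag.encode(), expected.encode()) else None


if __name__ == "__main__":
    spoofed = Request("203.0.113.9", {"X-Forwarded-For": APPROVED_IP})
    print("IP check on forged header:", authenticate_by_ip(spoofed))        # True
    print("token check, same request:", authenticate_by_token(spoofed))    # None
    legit = Request("203.0.113.9", {"Authorization": issue_token("backup-agent")})
    print("token check, signed request:", authenticate_by_token(legit))    # backup-agent
```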
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2024-20297 | Cisco Adaptive Security Appliance and Firepower Threat Defense AnyConnect Access Control List Bypass Vulnerability | Cisco Adaptive Security Appliance (ASA) Software | 5.8 | Medium | 2024-10-23 |
| CVE-2024-10125 | Lack of JWT issuer and signer validation | Amazon.ApplicationLoadBalancer.Identity.AspNetCore Middleware | 7.5 | High | 2024-10-21 |
| CVE-2024-8901 | Lack of JWT issuer and signer validation | AWS ALB Route Directive Adapter For Istio | 7.5 | High | 2024-10-21 |
| CVE-2024-45453 | WordPress Maintenance Redirect plugin <= 2.0.1 - IP Bypass vulnerability | Maintenance Redirect | 3.7 | Low | 2024-09-23 |
| CVE-2024-6678 | Authentication Bypass by Spoofing in GitLab | GitLab | 9.9 | Critical | 2024-09-12 |
| CVE-2024-44104 | Ivanti Workspace Control security vulnerability | Workspace Control | 8.8 | High | 2024-09-10 |
| CVE-2024-43944 | WordPress Maintenance & Coming Soon Redirect Animation plugin <= 2.3.3 - Bypass Vulnerability vulnerability | Maintenance & Coming Soon Redirect Animation | 3.7 | Low | 2024-08-29 |
| CVE-2023-48396 | Apache SeaTunnel Web: Authentication bypass | Apache SeaTunnel Web | 9.8 (AI) | Critical (AI) | 2024-07-30 |
| CVE-2024-41107 | Apache CloudStack: SAML Signature Exclusion | Apache CloudStack | 9.8 | - | 2024-07-19 |
| CVE-2023-40356 | PingOne MFA Integration Kit MFA bypass | PingOne MFA Integration Kit for PingFederate | 5.3 (AI) | Medium (AI) | 2024-07-09 |
| CVE-2023-40702 | PingOne MFA Integration Kit MFA bypass | PingOne MFA Integration Kit for PingFederate | 8.1 (AI) | High (AI) | 2024-07-09 |
| CVE-2024-37430 | WordPress Patreon WordPress plugin <= 1.9.0 - Image Protection Bypass vulnerability | Patreon WordPress | 5.3 | Medium | 2024-07-09 |
| CVE-2024-6163 | local IP restriction of internal HTTP endpoints | Checkmk | 5.3 | Medium | 2024-07-08 |
| CVE-2024-37082 | Cloud Foundry security vulnerability | haproxy-boshrelease | 9.1 | Critical | 2024-07-03 |
| CVE-2024-39350 | Synology Camera Firmware security vulnerability | Camera Firmware | 7.5 | High | 2024-06-28 |
| CVE-2024-5812 | Smart Rule Overwrite Bypass in BeyondInsight PasswordSafe | BeyondInsight PasswordSafe | 3.3 | Low | 2024-06-11 |
| CVE-2024-35749 | WordPress Under Construction / Maintenance Mode from Acurax plugin <= 2.6 - IP Bypass vulnerability | Under Construction / Maintenance Mode from Acurax | 3.7 | Low | 2024-06-10 |
| CVE-2024-5037 | Openshift/telemeter: iss check during jwt authentication can be bypassed | | 7.5 | High | 2024-06-05 |
| CVE-2023-52176 | WordPress Malware Scanner plugin <= 4.7.1 - IP Restriction Bypass vulnerability | Malware Scanner | 5.3 | Medium | 2024-06-04 |
| CVE-2023-51667 | WordPress Rate my Post – WP Rating System plugin <= 3.4.2 - Broken Access Control vulnerability | Rate my Post – WP Rating System | 5.3 | Medium | 2024-06-04 |
| CVE-2023-51543 | WordPress RegistrationMagic plugin <= 5.2.5.0 - IP Limit Bypass vulnerability | RegistrationMagic | 5.3 | Medium | 2024-06-04 |
| CVE-2023-51542 | WordPress Branda plugin <= 3.4.14 - IP Restriction Bypass vulnerability | Branda | 5.3 | Medium | 2024-06-04 |
| CVE-2023-49741 | WordPress Coming soon and Maintenance mode plugin <= 3.7.3 - IP Filtering Bypass vulnerability | Coming soon and Maintenance mode | 3.7 | Low | 2024-06-04 |
| CVE-2023-48753 | WordPress Restricted Site Access plugin <= 7.4.1 - IP Restriction Bypass vulnerability | Restricted Site Access | 5.3 | Medium | 2024-06-04 |
| CVE-2023-48271 | WordPress Maspik – Spam Blacklist plugin <= 0.10.3 - IP Filtering Bypass vulnerability | Maspik – Spam blacklist | 5.3 | Medium | 2024-06-04 |
| CVE-2023-47769 | WordPress WP Maintenance plugin <= 6.1.3 - IP Filtering Bypass vulnerability | WP Maintenance | 3.7 | Low | 2024-06-04 |
| CVE-2023-41134 | WordPress Antispam Bee plugin <= 2.11.3 - Country IP Restriction Bypass vulnerability | Antispam Bee | 5.3 | Medium | 2024-06-04 |
| CVE-2023-37865 | WordPress IP2Location Country Blocker plugin <= 2.29.1 - IP Bypass Vulnerability vulnerability | Download IP2Location Country Blocker | 5.3 | Medium | 2024-06-04 |
| CVE-2024-4358 | Registration Authentication Bypass Vulnerability | Telerik Report Server | 9.8 | Critical | 2024-05-29 |
| CVE-2024-20363 | Cisco multiple products security vulnerability | Cisco Firepower Threat Defense Software | 5.8 | Medium | 2024-05-22 |

Vulnerabilities classified as CWE-290 (Authentication Bypass by Spoofing) account for 252 CVEs. The CWE taxonomy describes the weakness; review the individual CVEs for product-specific impact.