CWE-290 Authentication Bypass by Spoofing: summary of the 278 CVE vulnerabilities in this weakness class, with AI-generated Chinese analysis.
CWE-290 is an authentication bypass weakness that arises when an authentication mechanism is implemented in a way that leaves it open to spoofing. An attacker typically forges or tampers with an identity marker (such as an IP address, certificate or token) so that the system mistakes them for a legitimate user and grants unauthorized access. Developers should adopt strong authentication measures, including multi-factor authentication, strict input validation and anti-replay mechanisms, and should periodically review their authentication logic, so that the trustworthiness and integrity of the identity source are assured and such spoofing is defended against.
The three CWE-290 demonstrative examples below each treat a network source address as proof of identity, which an attacker can forge:

```java
// Example 1: an HTTP handler grants access based only on the client IP address
String sourceIP = request.getRemoteAddr();
if (sourceIP != null && sourceIP.equals(APPROVED_IP)) {
    authenticated = true;   // a spoofed or proxied address passes this check
}
```

```c
/* Example 2: a UDP server accepts datagrams whose source address matches a
   trusted host. Fragment: MAX_MSG, getTrustedAddress() and the socket
   variables are assumed to be declared elsewhere. */
sd = socket(AF_INET, SOCK_DGRAM, 0);
serv.sin_family = AF_INET;
serv.sin_addr.s_addr = htonl(INADDR_ANY);
serv.sin_port = htons(1008);
bind(sd, (struct sockaddr *) &serv, sizeof(serv));
while (1) {
    memset(msg, 0x0, MAX_MSG);
    clilen = sizeof(cli);
    n = recvfrom(sd, msg, MAX_MSG, 0, (struct sockaddr *) &cli, &clilen);
    /* The source address of a UDP datagram is attacker-controlled, so this
       comparison is not authentication. */
    if (n > 0 && strcmp(inet_ntoa(cli.sin_addr), getTrustedAddress()) == 0) {
        /* process msg as if it came from the trusted host */
    }
}
```

```java
// Example 3: a UDP service returns a secret when the datagram arrives from a
// trusted address and carries the expected key; the address check adds no
// real assurance against a forged source.
byte[] out;
while (true) {
    DatagramPacket rp = new DatagramPacket(rData, rData.length);
    outSock.receive(rp);
    String in = new String(rp.getData(), 0, rp.getLength());
    InetAddress clientIPAddress = rp.getAddress();
    int port = rp.getPort();
    if (isTrustedAddress(clientIPAddress) && secretKey.equals(in)) {
        out = secret.getBytes();
        DatagramPacket sp = new DatagramPacket(out, out.length, clientIPAddress, port);
        outSock.send(sp);
    }
}
```

| CVE ID | Title | CVSS | Risk level | Published |
|---|---|---|---|---|
| CVE-2020-2033 | Palo Alto Networks GlobalProtect trust management vulnerability — GlobalProtect App | 5.3 | Medium | 2020-06-10 |
| CVE-2020-10136 | Cisco NX-OS Software code issue vulnerability — RFC2003 - IP Encapsulation within IP | 8.2 | - | 2020-06-02 |
| CVE-2020-2002 | Palo Alto Networks PAN-OS security vulnerability — PAN-OS | 8.1 | High | 2020-05-13 |
| CVE-2019-18259 | Omron PLC CJ series and CS series security vulnerability — Omron PLC CJ and CS Series | 9.8 | - | 2019-12-16 |
| CVE-2019-3884 | Red Hat OpenShift authorization issue vulnerability — atomic-openshift | 5.4 | - | 2019-08-01 |
| CVE-2019-3775 | Cloud Foundry UAA authorization issue vulnerability — UAA Release (OSS) | 8.1 | - | 2019-03-07 |
| CVE-2018-15715 | Zoom Client security vulnerability — Zoom | 9.8 | - | 2018-11-30 |
| CVE-2017-14003 | LAVA Ether-Serial Link authorization issue vulnerability — LAVA Computer MFG Inc. Ether-Serial Link | 9.8 | - | 2017-10-11 |
CWE-290 (Authentication Bypass by Spoofing) is a common weakness class; this platform indexes the 278 CVE vulnerabilities associated with it.
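As an added illustration (not code from this page or from CWE), the spoofable source-address check from the UDP examples above is shown beside a hardened variant that authenticates each message with a keyed HMAC and a fresh nonce, matching the page's advice on input validation and anti-replay. Packets are modelled in memory as (claimed source IP, payload) pairs, and the trusted IP and shared key are constructed sample values.

```python
import hashlib
import hmac
import secrets

TRUSTED_IP = "10.0.0.5"             # constructed sample value
SHARED_KEY = b"example-shared-key"  # constructed; provision out of band
NONCE_LEN, TAG_LEN = 16, 32

def vulnerable_is_trusted(source_ip: str, payload: bytes) -> bool:
    """CWE-290 pattern: the claimed source address alone grants trust."""
    return source_ip == TRUSTED_IP

def sign(body: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Wire format: nonce || HMAC-SHA256(key, nonce || body) || body."""
    nonce = secrets.token_bytes(NONCE_LEN)
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + tag + body

class HardenedServer:
    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self.seen_nonces = set()  # replay protection; bound or window it in production

    def is_trusted(self, source_ip: str, payload: bytes) -> bool:
        # source_ip is deliberately ignored: it is not evidence of identity
        if len(payload) < NONCE_LEN + TAG_LEN:
            return False
        nonce, tag = payload[:NONCE_LEN], payload[NONCE_LEN:NONCE_LEN + TAG_LEN]
        body = payload[NONCE_LEN + TAG_LEN:]
        expected = hmac.new(self.key, nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time compare
            return False
        if nonce in self.seen_nonces:  # a captured datagram replayed later
            return False
        self.seen_nonces.add(nonce)
        return True

def demo() -> dict:
    spoofed = (TRUSTED_IP, b"status request")            # forged source, no key
    genuine = ("198.51.100.7", sign(b"status request"))  # other address, valid MAC
    srv = HardenedServer()
    return {
        "vulnerable_accepts_spoof": vulnerable_is_trusted(*spoofed),
        "hardened_rejects_spoof": not srv.is_trusted(*spoofed),
        "hardened_accepts_signed": srv.is_trusted(*genuine),
        "hardened_rejects_replay": not srv.is_trusted(*genuine),
    }
```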