CWE-290 (Authentication Bypass by Spoofing): 245 vulnerabilities in this class

245 vulnerabilities classified as CWE-290 (Authentication Bypass by Spoofing). AI-generated Chinese analysis included.

CWE-290 covers authentication schemes that decide who a peer is from a signal the peer itself supplies and can forge. The usual signals are network identifiers rather than credentials: the source address of a packet, a forwarding header such as X-Forwarded-For or a client-asserted identity header that an upstream proxy or SSO layer was expected to set, or a token whose issuer and signature are never checked. An attacker who can stamp the trusted value onto a request (spoofing a UDP source, adding the header when the application is reachable without the proxy in front of it, presenting a token signed by a key the service did not intend to trust) is treated as a legitimate user and reaches protected data or administrative functions. The fix is to authenticate with something the attacker cannot produce: a credential, or a signed token verified for signature, issuer, audience and expiry and bound to the session. IP allowlists and proxy headers are at most defense in depth, and only after the client address has been resolved through an explicit list of trusted proxies. OAuth 2.0 and OpenID Connect help only when their token validation is actually performed; several of the CVEs listed below are exactly the case where a JWT's issuer or signer was not checked. Multi-factor authentication raises the bar for credential theft but does nothing for a check that never asks for a credential in the first place.
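The header-spoofing case above, as an added example that is not part of this page or of any product listed on it. It contrasts the vulnerable pattern (believe the first X-Forwarded-For entry, whoever sent it) with a resolver that only honors the header when the TCP peer is one of the deployment's own proxies and walks the chain from the proxy's end. The proxy ranges, the admin allowlist and the request headers are constructed sample data; the function and constant names are this example's own.

```python
import ipaddress
from typing import Callable, Dict, Iterable, List, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed deployment assumptions for this example: the application sits behind
# reverse proxies in 10.0.0.0/8, and an admin route is additionally gated to the
# range 203.0.113.0/24 (a documentation prefix, used here purely as sample data).
TRUSTED_PROXIES: List[Network] = [ipaddress.ip_network("10.0.0.0/8")]
ADMIN_ALLOWLIST: List[Network] = [ipaddress.ip_network("203.0.113.0/24")]


def _in_any(addr: Address, nets: Iterable[Network]) -> bool:
    # A mismatched IP version never matches, so v4/v6 mixing is safe here.
    return any(addr in n for n in nets)


def naive_client_ip(headers: Dict[str, str], peer_ip: str) -> str:
    """Vulnerable pattern: believe the first X-Forwarded-For entry no matter who sent it."""
    first = headers.get("X-Forwarded-For", "").split(",")[0].strip()
    return first or peer_ip


def client_ip_behind_trusted_proxies(headers: Dict[str, str], peer_ip: str,
                                     trusted: Iterable[Network] = TRUSTED_PROXIES) -> str:
    """Resolve the client address the way a proxy-aware server should.

    The TCP peer is the only address the server observed itself. If that peer is
    not one of our proxies, the header is attacker-supplied and is ignored. If it
    is, walk the X-Forwarded-For chain from the right (the hop our proxy appended
    last) and skip every address that belongs to a trusted proxy; the first one
    that does not is the client as seen by the outermost trusted proxy. Anything
    further left was written by the client itself and is never used.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not _in_any(peer, trusted):
        return str(peer)
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop walking and fall back to the peer
        if not _in_any(addr, trusted):
            return str(addr)
    return str(peer)


def is_admin_allowed(headers: Dict[str, str], peer_ip: str,
                     resolver: Callable[[Dict[str, str], str], str] = client_ip_behind_trusted_proxies) -> bool:
    """IP gating as defense in depth only; the route must still demand a real credential."""
    return _in_any(ipaddress.ip_address(resolver(headers, peer_ip)), ADMIN_ALLOWLIST)


if __name__ == "__main__":
    # Constructed requests: an attacker at 198.51.100.9 forging the header and
    # connecting either straight to the application or through the proxy 10.0.0.5.
    forged = {"X-Forwarded-For": "203.0.113.7"}
    print(naive_client_ip(forged, "198.51.100.9"))                   # 203.0.113.7 (fooled)
    print(client_ip_behind_trusted_proxies(forged, "198.51.100.9"))  # 198.51.100.9
    print(client_ip_behind_trusted_proxies(
        {"X-Forwarded-For": "203.0.113.7, 198.51.100.9"}, "10.0.0.5"))  # 198.51.100.9
    print(is_admin_allowed(forged, "198.51.100.9", resolver=naive_client_ip))  # True: bypass
    print(is_admin_allowed(forged, "198.51.100.9"))                             # False
```

The resolver is only as good as two operational facts it assumes: the proxies really do append the peer address to the chain instead of passing the client's header through, and the application port is not reachable except via those proxies. If either fails, the allowlist is bypassable again, which is why it must never be the only check.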

MITRE CWE Description
This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
Common Consequences (1)
Scope: Access Control. Impact: Bypass Protection Mechanism; Gain Privileges or Assume Identity.
This weakness can allow an attacker to access resources which are not otherwise accessible without proper authentication.
Examples (2)
The following code authenticates users.

    // Vulnerable: the request is treated as authenticated solely because its
    // source address equals APPROVED_IP. The address is not a credential: it can
    // be a spoofed source, a forwarding header the container was configured to
    // honor, or any host sharing the approved NAT address.
    String sourceIP = request.getRemoteAddr();
    if (sourceIP != null && sourceIP.equals(APPROVED_IP)) {
        authenticated = true;
    }

Bad · Java
Both of these examples check whether a request comes from a trusted address before responding to it. The address they check is the one written into the packet by whoever sent it, so it proves nothing: on UDP there is no handshake, and an attacker can stamp the trusted address onto a packet and impersonate that client.

    /* Vulnerable: trust is decided by the datagram's source address. */
    int sd, n;
    socklen_t clilen;
    char msg[MAX_MSG];
    struct sockaddr_in serv, cli;

    sd = socket(AF_INET, SOCK_DGRAM, 0);
    serv.sin_family = AF_INET;
    serv.sin_addr.s_addr = htonl(INADDR_ANY);
    serv.sin_port = htons(1008);
    bind(sd, (struct sockaddr *) &serv, sizeof(serv));
    while (1) {
        memset(msg, 0x0, MAX_MSG);
        clilen = sizeof(cli);
        n = recvfrom(sd, msg, MAX_MSG, 0, (struct sockaddr *) &cli, &clilen);
        /* cli.sin_addr is whatever the sender put in the IP header. */
        if (n > 0 && strcmp(inet_ntoa(cli.sin_addr), getTrustedAddress()) == 0) {
            /* ... act on msg as if it came from the trusted host ... */
        }
    }

Bad · C
    // Vulnerable: the datagram's source address (chosen by the sender) is part
    // of the trust decision, and the shared secret travels in cleartext in the
    // same packet, so anyone who observed one request can resend it from a
    // spoofed source and have the secret delivered to the address they chose.
    while (true) {
        DatagramPacket rp = new DatagramPacket(rData, rData.length);
        outSock.receive(rp);
        String in = new String(rp.getData(), 0, rp.getLength());
        InetAddress clientIPAddress = rp.getAddress();
        int port = rp.getPort();
        if (isTrustedAddress(clientIPAddress) && secretKey.equals(in)) {
            out = secret.getBytes();
            DatagramPacket sp = new DatagramPacket(out, out.length, clientIPAddress, port);
            outSock.send(sp);
        }
    }

Bad · Java
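The hardened counterpart to the two datagram examples, as an added example that is not MITRE's code or part of this page: the address check is replaced by an HMAC over a nonce and the message, so a packet is accepted only if its sender holds the key, and a captured packet cannot be replayed. The trusted address, the key and the sample messages are constructed for the example; the class and function names are this example's own.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Set

# Constructed sample values for this example only (not real deployment data).
TRUSTED_ADDRESS = "192.0.2.10"
SHARED_KEY = b"example-key-do-not-use-in-production"
NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output


@dataclass
class Datagram:
    """What the server actually has: a source address it cannot verify, and bytes."""
    src_addr: str
    payload: bytes


def trusted_by_source_address(dg: Datagram) -> bool:
    """The CWE-290 pattern from the examples above: the sender picks the source
    address, so this accepts any packet stamped with the trusted one."""
    return dg.src_addr == TRUSTED_ADDRESS


class AuthenticatedDatagrams:
    """Authenticate the payload instead of the address.

    Wire format: nonce (16 bytes) || tag (32 bytes) || message, where
    tag = HMAC-SHA256(key, nonce || message). The nonce makes every accepted
    packet unique, so a replayed copy is refused.
    """

    def __init__(self, key: bytes) -> None:
        self._key = key
        # Accepted nonces. Unbounded here; a real server bounds this with a
        # timestamp window or sequence numbers.
        self._seen: Set[bytes] = set()

    def seal(self, message: bytes, nonce: Optional[bytes] = None) -> bytes:
        """Client side: produce an authenticated payload."""
        nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
        if len(nonce) != NONCE_LEN:
            raise ValueError("nonce must be %d bytes" % NONCE_LEN)
        tag = hmac.new(self._key, nonce + message, hashlib.sha256).digest()
        return nonce + tag + message

    def unseal(self, dg: Datagram) -> Optional[bytes]:
        """Server side: return the message if authentic and fresh, else None.
        dg.src_addr is deliberately unused: it is not evidence of anything."""
        p = dg.payload
        if len(p) < NONCE_LEN + TAG_LEN:
            return None
        nonce = p[:NONCE_LEN]
        tag = p[NONCE_LEN:NONCE_LEN + TAG_LEN]
        message = p[NONCE_LEN + TAG_LEN:]
        expected = hmac.new(self._key, nonce + message, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return None
        if nonce in self._seen:
            return None  # replay of a packet that was already accepted
        self._seen.add(nonce)
        return message


if __name__ == "__main__":
    server = AuthenticatedDatagrams(SHARED_KEY)
    client = AuthenticatedDatagrams(SHARED_KEY)
    spoofed = Datagram(TRUSTED_ADDRESS, b"GET secret")      # forged source, no key
    print(trusted_by_source_address(spoofed))               # True: address check is fooled
    print(server.unseal(spoofed))                           # None: no valid tag
    genuine = Datagram("198.51.100.77", client.seal(b"GET secret"))
    print(server.unseal(genuine))                           # b'GET secret'
    print(server.unseal(genuine))                           # None: replay refused
```

A shared symmetric key only tells the server that the sender is one of the key holders; where individual clients must be distinguished, use per-client keys or a signature scheme, and send the secret back only over a channel that has been authenticated in both directions.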
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2024-58124 | Huawei EMUI and Huawei HarmonyOS security vulnerability | HarmonyOS | 8.4 | High | 2025-04-07 |
| CVE-2025-22223 | VMware Spring Security security vulnerability | Spring Security | 5.3 | Medium | 2025-03-24 |
| CVE-2024-54085 | Redfish Authentication Bypass | MegaRAC-SPx | 9.4 | - | 2025-03-11 |
| CVE-2025-27616 | Vela Server has Insufficient Webhook Payload Data Verification | server | 8.6 | High | 2025-03-10 |
| CVE-2025-22271 | IP Spoofing in CyberArk Endpoint Privilege Manager | Endpoint Privilege Manager | 7.5 | - | 2025-02-28 |
| CVE-2025-25055 | JIP InfoBridge FileMegane security vulnerability | FileMegane | 7.5 | - | 2025-02-17 |
| CVE-2025-1298 | TECNO com.transsion.carlcare security vulnerability | com.transsion.carlcare | 9.8 | - | 2025-02-14 |
| CVE-2025-25182 | Stroom Authentication/Authorization Bypass when using AWS ALB | stroom | 9.4 | Critical | 2025-02-12 |
| CVE-2022-3180 | WPGateway <= 3.5 - Unauthenticated Privilege Escalation | WPGateway | 9.8 | - | 2025-02-11 |
| CVE-2025-1104 | D-Link DHP-W310AV authentication spoofing | DHP-W310AV | 7.3 | High | 2025-02-07 |
| CVE-2025-21415 | Azure AI Face Service Elevation of Privilege Vulnerability | Azure AI Face Service | 9.9 | Critical | 2025-01-29 |
| CVE-2025-24628 | WordPress reCaptcha by BestWebSoft Plugin <= 1.78 - Captcha Bypass vulnerability | Google Captcha | 5.3 | Medium | 2025-01-27 |
| CVE-2024-55925 | API Security bypass through header manipulation | Xerox Workplace Suite | 7.5 | High | 2025-01-23 |
| CVE-2025-24458 | JetBrains YouTrack security vulnerability | YouTrack | 7.1 | High | 2025-01-21 |
| CVE-2024-13061 | 2100 Technology Electronic Official Document Management System - Authentication Bypass | Official Document Management System | 9.8 | Critical | 2024-12-31 |
| CVE-2024-12108 | WhatsUp Gold - Public API signing key rotation issue | WhatsUp Gold | 9.6 | Critical | 2024-12-31 |
| CVE-2023-41133 | WordPress Secure Admin IP plugin <= 2.0 - IP Spoofing vulnerability | Secure Admin IP | 5.3 | Medium | 2024-12-13 |
| CVE-2024-50380 | Authentication Bypass by Spoofing in Snap One OVRC cloud | OVRC cloud | 8.2 | - | 2024-12-02 |
| CVE-2024-36466 | Unauthenticated Zabbix frontend takeover when SSO is being used | Zabbix | 8.8 | High | 2024-11-28 |
| CVE-2024-8935 | Schneider Electric Modicon M340 security vulnerability | Modicon M340 CPU (part numbers BMXP34*) | 7.5 | High | 2024-11-13 |
| CVE-2024-51504 | Apache ZooKeeper: Authentication bypass with IP-based authentication in Admin Server | Apache ZooKeeper | 9.1 | Critical | 2024-11-07 |
| CVE-2024-20384 | Cisco Firepower Threat Defense and Cisco Adaptive Security Appliance security vulnerability | Cisco Adaptive Security Appliance (ASA) Software | 5.8 | Medium | 2024-10-23 |
| CVE-2024-20299 | Cisco Adaptive Security Appliance and Firepower Threat Defense AnyConnect Access Control List Bypass Vulnerability | Cisco Adaptive Security Appliance (ASA) Software | 5.8 | Medium | 2024-10-23 |
| CVE-2024-20297 | Cisco Adaptive Security Appliance and Firepower Threat Defense AnyConnect Access Control List Bypass Vulnerability | Cisco Adaptive Security Appliance (ASA) Software | 5.8 | Medium | 2024-10-23 |
| CVE-2024-10125 | Lack of JWT issuer and signer validation | Amazon.ApplicationLoadBalancer.Identity.AspNetCore Middleware | 7.5 | High | 2024-10-21 |
| CVE-2024-8901 | Lack of JWT issuer and signer validation | AWS ALB Route Directive Adapter For Istio | 7.5 | High | 2024-10-21 |
| CVE-2024-45453 | WordPress Maintenance Redirect plugin <= 2.0.1 - IP Bypass vulnerability | Maintenance Redirect | 3.7 | Low | 2024-09-23 |
| CVE-2024-6678 | Authentication Bypass by Spoofing in GitLab | GitLab | 9.9 | Critical | 2024-09-12 |
| CVE-2024-44104 | Ivanti Workspace Control security vulnerability | Workspace Control | 8.8 | High | 2024-09-10 |
| CVE-2024-43944 | WordPress Maintenance & Coming Soon Redirect Animation plugin <= 2.3.3 - Bypass vulnerability | Maintenance & Coming Soon Redirect Animation | 3.7 | Low | 2024-08-29 |

CVSS is the base score as recorded by this site; a "-" in the Severity column means no qualitative rating was recorded for that entry. Entries whose title is only "security vulnerability" carry no descriptive title in the source feed; consult the CVE record for the actual issue.

Vulnerabilities classified as CWE-290 (Authentication Bypass by Spoofing) total 245 CVEs. The CWE taxonomy describes the weakness pattern only; review the individual CVEs for product-specific impact.