Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-290 (使用欺骗进行的认证绕过) — Vulnerability Class 245

245 vulnerabilities classified as CWE-290 (使用欺骗进行的认证绕过). AI Chinese analysis included.

CWE-290 represents a critical authentication weakness where systems fail to properly validate the origin of identity claims, allowing attackers to bypass security controls through spoofing. This vulnerability typically arises when authentication mechanisms rely on easily forged data, such as IP addresses or HTTP headers, without implementing robust verification. Attackers exploit this by injecting malicious or manipulated credentials that mimic legitimate users, thereby gaining unauthorized access to sensitive resources or administrative functions. To mitigate this risk, developers must implement multi-factor authentication and ensure that identity verification relies on cryptographically secure tokens rather than easily spoofable network identifiers. Additionally, rigorous input validation and strict adherence to secure authentication protocols, such as OAuth or OpenID Connect, help prevent attackers from impersonating valid entities, ensuring that only genuinely authenticated users can access protected systems.

MITRE CWE Description
This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
Common Consequences (1)
Access ControlBypass Protection Mechanism, Gain Privileges or Assume Identity
This weakness can allow an attacker to access resources which are not otherwise accessible without proper authentication.
Examples (2)
The following code authenticates users.
String sourceIP = request.getRemoteAddr(); if (sourceIP != null && sourceIP.equals(APPROVED_IP)) { authenticated = true; }
Bad · Java
Both of these examples check if a request is from a trusted address before responding to the request.
sd = socket(AF_INET, SOCK_DGRAM, 0); serv.sin_family = AF_INET; serv.sin_addr.s_addr = htonl(INADDR_ANY); servr.sin_port = htons(1008); bind(sd, (struct sockaddr *) & serv, sizeof(serv)); while (1) { memset(msg, 0x0, MAX_MSG); clilen = sizeof(cli); if (inet_ntoa(cli.sin_addr)==getTrustedAddress()) { n = recvfrom(sd, msg, MAX_MSG, 0, (struct sockaddr *) & cli, &clilen); } }
Bad · C
while(true) { DatagramPacket rp=new DatagramPacket(rData,rData.length); outSock.receive(rp); String in = new String(p.getData(),0, rp.getLength()); InetAddress clientIPAddress = rp.getAddress(); int port = rp.getPort(); if (isTrustedAddress(clientIPAddress) & secretKey.equals(in)) { out = secret.getBytes(); DatagramPacket sp =new DatagramPacket(out,out.length, IPAddress, port); outSock.send(sp); } }
Bad · Java
CVE IDTitleCVSSSeverityPublished
CVE-2023-48396 Apache SeaTunnel Web: Authentication bypass — Apache SeaTunnel Web 9.8AICriticalAI2024-07-30
CVE-2024-41107 Apache CloudStack: SAML Signature Exclusion — Apache CloudStack 9.8 -2024-07-19
CVE-2023-40356 PingOne MFA Integration Kit MFA bypass — PingOne MFA Integration Kit for PingFederate 5.3AIMediumAI2024-07-09
CVE-2023-40702 PingOne MFA Integration Kit MFA bypass — PingOne MFA Integration Kit for PingFederate 8.1AIHighAI2024-07-09
CVE-2024-37430 WordPress Patreon WordPress plugin <= 1.9.0 - Image Protection Bypass vulnerability — Patreon WordPress 5.3 Medium2024-07-09
CVE-2024-6163 local IP restriction of internal HTTP endpoints — Checkmk 5.3 Medium2024-07-08
CVE-2024-37082 Cloud Foundry 安全漏洞 — haproxy-boshrelease 9.1 Critical2024-07-03
CVE-2024-39350 Synology Camera Firmware 安全漏洞 — Camera Firmware 7.5 High2024-06-28
CVE-2024-5812 Smart Rule Overwrite Bypass in BeyondInsight PasswordSafe — BeyondInsight PasswordSafe 3.3 Low2024-06-11
CVE-2024-35749 WordPress Under Construction / Maintenance Mode from Acurax plugin <= 2.6 - IP Bypass vulnerability — Under Construction / Maintenance Mode from Acurax 3.7 Low2024-06-10
CVE-2024-5037 Openshift/telemeter: iss check during jwt authentication can be bypassed 7.5 High2024-06-05
CVE-2023-52176 WordPress Malware Scanner plugin <= 4.7.1 - IP Restriction Bypass vulnerability — Malware Scanner 5.3 Medium2024-06-04
CVE-2023-51667 WordPress Rate my Post – WP Rating System plugin <= 3.4.2 - Broken Access Control vulnerability — Rate my Post – WP Rating System 5.3 Medium2024-06-04
CVE-2023-51543 WordPress RegistrationMagic plugin <= 5.2.5.0 - IP Limit Bypass vulnerability — RegistrationMagic 5.3 Medium2024-06-04
CVE-2023-51542 WordPress Branda plugin <= 3.4.14 - IP Restriction Bypass vulnerability — Branda 5.3 Medium2024-06-04
CVE-2023-49741 WordPress Coming soon and Maintenance mode plugin <= 3.7.3 - IP Filtering Bypass vulnerability — Coming soon and Maintenance mode 3.7 Low2024-06-04
CVE-2023-48753 WordPress Restricted Site Access plugin <= 7.4.1 - IP Restriction Bypass vulnerability — Restricted Site Access 5.3 Medium2024-06-04
CVE-2023-48271 WordPress Maspik – Spam Blacklist plugin <= 0.10.3 - IP Filtering Bypass vulnerability — Maspik – Spam blacklist 5.3 Medium2024-06-04
CVE-2023-47769 WordPress WP Maintenance plugin <= 6.1.3 - IP Filtering Bypass vulnerability — WP Maintenance 3.7 Low2024-06-04
CVE-2023-41134 WordPress Antispam Bee plugin <= 2.11.3 - Country IP Restriction Bypass vulnerability — Antispam Bee 5.3 Medium2024-06-04
CVE-2023-37865 WordPress IP2Location Country Blocker plugin <= 2.29.1 - IP Bypass Vulnerability vulnerability — Download IP2Location Country Blocker 5.3 Medium2024-06-04
CVE-2024-4358 Registration Authentication Bypass Vulnerability — Telerik Report Server 9.8 Critical2024-05-29
CVE-2024-20363 Cisco 多款产品安全漏洞 — Cisco Firepower Threat Defense Software 5.8 Medium2024-05-22
CVE-2024-32827 WordPress Giveaways and Contests by RafflePress plugin <= 1.12.7 - IP Restriction Bypass vulnerability — Giveaways and Contests 5.3 Medium2024-05-17
CVE-2024-32786 WordPress Royal Elementor Addons and Templates plugin <= 1.3.93 - IP Bypass vulnerability — Royal Elementor Addons 5.3 Medium2024-05-17
CVE-2024-32708 WordPress Maintenance Mode plugin <= 3.0.1 - IP Bypass vulnerability — Maintenance Mode 3.7 Low2024-05-17
CVE-2024-22139 WordPress WordPress Manutenção plugin <= 1.0.6 - Bypass vulnerability — WordPress Manutenção 3.7 Low2024-05-17
CVE-2024-21746 WordPress Wp Ultimate Review plugin <= 2.3.6 - IP limit Bypass vulnerability — Wp Ultimate Review 5.3 Medium2024-05-17
CVE-2024-25595 WordPress Defender Security plugin <= 4.4.1 - IP Restriction Bypass vulnerability — Defender Security 5.3 Medium2024-05-17
CVE-2024-25906 WordPress Comments Like Dislike plugin <= 1.2.2 - IP Restriction Bypass Vulnerability vulnerability — Comments Like Dislike 4.3 Medium2024-05-17

Vulnerabilities classified as CWE-290 (使用欺骗进行的认证绕过) represent 245 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.