245 vulnerabilities classified as CWE-290 (使用欺骗进行的认证绕过). AI Chinese analysis included.
CWE-290 represents a critical authentication weakness where systems fail to properly validate the origin of identity claims, allowing attackers to bypass security controls through spoofing. This vulnerability typically arises when authentication mechanisms rely on easily forged data, such as IP addresses or HTTP headers, without implementing robust verification. Attackers exploit this by injecting malicious or manipulated credentials that mimic legitimate users, thereby gaining unauthorized access to sensitive resources or administrative functions. To mitigate this risk, developers must implement multi-factor authentication and ensure that identity verification relies on cryptographically secure tokens rather than easily spoofable network identifiers. Additionally, rigorous input validation and strict adherence to secure authentication protocols, such as OAuth or OpenID Connect, help prevent attackers from impersonating valid entities, ensuring that only genuinely authenticated users can access protected systems.
String sourceIP = request.getRemoteAddr(); if (sourceIP != null && sourceIP.equals(APPROVED_IP)) { authenticated = true; }sd = socket(AF_INET, SOCK_DGRAM, 0); serv.sin_family = AF_INET; serv.sin_addr.s_addr = htonl(INADDR_ANY); servr.sin_port = htons(1008); bind(sd, (struct sockaddr *) & serv, sizeof(serv)); while (1) { memset(msg, 0x0, MAX_MSG); clilen = sizeof(cli); if (inet_ntoa(cli.sin_addr)==getTrustedAddress()) { n = recvfrom(sd, msg, MAX_MSG, 0, (struct sockaddr *) & cli, &clilen); } }while(true) { DatagramPacket rp=new DatagramPacket(rData,rData.length); outSock.receive(rp); String in = new String(p.getData(),0, rp.getLength()); InetAddress clientIPAddress = rp.getAddress(); int port = rp.getPort(); if (isTrustedAddress(clientIPAddress) & secretKey.equals(in)) { out = secret.getBytes(); DatagramPacket sp =new DatagramPacket(out,out.length, IPAddress, port); outSock.send(sp); } }| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2019-18259 | Omron PLC CJ series和CS series 安全漏洞 — Omron PLC CJ and CS Series | 9.8 | - | 2019-12-16 |
| CVE-2019-3884 | Red Hat OpenShift 授权问题漏洞 — atomic-openshift | 5.4 | - | 2019-08-01 |
| CVE-2019-3775 | UAA allows users to modify their own email address — UAA Release (OSS) | 8.1 | - | 2019-03-07 |
| CVE-2018-15715 | Zoom Client 安全漏洞 — Zoom | 9.8 | - | 2018-11-30 |
| CVE-2017-14003 | LAVA Ether-Serial Link 授权问题漏洞 — LAVA Computer MFG Inc. Ether-Serial Link | 9.8 | - | 2017-10-11 |
Vulnerabilities classified as CWE-290 (使用欺骗进行的认证绕过) represent 245 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.