CWE-302 使用假设不可变数据进行的认证绕过 类弱点 29 条 CVE 漏洞汇总,含 AI 中文分析。
CWE-302 属于认证绕过漏洞,指系统错误假设某些关键数据不可变,而攻击者实际能控制或修改这些数据。攻击者通常通过篡改会话令牌、缓存数据或配置参数,欺骗认证机制从而获取未授权访问权限。开发者应避免依赖易变数据作为安全判断依据,需实施严格的数据完整性校验,确保认证关键信息在存储和传输过程中不被恶意篡改,以保障身份验证的可靠性。
boolean authenticated = new Boolean(getCookieValue("authenticated")).booleanValue(); if (authenticated) { ... }| CVE ID | 标题 | CVSS | 风险等级 | Published |
|---|---|---|---|---|
| CVE-2026-28510 | elabftw 登录绕过多因素认证漏洞 — elabftw | 5.9 | Medium | 2026-05-05 |
| CVE-2026-27840 | ZITADEL 安全漏洞 — zitadel | 4.3 | Medium | 2026-02-26 |
| CVE-2024-45370 | Socomec Easy Config System 安全漏洞 — Easy Config System | 7.3 | High | 2025-12-01 |
| CVE-2025-47158 | Microsoft Azure DevOps 安全漏洞 — Azure DevOps | 9.0 | Critical | 2025-07-18 |
| CVE-2025-20285 | Cisco ISE和Cisco ISE-PIC 安全漏洞 — Cisco Identity Services Engine Software | 4.1 | Medium | 2025-07-16 |
| CVE-2025-46647 | Apache Apisix 安全漏洞 — Apache APISIX | 7.5AI | HighAI | 2025-07-02 |
| CVE-2025-29813 | Microsoft Visual Studio 安全漏洞 — Azure DevOps | 10.0 | Critical | 2025-05-08 |
| CVE-2025-26522 | Rupeeseed RupeeWeb 安全漏洞 — RupeeWeb | 8.1 | - | 2025-02-14 |
| CVE-2024-56404 | One Identity Identity Manager 安全漏洞 — Identity Manager | 9.9 | Critical | 2025-01-24 |
| CVE-2024-12838 | CHANGING CGFIDO 安全漏洞 — CGFIDO | 8.8 | High | 2024-12-31 |
| CVE-2024-43441 | Apache HugeGraph 安全漏洞 — Apache HugeGraph-Server | 9.8 | - | 2024-12-24 |
| CVE-2024-8475 | Digital Operation Services WiFiBurada 安全漏洞 — WiFiBurada | 6.5 | Medium | 2024-12-17 |
| CVE-2024-49056 | Microsoft airlift.microsoft.com 安全漏洞 — airlift.microsoft.com | 7.3 | High | 2024-11-12 |
| CVE-2024-47086 | Apex Softcell LD DP Back Office 安全漏洞 — LD DP Back Office | 6.5AI | MediumAI | 2024-09-19 |
| CVE-2024-3462 | Ant Media Server 安全漏洞 — Ant Media Server Community Edition | 5.3 | - | 2024-05-13 |
| CVE-2024-4024 | GitLab CE/EE 安全漏洞 — GitLab | 7.3 | High | 2024-04-25 |
| CVE-2024-22179 | Electrolink FM/DAB/TV Transmitter 安全漏洞 — Compact DAB Transmitter | 7.5 | High | 2024-04-18 |
| CVE-2024-3741 | Electrolink FM/DAB/TV Transmitter 安全漏洞 — Compact DAB Transmitter | 7.5 | High | 2024-04-18 |
| CVE-2023-47127 | TYPO3 安全漏洞 — typo3 | 4.2 | Medium | 2023-11-14 |
| CVE-2023-4612 | Apereo CAS 授权问题漏洞 — CAS | 9.1 | - | 2023-11-09 |
| CVE-2023-4669 | Exagate SYSGuard 授权问题漏洞 — SYSGuard 3001 | 9.8 | Critical | 2023-09-14 |
| CVE-2022-3875 | Click Studios Passwordstate 授权问题漏洞 — Passwordstate | 7.3 | High | 2022-12-19 |
| CVE-2022-40703 | AliveCor KardiaMobile 授权问题漏洞 — Kardia App | 5.2 | Medium | 2022-10-26 |
| CVE-2022-2503 | Google Dm-verity 授权问题漏洞 — Linux Kernel | 6.9 | Medium | 2022-08-12 |
| CVE-2022-22729 | Yokogawa Exaopc 授权问题漏洞 — CENTUM CS 3000 | 9.8 | - | 2022-03-11 |
| CVE-2021-1561 | Cisco Secure Email 授权问题漏洞 — Cisco Content Security Management Appliance (SMA) | 5.4 | Medium | 2021-08-18 |
| CVE-2021-1399 | Cisco Cisco Self Care Portal 安全漏洞 — Cisco Unified Communications Manager | 4.3 | Medium | 2021-04-08 |
| CVE-2020-15074 | OpenVPN 代码问题漏洞 — OpenVPN Access Server | 7.5 | - | 2020-07-14 |
| CVE-2016-9482 | PHP FormMail Generator 授权问题漏洞 — Generator | 9.8 | - | 2018-07-13 |
CWE-302(使用假设不可变数据进行的认证绕过) 是常见的弱点类别,本平台收录该类弱点关联的 29 条 CVE 漏洞。