CWE-308 (Use of Single-factor Authentication) — Vulnerability Class 8

8 vulnerabilities classified as CWE-308 (Use of Single-factor Authentication). AI Chinese-language analysis included.

CWE-308 represents a critical authentication weakness where systems rely on a single credential, such as a password, for access control in contexts demanding higher assurance. Attackers typically exploit this vulnerability by employing brute-force attacks, credential stuffing, or phishing to steal the solitary factor, thereby gaining unauthorized entry without needing to bypass additional security layers. This single point of failure significantly lowers the barrier for malicious actors to compromise user accounts and sensitive data. To mitigate this risk, developers must implement multi-factor authentication (MFA) solutions that require two or more distinct verification methods, such as combining something the user knows with something they have or are. By integrating diverse factors, organizations ensure that compromising one element does not result in total system breach, thereby substantially enhancing overall security posture and resilience against common credential-based attacks.

MITRE CWE Description
The product uses an authentication algorithm that uses a single factor (e.g., a password) in a security context that should require more than one factor.
Common Consequences (1)
Scope: Access Control · Impact: Bypass Protection Mechanism
If the secret in a single-factor authentication scheme gets compromised, full authentication is possible.
Mitigations (1)
Phase: Architecture and Design
Use multiple independent authentication schemes, which ensures that -- if one of the methods is compromised -- the system itself is still likely safe from compromise. For this reason, if multiple schemes are possible, they should be implemented and required -- especially if they are easy to use.
Examples (1)
In both of these examples, a user is logged in if their given password matches a stored password; the password is the only factor checked:

Bad · C

```c
unsigned char *check_passwd(char *plaintext) {
    ctext = simple_digest("sha1", plaintext, strlen(plaintext), ... );
    // Login if hash matches stored hash
    if (equal(ctext, secret_password())) {
        login_user();
    }
}
```

Bad · Java

```java
String plainText = new String(plainTextIn);
MessageDigest encer = MessageDigest.getInstance("SHA");
encer.update(plainTextIn);
byte[] digest = encer.digest();  // digest taken from the MessageDigest instance
// Login if hash matches stored hash
if (equal(digest, secret_password())) {
    login_user();
}
```
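The mitigated form of the check above, as an added example that is not part of the CWE entry: the password stays one factor, verified against a salted PBKDF2 hash with a constant-time compare, and an RFC 6238 TOTP code is required as a second, independent factor, so a stolen password alone no longer completes authentication. The credential record, salt and TOTP secret are constructed demo values (the TOTP seed is the RFC 6238 test-vector seed), and the function names are assumptions for this example.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo credential record. In production the salt and hash come
# from the credential store and the TOTP secret from device enrollment.
SALT = b"constructed-demo-salt"
PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000)
TOTP_SECRET = b"12345678901234567890"  # RFC 6238 test-vector seed
TOTP_STEP = 30


def check_passwd(plaintext: str) -> bool:
    """Factor 1 (something you know): the single check the CWE examples rely on."""
    digest = hashlib.pbkdf2_hmac("sha256", plaintext.encode(), SALT, 100_000)
    return hmac.compare_digest(digest, PASSWORD_HASH)


def totp(secret: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, dynamic truncation) for the step containing `now`."""
    counter = struct.pack(">Q", now // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def check_totp(code: str, now: int, window: int = 1) -> bool:
    """Factor 2 (something you have): accept +/- `window` steps for clock skew."""
    matched = False
    for drift in range(-window, window + 1):
        expected = totp(TOTP_SECRET, now + drift * TOTP_STEP)
        matched |= hmac.compare_digest(expected, code)
    return matched


def login(plaintext: str, code: Optional[str], now: Optional[int] = None) -> bool:
    """Mitigated login: both independent factors must pass; a missing code fails."""
    now = int(time.time()) if now is None else now
    if code is None or not (code.isascii() and code.isdigit()):
        return False
    # Evaluate both factors unconditionally so a bad password and a bad code
    # take the same path rather than returning early on the first failure.
    pw_ok = check_passwd(plaintext)
    otp_ok = check_totp(code, now)
    return pw_ok and otp_ok
```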
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-33550 | SOGo security vulnerability — SOGo | 2.0 | Low | 2026-03-22 |
| CVE-2025-64103 | Zitadel Bypass Second Authentication Factor — zitadel | 9.1 | Critical | 2025-10-29 |
| CVE-2025-42959 | Missing Authentication check after implementation of SAP Security Note 3007182 and 3537476 — SAP NetWeaver ABAP Server and ABAP Platform | 8.1 | High | 2025-07-08 |
| CVE-2024-47652 | Insecure Authentication Vulnerability — Client Dashboard | 9.8 | - | 2024-10-04 |
| CVE-2023-25681 | IBM Spectrum Virtualize security bypass — Spectrum Virtualize | 5.3 | Medium | 2024-03-05 |
| CVE-2023-50934 | IBM PowerSC improper authentication — PowerSC | 5.3 | Medium | 2024-02-02 |
| CVE-2023-49075 | Pimcore Admin UI has Two Factor Authentication disabled for non admin security firewalls — admin-ui-classic-bundle | 8.5 | High | 2023-11-28 |
| CVE-2023-34228 | JetBrains TeamCity security vulnerability — TeamCity | 5.3 | Medium | 2023-05-31 |

Vulnerabilities classified as CWE-308 (Use of Single-factor Authentication) represent 8 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.