
CWE-309 Use of Password System for Primary Authentication: vulnerability list (1)

Summary of the 1 CVE associated with the weakness class CWE-309 (Use of Password System for Primary Authentication), with AI-generated Chinese analysis.

CWE-309 is an authentication weakness: the system relies on passwords as its primary (often only) means of authentication. Attackers typically bypass such a mechanism with weak passwords, credential stuffing or brute-force guessing. Developers should avoid a single password factor and instead implement multi-factor authentication (MFA), combining the password with a biometric or hardware token, and enforce a strong password policy together with account lockout; this significantly raises the security of the authentication step.

MITRE CWE official description
CWE: CWE-309 Use of Password System for Primary Authentication. Description: using a password system as the primary means of authentication may be subject to several flaws or shortcomings, each of which reduces the effectiveness of the mechanism.
Common consequences (1)
Access Control: Bypass Protection Mechanism, Gain Privileges or Assume Identity
A password authentication mechanism error will almost always result in attackers being authorized as valid users.
Mitigations (5)
Architecture and Design: In order to protect password systems from compromise, the following should be noted: Passwords should be stored safely to prevent insider attack and to ensure that -- if a system is compromised -- the passwords are not retrievable. Due to password reuse, this information may be useful in the compromise of other systems these users work with. In order to protect these passwords, they should be stor…
Architecture and Design: Use a zero-knowledge password protocol, such as SRP.
Architecture and Design: Ensure that passwords are stored safely and are not reversible.
Architecture and Design: Implement password aging functionality that requires passwords be changed after a certain point.
Architecture and Design: Use a mechanism for determining the strength of a password and notify the user of weak password use.
Code examples (1)
In both of these examples, a user is logged in if their given password matches a stored password:

```c
unsigned char *check_passwd(char *plaintext) {
    ctext = simple_digest("sha1", plaintext, strlen(plaintext), ... );
    // Login if hash matches stored hash: the password is the only factor checked
    if (equal(ctext, secret_password())) {
        login_user();
    }
}
```
Bad · C
```java
String plainText = new String(plainTextIn);
MessageDigest encer = MessageDigest.getInstance("SHA");
encer.update(plainTextIn);
byte[] digest = encer.digest();   // digest of the supplied password
// Login if hash matches stored hash: the password is the only factor checked
if (equal(digest, secret_password())) {
    login_user();
}
```
Bad · Java
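The two examples above accept a login on a single unsalted hash comparison. As an added illustration of the mitigations listed earlier (not code from MITRE or from this platform), the Python below stores the password as a salted, non-reversible PBKDF2 hash and requires a second factor, an RFC 6238 TOTP code, before granting access; the credential record and the shared TOTP secret are constructed for the demo.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# OWASP-recommended work factor for PBKDF2-HMAC-SHA256 (assumption for this demo).
PBKDF2_ITERATIONS = 600_000


def make_record(password: str, totp_secret: bytes) -> dict:
    """Build a stored credential: random salt + PBKDF2 hash (not reversible).
    A real system would keep the TOTP secret encrypted at rest."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "pw_hash": pw_hash, "totp_secret": totp_secret}


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 with a 30-second time step."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def verify_login(record: dict, password: str, code: str, now: Optional[int] = None) -> bool:
    """Grant access only when BOTH the password and a current TOTP code verify.
    The password alone is never sufficient, which is what CWE-309 asks for."""
    now = int(time.time()) if now is None else now
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], PBKDF2_ITERATIONS)
    password_ok = hmac.compare_digest(candidate, record["pw_hash"])  # constant time
    # Accept the current step and one step either side to tolerate clock drift.
    code_ok = any(hmac.compare_digest(totp(record["totp_secret"], now + d * 30), code)
                  for d in (-1, 0, 1))
    # Both factors are evaluated unconditionally so timing does not reveal which failed.
    return password_ok and code_ok
```

The TOTP values for the secret `12345678901234567890` match the RFC 4226/6238 test vectors (counter 0 gives 755224, counter 1 gives 287082), which makes the second factor easy to check offline.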
| CVE ID | Title | CVSS | Risk level | Published |
| --- | --- | --- | --- | --- |
| CVE-2024-45675 | IBM Informix Dynamic Server security vulnerability — Informix Dynamic Server | 8.4 | High | 2025-12-02 |

CWE-309 (Use of Password System for Primary Authentication) is a common weakness class; this platform lists 1 CVE associated with it.