CWE-1390 Detail

CWE-1390: Weak Authentication
Status: Incomplete
Released: 2022-10-13 00:00 +00:00
Last modified: 2024-02-29 00:00 +00:00

Name: Weak Authentication

The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct.

CWE Description

Attackers may be able to bypass weak authentication faster and/or with less effort than expected.

General Information

Modes Of Introduction

Architecture and Design
Implementation

Applicable Platforms

Language

Class: Not Language-Specific (Undetermined)

Technologies

Class: ICS/OT (Undetermined)
Class: Not Technology-Specific (Undetermined)

Common Consequences

Scope: Integrity, Confidentiality, Availability, Access Control
Impact: Read Application Data, Gain Privileges or Assume Identity, Execute Unauthorized Code or Commands
Likelihood: (none listed)

Note: This weakness can expose resources or functionality to unintended actors, possibly giving attackers sensitive information or even the ability to execute arbitrary code.

Observed Examples

CVE-2022-30034: Chain: Web UI for a Python RPC framework does not use regex anchors to validate user login emails (CWE-777), potentially allowing bypass of OAuth (CWE-1390).

CVE-2022-35248: Chat application skips validation when Central Authentication Service (CAS) is enabled, effectively removing the second factor from two-factor authentication.

CVE-2021-3116: Chain: Python-based HTTP proxy server uses the wrong boolean operators (CWE-480), causing an incorrect comparison (CWE-697) that identifies an authN failure only if all three conditions are met instead of only one, allowing bypass of the proxy authentication (CWE-1390).

CVE-2022-29965: Distributed Control System (DCS) uses a deterministic algorithm to generate utility passwords.

CVE-2022-29959: Initialization file contains credentials that can be decoded using a "simple string transformation".

CVE-2020-8994: UART interface for AI speaker uses an empty password for the root shell.
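The regex-anchor failure behind CVE-2022-30034 above, as an added example that is not part of the CWE entry: an email allowlist check written with an unanchored pattern (CWE-777) beside the anchored form and an equivalent non-regex check. The allowed domains and login strings are constructed placeholders.

```python
import re

# Constructed allowlist of identity-provider domains (placeholder values, not from the CWE entry).
ALLOWED_DOMAINS = ("example.com", "corp.example")

# Alternation of the allowed domains with metacharacters escaped (so "." is literal).
_DOMAIN_ALT = "|".join(re.escape(d) for d in ALLOWED_DOMAINS)


def is_allowed_email_unanchored(email: str) -> bool:
    """Weak check (CWE-777 -> CWE-1390): the pattern has no ^/$ anchors and is used
    with re.search, so any address that merely CONTAINS "<local>@<allowed domain>"
    passes, including one whose real domain is something else entirely."""
    pattern = r"[^@\s]+@(" + _DOMAIN_ALT + ")"
    return re.search(pattern, email, flags=re.IGNORECASE) is not None


def is_allowed_email_anchored(email: str) -> bool:
    """Hardened check: re.fullmatch anchors both ends, the local part excludes '@',
    and nothing may follow the domain alternation, so the entire address must be
    exactly <local>@<allowed domain>."""
    pattern = r"[A-Za-z0-9._%+-]+@(" + _DOMAIN_ALT + ")"
    return re.fullmatch(pattern, email, flags=re.IGNORECASE) is not None


def is_allowed_email_parsed(email: str) -> bool:
    """Equivalent non-regex check: split on the last '@' and compare the domain
    exactly, which sidesteps anchor mistakes altogether."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or "@" in local:
        return False
    return domain.lower() in ALLOWED_DOMAINS


if __name__ == "__main__":
    # Constructed login attempts: the last two carry an allowed domain only as a substring.
    for candidate in ("alice@example.com",
                      "attacker@example.com.evil.test",
                      "x@evil.test?redirect=@corp.example"):
        print(f"{candidate:40} unanchored={is_allowed_email_unanchored(candidate)!s:5} "
              f"anchored={is_allowed_email_anchored(candidate)!s:5} "
              f"parsed={is_allowed_email_parsed(candidate)}")
```

Only the unanchored variant accepts the two substring-only addresses; the anchored and parsed checks reject them.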

Vulnerability Mapping Notes

Justification: This CWE entry is a Class and might have Base-level children that would be more appropriate.
Comment: Examine children of this entry to see if there is a better fit.


Submission

CWE Content Team (MITRE), submitted 2022-10-05 +00:00, released 2022-10-13 +00:00, version 4.9

Modifications

2023-01-31 +00:00: CWE Content Team (MITRE) updated Applicable_Platforms, Demonstrative_Examples, Observed_Examples, References, Relationships
2023-04-27 +00:00: CWE Content Team (MITRE) updated Relationships
2023-06-29 +00:00: CWE Content Team (MITRE) updated Mapping_Notes
2023-10-26 +00:00: CWE Content Team (MITRE) updated Observed_Examples
2024-02-29 +00:00: CWE Content Team (MITRE) updated Observed_Examples