CWE-1390
Notifications pour un CWE
Restez informé de toutes modifications pour un CWE spécifique.
Nom: Weak Authentication
The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct.
Description du CWE
Attackers may be able to bypass weak authentication faster and/or with less effort than expected.
Informations générales
Modes d'introduction
Architecture and DesignImplementation
Plateformes applicables
Langue
Class: Not Language-Specific (Undetermined)Technologies
Class: ICS/OT (Undetermined)Class: Not Technology-Specific (Undetermined)
Conséquences courantes
| Portée | Impact | Probabilité |
|---|---|---|
| Integrity Confidentiality Availability Access Control | Read Application Data, Gain Privileges or Assume Identity, Execute Unauthorized Code or Commands Note: This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even execute arbitrary code. |
Exemples observés
| Références | Description |
|---|---|
CVE-2022-30034 | Chain: Web UI for a Python RPC framework does not use regex anchors to validate user login emails (CWE-777), potentially allowing bypass of OAuth (CWE-1390). |
CVE-2022-35248 | Chat application skips validation when Central Authentication Service (CAS) is enabled, effectively removing the second factor from two-factor authentication |
CVE-2021-3116 | Chain: Python-based HTTP Proxy server uses the wrong boolean operators (CWE-480) causing an incorrect comparison (CWE-697) that identifies an authN failure if all three conditions are met instead of only one, allowing bypass of the proxy authentication (CWE-1390) |
CVE-2022-29965 | Distributed Control System (DCS) uses a deterministic algorithm to generate utility passwords |
CVE-2022-29959 | Initialization file contains credentials that can be decoded using a "simple string transformation" |
CVE-2020-8994 | UART interface for AI speaker uses empty password for root shell |
Notes de cartographie des vulnérabilités
Justification : This CWE entry is a Class and might have Base-level children that would be more appropriateCommentaire : Examine children of this entry to see if there is a better fit
Références
REF-1283
OT:ICEFALL: The legacy of "insecure by design" and its implications for certifications and risk managementForescout Vedere Labs.
https://www.forescout.com/resources/ot-icefall-report/
Soumission
| Nom | Organisation | Date | Date de publication | Version |
|---|---|---|---|---|
| CWE Content Team | MITRE | 4.9 |
Modifications
| Nom | Organisation | Date | Commentaire |
|---|---|---|---|
| CWE Content Team | MITRE | updated Applicable_Platforms, Demonstrative_Examples, Observed_Examples, References, Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Mapping_Notes | |
| CWE Content Team | MITRE | updated Observed_Examples | |
| CWE Content Team | MITRE | updated Observed_Examples |
Les informations affichées sur CVE Find proviennent de plusieurs sources de référence rigoureusement sélectionnées. Les données CVE sont fournies par MITRE Corporation et la National Vulnerability Database (NVD). Le catalogue des vulnérabilités activement exploitées (KEV) provient de la Cybersecurity and Infrastructure Security Agency (CISA), tandis que les scores EPSS sont issus de FIRST.org. Enfin, les données relatives aux faiblesses logicielles (CWE) et aux schémas d'attaque courants (CAPEC)
sont maintenues par MITRE Corporation, et les informations sur les configurations
logicielles et matérielles (CPE) proviennent du NVD.