CWE-1390: Weak Authentication
CWE Version: 4.18
Last updated: 2025-09-09
Weakness Description
The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct.
Common Consequences
Scope: Integrity, Confidentiality, Availability, Access Control
Technical Impact: Read Application Data; Gain Privileges or Assume Identity; Execute Unauthorized Code or Commands
Note: This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even the ability to execute arbitrary code.
Observed Examples
Reference: CVE-2022-30034
Chain: Web UI for a Python RPC framework does not use regex anchors to validate user login emails (CWE-777), potentially allowing bypass of OAuth (CWE-1390).
Reference: CVE-2022-35248
Chat application skips validation when Central Authentication Service (CAS) is enabled, effectively removing the second factor from two-factor authentication.
Reference: CVE-2021-3116
Chain: Python-based HTTP proxy server uses the wrong boolean operators (CWE-480), causing an incorrect comparison (CWE-697) that identifies an authentication failure only if all three conditions are met instead of any one of them, allowing bypass of the proxy authentication (CWE-1390).
Reference: CVE-2022-29965
Distributed Control System (DCS) uses a deterministic algorithm to generate utility passwords.
Reference: CVE-2022-29959
Initialization file contains credentials that can be decoded using a "simple string transformation".
Reference: CVE-2020-8994
UART interface for AI speaker uses an empty password for the root shell.
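The first observed example (unanchored regex validation of login emails, CWE-777) is easy to reproduce in miniature. The Python below is an added illustration, not code from CWE or from the affected project; the allowed domain, the sample identities and the function names are constructed for this example. It places the unanchored check beside the anchored one so the difference in what each accepts is visible.

```python
import re

# Constructed for this example: a web UI that only admits logins whose
# OAuth-issued email belongs to one trusted domain.
ALLOWED_DOMAIN = "example.com"
LOCAL_PART = r"[A-Za-z0-9._%+-]+"

# Weak check (CWE-777): no anchors, and re.search() looks for the pattern
# anywhere in the string, so any input that merely *contains* an address
# at the trusted domain is accepted as that identity.
WEAK_EMAIL_RE = re.compile(LOCAL_PART + "@" + re.escape(ALLOWED_DOMAIN))

def is_trusted_login_weak(email: str) -> bool:
    """Unanchored validation: accepts any superstring of a trusted address."""
    return WEAK_EMAIL_RE.search(email) is not None

# Hardened check: the pattern is anchored at both ends (\A and \Z) and
# fullmatch() is used, so the entire string must be exactly one address
# at the trusted domain. A bare "$" would still tolerate a trailing
# newline in Python, which is why \Z plus fullmatch() is used here.
STRICT_EMAIL_RE = re.compile(
    r"\A" + LOCAL_PART + "@" + re.escape(ALLOWED_DOMAIN) + r"\Z"
)

def is_trusted_login_strict(email: str) -> bool:
    """Anchored validation: the whole string must be one trusted address."""
    return STRICT_EMAIL_RE.fullmatch(email) is not None

def compare_checks(email: str) -> "tuple[bool, bool]":
    """Return (weak_result, strict_result) for one claimed login identity."""
    return is_trusted_login_weak(email), is_trusted_login_strict(email)

if __name__ == "__main__":
    # Constructed sample identities: only the first is genuinely at the
    # trusted domain, yet the weak check accepts all four.
    for candidate in ("alice@example.com",
                      "alice@example.com.other.test",
                      "bob@other.test?x=alice@example.com",
                      "alice@example.com\n"):
        weak, strict = compare_checks(candidate)
        print(f"{candidate!r:45} weak={weak!s:5} strict={strict}")
```

The same mistake applies to any allow-list built from a substring or unanchored regex match; the fix is to match the whole identity string, not a fragment of it.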
Modes of Introduction
| Phase | Note |
|---|---|
| Architecture and Design | - |
| Implementation | - |