CWE-306: Missing Authentication for Critical Function
CWE Version: 4.18
Last Updated: 2025-09-09
Weakness Description
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Common Consequences
Scope: Access Control; Other
Technical Impact: Gain Privileges or Assume Identity; Varies by Context
Note: Exposing critical functionality essentially grants an attacker the privilege level of that functionality. The consequences depend on the functionality exposed, but they range from reading or modifying sensitive data, to accessing administrative or other privileged functionality, to executing arbitrary code.
Potential Mitigations
Phase: Architecture and Design
Description: Divide the product into anonymous, normal, privileged, and administrative areas. Identify which of these areas require a proven user identity, and use a centralized authentication capability.
Phase: Architecture and Design
Description: For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. The modified values are then submitted to the server.
Phase: Architecture and Design
Description: Where possible, avoid implementing custom authentication routines and consider using the authentication capabilities provided by the surrounding framework, operating system, or environment. These make it easier to keep a clear separation between authentication tasks and authorization tasks. In environments such as the web, the line between authentication and authorization is sometimes blurred. If custom authentication routines are required instead of those provided by the server, they must be applied to every single page, since any page can be requested directly.
Phase: Architecture and Design
Strategy: Libraries or Frameworks
Description: Use an authentication framework or library such as the OWASP ESAPI Authentication feature.
Phase: Implementation; System Configuration; Operation
Description: When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to require strong authentication for users who should be allowed to access the data [REF-1297] [REF-1298] [REF-1302].
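The following is an added example, not code from the CWE entry or from any product it cites. It contrasts the two patterns the mitigations above describe: a dispatcher where authentication is opt-in per route, the "admin" decision trusts a client-supplied form field (the CWE-602 bypass), and a library file is reachable directly (the includes/ pattern of CVE-2024-11680); and a hardened dispatcher with one centralized, deny-by-default gate in front of every route. The credential store, session table, routes and product state are all constructed for the example; the password hashing is deliberately simplified (a real product would use argon2 or scrypt).

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed credential store. Assumption: a real product would use a slow
# password hash (argon2/scrypt); plain salted SHA-256 keeps the example short.
_SALT = b"constructed-salt"


def _hash(password):
    return hashlib.sha256(_SALT + password.encode()).digest()


USERS = {"admin": _hash("correct horse battery")}
SESSIONS = {}  # session token -> username, populated by login()
CONFIG = {"upload_dir": "/var/www/uploads"}  # constructed product state


@dataclass
class Request:
    path: str
    form: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def login(req):
    expected = USERS.get(req.form.get("user", ""))
    supplied = _hash(req.form.get("password", ""))
    # compare_digest on the hashes avoids a timing side channel in the comparison
    if expected is None or not hmac.compare_digest(expected, supplied):
        return {"status": 401}
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = req.form["user"]
    return {"status": 200, "set_cookie": token}


def public_index(req):
    return {"status": 200, "body": "welcome"}


def save_config(req):
    # Critical function: rewrites product configuration.
    CONFIG["upload_dir"] = req.form.get("upload_dir", CONFIG["upload_dir"])
    return {"status": 200}


# --- Vulnerable dispatcher: authentication is opt-in per path, the "admin"
# decision trusts a client-supplied form field (CWE-602), and a library file
# is reachable directly with no check at all (the includes/ pattern).
VULN_ROUTES = {
    "/": public_index,
    "/login": login,
    "/admin/save_config": save_config,
    "/includes/config.php": save_config,
}


def dispatch_vulnerable(req):
    handler = VULN_ROUTES.get(req.path)
    if handler is None:
        return {"status": 404}
    if req.path.startswith("/admin/") and req.form.get("is_admin") != "1":
        return {"status": 403}  # forged by sending is_admin=1 in the request
    return handler(req)


# --- Hardened dispatcher: one gate in front of every route, deny by default,
# with an explicit allow-list of anonymous paths. Library files are not routes.
PUBLIC_PATHS = frozenset({"/", "/login"})
ROUTES = {"/": public_index, "/login": login, "/admin/save_config": save_config}


def dispatch_hardened(req):
    handler = ROUTES.get(req.path)
    if handler is None:
        return {"status": 404}
    if req.path not in PUBLIC_PATHS:
        user = SESSIONS.get(req.cookies.get("session", ""))
        if user is None:
            return {"status": 401}  # no proven identity, no critical function
        # Authorization (which user may call which route) is a separate
        # decision (CWE-285) and would be checked here once identity is known.
    return handler(req)


if __name__ == "__main__":
    forged = Request("/admin/save_config", form={"is_admin": "1", "upload_dir": "/tmp/x"})
    print("vulnerable:", dispatch_vulnerable(forged)["status"], CONFIG["upload_dir"])
    print("hardened:  ", dispatch_hardened(forged)["status"])
```

The point of the hardened version is structural: the anonymous set is the exception that must be listed, so a new route or a stray library file cannot be exposed by forgetting a check. Whether the authenticated user is allowed to call the route is a second question (authorization), deliberately left as a comment so the two concerns stay separate.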
Detection Methods
Method: Manual Analysis
Method: Automated Static Analysis
Effectiveness: Limited
Method: Manual Static Analysis - Binary or Bytecode
Effectiveness: SOAR Partial
Method: Dynamic Analysis with Automated Results Interpretation
Effectiveness: SOAR Partial
Method: Dynamic Analysis with Manual Results Interpretation
Effectiveness: SOAR Partial
Method: Manual Static Analysis - Source Code
Effectiveness: SOAR Partial
Method: Automated Static Analysis - Source Code
Effectiveness: SOAR Partial
Method: Architecture or Design Review
Effectiveness: High
Observed Examples
Reference: CVE-2024-11680
File-sharing PHP product does not check whether the user is logged in when serving PHP library files under an includes/ directory, allowing configuration changes, code execution, and other impacts.
Reference: CVE-2022-31260
Chain: a digital asset management program has an undisclosed backdoor in the legacy version of a PHP script (CWE-912) that could allow an unauthenticated user to export metadata (CWE-306).
Reference: CVE-2022-29951
TCP-based protocol in a Programmable Logic Controller (PLC) has no authentication.
Reference: CVE-2022-29952
Condition Monitor firmware uses a protocol that does not require authentication.
Reference: CVE-2022-30276
SCADA-based protocol for bridging WAN and LAN traffic has no authentication.
Reference: CVE-2022-30313
Safety Instrumented System uses proprietary TCP protocols with no authentication.
Reference: CVE-2022-30317
Distributed Control System (DCS) uses a protocol that has no authentication.
Reference: CVE-2021-21972
Chain: Cloud computing virtualization platform does not require authentication for upload of a tar format file (CWE-306), then uses .. path traversal sequences (CWE-23) in the file to access unexpected files, as exploited in the wild per CISA KEV.
Reference: CVE-2020-10263
Bluetooth speaker does not require authentication for the debug functionality on the UART port, allowing root shell access.
Reference: CVE-2021-23147
WiFi router does not require authentication for its UART port, allowing adversaries with physical access to execute commands as root.
Reference: CVE-2021-37415
IT management product does not perform authentication for some REST API requests, as exploited in the wild per CISA KEV.
Reference: CVE-2020-13927
Default setting in workflow management product allows all API requests without authentication, as exploited in the wild per CISA KEV.
Reference: CVE-2002-1810
MFV. Access TFTP server without authentication and obtain configuration file with sensitive plaintext information.
Reference: CVE-2008-6827
Agent software running with privileges does not authenticate incoming requests over an unprotected channel, allowing a "Shatter" attack.
Reference: CVE-2004-0213
Product enforces restrictions through a GUI but not through privileged APIs.
Reference: CVE-2020-15483
Monitor device allows access to a physical UART debug port without authentication.
Reference: CVE-2019-9201
Programmable Logic Controller (PLC) does not have an authentication feature on its communication protocols.
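Several of the examples above (the REST API cases, the includes/ library files) share one observable symptom: a sensitive endpoint returns a success status to a request that carried no credential. The following is an added detection example, not part of the CWE entry: it sweeps access-log lines for 2xx responses to non-public paths that had neither an Authorization header nor a session cookie. The log lines are constructed, and the format is an assumption: it presumes the gateway records whether an Authorization header ("authz") and a session cookie ("session") were present, which a standard combined log does not; the field names are invented here.

```python
import json
import re

# Constructed JSON access-log lines. Assumption (not from the CWE entry): the
# gateway records whether an Authorization header ("authz") or a session cookie
# ("session") was present on each request; the field names are invented here.
LOG_LINES = [
    '{"ts":"2025-09-09T10:00:01Z","client":"198.51.100.7","method":"GET","path":"/","status":200,"authz":false,"session":false}',
    '{"ts":"2025-09-09T10:00:02Z","client":"198.51.100.7","method":"POST","path":"/api/v1/login","status":200,"authz":false,"session":false}',
    '{"ts":"2025-09-09T10:00:03Z","client":"198.51.100.7","method":"GET","path":"/api/v1/users","status":200,"authz":true,"session":false}',
    '{"ts":"2025-09-09T10:00:04Z","client":"203.0.113.9","method":"GET","path":"/api/v1/config","status":200,"authz":false,"session":false}',
    '{"ts":"2025-09-09T10:00:05Z","client":"203.0.113.9","method":"GET","path":"/includes/db.php","status":200,"authz":false,"session":false}',
    '{"ts":"2025-09-09T10:00:06Z","client":"203.0.113.9","method":"GET","path":"/admin/","status":401,"authz":false,"session":false}',
    '{"ts":"2025-09-09T10:00:07Z","client":"192.0.2.5","method":"POST","path":"/admin/save_config","status":200,"authz":false,"session":true}',
    'not json at all',
]

# Paths that are legitimately anonymous, and a pattern for everything that is not.
PUBLIC_PATHS = frozenset({"/", "/api/v1/login", "/favicon.ico"})
SENSITIVE = re.compile(r"^/(api/|admin/|includes/)")


def _is_authenticated(entry):
    return bool(entry.get("authz")) or bool(entry.get("session"))


def find_unauthenticated_hits(lines):
    """Return (client, method, path, status) for every 2xx response to a
    sensitive path that carried neither an Authorization header nor a session."""
    findings = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the sweep
        path = entry.get("path", "")
        if path in PUBLIC_PATHS or not SENSITIVE.match(path):
            continue
        status = int(entry.get("status", 0))
        # Only 2xx counts: a 401/403, or a 302 to the login page, is the
        # authentication check doing its job.
        if 200 <= status < 300 and not _is_authenticated(entry):
            findings.append((entry.get("client"), entry.get("method"), path, status))
    return findings


def unauthenticated_paths(lines):
    """Distinct sensitive paths served without authentication, for triage."""
    return sorted({hit[2] for hit in find_unauthenticated_hits(lines)})


if __name__ == "__main__":
    for hit in find_unauthenticated_hits(LOG_LINES):
        print("unauthenticated 2xx:", hit)
```

The sweep only sees what the gateway logs, so a credential presented inside the request body or over a protocol the gateway does not front (the UART and PLC cases above) is invisible to it; for those, an architecture review, which the Detection Methods section rates as the most effective method, remains the right tool.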
Modes of Introduction
| Phase | Note |
|---|---|
| Architecture and Design | OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. |
| Architecture and Design | Developers sometimes perform authentication on the primary channel, but open up a secondary channel that is assumed to be private. For example, a login mechanism may listen on one network port, but after successful authentication it may open a second port where it waits for a connection, skipping authentication there because it assumes that only the authenticated party will connect to that port. |
| Operation | When migrating data to the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), there is a risk of losing the protections that were originally provided by hosting on internal networks. If access does not require authentication, it is easier for attackers to reach the data from anywhere on the Internet. |
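The cloud-storage mitigation earlier on this page and the Operation row above both come down to one question: does any grant on the bucket apply without an authenticated identity? The following is an added example, not part of the CWE entry or of any provider's tooling: a weak S3-style bucket policy that grants read access to the wildcard principal beside a corrected policy scoped to a role, and a small reviewer's check that flags Allow statements whose principal is "*". Both policies are constructed; the account ID and role name are placeholders. The check is deliberately simplified (it does not model NotPrincipal and does not evaluate Condition keys, only reports that one exists), so it is a pre-commit review aid, not a replacement for the provider's own controls such as S3 Block Public Access or IAM Access Analyzer.

```python
import json

# Constructed bucket policies. The account ID and role name are placeholders
# invented for this example.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",                      # anyone on the Internet, no identity needed
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-exports/*",
    }],
})

HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppReadOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-exports/*",
        },
        {
            # A Deny on "*" narrows access (no plaintext transport); it is not a grant.
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-exports", "arn:aws:s3:::example-exports/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Flatten the Principal element: "*" or {"AWS": [...], "Service": [...]}."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return [p for values in principal.values() for p in _as_list(values)]
    return _as_list(principal)


def anonymous_grants(policy_json):
    """Allow statements whose principal is the wildcard, i.e. grants that need
    no authenticated identity. Simplified check (assumption): NotPrincipal is
    not modelled and Condition keys are not evaluated, only reported as present."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements restrict; they never grant access
        if "*" not in _principals(stmt):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": _as_list(stmt.get("Action", [])),
            "conditional": "Condition" in stmt,
        })
    return findings


if __name__ == "__main__":
    print("weak:    ", anonymous_grants(WEAK_POLICY))
    print("hardened:", anonymous_grants(HARDENED_POLICY))
```

A finding with "conditional" set to true still needs a human look: a Condition can confine the wildcard to a VPC or source IP range, or it can be something like aws:SecureTransport that leaves the grant effectively public. The Azure and Google Cloud equivalents differ in syntax (anonymous container access levels, allUsers/allAuthenticatedUsers members) but the review question is the same.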
Applicable Platforms
Languages: Not Language-Specific (Prevalence: Undetermined)
Technologies: Cloud Computing (Prevalence: Undetermined); ICS/OT (Prevalence: Often)
Taxonomy Mappings
| Taxonomy | Entry ID | Entry Name | Mapping Fit |
|---|---|---|---|
| PLOVER | - | No Authentication for Critical Function | - |
| Software Fault Patterns | SFP31 | Missing authentication | - |
| ISA/IEC 62443 | Part 4-2 | Req CR 1.1 | - |
| ISA/IEC 62443 | Part 4-2 | Req CR 1.2 | - |
| ISA/IEC 62443 | Part 4-2 | Req CR 2.1 | - |
| ISA/IEC 62443 | Part 4-1 | Req SR-2 | - |
| ISA/IEC 62443 | Part 4-1 | Req SVV-3 | - |
Key Information
CWE ID: CWE-306
Abstraction: Base
Structure: Simple
Status: Draft
Likelihood of Exploit: High