
CWE-287 Improper Authentication: vulnerability list (1282)

Summary of the 1282 CVE vulnerabilities in the CWE-287 Improper Authentication weakness class, with AI-generated Chinese analysis.

CWE-287 is an identity-verification flaw: the system fails to adequately verify that a user's claimed identity is genuine. Attackers commonly exploit this weakness through brute force, credential stuffing or session hijacking to impersonate legitimate users and gain unauthorized access. Developers should implement multi-factor authentication, store credentials with strong hashing algorithms, set reasonable account lockout policies, and strictly verify identity credentials on every access so that identity claims are adequately proven.

MITRE CWE official description
CWE-287 Improper Authentication: When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Common Consequences (1)
Scope: Integrity, Confidentiality, Availability, Access Control. Technical Impact: Read Application Data, Gain Privileges or Assume Identity, Execute Unauthorized Code or Commands.
This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even allowing them to execute arbitrary code.
Mitigations (1)
Architecture and Design: Use an authentication framework or library such as the OWASP ESAPI Authentication feature.
Code Examples (2)
The following code intends to ensure that the user is already logged in. If not, the code performs authentication with the user-provided username and password. If successful, it sets the loggedin and user cookies to "remember" that the user has already logged in. Finally, the code performs administrator tasks if the logged-in user has the "Administrator" username, as recorded in the user cookie.
my $q = new CGI;
if ($q->cookie('loggedin') ne "true") {
    if (! AuthenticateUser($q->param('username'), $q->param('password'))) {
        ExitError("Error: you need to log in first");
    }
    else {
        # Set loggedin and user cookies.
        $q->cookie(
            -name => 'loggedin',
            -value => 'true'
        );
        $q->cookie(
            -name => 'user',
            -value => $q->param('username')
        );
    }
}
if ($q->cookie('user') eq "Administrator") {
    DoAdministratorTasks();
}
Bad · Perl
GET /cgi-bin/vulnerable.cgi HTTP/1.1
Cookie: user=Administrator
Cookie: loggedin=true
[body of request]
Attack
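As an added illustration (not code from this page or from MITRE), the Perl CGI logic above re-implemented in Python beside a hardened version that keeps the logged-in state in a server-side session keyed by an unguessable id, so that a forged `user=Administrator` cookie no longer reaches the administrator path. `authenticate_user`, the user table and the request dictionaries are constructed stand-ins for the page's `AuthenticateUser` and CGI objects.

```python
"""CWE-287 cookie-trust bypass (the page's Perl sample) and a server-side-session fix."""
import secrets

# Constructed credential store standing in for the page's AuthenticateUser().
USERS = {"Administrator": "correct horse battery staple"}
# Server-side session table: session id -> username proven at login time.
SESSIONS: dict[str, str] = {}


def authenticate_user(username, password):
    """Constant-time password check; a missing username or password never authenticates."""
    if username is None or password is None:
        return False
    stored = USERS.get(username, "")
    return secrets.compare_digest(stored.encode(), password.encode())


def vulnerable_handler(cookies, params):
    """Mirrors the Perl sample: trusts 'loggedin' and 'user' cookies supplied by the client."""
    if cookies.get("loggedin") != "true":
        if not authenticate_user(params.get("username"), params.get("password")):
            return "login required"
        cookies["loggedin"] = "true"
        cookies["user"] = params["username"]
    # Identity is read back from a client-controlled cookie, so a request that
    # simply presents 'user=Administrator; loggedin=true' reaches admin tasks.
    return "admin tasks" if cookies.get("user") == "Administrator" else "user tasks"


def hardened_handler(cookies, params):
    """Identity comes only from a server-side session created after a real login."""
    username = SESSIONS.get(cookies.get("sid", ""))
    if username is None:
        if not authenticate_user(params.get("username"), params.get("password")):
            return "login required"
        sid = secrets.token_urlsafe(32)       # 256-bit random id, not guessable
        username = params["username"]
        SESSIONS[sid] = username              # identity lives on the server only
        cookies["sid"] = sid                  # the client stores an opaque handle
    return "admin tasks" if username == "Administrator" else "user tasks"


# Constructed request matching the page's forged 'Cookie: user=Administrator; loggedin=true'.
FORGED = {"user": "Administrator", "loggedin": "true"}


def demo():
    """Same forged cookies against both handlers: ('admin tasks', 'login required')."""
    return vulnerable_handler(dict(FORGED), {}), hardened_handler(dict(FORGED), {})


if __name__ == "__main__":
    print(demo())
```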
In January 2009, an attacker was able to gain administrator access to a Twitter server because the server did not restrict the number of login attempts [REF-236]. The attacker targeted a member of Twitter's support team and was able to successfully guess the member's password using a brute force attack by guessing a large number of common words. After gaining access as the member of the support st…
CVE ID | Title | Product | CVSS | Risk Level | Published
CVE-2026-12183 | BUK TS-G System 2.9.1-2.10.2 authentication vulnerability | BUK TS-G Gas Station Automation System | 9.8 | Critical | 2026-06-13
CVE-2026-50623 | Apache CXF OAuth2 TokenIntrospectionService authentication bypass vulnerability | Apache CXF | -- | -- | 2026-06-12
CVE-2026-48611 | OAuth implementation does not properly verify identity, allowing takeover of the default installation account | phpBB | -- | -- | 2026-06-12
CVE-2026-40995 | Spring Security X.509 authentication bypass vulnerability | Spring Web Services | 5.4 | Medium | 2026-06-11
CVE-2026-46705 | russh server authentication state not reset vulnerability | russh | 5.3 | Medium | 2026-06-10
CVE-2026-45567 | Roxy-WI API authentication bypass and unauthorized access to GPT endpoint | roxy-wi | 8.3 | High | 2026-06-10
CVE-2026-47838 | Unauthorized user impersonation when X.509 client certificates are used | Spring Security | 6.8 | Medium | 2026-06-09
CVE-2026-44810 | Microsoft Cryptographic Services elevation of privilege vulnerability | Windows 11 version 23H2 | 8.4 | High | 2026-06-09
CVE-2026-49848 | FreeSWITCH mod_verto pre-authentication userVariables injection vulnerability | freeswitch | 4.3 | Medium | 2026-06-09
CVE-2026-49843 | FreeSWITCH mod_verto pre-authentication session eviction vulnerability | freeswitch | 5.3 | Medium | 2026-06-09
CVE-2026-41720 | Spring LDAP empty-password authentication bypass vulnerability | Spring LDAP | 7.4 | High | 2026-06-09
CVE-2026-11618 | DTStack Taier source connection test endpoint authentication bypass vulnerability | Taier | 7.3 | High | 2026-06-09
CVE-2026-50751 | VPN remote access and mobile access user authentication bypass vulnerability | Quantum Security Gateway | -- | -- | 2026-06-08
CVE-2026-34123 | TP-Link Tapo C520WS whitelist validation bypass vulnerability | Tapo C520WS v2 | -- | -- | 2026-06-05
CVE-2026-46389 | UDS Identity Config client authentication bypass vulnerability | uds-identity-config | 10.0 | Critical | 2026-06-05
CVE-2026-11345 | 灵起 CDN file access authentication bypass vulnerability | linqi | -- | -- | 2026-06-05
CVE-2026-6274 | DTS Electronics Redline WR3200 authentication bypass vulnerability | Redline WR3200 | 9.8 | Critical | 2026-06-05
CVE-2023-5502 | Arista EOS 802.1X authentication bypass vulnerability | EOS | 5.9 | Medium | 2026-06-04
CVE-2026-49202 | Missing authentication on meeting recording interface and permissive CORS policy | Connect M6E 5G Portable WiFi Router | -- | -- | 2026-06-04
CVE-2026-49203 | Unauthenticated eSIM configuration manipulation vulnerability | Connect M6E 5G Portable WiFi Router | -- | -- | 2026-06-04
CVE-2026-49194 | SCREEN_CLICK authentication bypass vulnerability | Connect M6E 5G Portable WiFi Router | -- | -- | 2026-06-04
CVE-2026-49191 | M3WebServer backend API key hard-coded and exposed | Connect M6E 5G Portable WiFi Router | -- | -- | 2026-06-04
CVE-2026-49186 | Missing MQTT broker topic access control list | Connect M6E 5G Portable WiFi Router | -- | -- | 2026-06-04
CVE-2026-10777 | ealpha072 Student Management System backend config.php authentication flaw | Student-Management-System | 7.3 | High | 2026-06-03
CVE-2026-45289 | CloudburstMC Protocol: FULL-type authentication token partially unvalidated | Protocol | 5.3 | Medium | 2026-06-02
CVE-2026-49448 | authentik SourceStage bypass via empty POST | authentik | 9.8 | Critical | 2026-06-02
CVE-2026-49443 | authentik UserSourceConnection.group modifiable via API | authentik | 8.8 | High | 2026-06-02
CVE-2026-10619 | Sayan365 Student Management System authentication bypass vulnerability | student-management-system | 7.3 | High | 2026-06-02
CVE-2026-5076 | ARMember Premium <= 7.3.1 insecure password reset mechanism leading to unauthorized privilege escalation | ARMember Premium – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup | 9.8 | Critical | 2026-06-02
CVE-2026-10611 | MISP OTP bypass under LDAP hybrid authentication | misp | -- | -- | 2026-06-02

CWE-287 (Improper Authentication) is a common weakness category; this platform has collected 1282 CVE vulnerabilities associated with it.