
CWE-287 Improper Authentication: Vulnerability List (1296)

A summary of the 1296 CVE vulnerabilities associated with the CWE-287 Improper Authentication weakness class, with AI-generated Chinese analysis.

CWE-287 is an authentication-flaw weakness: when verifying a user's identity, the system fails to adequately confirm that the claimed identity is genuine. Attackers commonly exploit this weakness to impersonate legitimate users through brute force, credential stuffing or session hijacking, thereby gaining unauthorized access. Developers should implement multi-factor authentication, store credentials using strong hashing algorithms, set reasonable account-lockout policies, and strictly verify the identity credentials on every access so that identity claims are sufficiently proven.

MITRE CWE Official Description
CWE: CWE-287 Improper Authentication. English: When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Common Consequences (1)
Scope: Integrity, Confidentiality, Availability, Access Control. Impact: Read Application Data; Gain Privileges or Assume Identity; Execute Unauthorized Code or Commands.
This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even the ability to execute arbitrary code.
Potential Mitigations (1)
Phase: Architecture and Design. Use an authentication framework or library such as the OWASP ESAPI Authentication feature.
Demonstrative Examples (2)
The following code intends to ensure that the user is already logged in. If not, the code performs authentication with the user-provided username and password. If successful, it sets the loggedin and user cookies to "remember" that the user has already logged in. Finally, the code performs administrator tasks if the logged-in user has the "Administrator" username, as recorded in the user cookie.
    my $q = new CGI;

    if ($q->cookie('loggedin') ne "true") {
        if (! AuthenticateUser($q->param('username'), $q->param('password'))) {
            ExitError("Error: you need to log in first");
        }
        else {
            # Set loggedin and user cookies.
            $q->cookie(
                -name  => 'loggedin',
                -value => 'true'
            );
            $q->cookie(
                -name  => 'user',
                -value => $q->param('username')
            );
        }
    }

    if ($q->cookie('user') eq "Administrator") {
        DoAdministratorTasks();
    }

Bad · Perl

The cookies are fully under the client's control, so the administrator check can be satisfied by a request that simply presents them without ever authenticating:

    GET /cgi-bin/vulnerable.cgi HTTP/1.1
    Cookie: user=Administrator
    Cookie: loggedin=true

    [body of request]

Attack
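The following Python is an added example, not code from the MITRE entry or from this page. It places the same trust-the-cookie check beside a hardened variant that only honours a session cookie the server itself issued (the username bound to an HMAC under a server-side key); the key, the cookie names and the sample headers are constructed for the demo.

```python
import hmac
import hashlib

# Hypothetical server-side secret for the demo; a real deployment loads it from a secret store.
SECRET_KEY = b"constructed-demo-key-do-not-use"


def parse_cookie_header(header):
    """Parse a Cookie header value such as 'user=Administrator; loggedin=true' into a dict."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def is_admin_vulnerable(cookies):
    """Mirrors the CWE-287 example above: any client can set these two cookie values."""
    return cookies.get("loggedin") == "true" and cookies.get("user") == "Administrator"


def issue_session_cookie(username):
    """Server side: after a real credential check succeeds, bind the username to a MAC."""
    mac = hmac.new(SECRET_KEY, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}|{mac}"


def verified_user(cookies):
    """Return the username only if the session cookie carries a MAC this server produced."""
    token = cookies.get("session", "")
    if "|" not in token:
        return None
    username, mac = token.rsplit("|", 1)
    expected = hmac.new(SECRET_KEY, username.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forged MAC cannot be refined byte by byte.
    if not hmac.compare_digest(mac, expected):
        return None
    return username


def is_admin_hardened(cookies):
    """The identity claim is proven by the MAC, not by the client's say-so."""
    return verified_user(cookies) == "Administrator"


if __name__ == "__main__":
    forged = parse_cookie_header("user=Administrator; loggedin=true")
    print("vulnerable check accepts forged cookies:", is_admin_vulnerable(forged))
    print("hardened check accepts forged cookies:  ", is_admin_hardened(forged))
```

The hardened check still needs the real authentication step before issue_session_cookie is called, plus the usual cookie hygiene (Secure, HttpOnly, expiry), which the example leaves out.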
In January 2009, an attacker was able to gain administrator access to a Twitter server because the server did not restrict the number of login attempts [REF-236]. The attacker targeted a member of Twitter's support team and was able to successfully guess the member's password using a brute force attack by guessing a large number of common words. After gaining access as the member of the support st…
CVE ID | Title | Affected Product | CVSS | Risk Level | Published
CVE-2020-1718 | Red Hat Keycloak Authorization Issue Vulnerability | keycloak | 7.1 | High | 2020-05-12
CVE-2020-10916 | TP-Link TL-WA855RE Authorization Issue Vulnerability | TL-WA855RE | 8.0 | - | 2020-05-07
CVE-2020-3125 | Cisco Adaptive Security Appliances Software Authorization Issue Vulnerability | Cisco Adaptive Security Appliance (ASA) Software | 9.1 | - | 2020-05-06
CVE-2020-11020 | Faye Authorization Issue Vulnerability | Faye | 8.5 | High | 2020-04-29
CVE-2019-19104 | ABB Busch-Jaeger 6186/11 Telefon-Gateway Access Control Error Vulnerability | TG/S 3.2 Telephone Gateway | 9.1 | Critical | 2020-04-22
CVE-2020-7276 | McAfee Endpoint Security Authorization Issue Vulnerability | McAfee Endpoint Security (ENS) | 6.4 | Medium | 2020-04-15
CVE-2020-8148 | Ubiquiti Networks UniFi Cloud Key Authorization Issue Vulnerability | UniFi Cloud Key Gen2 | 5.3 | - | 2020-04-13
CVE-2019-14880 | Moodle Authorization Issue Vulnerability | moodle | 9.8 | - | 2020-03-31
CVE-2019-15796 | python-apt Data Forgery Issue Vulnerability | Python-apt | 4.7 | Medium | 2020-03-26
CVE-2020-10888 | TP-Link Archer A7 AC1750 Authorization Issue Vulnerability | Archer A7 | 9.8 | - | 2020-03-25
CVE-2011-2054 | Cisco Adaptive Security Appliances Security Vulnerability | Cisco ASA | 4.3 | Medium | 2020-02-19
CVE-2019-15617 | Nextcloud Server Authorization Issue Vulnerability | Nextcloud Server | 4.3 | - | 2020-02-04
CVE-2019-15620 | Nextcloud Talk Information Disclosure Vulnerability | Nextcloud Talk | 2.7 | - | 2020-02-04
CVE-2019-15585 | GitLab Authorization Issue Vulnerability | Gitlab CE/EE | 9.8 | - | 2020-01-28
CVE-2020-5224 | Django User Sessions Cryptographic Issue Vulnerability | django-user-sessions | 6.5 | Medium | 2020-01-24
CVE-2019-6854 | Duplicate ID | EcoStruxure Geo SCADA Expert (ClearSCADA) with initial releases before 1 January 2019 (see notification for more details) | 7.8 | - | 2020-01-06
CVE-2019-18337 | Siemens SiNVR 3 Central Control Server and SiNVR 3 Video Server Authorization Issue Vulnerability | Control Center Server (CCS) | 9.8 | Critical | 2019-12-12
CVE-2019-18341 | Siemens SiNVR 3 Central Control Server and SiNVR 3 Video Server Authorization Issue Vulnerability | Control Center Server (CCS) | 5.3 | Medium | 2019-12-12
CVE-2019-18312 | Siemens SPPA-T3000 Authorization Issue Vulnerability | SPPA-T3000 MS3000 Migration Server | 5.3 | - | 2019-12-12
CVE-2019-18314 | Siemens SPPA-T3000 Authorization Issue Vulnerability | SPPA-T3000 Application Server | 9.8 | - | 2019-12-12
CVE-2019-18315 | Siemens SPPA-T3000 Authorization Issue Vulnerability | SPPA-T3000 Application Server | 9.8 | - | 2019-12-12
CVE-2019-18317 | Siemens SPPA-T3000 Authorization Issue Vulnerability | SPPA-T3000 Application Server | 7.5 | - | 2019-12-12
CVE-2019-18318 | Siemens SPPA-T3000 Authorization Issue Vulnerability | SPPA-T3000 Application Server | 7.5 | - | 2019-12-12
CVE-2019-18319 | Siemens SPPA-T3000 Authorization Issue Vulnerability | SPPA-T3000 Application Server | 7.5 | - | 2019-12-12
CVE-2019-18320 | Siemens SPPA-T3000 Code Issue Vulnerability | SPPA-T3000 Application Server | 7.5 | - | 2019-12-12
CVE-2019-18321 | Siemens SPPA-T3000 Authorization Issue Vulnerability | SPPA-T3000 MS3000 Migration Server | 9.1 | - | 2019-12-12
CVE-2019-18322 | Siemens SPPA-T3000 Authorization Issue Vulnerability | SPPA-T3000 MS3000 Migration Server | 9.1 | - | 2019-12-12
CVE-2019-18284 | Siemens SPPA-T3000 Access Control Error Vulnerability | SPPA-T3000 Application Server | 9.8 | - | 2019-12-12
CVE-2019-18286 | Siemens SPPA-T3000 Information Disclosure Vulnerability | SPPA-T3000 Application Server | 5.3 | - | 2019-12-12
CVE-2019-18287 | Siemens SPPA-T3000 Information Disclosure Vulnerability | SPPA-T3000 Application Server | 5.3 | - | 2019-12-12

CWE-287 (Improper Authentication) is a common weakness category; this platform has collected 1296 CVE vulnerabilities associated with it.