
CWE-288 Authentication Bypass Using an Alternate Path or Channel: vulnerability list (466)

Summary of the 466 CVE vulnerabilities associated with the CWE-288 (Authentication Bypass Using an Alternate Path or Channel) weakness class, with AI-generated Chinese analysis.

CWE-288 denotes an authentication bypass weakness: the system does have an authentication mechanism, but an alternate path or channel exists that reaches the protected resource without it. Attackers exploit this by going through an unprotected interface or hidden entry point to access restricted resources directly, sidestepping identity verification. Developers should ensure that every access entry point enforces the same strict authentication policy, review the system architecture as a whole, and eliminate any remaining path that grants access without authorization.

MITRE CWE official description

CWE-288: Authentication Bypass Using an Alternate Path or Channel. Description: the product requires authentication, but the product has an alternate path or channel that does not require authentication.

Common consequences (1)

Access Control: Bypass Protection Mechanism

Mitigations (1)

Architecture and Design: Funnel all access through a single choke point to simplify how users can access a resource. For every access, perform a check to determine if the user has permissions to access the resource.
Code example (1)

Register SECURE_ME is located at address 0xF00. A mirror of this register called COPY_OF_SECURE_ME is at location 0x800F00. The register SECURE_ME is protected from malicious agents and only allows access to select, while COPY_OF_SECURE_ME is not. Access control is implemented using an allowlist (as indicated by a…

Informative · Verilog

    module foo_bar(data_out, data_in, incoming_id, address, clk, rst_n);
      output [31:0] data_out;
      input  [31:0] data_in, incoming_id, address;
      input         clk, rst_n;
      wire          write_auth, addr_auth;
      reg    [31:0] data_out, acl_oh_allowlist, q;

      // The writer is authorized when its ID matches any bit of the one-hot allowlist.
      assign write_auth = | (incoming_id & acl_oh_allowlist) ? 1 : 0;

      // Constant one-hot allowlist of agent IDs permitted to write SECURE_ME.
      always @* acl_oh_allowlist <= 32'h8312;

      // The address check covers only the primary register at 0xF00; the mirror
      // COPY_OF_SECURE_ME at 0x800F00 is never considered here.
      assign addr_auth = (address == 32'hF00) ? 1 : 0;

      always @ (posedge clk or negedge rst_n)
        if (!rst_n) begin
          q        <= 32'h0;
          data_out <= 32'h0;
        end else begin
          // A write lands only when both the address and the writer are authorized.
          q        <= (addr_auth & write_auth) ? data_in : q;
          data_out <= q;
        end
    endmodule

Bad · Verilog (the address check is applied to the primary address only, leaving the mirrored register unprotected)

    assign addr_auth = (address == 32'hF00) ? 1: 0;
| CVE ID | Title | CVSS | Risk level | Published |
|---|---|---|---|---|
| CVE-2026-40780 | WordPress BookIt plugin < 2.5.4.1 authentication vulnerability — BookIt | 7.5 | High | 2026-06-02 |
| CVE-2026-42654 | WooCommerce Wallet System plugin <= 2.7.5 authentication vulnerability — Wallet System for WooCommerce | 7.1 | High | 2026-06-02 |
| CVE-2026-45577 | Neotoma access control error vulnerability — neotoma | - | - | 2026-05-29 |
| CVE-2025-41273 | Waterfall WF-500 security vulnerability — WF-500 | - | - | 2026-05-29 |
| CVE-2026-8697 | TP-Link Archer C64 security vulnerability — Archer C64 v1.0 | - | - | 2026-05-28 |
| CVE-2026-8990 | View Concept Kidsview security vulnerability — Kidsview | - | - | 2026-05-28 |
| CVE-2026-35090 | Slican multiple products security vulnerability — CCT-1668 | - | - | 2026-05-27 |
| CVE-2026-35087 | Slican multiple products security vulnerability — IPx | - | - | 2026-05-27 |
| CVE-2026-42760 | WordPress plugin Backup and Staging by WP Time Capsule security vulnerability — Backup and Staging by WP Time Capsule | 7.5 | High | 2026-05-27 |
| CVE-2026-42749 | WordPress plugin Disable Comments for Any Post Types (Remove comments) security vulnerability — Disable Comments for Any Post Types (Remove comments) | 7.1 | High | 2026-05-27 |
| CVE-2026-42745 | WordPress plugin Smart Online Order for Clover security vulnerability — Smart Online Order for Clover | 7.3 | High | 2026-05-27 |
| CVE-2026-42735 | WordPress plugin KiviCare security vulnerability — KiviCare | 8.2 | High | 2026-05-27 |
| CVE-2026-45217 | WordPress plugin Stripe Payment Gateway for WooCommerce security vulnerability — Stripe Payment Gateway for WooCommerce | 6.5 | Medium | 2026-05-25 |
| CVE-2026-33843 | Microsoft Entra security vulnerability — Microsoft Entra | 9.1 | Critical | 2026-05-22 |
| CVE-2026-8598 | ZKTeco CCTV Cameras security vulnerability — SSC335-GC2063-Face-0b77 Solution Camera | 9.1 | Critical | 2026-05-20 |
| CVE-2026-24207 | NVIDIA Triton Inference Server security vulnerability — Triton Inference Server | 9.8 | Critical | 2026-05-20 |
| CVE-2026-24206 | NVIDIA Triton Inference Server security vulnerability — Triton Inference Server | 7.3 | High | 2026-05-20 |
| CVE-2026-4320 | iCMS security vulnerability — ICMS Content Management | - | - | 2026-05-18 |
| CVE-2026-4524 | GitLab security vulnerability — GitLab | 6.5 | Medium | 2026-05-14 |
| CVE-2026-45109 | Next.js security vulnerability — next.js | 7.5 | High | 2026-05-13 |
| CVE-2026-44574 | Next.js security vulnerability — next.js | 8.1 | High | 2026-05-13 |
| CVE-2026-44575 | Next.js security vulnerability — next.js | 7.5 | High | 2026-05-13 |
| CVE-2026-40621 | ELECOM multiple products security vulnerability — WRC-BE72XSD-B | - | - | 2026-05-13 |
| CVE-2026-42303 | Fides security vulnerability — fides | - | - | 2026-05-12 |
| CVE-2026-42300 | devguard security vulnerability — devguard | - | - | 2026-05-12 |
| CVE-2026-35422 | Microsoft Windows TCP/IP security vulnerability — Windows 10 Version 1607 | 6.5 | Medium | 2026-05-12 |
| CVE-2026-8321 | Inkeep Agents authorization issue vulnerability — agents | 7.3 | High | 2026-05-11 |
| CVE-2026-41308 | Password Pusher security vulnerability — PasswordPusher | 6.5 | Medium | 2026-05-08 |
| CVE-2026-7458 | WordPress plugin User Verification by PickPlugins security vulnerability — User Verification by PickPlugins | 9.8 | Critical | 2026-05-02 |
| CVE-2026-7567 | WordPress plugin Temporary Login security vulnerability — Temporary Login | 9.8 | Critical | 2026-05-01 |

CWE-288 (Authentication Bypass Using an Alternate Path or Channel) is a common weakness class; this platform has collected 466 CVE vulnerabilities associated with it.