CWE-290 Authentication Bypass by Spoofing: a summary of 259 CVEs in this weakness class, with AI-generated Chinese analysis.
CWE-290 is an authentication-bypass weakness caused by an improperly implemented authentication mechanism that is susceptible to spoofing. An attacker typically forges or tampers with an identity indicator (such as an IP address, certificate, or token) so that the system mistakes them for a legitimate user and grants unauthorized access. Developers should adopt strong authentication strategies, including multi-factor authentication, strict input validation, and anti-replay mechanisms, and regularly review authentication logic to ensure the trustworthiness and integrity of the identity source, so as to defend effectively against such spoofing.
Demonstrative examples (three code fragments, each trusting a network-supplied identifier that the peer controls):

```java
// Example 1: authentication decided solely by the client's source IP address.
// A source IP is not a secret and can be spoofed or reached through a proxy,
// so this check does not establish who the requester is.
String sourceIP = request.getRemoteAddr();
boolean authenticated = false;
if (sourceIP != null && sourceIP.equals(APPROVED_IP)) {
    authenticated = true;
}
```

```c
// Example 2: UDP server that "authenticates" a datagram by its source address.
#include <string.h>
#include <arpa/inet.h>
#include <sys/socket.h>

#define MAX_MSG 1024

/* Returns the trusted peer address as a string (helper assumed by the example). */
extern const char *getTrustedAddress(void);

void serve(void)
{
    int sd, n;
    struct sockaddr_in serv, cli;
    socklen_t clilen;
    char msg[MAX_MSG];

    sd = socket(AF_INET, SOCK_DGRAM, 0);
    memset(&serv, 0, sizeof(serv));
    memset(&cli, 0, sizeof(cli));
    serv.sin_family = AF_INET;
    serv.sin_addr.s_addr = htonl(INADDR_ANY);
    serv.sin_port = htons(1008);            /* original had the typo "servr" */
    bind(sd, (struct sockaddr *) &serv, sizeof(serv));
    while (1) {
        memset(msg, 0x0, MAX_MSG);
        clilen = sizeof(cli);
        /* The source address of a UDP datagram is attacker-controlled, so trusting it
           is the weakness. Note also that "==" on inet_ntoa() compares pointers, not
           strings, exactly as in the original fragment. */
        if (inet_ntoa(cli.sin_addr) == getTrustedAddress()) {
            n = recvfrom(sd, msg, MAX_MSG, 0, (struct sockaddr *) &cli, &clilen);
        }
    }
}
```

```java
// Example 3: a shared secret is released to any datagram whose source address is
// "trusted" and whose payload matches the key; the address check adds no security
// because it can be spoofed.
while (true) {
    DatagramPacket rp = new DatagramPacket(rData, rData.length);
    outSock.receive(rp);
    String in = new String(rp.getData(), 0, rp.getLength()); // original referenced "p", fixed to "rp"
    InetAddress clientIPAddress = rp.getAddress();
    int port = rp.getPort();
    if (isTrustedAddress(clientIPAddress) && secretKey.equals(in)) {
        byte[] out = secret.getBytes();
        DatagramPacket sp = new DatagramPacket(out, out.length, IPAddress, port);
        outSock.send(sp);
    }
}
```

| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-8644 | IBM WebSphere Application Server identity spoofing vulnerability — WebSphere Application Server | 9.1 | Critical | 2026-06-01 |
| CVE-2026-42674 | WordPress Advanced Access Manager <= 7.1.0 bypass vulnerability — Advanced Access Manager | 7.5 | High | 2026-06-01 |
| CVE-2026-47123 | FreeScout data forgery vulnerability — freescout | 7.5 | High | 2026-05-29 |
| CVE-2026-44649 | SillyTavern security vulnerability — SillyTavern | 9.8 | Critical | 2026-05-29 |
| CVE-2026-46414 | UFO³ security vulnerability — UFO | 8.8 | High | 2026-05-27 |
| CVE-2026-8676 | Silicon Simplicity SDK security vulnerability — Simplicity SDK | 8.8 | High | 2026-05-26 |
| CVE-2018-25361 | Soroush IM Desktop App security vulnerability — Soroush IM Desktop App | 6.8 | Medium | 2026-05-25 |
| CVE-2026-7507 | Keycloak security vulnerability — Red Hat build of Keycloak 26.2 | 7.5 | High | 2026-05-19 |
| CVE-2026-46356 | Fleet security vulnerability — fleet | - | - | 2026-05-14 |
| CVE-2026-24899 | Fleet security vulnerability — fleet | - | - | 2026-05-14 |
| CVE-2026-24000 | Fleet security vulnerability — fleet | - | - | 2026-05-14 |
| CVE-2026-40460 | F5 NGINX Plus and F5 NGINX Open Source security vulnerability — NGINX Plus | 6.5 | Medium | 2026-05-13 |
| CVE-2026-44183 | Cleanuparr security vulnerability — Cleanuparr | 9.8 | Critical | 2026-05-12 |
| CVE-2026-45223 | Crabbox security vulnerability — crabbox | 8.8 | High | 2026-05-11 |
| CVE-2021-47923 | OpenCart security vulnerability — opencart | 9.8 | Critical | 2026-05-10 |
| CVE-2026-42354 | Sentry security vulnerability — sentry | 9.1 | Critical | 2026-05-08 |
| CVE-2026-44118 | OpenClaw security vulnerability — OpenClaw | 7.8 | High | 2026-05-06 |
| CVE-2026-39858 | Traefik security vulnerability — traefik | 9.8 | - | 2026-04-30 |
| CVE-2018-25318 | Tenda FH303 and Tenda A300 security vulnerability — FH303/A300 | 9.8 | Critical | 2026-04-29 |
| CVE-2018-25317 | Tenda W3002R security vulnerability — W3002R | 9.8 | Critical | 2026-04-29 |
| CVE-2018-25316 | Tenda W308R security vulnerability — W308R v2 | 9.8 | Critical | 2026-04-29 |
| CVE-2026-7422 | FreeRTOS-Plus-TCP security vulnerability — FreeRTOS-Plus-TCP | 6.5 | Medium | 2026-04-29 |
| CVE-2026-25660 | CodeChecker security vulnerability — CodeChecker | 9.8 (AI-estimated) | Critical (AI-estimated) | 2026-04-24 |
| CVE-2026-40575 | OAuth2 Proxy security vulnerability — oauth2-proxy | 9.1 | Critical | 2026-04-21 |
| CVE-2026-22734 | Cloud Foundry cf-deployment and Cloud Foundry UUA security vulnerability — UUA | 8.6 | High | 2026-04-16 |
| CVE-2026-34457 | OAuth2 Proxy security vulnerability — oauth2-proxy | 9.1 | Critical | 2026-04-14 |
| CVE-2026-35656 | OpenClaw security vulnerability — OpenClaw | 6.5 | Medium | 2026-04-10 |
| CVE-2026-35622 | OpenClaw security vulnerability — OpenClaw | 5.9 | Medium | 2026-04-09 |
| CVE-2026-3902 | Django security vulnerability — Django | 5.3 (AI-estimated) | Medium (AI-estimated) | 2026-04-07 |
| CVE-2026-34778 | Electron data forgery vulnerability — electron | 5.9 | Medium | 2026-04-03 |
CWE-290 (Authentication Bypass by Spoofing) is a common weakness class; this platform has catalogued 259 CVEs associated with it.