目标达成 感谢每一位支持者 — 我们达成了 100% 目标!

目标: 1000 元 · 已筹: 1310

100%
请我们喝杯咖啡

CWE-290 使用欺骗进行的认证绕过 类漏洞列表 259

CWE-290 使用欺骗进行的认证绕过 类弱点 259 条 CVE 漏洞汇总,含 AI 中文分析。

CWE-290 是一种身份验证绕过漏洞,源于身份验证机制实现不当,易受欺骗攻击。攻击者通常通过伪造或篡改身份标识(如IP地址、证书或令牌),使系统误认其为合法用户从而获取未授权访问权限。开发者应实施强身份验证策略,包括多因素认证、严格的输入验证及防重放机制,并定期审查认证逻辑,确保身份源的可信性与完整性,以有效防御此类欺骗行为。

MITRE CWE 官方描述
CWE:CWE-290 通过欺骗绕过身份验证 (Authentication Bypass by Spoofing) 英文:这种以攻击为导向的弱点是由错误实现的身份验证方案引起的,这些方案容易受到欺骗攻击 (spoofing attacks)。
常见影响 (1)
Access ControlBypass Protection Mechanism, Gain Privileges or Assume Identity
This weakness can allow an attacker to access resources which are not otherwise accessible without proper authentication.
代码示例 (2)
The following code authenticates users.
String sourceIP = request.getRemoteAddr(); if (sourceIP != null && sourceIP.equals(APPROVED_IP)) { authenticated = true; }
Bad · Java
Both of these examples check if a request is from a trusted address before responding to the request.
sd = socket(AF_INET, SOCK_DGRAM, 0); serv.sin_family = AF_INET; serv.sin_addr.s_addr = htonl(INADDR_ANY); servr.sin_port = htons(1008); bind(sd, (struct sockaddr *) & serv, sizeof(serv)); while (1) { memset(msg, 0x0, MAX_MSG); clilen = sizeof(cli); if (inet_ntoa(cli.sin_addr)==getTrustedAddress()) { n = recvfrom(sd, msg, MAX_MSG, 0, (struct sockaddr *) & cli, &clilen); } }
Bad · C
while(true) { DatagramPacket rp=new DatagramPacket(rData,rData.length); outSock.receive(rp); String in = new String(p.getData(),0, rp.getLength()); InetAddress clientIPAddress = rp.getAddress(); int port = rp.getPort(); if (isTrustedAddress(clientIPAddress) & secretKey.equals(in)) { out = secret.getBytes(); DatagramPacket sp =new DatagramPacket(out,out.length, IPAddress, port); outSock.send(sp); } }
Bad · Java
CVE ID标题CVSS风险等级Published
CVE-2024-22457 Dell Secure Connect Gateway 安全漏洞 — Secure Connect Gateway (SCG) 5.0 Appliance - SRS 7.1 High2024-03-01
CVE-2024-21494 Caddy 安全漏洞 — github.com/greenpau/caddy-security 5.4 Medium2024-02-17
CVE-2023-7169 Snow Software Inventory Agent 安全漏洞 — Snow Inventory Agent 6.0 Medium2024-02-08
CVE-2024-23832 Mastodon 安全漏洞 — mastodon 9.4 Critical2024-02-01
CVE-2023-6044 Lenovo Vantage 安全漏洞 — Vantage 6.3 Medium2024-01-19
CVE-2023-44117 Huawei HarmonyOS 安全漏洞 — HarmonyOS 7.5AIHighAI2024-01-16
CVE-2023-4566 Huawei HarmonyOS 安全漏洞 — HarmonyOS 7.5AIHighAI2024-01-16
CVE-2023-4001 grub2 安全漏洞 — Red Hat Enterprise Linux 9 6.8 Medium2024-01-15
CVE-2024-0454 Dell EMC ELAN Match-on-Chip FPR solution 安全漏洞 — DELL Inspiron 6.0 Medium2024-01-12
CVE-2023-49794 KernelSU 安全漏洞 — KernelSU 6.7 Medium2024-01-02
CVE-2023-6263 Network Optix NxCloud 安全漏洞 — NxCloud 8.3 High2023-11-22
CVE-2023-3103 Unitree Robotics A1 安全漏洞 — A1 8.0 High2023-11-22
CVE-2023-5801 Huawei HarmonyOS 安全漏洞 — HarmonyOS 9.1 -2023-11-08
CVE-2023-20246 Cisco Catalys 和 Integrated Services Virtual Router 安全漏洞 — Cisco Firepower Threat Defense Software 5.8 Medium2023-11-01
CVE-2023-20245 Cisco Firepower Threat Defense 安全漏洞 — Cisco Adaptive Security Appliance (ASA) Software 5.8 Medium2023-11-01
CVE-2023-20256 Cisco Firepower Threat Defense 安全漏洞 — Cisco Adaptive Security Appliance (ASA) Software 5.0 Medium2023-11-01
CVE-2023-28803 Zscaler Client Connector 安全漏洞 — Client Connector 5.9 Medium2023-10-23
CVE-2023-30803 Sangfor Next-Gen Application Firewall 安全漏洞 — Net-Gen Application Firewall 9.8 Critical2023-10-10
CVE-2023-41329 WireMock 安全漏洞 — wiremock 3.9 Low2023-09-06
CVE-2023-4178 Neutron Smart VMS 安全漏洞 — Neutron Smart VMS 9.8 Critical2023-09-05
CVE-2023-31424 Broadcom Brocade SANnav 安全漏洞 — SANnav 8.1 High2023-08-31
CVE-2023-30950 Palantir Foundry 安全漏洞 — com.palantir.campaigns:campaigns 6.5 Medium2023-08-03
CVE-2022-48513 Huawei HarmonyOS 安全漏洞 — HarmonyOS 9.1 -2023-07-06
CVE-2023-22814 Western Digital My Cloud OS 安全漏洞 — My Cloud OS 5 10.0 Critical2023-06-30
CVE-2023-3243 Honeywell Alerton 安全漏洞 — BCM-WEB 8.3 High2023-06-28
CVE-2023-3128 Grafana 安全漏洞 — Grafana 9.4 Critical2023-06-22
CVE-2023-2807 PandoraFMS 安全漏洞 — Pandora FMS 6.4 Medium2023-06-13
CVE-2022-36331 多款Western Digital产品和SanDisk ibi 安全漏洞 — My Cloud OS 5 10.0 Critical2023-06-12
CVE-2023-2887 CBOT Chatbot 安全漏洞 — Chatbot 9.8 Critical2023-05-25
CVE-2023-22474 Parse Server 安全漏洞 — parse-server 8.7 High2023-02-03

CWE-290(使用欺骗进行的认证绕过) 是常见的弱点类别,本平台收录该类弱点关联的 259 条 CVE 漏洞。