CWE-306 关键功能的认证机制缺失 类弱点 1168 条 CVE 漏洞汇总,含 AI 中文分析。
CWE-306指关键功能缺乏身份验证,属于访问控制缺陷。攻击者可直接调用需高权限或消耗大量资源的功能,无需提供凭证,从而实施未授权操作或资源耗尽攻击。开发者应确保所有敏感操作强制实施身份验证机制,严格校验用户身份,防止未认证请求访问关键业务逻辑,保障系统安全。
public BankAccount createBankAccount(String accountNumber, String accountType, String accountName, String accountSSN, double balance) { BankAccount account = new BankAccount(); account.setAccountNumber(accountNumber); account.setAccountType(accountType); account.setAccountOwnerName(accountName); account.setAccountOwnerSSN(accountSSN); account.setBalance(balance); return account; }private boolean isUserAuthentic = false; // authenticate user, // if user is authenticated then set variable to true // otherwise set variable to false public boolean authenticateUser(String username, String password) { ... } public BankAccount createNewBankAccount(String accountNumber, String accountType, String accountName, String accountSSN, double balance) { BankAccount account = null; if (isUserAuthentic) { account = new BankAccount(); account.setAccountNumber(accountNumber); account.setAccountType(accountType); account.setAccountOwnerName(accountName); account.setAccountOwnerSSN(accountSCWE-306(关键功能的认证机制缺失) 是常见的弱点类别,本平台收录该类弱点关联的 1168 条 CVE 漏洞。