CWE-306 Missing Authentication for Critical Function: a weakness class covering 1168 CVE entries, with AI-generated analysis in Chinese.
CWE-306 denotes a critical function that lacks authentication; it is an access-control defect. An attacker can directly invoke functionality that requires elevated privilege or consumes significant resources without presenting any credentials, and thereby perform unauthorized operations or mount resource-exhaustion attacks. Developers should ensure that every sensitive operation enforces an authentication mechanism, strictly verifies the caller's identity, and prevents unauthenticated requests from reaching critical business logic.
The CWE demonstrative example (Java): the first method creates a bank account with no authentication check at all, while the second refuses to create one unless the caller has first been authenticated. Note that a single boolean field shared by all callers, as used here, is only illustrative; in a real service the authenticated identity should be bound to the request or session rather than kept in a global flag.

```java
// Example 1 (weak): any caller can create an account; no authentication is required.
public BankAccount createBankAccount(String accountNumber, String accountType,
                                     String accountName, String accountSSN, double balance) {
    BankAccount account = new BankAccount();
    account.setAccountNumber(accountNumber);
    account.setAccountType(accountType);
    account.setAccountOwnerName(accountName);
    account.setAccountOwnerSSN(accountSSN);
    account.setBalance(balance);
    return account;
}

// Example 2 (fixed): account creation is gated on a prior authentication step.
private boolean isUserAuthentic = false;

// authenticate user,
// if user is authenticated then set variable to true
// otherwise set variable to false
public boolean authenticateUser(String username, String password) {
    ...
}

public BankAccount createNewBankAccount(String accountNumber, String accountType,
                                        String accountName, String accountSSN, double balance) {
    BankAccount account = null;
    if (isUserAuthentic) {
        account = new BankAccount();
        account.setAccountNumber(accountNumber);
        account.setAccountType(accountType);
        account.setAccountOwnerName(accountName);
        account.setAccountOwnerSSN(accountSSN);
        account.setBalance(balance);
    }
    // Returns null when the caller has not been authenticated.
    return account;
}
```

| CVE ID | Title | CVSS | Risk Level | Published |
|---|---|---|---|---|
| CVE-2019-18572 | Dell RSA Identity Governance and Lifecycle and RSA Via Lifecycle and Governance Authorization Issue Vulnerability — RSA Identity Governance & Lifecycle | 9.8 | - | 2019-12-18 |
| CVE-2019-5152 | Shadowsocks-libev Access Control Error Vulnerability — Shadowsocks | 5.9 | - | 2019-12-18 |
| CVE-2019-18339 | Siemens SiNVR 3 Central Control Server Access Control Error Vulnerability — SiNVR/SiVMS Video Server | 9.8 | Critical | 2019-12-12 |
| CVE-2019-5164 | Shadowsocks-libev Access Control Error Vulnerability — Shadowsocks | 7.8 | - | 2019-12-03 |
| CVE-2019-5163 | Shadowsocks-libev Access Control Error Vulnerability — Shadowsocks | 7.5 | - | 2019-12-03 |
| CVE-2019-18230 | Honeywell equIP Series and Performance Series IP Cameras Access Control Error Vulnerability — Honeywell equIP & Performance series IP cameras | 7.5 | - | 2019-10-31 |
| CVE-2019-3978 | MikroTik RouterOS Access Control Error Vulnerability — MikroTik RouterOS | 7.5 | - | 2019-10-28 |
| CVE-2019-13525 | Honeywell IP-AK2 Access Control Error Vulnerability — Honeywell IP-AK2 | 5.3 | - | 2019-10-25 |
| CVE-2019-13549 | Rittal Chiller SK 3232-Series Access Control Error Vulnerability — Rittal Chiller SK 3232-Series | 7.5 | - | 2019-10-25 |
| CVE-2019-15282 | Cisco Identity Services Engine Access Control Error Vulnerability — Cisco Identity Services Engine Software | 5.3 | - | 2019-10-16 |
| CVE-2019-1895 | Cisco Enterprise NFV Infrastructure Software Access Control Error Vulnerability — Cisco Enterprise NFV Infrastructure Software | 9.8 | - | 2019-08-07 |
| CVE-2015-7559 | Apache ActiveMQ Input Validation Error Vulnerability — ActiveMQ | 4.9 | - | 2019-08-01 |
| CVE-2019-10915 | Siemens TIA Administrator Access Control Error Vulnerability — TIA Administrator | 7.8 | - | 2019-07-11 |
| CVE-2019-1876 | Cisco Wide Area Application Services Software Access Control Error Vulnerability — Cisco Wide Area Application Services (WAAS) | 5.3 | - | 2019-06-20 |
| CVE-2019-1631 | Cisco Integrated Management Controller Access Control Error Vulnerability — Cisco Unified Computing System (Management Software) | 5.3 | - | 2019-06-20 |
| CVE-2019-1629 | Cisco Integrated Management Controller Access Control Error Vulnerability — Cisco Unified Computing System (Management Software) | 7.5 | - | 2019-06-20 |
| CVE-2017-15123 | Red Hat CloudForms Access Control Error Vulnerability — CloudForms | 7.5 | - | 2019-06-12 |
| CVE-2019-6820 | Multiple Schneider Electric Products Access Control Error Vulnerability — Modicon and PacDrive Controller, All versions of: Modicon M100, Modicon M200, Modicon M221, ATV IMC drive controller, Modicon M241, Modicon M251, Modicon M258, Modicon LMC058, Modicon LMC078, PacDrive Eco, PacDrive Pro, PacDrive Pro2 | 8.2 | - | 2019-05-22 |
| CVE-2019-10919 | Siemens LOGO!8 BM Access Control Error Vulnerability — LOGO! 8 BM (incl. SIPLUS variants) | 9.8 | - | 2019-05-14 |
| CVE-2019-10922 | Siemens SIMATIC WinCC and SIMATIC PCS 7 Access Control Error Vulnerability — SIMATIC PCS 7 V8.0 and earlier | 9.8 | - | 2019-05-14 |
| CVE-2019-6542 | ENTTEC Datagate MK2 Access Control Error Vulnerability — Datagate MK2 | 7.5 | - | 2019-03-28 |
| CVE-2019-3917 | Nokia Alcatel Lucent I-240W-Q GPON ONT Access Control Error Vulnerability — Alcatel Lucent I-240W-Q GPON ONT | 7.5 | - | 2019-03-05 |
| CVE-2018-19636 | SUSE Supportutils Input Validation Error Vulnerability — supportutils | 7.8 | - | 2019-03-05 |
| CVE-2019-6543 | AVEVA Group plc InduSoft Web Studio and InTouch Edge HMI Access Control Error Vulnerability — AVEVA Software, LLC InduSoft Web Studio prior to Version 8.1 SP3 and InTouch Edge HMI (formerly InTouch Machine Edition) prior to Version 2017 Update | 8.4 | - | 2019-02-13 |
| CVE-2019-6533 | Kunbus PR100088 Modbus Security Vulnerability — PR100088 Modbus gateway | 9.1 | - | 2019-02-12 |
| CVE-2018-0181 | Cisco Policy Suite for Mobile and Policy Suite Diameter Routing Agent Access Control Error Vulnerability — Cisco Policy Suite (CPS) Software | 9.1 | - | 2019-01-10 |
| CVE-2018-18995 | ABB GATE-E1 and GATE-E2 Security Vulnerability — ABB GATE-E1 and GATE-E2 | 9.8 | - | 2019-01-03 |
| CVE-2018-17924 | Multiple Rockwell Automation Products Security Vulnerability — Rockwell Automation | 7.5 | - | 2018-12-07 |
| CVE-2018-5393 | TP-Link EAP Controller for Linux Security Vulnerability — EAP Controller | 9.8 | - | 2018-09-28 |
| CVE-2018-14796 | Tec4Data SmartCooler Security Vulnerability — SmartCooler | 7.5 | - | 2018-09-20 |
CWE-306 (Missing Authentication for Critical Function) is a common weakness category; this platform has collected 1168 CVE entries associated with it.