CWE-287
Improper Authentication
Description
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-114 · CAPEC-115 · CAPEC-151 · CAPEC-194 · CAPEC-22 · CAPEC-57 · CAPEC-593 · CAPEC-633 · CAPEC-650 · CAPEC-94
CVEs mapped to this weakness (2,419)
Page 107 of 121

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2010-2057 | | | 0.00 | — | 0.03 | | Oct 20, 2010 | shared/util/StateUtils.java in Apache MyFaces 1.1.x before 1.1.8, 1.2.x before 1.2.9, and 2.0.x before 2.0.1 uses an encrypted View State without a Message Authentication Code (MAC), which makes it easier for remote attackers to perform successful modifications of the View State… |
| CVE-2008-7263 | | | 0.00 | — | 0.02 | | Oct 19, 2010 | ftpserver.py in pyftpdlib before 0.5.0 does not delay its response after receiving an invalid login attempt, which makes it easier for remote attackers to obtain access via a brute-force attack. |
| CVE-2007-6737 | | | 0.00 | — | 0.01 | | Oct 19, 2010 | FTPServer.py in pyftpdlib before 0.2.0 does not increment the attempted_logins count for a USER command that specifies an invalid username, which makes it easier for remote attackers to obtain access via a brute-force attack. |
| CVE-2010-3739 | | | 0.00 | — | 0.01 | | Oct 5, 2010 | The audit facility in the Security component in IBM DB2 UDB 9.5 before FP6a uses instance-level audit settings to capture connection (aka CONNECT and AUTHENTICATION) events in certain circumstances in which database-level audit settings were intended, which might make it easier… |
| CVE-2010-3686 | | | 0.00 | — | 0.02 | | Sep 29, 2010 | The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not ensuring that fields are signed, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider. |
| CVE-2010-3685 | | | 0.00 | — | 0.02 | | Sep 29, 2010 | The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not checking for reuse of openid.response_nonce values, which allows remote attackers to bypass authentication by leveraging an assertion from an… |
| CVE-2010-3091 | | | 0.00 | — | 0.02 | | Sep 29, 2010 | The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not verifying the openid.return_to value, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID… |
| CVE-2010-1820 | | | 0.00 | — | 0.02 | | Sep 21, 2010 | Apple Filing Protocol (AFP) Server in Apple Mac OS X 10.6.x through 10.6.4 does not properly handle errors, which allows remote attackers to bypass the password requirement for shared-folder access by leveraging knowledge of a valid account name. |
| CVE-2010-3471 | | | 0.00 | — | 0.01 | | Sep 20, 2010 | Session fixation vulnerability in the Workplace (aka WP) component in IBM FileNet P8 Application Engine (P8AE) 4.0.2.x before 4.0.2.7-P8AE-FP007 allows remote attackers to hijack web sessions via unspecified vectors. |
| CVE-2010-2940 | | | 0.00 | — | 0.02 | | Aug 30, 2010 | The auth_send function in providers/ldap/ldap_auth.c in System Security Services Daemon (SSSD) 1.3.0, when LDAP authentication and anonymous bind are enabled, allows remote attackers to bypass the authentication requirements of pam_authenticate via an empty password. |
| CVE-2010-1802 | | | 0.00 | — | 0.01 | | Aug 25, 2010 | libsecurity in Apple Mac OS X 10.5.8 and 10.6.4 does not properly perform comparisons to domain-name strings in X.509 certificates, which allows man-in-the-middle attackers to spoof SSL servers via a certificate associated with a similar domain name, as demonstrated by use of a… |
| CVE-2010-2944 | | | 0.00 | — | 0.01 | | Aug 20, 2010 | The authenticate function in LDAPUserFolder/LDAPUserFolder.py in zope-ldapuserfolder 2.9-1 does not verify the password for the emergency account, which allows remote attackers to gain privileges. |
| CVE-2010-0834 | | | 0.00 | — | 0.03 | | Aug 10, 2010 | The base-files package before 5.0.0ubuntu7.1 on Ubuntu 9.10 and before 5.0.0ubuntu20.10.04.2 on Ubuntu 10.04 LTS, as shipped on Dell Latitude 2110 netbooks, does not require authentication for package installation, which allows remote archive servers and man-in-the-middle… |
| CVE-2010-2526 | | | 0.00 | — | 0.01 | | Aug 5, 2010 | The cluster logical volume manager daemon (clvmd) in lvm2-cluster in LVM2 before 2.02.72, as used in Red Hat Global File System (GFS) and other products, does not verify client credentials upon a socket connection, which allows local users to cause a denial of service (daemon… |
| CVE-2010-2927 | | | 0.00 | — | 0.02 | | Aug 2, 2010 | The slapi_printmessage function in IBM Tivoli Directory Server (ITDS) before 6.0.0.8-TIV-ITDS-IF0006 allows remote attackers to cause a denial of service (daemon crash) via multiple incomplete DIGEST-MD5 connection attempts. |
| CVE-2010-0833 | | | 0.00 | — | 0.04 | | Jul 28, 2010 | The pam_lsass library in Likewise Open 5.4 and CIFS 5.4 before build 8046, and 6.0 before build 8234, as used in HP StorageWorks X9000 Network Storage Systems and possibly other products, uses "SetPassword logic" when running as part of a root service, which allows remote… |
| CVE-2010-2668 | | | 0.00 | — | 0.01 | | Jul 8, 2010 | Unspecified vulnerability in Adaptive Micro Systems ALPHA Ethernet Adapter II Web-Manager 3.40.2 allows remote attackers to bypass authentication and read or write configuration files via unknown vectors. |
| CVE-2010-1670 | | | 0.00 | — | 0.02 | | Jul 6, 2010 | Mahara before 1.0.15, 1.1.x before 1.1.9, and 1.2.x before 1.2.5 has improper configuration options for authentication plugins associated with logins that use the single sign-on (SSO) functionality, which allows remote attackers to bypass authentication via an empty password. … |
| CVE-2009-4909 | | | 0.00 | — | 0.02 | | Jun 25, 2010 | admin/index.php in oBlog allows remote attackers to conduct brute-force password guessing attacks via HTTP requests. |
| CVE-2010-1375 | | | 0.00 | — | 0.00 | | Jun 17, 2010 | NetAuthSysAgent in Network Authorization in Apple Mac OS X 10.5.8 does not have the expected authorization requirements, which allows local users to gain privileges via unspecified vectors. |