VYPR

CWE-287

Improper Authentication

Abstraction: Class · Status: Draft · Likelihood of exploit: High

Description

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-114 · CAPEC-115 · CAPEC-151 · CAPEC-194 · CAPEC-22 · CAPEC-57 · CAPEC-593 · CAPEC-633 · CAPEC-650 · CAPEC-94

CVEs mapped to this weakness (2,419)

page 22 of 121
  • CVE-2024-47533 · Critical · Nov 18, 2024
    risk 0.57 · CVSS 9.8 · EPSS 0.04

    Cobbler, a Linux installation server that allows for rapid setup of network installation environments, has an improper authentication vulnerability starting in version 3.0.0 and prior to versions 3.2.3 and 3.3.7. `utils.get_shared_secret()` always returns `-1`, which allows…

  • CVE-2023-22650 · High · Oct 16, 2024
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    A vulnerability has been identified in which Rancher does not automatically clean up a user which has been deleted from the configured authentication provider (AP). This characteristic also applies to disabled or revoked users, Rancher will not reflect these modifications which…

  • CVE-2024-41929 · High · Sep 18, 2024
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    Improper authentication vulnerability in multiple digital video recorders provided by TAKENAKA ENGINEERING CO., LTD. allows a remote authenticated attacker to execute an arbitrary OS command on the device or alter the device settings.

  • CVE-2024-45346 · High · Aug 28, 2024
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    The Xiaomi Security Center expresses heartfelt thanks to Ken Gannon and Ilyes Beghdadi of NCC Group working with Trend Micro Zero Day Initiative! At the same time, we also welcome more outstanding and professional security experts and security teams to join the Mi Security…

  • CVE-2024-39340 · High · Jul 12, 2024
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    The authentication system of Securepoint UTM mishandles OTP keys. This allows the bypassing of second-factor verification (when OTP is enabled) in both the administration web interface and the user portal. Affected versions include UTM 11.5 through 12.6.4 and Reseller Preview…

  • CVE-2024-6397 · Critical · Jul 11, 2024
    risk 0.57 · CVSS 9.8 · EPSS 0.01

    The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 0.1.0.44. This is due to insufficient verification of the API key. This makes it possible for unauthenticated attackers to log…

  • CVE-2024-23767 · High · Jun 26, 2024
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    An issue was discovered on HMS Anybus X-Gateway AB7832-F firmware version 3. The HICP protocol allows unauthenticated changes to a device's network configurations.

  • CVE-2024-36264 · Critical · Jun 12, 2024
    risk 0.57 · CVSS 9.8 · EPSS 0.01

    ** UNSUPPORTED WHEN ASSIGNED ** Improper Authentication vulnerability in Apache Submarine Commons Utils. If the user doesn't explicitly set `submarine.auth.default.secret`, a default value will be used. This issue affects Apache Submarine Commons Utils: from 0.8.0. As this…

  • CVE-2024-5201 · High · May 23, 2024
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    Privilege Escalation in OpenText Dimensions RM allows an authenticated user to escalate their privilege to the privilege of another user via HTTP Request

  • CVE-2024-4129 · High · May 14, 2024
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    Improper Authentication vulnerability in Snow Software AB Snow License Manager on Windows allows a networked attacker to perform an Authentication Bypass if Active Directory Authentication is enabled. This issue affects Snow License Manager: from 9.33.2 through 9.34.0.

  • CVE-2024-4303 · High · Apr 29, 2024
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    ArmorX Android APP's multi-factor authentication (MFA) for the login function is not properly implemented. Remote attackers who obtain user credentials can bypass MFA, allowing them to successfully log into the APP.

  • CVE-2023-51982 · Critical · Jan 30, 2024
    risk 0.57 · CVSS 9.8 · EPSS 0.01

    CrateDB 5.5.1 contains an authentication bypass vulnerability in the Admin UI component. After configuring password authentication and_ Local_ In the case of an address, identity authentication can be bypassed by setting the X-Real IP request header to a specific value and…

  • CVE-2022-41678 · High · Nov 28, 2023
    risk 0.57 · CVSS 8.8 · EPSS 0.86

    Once a user is authenticated on Jolokia, he can potentially trigger arbitrary code execution. In detail, in ActiveMQ configurations, jetty allows org.jolokia.http.AgentServlet to handle requests to /api/jolokia; org.jolokia.http.HttpRequestHandler#handlePostRequest is able…

  • CVE-2023-48312 · Critical · Nov 24, 2023
    risk 0.57 · CVSS 9.8 · EPSS 0.01

    capsule-proxy is a reverse proxy for the capsule operator project. Affected versions are subject to a privilege escalation vulnerability which is based on a missing check if the user is authenticated based on the `TokenReview` result. All the clusters running with the…

  • CVE-2023-43961 · High · Oct 25, 2023
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    An issue in Dromara SaToken version 1.3.50RC and before when using Spring dynamic controllers, a specially crafted request may cause an authentication bypass.

  • CVE-2022-34155 · High · Jul 18, 2023
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    Improper Authentication vulnerability in miniOrange OAuth Single Sign On – SSO (OAuth Client) plugin allows Authentication Bypass. This issue affects OAuth Single Sign On – SSO (OAuth Client): from n/a through 6.23.3.

  • CVE-2023-37266 · Critical · Jul 17, 2023
    risk 0.57 · CVSS 9.8 · EPSS 0.06

    CasaOS is an open-source Personal Cloud system. Unauthenticated attackers can craft arbitrary JWTs and access features that usually require authentication and execute arbitrary commands as `root` on CasaOS instances. This problem was addressed by improving the validation of JWTs…

  • CVE-2023-33190 · Critical · Jun 29, 2023
    risk 0.57 · CVSS 9.9 · EPSS 0.01

    Sealos is an open source cloud operating system distribution based on the Kubernetes kernel. In versions of Sealos prior to 4.2.1-rc4 an improper configuration of role based access control (RBAC) permissions resulted in an attacker being able to obtain cluster control…

  • CVE-2023-34340 · Critical · Jun 21, 2023
    risk 0.57 · CVSS 9.8 · EPSS 0.01

    Improper Authentication vulnerability in Apache Software Foundation Apache Accumulo. This issue affects Apache Accumulo: 2.1.0. Accumulo 2.1.0 contains a defect in the user authentication process that may succeed when invalid credentials are provided. Users are advised to…

  • CVE-2023-28609 · Critical · Mar 18, 2023
    risk 0.57 · CVSS 9.8 · EPSS 0.01

    api/auth.go in Ansible Semaphore before 2.8.89 mishandles authentication.