CWE-287
Improper Authentication
ClassDraftLikelihood: High
Description
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-114 · CAPEC-115 · CAPEC-151 · CAPEC-194 · CAPEC-22 · CAPEC-57 · CAPEC-593 · CAPEC-633 · CAPEC-650 · CAPEC-94
CVEs mapped to this weakness (1,669)
page 63 of 84| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2011-5253 | 0.00 | — | 0.00 | Jan 12, 2013 | Dl Download Ticket Service 0.3 through 0.9 allows remote attackers to login as an arbitrary user by supplying an authorization header. | ||
| CVE-2012-4545 | 0.00 | — | 0.00 | Jan 3, 2013 | The http_negotiate_create_context function in protocol/http/http_negotiate.c in ELinks 0.12 before 0.12pre6, when using HTTP Negotiate or GSS-Negotiate authentication, delegates user credentials through GSSAPI, which allows remote servers to authenticate as the client via the delegated credentials. | ||
| CVE-2012-4688 | 0.00 | — | 0.00 | Dec 31, 2012 | The Central application in i-GEN opLYNX before 2.01.9 allows remote attackers to bypass authentication via vectors involving the disabling of browser JavaScript support. | ||
| CVE-2012-3002 | 0.00 | — | 0.02 | Dec 21, 2012 | The web interface on (1) Foscam and (2) Wansview IP cameras allows remote attackers to bypass authentication, and perform administrative functions or read the admin password, via a direct request to an unspecified URL. | ||
| CVE-2012-6067 | 0.00 | — | 0.01 | Dec 4, 2012 | freeFTPd.exe in freeFTPd through 1.0.11 allows remote attackers to bypass authentication via a crafted SFTP session, as demonstrated by an OpenSSH client with modified versions of ssh.c and sshconnect2.c. | ||
| CVE-2012-4614 | 0.00 | — | 0.01 | Nov 27, 2012 | The default configuration of EMC Smarts Network Configuration Manager (NCM) before 9.1 does not require authentication for database access, which allows remote attackers to have an unspecified impact via a network session. | ||
| CVE-2012-2377 | 0.00 | — | 0.01 | Nov 23, 2012 | JGroups diagnostics service in JBoss Enterprise Portal Platform before 5.2.2, SOA Platform before 5.3.0, and BRMS Platform before 5.3.0, is enabled without authentication when started by the JGroups channel, which allows remote attackers in adjacent networks to read diagnostics information via a crafted IP multicast. | ||
| CVE-2011-4085 | 0.00 | — | 0.01 | Nov 23, 2012 | The servlets invoked by httpha-invoker in JBoss Enterprise Application Platform before 5.1.2, SOA Platform before 5.2.0, BRMS Platform before 5.3.0, and Portal Platform before 4.3 CP07 perform access control only for the GET and POST methods, which allow remote attackers to bypass authentication by sending a request with a different method. NOTE: this vulnerability exists because of a CVE-2010-0738 regression. | ||
| CVE-2012-5758 | 0.00 | — | 0.03 | Nov 23, 2012 | The IBM WebSphere DataPower XC10 Appliance 2.0.0.0 through 2.0.0.3 and 2.1.0.0 through 2.1.0.2 does not require authentication for an unspecified interface, which allows remote attackers to cause a denial of service (process exit) via unknown vectors. | ||
| CVE-2012-5886 | 0.00 | — | 0.01 | Nov 17, 2012 | The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 caches information about the authenticated user within the session state, which makes it easier for remote attackers to bypass authentication via vectors related to the session ID. | ||
| CVE-2012-4613 | 0.00 | — | 0.00 | Nov 16, 2012 | EMC RSA Data Protection Manager Appliance 2.7.x and 3.x before 3.2.1 does not properly restrict the number of authentication attempts by a user account, which makes it easier for local users to bypass intended access restrictions via a brute-force attack. | ||
| CVE-2012-4021 | 0.00 | — | 0.00 | Nov 8, 2012 | MosP kintai kanri before 4.1.0 does not properly perform authentication, which allows remote authenticated users to impersonate arbitrary user accounts, and consequently obtain sensitive information or modify settings, via unspecified vectors. | ||
| CVE-2012-3315 | 0.00 | — | 0.00 | Nov 8, 2012 | The Java servlets in the management console in IBM Tivoli Federated Identity Manager (TFIM) through 6.2.2 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) before 6.2.2 do not require authentication for all resource downloads, which allows remote attackers to bypass intended J2EE security constraints, and obtain sensitive information related to (1) federation metadata or (2) a web plugin configuration template, via a crafted request. | ||
| CVE-2012-4659 | 0.00 | — | 0.01 | Oct 29, 2012 | The AAA functionality in the IPv4 SSL VPN implementations on Cisco Adaptive Security Appliances (ASA) 5500 series devices, and the ASA Services Module (ASASM) in Cisco Catalyst 6500 series devices, with software 8.2 before 8.2(5.30) and 8.3 before 8.3(2.34) allows remote attackers to cause a denial of service (device reload) via a crafted authentication response, aka Bug ID CSCtz04566. | ||
| CVE-2012-5353 | 0.00 | — | 0.00 | Oct 9, 2012 | Eduserv OpenAthens SP 2.0 for Java allows remote attackers to forge messages and bypass authentication via a SAML assertion that lacks a Signature element, aka a "Signature exclusion attack." | ||
| CVE-2012-5352 | 0.00 | — | 0.00 | Oct 9, 2012 | Java Open Single Sign-On Project Home (JOSSO) allows remote attackers to forge messages and bypass authentication via a SAML assertion that lacks a Signature element, aka a "Signature exclusion attack." | ||
| CVE-2012-5351 | 0.00 | — | 0.00 | Oct 9, 2012 | Apache Axis2 allows remote attackers to forge messages and bypass authentication via a SAML assertion that lacks a Signature element, aka a "Signature exclusion attack," a different vulnerability than CVE-2012-4418. | ||
| CVE-2012-4418 | 0.00 | — | 0.00 | Oct 9, 2012 | Apache Axis2 allows remote attackers to forge messages and bypass authentication via an "XML Signature wrapping attack." | ||
| CVE-2012-4457 | 0.00 | — | 0.01 | Oct 9, 2012 | OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-3 does not properly handle authorization tokens for disabled tenants, which allows remote authenticated users to access the tenant's resources by requesting a token for the tenant. | ||
| CVE-2012-4456 | 0.00 | — | 0.04 | Oct 9, 2012 | The (1) OS-KSADM/services and (2) tenant APIs in OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-2 do not properly validate X-Auth-Token, which allow remote attackers to read the roles for an arbitrary user or get, create, or delete arbitrary services. |