CWE-289
Authentication Bypass by Alternate Name
Description
The product performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor.
Hierarchy (View 1000)
Parents
Children
none
CVEs mapped to this weakness (25)
page 2 of 2| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-64521 | 0.00 | — | 0.00 | Nov 19, 2025 | authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, when authenticating with client_id and client_secret to an OAuth provider, authentik creates a service account for the provider. In previous authentik versions, authentication for this… | |||
| CVE-2024-45691 | 0.00 | — | 0.00 | Nov 20, 2024 | A flaw was found in Moodle. When restricting access to a lesson activity with a password, certain passwords could be bypassed or less secure due to a loose comparison in the password-checking logic. This issue only affected passwords set to "magic hash" values. | |||
| CVE-2023-51663 | 0.00 | — | 0.00 | Dec 29, 2023 | Hail is an open-source, general-purpose, Python-based data analysis tool with additional data types and methods for working with genomic data. Hail relies on OpenID Connect (OIDC) email addresses from ID tokens to verify the validity of a user's domain, but because users have… | |||
| CVE-2023-41890 | 0.00 | — | 0.01 | Sep 19, 2023 | Sustainsys.Saml2 library adds SAML2P support to ASP.NET web sites, allowing the web site to act as a SAML2 Service Provider. Prior to versions 1.0.3 and 2.9.2, when a response is processed, the issuer of the Identity Provider is not sufficiently validated. This could allow a… | |||
| CVE-2021-30640 | — | 0.00 | — | 0.10 | Jul 12, 2021 | A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to… |
- CVE-2025-64521Nov 19, 2025risk 0.00cvss —epss 0.00
authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, when authenticating with client_id and client_secret to an OAuth provider, authentik creates a service account for the provider. In previous authentik versions, authentication for this…
- CVE-2024-45691Nov 20, 2024risk 0.00cvss —epss 0.00
A flaw was found in Moodle. When restricting access to a lesson activity with a password, certain passwords could be bypassed or less secure due to a loose comparison in the password-checking logic. This issue only affected passwords set to "magic hash" values.
- CVE-2023-51663Dec 29, 2023risk 0.00cvss —epss 0.00
Hail is an open-source, general-purpose, Python-based data analysis tool with additional data types and methods for working with genomic data. Hail relies on OpenID Connect (OIDC) email addresses from ID tokens to verify the validity of a user's domain, but because users have…
- CVE-2023-41890Sep 19, 2023risk 0.00cvss —epss 0.01
Sustainsys.Saml2 library adds SAML2P support to ASP.NET web sites, allowing the web site to act as a SAML2 Service Provider. Prior to versions 1.0.3 and 2.9.2, when a response is processed, the issuer of the Identity Provider is not sufficiently validated. This could allow a…
- CVE-2021-30640Jul 12, 2021risk 0.00cvss —epss 0.10
A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to…