CWE-290
Authentication Bypass by Spoofing
BaseIncomplete
Description
This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-21 · CAPEC-22 · CAPEC-459 · CAPEC-461 · CAPEC-473 · CAPEC-476 · CAPEC-59 · CAPEC-60 · CAPEC-667 · CAPEC-94
CVEs mapped to this weakness (154)
page 4 of 8| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-3875 | Hig | 0.49 | 7.5 | 0.00 | May 14, 2025 | Thunderbird parses addresses in a way that can allow sender spoofing in case the server allows an invalid From address to be used. For example, if the From header contains an (invalid) value "Spoofed Name ", Thunderbird treats spoofed@example.com as the actual address. This vulnerability was fixed in Thunderbird 128.10.1 and Thunderbird 138.0.1. | |
| CVE-2024-55470 | Hig | 0.49 | 7.5 | 0.00 | Dec 20, 2024 | Oqtane Framework 6.0.0 is vulnerable to Incorrect Access Control. By manipulating the entityid parameter, attackers can bypass passcode validation and successfully log into the application or access restricted data without proper authorization. The lack of server-side validation exacerbates the issue, as the application relies on client-side information for authentication. | |
| CVE-2024-8935 | Hig | 0.49 | 7.5 | 0.00 | Nov 13, 2024 | CWE-290: Authentication Bypass by Spoofing vulnerability exists that could cause a denial of service and loss of confidentiality and integrity of controllers when conducting a Man-In-The-Middle attack between the controller and the engineering workstation while a valid user is establishing a communication session. This vulnerability is inherent to Diffie Hellman algorithm which does not protect against Man-In-The-Middle attacks. | |
| CVE-2024-8901 | Hig | 0.49 | 7.5 | 0.00 | Oct 22, 2024 | The AWS ALB Route Directive Adapter For Istio repo https://github.com/awslabs/aws-alb-route-directive-adapter-for-istio/tree/master provides an OIDC authentication mechanism that was integrated into the open source Kubeflow project. The adapter uses JWT for authentication, but lacks proper signer and issuer validation. In deployments of ALB that ignore security best practices, where ALB targets are directly exposed to internet traffic, an actor can provide a JWT signed by an untrusted entity in order to spoof OIDC-federated sessions and successfully bypass authentication. The repository/package has been deprecated, is end of life, and is no longer supported. As a security best practice, ensure that your ELB targets (e.g. EC2 Instances, Fargate Tasks etc.) do not have public IP addresses. Ensure any forked or derivative code validate that the signer attribute in the JWT match the ARN of the Application Load Balancer that the service is configured to use. | |
| CVE-2024-10125 | Hig | 0.49 | 7.5 | 0.00 | Oct 22, 2024 | The Amazon.ApplicationLoadBalancer.Identity.AspNetCore repo https://github.com/awslabs/aws-alb-identity-aspnetcore#validatetokensignature contains Middleware that can be used in conjunction with the Application Load Balancer (ALB) OpenId Connect integration and can be used in any ASP.NET https://dotnet.microsoft.com/apps/aspnet Core deployment scenario, including Fargate, EKS, ECS, EC2, and Lambda. In the JWT handling code, it performs signature validation but fails to validate the JWT issuer and signer identity. The signer omission, if combined with a scenario where the infrastructure owner allows internet traffic to the ALB targets (not a recommended configuration), can allow for JWT signing by an untrusted entity and an actor may be able to mimic valid OIDC-federated sessions to the ALB targets. The repository/package has been deprecated, is end of life, and is no longer supported. As a security best practice, ensure that your ELB targets (e.g. EC2 Instances, Fargate Tasks etc.) do not have public IP addresses. Ensure any forked or derivative code validate that the signer attribute in the JWT match the ARN of the Application Load Balancer that the service is configured to use. | |
| CVE-2024-49193 | Hig | 0.49 | 7.5 | 0.00 | Oct 12, 2024 | Zendesk before 2024-07-02 allows remote attackers to read ticket history via e-mail spoofing, because Cc fields are extracted from incoming e-mail messages and used to grant additional authorization for ticket viewing, the mechanism for detecting spoofed e-mail messages is insufficient, and the support e-mail addresses associated with individual tickets are predictable. | |
| CVE-2017-11717 | Hig | 0.49 | 7.5 | 0.00 | Jul 28, 2017 | MetInfo through 5.3.17 accepts the same CAPTCHA response for 120 seconds, which makes it easier for remote attackers to bypass intended challenge requirements by modifying the client-server data stream, as demonstrated by the login/findpass page. | |
| CVE-2017-6405 | Hig | 0.49 | 7.5 | 0.00 | Mar 2, 2017 | An issue was discovered in Veritas NetBackup 8.0 and earlier and NetBackup Appliance 3.0 and earlier. Hostname-based security is open to DNS spoofing. | |
| CVE-2025-68644 | Hig | 0.48 | 7.4 | 0.00 | Dec 21, 2025 | Yealink RPS before 2025-06-27 allows unauthorized access to information, including AutoP URL addresses. This was fixed by deploying an enhanced authentication mechanism through a security update to all cloud instances. | |
| CVE-2025-27616 | Hig | 0.48 | 8.5 | 0.00 | Mar 10, 2025 | Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. Prior to versions 0.25.3 and 0.26.3, by spoofing a webhook payload with a specific set of headers and body data, an attacker could transfer ownership of a repository and its repo level secrets to a separate repository. These secrets could be exfiltrated by follow up builds to the repository. Users with an enabled repository with access to repo level CI secrets in Vela are vulnerable to the exploit, and any user with access to the CI instance and the linked source control manager can perform the exploit. Versions 0.25.3 and 0.26.3 fix the issue. No known workarounds are available. | |
| CVE-2025-50328 | Hig | 0.47 | 7.3 | 0.00 | Apr 29, 2026 | A vulnerability in B1 Free Archiver v1.5.86 allows files extracted from downloaded archives to bypass Windows Mark of the Web (MotW) protections. When an archive is downloaded from the internet and extracted using B1 Free Archiver, the software fails to propagate the 'Zone.Identifier' alternate data stream to the extracted files. As a result, these files can be executed without triggering Windows Defender SmartScreen warnings or security prompts, enabling untrusted code execution without standard security restrictions. | |
| CVE-2025-31511 | Hig | 0.47 | 7.3 | 0.00 | Jul 22, 2025 | An issue was discovered in AlertEnterprise Guardian 4.1.14.2.2.1. One can bypass manager approval by changing the user ID in a Request%20Building%20Access requestSubmit API call. The vendor has stated that the system is protected by updating to a version equal to or greater than one of the following build numbers: 4.1.12.2.1.19, 4.1.12.5.2.36, 4.1.13.0.60, 4.1.13.2.0.3.39, 4.1.13.2.0.3.41, 4.1.13.2.42, 4.1.13.2.25.44, 4.1.14.0.13, 4.1.14.0.43, 4.1.14.0.48, and 4.1.14.1.5.32. | |
| CVE-2025-29621 | Hig | 0.47 | 7.3 | 0.00 | Apr 22, 2025 | Francois Jacquet RosarioSIS v12.0.0 was discovered to contain a content spoofing vulnerability in the Theme configuration under the My Preferences module. This vulnerability allows attackers to manipulate application settings. | |
| CVE-2025-3029 | Hig | 0.47 | 7.3 | 0.00 | Apr 1, 2025 | A crafted URL containing specific Unicode characters could have hidden the true origin of the page, resulting in a potential spoofing attack. This vulnerability was fixed in Firefox 137, Firefox ESR 128.9, Thunderbird 137, and Thunderbird 128.9. | |
| CVE-2026-39959 | Hig | 0.46 | 7.1 | 0.00 | Apr 9, 2026 | Tmds.DBus provides .NET libraries for working with D-Bus from .NET. Tmds.DBus and Tmds.DBus.Protocol are vulnerable to malicious D-Bus peers. A peer on the same bus can spoof signals by impersonating the owner of a well-known name, exhaust system resources or cause file descriptor spillover by sending messages with an excessive number of Unix file descriptors, and crash the application by sending malformed message bodies that cause unhandled exceptions on the SynchronizationContext. This vulnerability is fixed in Tmds.DBus 0.92.0 and Tmds.DBus.Protocol 0.92.0 and 0.21.3. | |
| CVE-2025-37147 | Hig | 0.46 | 7.1 | 0.00 | Oct 14, 2025 | A Secure Boot Bypass Vulnerability exists in affected Access Points that allows an adversary to bypass the hardware root of trust verification in place to ensure only vendor-signed firmware can execute on the device. An adversary can exploit this vulnerability to run modified or custom firmware on affected Access Points. | |
| CVE-2025-26696 | Hig | 0.46 | 7.0 | 0.00 | Mar 10, 2025 | Certain crafted MIME email messages that claimed to contain an encrypted OpenPGP message, which instead contained an OpenPGP signed message, were wrongly shown as being encrypted. This vulnerability was fixed in Thunderbird 136 and Thunderbird 128.8. | |
| CVE-2024-33531 | Hig | 0.46 | 8.1 | 0.00 | Apr 24, 2024 | cdbattags lua-resty-jwt 0.2.3 allows attackers to bypass all JWT-parsing signature checks by crafting a JWT with an enc header with the value A256GCM. | |
| CVE-2017-16897 | Hig | 0.46 | 8.1 | 0.00 | Dec 27, 2017 | A vulnerability has been discovered in the Auth0 passport-wsfed-saml2 library affecting versions < 3.0.5. This vulnerability allows an attacker to impersonate another user and potentially elevate their privileges if the SAML identity provider does not sign the full SAML response (e.g., only signs the assertion within the response). | |
| CVE-1999-0012 | Hig | 0.46 | 7.0 | 0.01 | Feb 6, 1998 | Some web servers under Microsoft Windows allow remote attackers to bypass access restrictions for files with long file names. |