CWE-305
Authentication Bypass by Primary Weakness
Description
The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.
Hierarchy (View 1000)
Parents
Children
none
CVEs mapped to this weakness (72)
page 4 of 4

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-34077 | | | 0.00 | — | 0.01 | | May 13, 2024 | MantisBT (Mantis Bug Tracker) is an open source issue tracker. Insufficient access control in the registration and password reset process allows an attacker to reset another user's password and takeover their account, if the victim has an incomplete request pending. The exploit… |
| CVE-2023-47090 | | — | 0.00 | — | 0.01 | | Oct 30, 2023 | NATS nats-server before 2.9.23 and 2.10.x before 2.10.2 has an authentication bypass. An implicit $G user in an authorization block can sometimes be used for unauthenticated access, even when the intention of the configuration was for each user to have an account. The earliest… |
| CVE-2023-37918 | | | 0.00 | — | 0.01 | | Jul 21, 2023 | Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. A vulnerability has been found in Dapr that allows bypassing API token authentication, which is used by the Dapr sidecar to authenticate calls coming from the application, with… |
| CVE-2023-1307 | | | 0.00 | — | 0.01 | | Mar 10, 2023 | Authentication Bypass by Primary Weakness in GitHub repository froxlor/froxlor prior to 2.0.13. |
| CVE-2023-0777 | | | 0.00 | — | 0.15 | | Feb 10, 2023 | Authentication Bypass by Primary Weakness in GitHub repository modoboa/modoboa prior to 2.0.4. |
| CVE-2020-36569 | | — | 0.00 | — | 0.01 | | Dec 27, 2022 | Authentication is globally bypassed in github.com/nanobox-io/golang-nanoauth between v0.0.0-20160722212129-ac0cc4484ad4 and v0.0.0-20200131131040-063a3fb69896 if ListenAndServe is called with an empty token. |
| CVE-2022-4722 | | — | 0.00 | — | 0.01 | | Dec 23, 2022 | Authentication Bypass by Primary Weakness in GitHub repository ikus060/rdiffweb prior to 2.5.5. |
| CVE-2022-2818 | | | 0.00 | — | 0.01 | | Aug 15, 2022 | Improper Removal of Sensitive Information Before Storage or Transfer in GitHub repository cockpit-hq/cockpit prior to 2.2.2. |
| CVE-2021-3850 | | | 0.00 | — | 0.02 | | Jan 25, 2022 | Authentication Bypass by Primary Weakness in GitHub repository adodb/adodb prior to 5.20.21. |
| CVE-2021-21403 | | | 0.00 | — | 0.01 | | Mar 26, 2021 | In github.com/kongchuanhujiao/server before version 1.3.21 there is an authentication Bypass by Primary Weakness vulnerability. All users are impacted. This is fixed in version 1.3.21. |
| CVE-2020-14359 | | | 0.00 | — | 0.01 | | Feb 23, 2021 | A vulnerability was found in all versions of Keycloak Gatekeeper, where on using lower case HTTP headers (via cURL) an attacker can bypass our Gatekeeper. Lower case headers are also accepted by some webservers (e.g. Jetty). This means there is no protection when we put a… |
| CVE-2019-14909 | | | 0.00 | — | 0.01 | | Dec 4, 2019 | A vulnerability was found in Keycloak 7.x where the user federation LDAP bind type is none (LDAP anonymous bind), any password, invalid or valid will be accepted. |