CWE-592
DEPRECATED: Authentication Bypass Issues
Description
This weakness has been deprecated because it covered redundant concepts already described in CWE-287.
CVEs mapped to this weakness (14)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-1085 | | Cri | 0.59 | 9.0 | 0.02 | | Jun 15, 2018 | openshift-ansible before versions 3.9.23, 3.7.46 deploys a misconfigured etcd file that causes the SSL client certificate authentication to be disabled. Quotations around the values of ETCD_CLIENT_CERT_AUTH and ETCD_PEER_CLIENT_CERT_AUTH in etcd.conf result in etcd being… |
| CVE-2017-2684 | | Cri | 0.59 | 9.0 | 0.02 | | Feb 22, 2017 | Siemens SIMATIC Logon prior to V1.5 SP3 Update 2 could allow an attacker with knowledge of a valid user name, and physical or network access to the affected system, to bypass the application-level authentication. |
| CVE-2026-43512 | | Cri | 0.57 | 9.8 | 0.01 | | May 12, 2026 | DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from before 7.0.0.… |
| CVE-2017-2650 | | Hig | 0.55 | 8.5 | 0.01 | | Jul 27, 2018 | It was found that the use of Pipeline: Classpath Step Jenkins plugin enables a bypass of the Script Security sandbox for users with SCM commit access, as well as users with e.g. Job/Configure permission in Jenkins. |
| CVE-2016-8371 | | Hig | 0.51 | 7.3 | 0.11 | | Apr 5, 2018 | The web server in Phoenix Contact ILC PLCs can be accessed without authenticating even if the authentication mechanism is enabled. |
| CVE-2023-30971 | — | Med | 0.44 | 6.8 | 0.00 | | Dec 19, 2025 | Gotham Gaia application was found to be exposing multiple unauthenticated endpoints. |
| CVE-2017-7536 | — | Hig | 0.39 | 7.0 | 0.00 | | Jan 10, 2018 | In Hibernate Validator 5.2.x before 5.2.5 final, 5.3.x, and 5.4.x, it was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By… |
| CVE-2018-10847 | | Med | 0.27 | 4.2 | 0.02 | | Jul 30, 2018 | prosody before versions 0.10.2, 0.9.14 is vulnerable to an Authentication Bypass. Prosody did not verify that the virtual host associated with a user session remained the same across stream restarts. A user may authenticate to XMPP host A and migrate their authenticated session… |
| CVE-2017-12164 | | Med | 0.27 | 4.1 | 0.00 | | Jul 26, 2018 | A flaw was discovered in gdm 3.24.1 where gdm greeter was no longer setting the ran_once boolean during autologin. If autologin was enabled for a victim, an attacker could simply select 'login as another user' to unlock their screen. |
| CVE-2016-8616 | | Low | 0.17 | 3.7 | 0.03 | | Aug 1, 2018 | A flaw was found in curl before version 7.51.0. When re-using a connection, curl was doing case insensitive comparisons of user name and password with the existing connections. This means that if an unused connection with proper credentials exists for a protocol that has… |
| CVE-2018-14643 | — | Cri | 0.00 | 9.8 | 0.06 | | Sep 21, 2018 | An authentication bypass flaw was found in the smart_proxy_dynflow component used by Foreman. A malicious attacker can use this flaw to remotely execute arbitrary commands on machines managed by vulnerable Foreman instances, in a highly privileged context. |
| CVE-2017-7537 | — | Med | 0.00 | 5.9 | 0.01 | | Jul 26, 2018 | It was found that a mock CMC authentication plugin with a hardcoded secret was accidentally enabled by default in the pki-core package before 10.6.4. An attacker could potentially use this flaw to bypass the regular authentication process and trick the CA server into issuing… |
| CVE-2014-2367 | | | 0.00 | — | 0.02 | | Jul 19, 2014 | The ChkCookie subroutine in an ActiveX control in broadweb/include/gChkCook.asp in Advantech WebAccess before 7.2 allows remote attackers to read arbitrary files via a crafted call. |
| CVE-2012-4688 | | | 0.00 | — | 0.02 | | Dec 31, 2012 | The Central application in i-GEN opLYNX before 2.01.9 allows remote attackers to bypass authentication via vectors involving the disabling of browser JavaScript support. |