CWE-287
DiscouragedImproper Authentication
Abstraction: Class · Status: Draft
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
5951 vulnerabilities reference this CWE, most recent first.
GHSA-66H5-29P5-X9FQ
Vulnerability from github – Published: 2022-05-14 02:42 – Updated: 2025-04-11 03:42Pointter PHP Micro-Blogging Social Network 1.8 allows remote attackers to bypass authentication and obtain administrative privileges via arbitrary values of the auser and apass cookies.
{
"affected": [],
"aliases": [
"CVE-2010-4333"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2010-12-22T03:00:00Z",
"severity": "HIGH"
},
"details": "Pointter PHP Micro-Blogging Social Network 1.8 allows remote attackers to bypass authentication and obtain administrative privileges via arbitrary values of the auser and apass cookies.",
"id": "GHSA-66h5-29p5-x9fq",
"modified": "2025-04-11T03:42:13Z",
"published": "2022-05-14T02:42:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2010-4333"
},
{
"type": "WEB",
"url": "http://www.exploit-db.com/exploits/15741"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/515306/100/0/threaded"
},
{
"type": "WEB",
"url": "http://www.uncompiled.com/2010/12/pointter-php-micro-blogging-social-network-unauthorized-privilege-escalation-cve-2010-4333"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-66RX-GQX3-P98M
Vulnerability from github – Published: 2022-05-13 01:01 – Updated: 2022-07-13 15:30Apache Axis2 allows remote attackers to forge messages and bypass authentication via a SAML assertion that lacks a Signature element, aka a "Signature exclusion attack," a different vulnerability than CVE-2012-4418.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.axis2:axis2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2012-5351"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-13T15:30:16Z",
"nvd_published_at": "2012-10-09T23:55:00Z",
"severity": "MODERATE"
},
"details": "Apache Axis2 allows remote attackers to forge messages and bypass authentication via a SAML assertion that lacks a Signature element, aka a \"Signature exclusion attack,\" a different vulnerability than CVE-2012-4418. ",
"id": "GHSA-66rx-gqx3-p98m",
"modified": "2022-07-13T15:30:42Z",
"published": "2022-05-13T01:01:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-5351"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/79487"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"type": "WEB",
"url": "http://www.nds.rub.de/media/nds/veroeffentlichungen/2012/08/22/BreakingSAML_3.pdf"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Improper Authentication in Apache Axis2"
}
GHSA-66VH-4G4J-7X2Q
Vulnerability from github – Published: 2022-05-17 05:26 – Updated: 2025-04-11 04:00The administrative interface in the embedded web server on the BreakingPoint Storm appliance before 3.0 does not require authentication for the gwt/BugReport script, which allows remote attackers to obtain sensitive information by downloading a .tgz file.
{
"affected": [],
"aliases": [
"CVE-2012-2963"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2012-08-12T16:55:00Z",
"severity": "MODERATE"
},
"details": "The administrative interface in the embedded web server on the BreakingPoint Storm appliance before 3.0 does not require authentication for the gwt/BugReport script, which allows remote attackers to obtain sensitive information by downloading a .tgz file.",
"id": "GHSA-66vh-4g4j-7x2q",
"modified": "2025-04-11T04:00:24Z",
"published": "2022-05-17T05:26:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-2963"
},
{
"type": "WEB",
"url": "http://www.kb.cert.org/vuls/id/520430"
},
{
"type": "WEB",
"url": "http://www.kb.cert.org/vuls/id/MAPG-8GANCC"
},
{
"type": "WEB",
"url": "http://www.secureworks.com/research/advisories/SWRX-2012-005"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-66WX-WCFH-HV4G
Vulnerability from github – Published: 2022-05-24 17:44 – Updated: 2022-07-13 00:01A request-validation issue was discovered in Open5GS 2.1.3 through 2.2.0. The WebUI component allows an unauthenticated user to use a crafted HTTP API request to create, read, update, or delete entries in the subscriber database. For example, new administrative users can be added. The issue occurs because Express is not set up to require authentication.
{
"affected": [],
"aliases": [
"CVE-2021-28122"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-10T15:15:00Z",
"severity": "CRITICAL"
},
"details": "A request-validation issue was discovered in Open5GS 2.1.3 through 2.2.0. The WebUI component allows an unauthenticated user to use a crafted HTTP API request to create, read, update, or delete entries in the subscriber database. For example, new administrative users can be added. The issue occurs because Express is not set up to require authentication.",
"id": "GHSA-66wx-wcfh-hv4g",
"modified": "2022-07-13T00:01:14Z",
"published": "2022-05-24T17:44:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28122"
},
{
"type": "WEB",
"url": "https://github.com/open5gs/open5gs/issues/837"
},
{
"type": "WEB",
"url": "https://github.com/open5gs/open5gs/pull/838"
},
{
"type": "WEB",
"url": "https://github.com/open5gs/open5gs/compare/v2.2.0...v2.2.1"
},
{
"type": "WEB",
"url": "https://github.com/open5gs/open5gs/releases"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6726-2RX3-CGWH
Vulnerability from github – Published: 2024-02-07 15:30 – Updated: 2024-02-07 19:23Improper Authentication vulnerability in Apache Ozone.
The vulnerability allows an attacker to download metadata internal to the Storage Container Manager service without proper authentication. The attacker is not allowed to do any modification within the Ozone Storage Container Manager service using this vulnerability. The accessible metadata does not contain sensitive information that can be used to exploit the system later on, and the accessible data does not make it possible to gain access to actual user data within Ozone. This issue affects Apache Ozone: 1.2.0 and subsequent releases up until 1.3.0.
Users are recommended to upgrade to version 1.4.0, which fixes the issue.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.ozone:ozone-main"
},
"ranges": [
{
"events": [
{
"introduced": "1.2.0"
},
{
"fixed": "1.4.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-39196"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": true,
"github_reviewed_at": "2024-02-07T19:23:35Z",
"nvd_published_at": "2024-02-07T13:15:07Z",
"severity": "MODERATE"
},
"details": "Improper Authentication vulnerability in Apache Ozone.\n\nThe vulnerability allows an attacker to download metadata internal to the Storage Container Manager service without proper authentication.\nThe attacker is not allowed to do any modification within the Ozone Storage Container Manager service using this vulnerability.\nThe accessible metadata does not contain sensitive information that can be used to exploit the system later on, and the accessible data does not make it possible to gain access to actual user data within Ozone.\nThis issue affects Apache Ozone: 1.2.0 and subsequent releases up until 1.3.0.\n\nUsers are recommended to upgrade to version 1.4.0, which fixes the issue.",
"id": "GHSA-6726-2rx3-cgwh",
"modified": "2024-02-07T19:23:35Z",
"published": "2024-02-07T15:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39196"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/ozone"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/o96ct5t7kj5cgrmmfc6756m931t08nky"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/02/07/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Apache Ozone Improper Authentication vulnerability"
}
GHSA-676J-VQR4-6W3H
Vulnerability from github – Published: 2022-05-24 17:22 – Updated: 2025-10-22 00:31SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system, leading to Missing Authentication Check.
{
"affected": [],
"aliases": [
"CVE-2020-6287"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-306"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-07-14T13:15:00Z",
"severity": "HIGH"
},
"details": "SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system, leading to Missing Authentication Check.",
"id": "GHSA-676j-vqr4-6w3h",
"modified": "2025-10-22T00:31:56Z",
"published": "2022-05-24T17:22:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6287"
},
{
"type": "WEB",
"url": "https://launchpad.support.sap.com/#/notes/2934135"
},
{
"type": "WEB",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-6287"
},
{
"type": "WEB",
"url": "https://www.onapsis.com/recon-sap-cyber-security-vulnerability"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/162085/SAP-JAVA-Configuration-Task-Execution.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2021/Apr/6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6795-RMGW-89Q2
Vulnerability from github – Published: 2022-05-24 16:52 – Updated: 2023-03-08 03:30A vulnerability in the web-based management interface of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an unauthenticated, remote attacker to bypass authentication and get limited access to the web-based management interface. The vulnerability is due to an incorrect implementation of authentication in the web-based management interface. An attacker could exploit this vulnerability by sending a crafted authentication request to the web-based management interface on an affected system. A successful exploit could allow the attacker to view limited configuration details and potentially upload a virtual machine image.
{
"affected": [],
"aliases": [
"CVE-2019-1946"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-08-08T08:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the web-based management interface of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an unauthenticated, remote attacker to bypass authentication and get limited access to the web-based management interface. The vulnerability is due to an incorrect implementation of authentication in the web-based management interface. An attacker could exploit this vulnerability by sending a crafted authentication request to the web-based management interface on an affected system. A successful exploit could allow the attacker to view limited configuration details and potentially upload a virtual machine image.",
"id": "GHSA-6795-rmgw-89q2",
"modified": "2023-03-08T03:30:16Z",
"published": "2022-05-24T16:52:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1946"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190807-nfvis-authbypass"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-679G-PP8V-JVG4
Vulnerability from github – Published: 2026-06-02 15:32 – Updated: 2026-06-16 03:30An authentication bypass vulnerability exists in MISP when LDAP mixed authentication is enabled with OTP enforcement. In deployments configured with LdapAuth.mixedAuth=true and Security.require_otp=true, users authenticated through an authentication plugin, such as LDAP, may have their authenticated session established during the application beforeFilter phase before the normal login flow enforces the OTP challenge.
As a result, an attacker with valid primary authentication credentials could bypass the required OTP step by authenticating through the plugin-backed login flow and then directly accessing another application URL instead of completing the OTP verification page. This allows access to the application as the affected user without providing a valid TOTP, HOTP, or email OTP code.
The issue affects configurations where plugin-based authentication is enabled and OTP is expected to be mandatory. The fix ensures that OTP requirements are checked immediately after plugin authentication and before the user session is established, redirecting users to the appropriate OTP challenge when required.
{
"affected": [],
"aliases": [
"CVE-2026-10611"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-02T14:16:44Z",
"severity": "HIGH"
},
"details": "An authentication bypass vulnerability exists in MISP when LDAP mixed authentication is enabled with OTP enforcement. In deployments configured with LdapAuth.mixedAuth=true and Security.require_otp=true, users authenticated through an authentication plugin, such as LDAP, may have their authenticated session established during the application beforeFilter phase before the normal login flow enforces the OTP challenge.\n\n\n\nAs a result, an attacker with valid primary authentication credentials could bypass the required OTP step by authenticating through the plugin-backed login flow and then directly accessing another application URL instead of completing the OTP verification page. This allows access to the application as the affected user without providing a valid TOTP, HOTP, or email OTP code.\n\n\n\nThe issue affects configurations where plugin-based authentication is enabled and OTP is expected to be mandatory. The fix ensures that OTP requirements are checked immediately after plugin authentication and before the user session is established, redirecting users to the appropriate OTP challenge when required.",
"id": "GHSA-679g-pp8v-jvg4",
"modified": "2026-06-16T03:30:34Z",
"published": "2026-06-02T15:32:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-10611"
},
{
"type": "WEB",
"url": "https://github.com/MISP/MISP/commit/39b3cb15aac4318afdd2ab63b96c2eac12b271fe"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-67MR-RVH8-9QX2
Vulnerability from github – Published: 2022-05-13 01:50 – Updated: 2022-05-13 01:50An issue was discovered in OpenAFS before 1.6.23 and 1.8.x before 1.8.2. The backup tape controller (butc) process accepts incoming RPCs but does not require (or allow for) authentication of those RPCs. Handling those RPCs results in operations being performed with administrator credentials, including dumping/restoring volume contents and manipulating the backup database. For example, an unauthenticated attacker can replace any volume's content with arbitrary data.
{
"affected": [],
"aliases": [
"CVE-2018-16947"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-09-12T01:29:00Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered in OpenAFS before 1.6.23 and 1.8.x before 1.8.2. The backup tape controller (butc) process accepts incoming RPCs but does not require (or allow for) authentication of those RPCs. Handling those RPCs results in operations being performed with administrator credentials, including dumping/restoring volume contents and manipulating the backup database. For example, an unauthenticated attacker can replace any volume\u0027s content with arbitrary data.",
"id": "GHSA-67mr-rvh8-9qx2",
"modified": "2022-05-13T01:50:28Z",
"published": "2022-05-13T01:50:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16947"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/09/msg00024.html"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4302"
},
{
"type": "WEB",
"url": "http://openafs.org/pages/security/OPENAFS-SA-2018-001.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-67P5-4GJP-J4VW
Vulnerability from github – Published: 2022-05-17 04:42 – Updated: 2022-05-17 04:42The dcXmlRpc::setUser method in nc/core/class.dc.xmlrpc.php in Dotclear before 2.6.3 allows remote attackers to bypass authentication via an empty password in an XML-RPC request.
{
"affected": [],
"aliases": [
"CVE-2014-3781"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2014-06-11T14:55:00Z",
"severity": "MODERATE"
},
"details": "The dcXmlRpc::setUser method in nc/core/class.dc.xmlrpc.php in Dotclear before 2.6.3 allows remote attackers to bypass authentication via an empty password in an XML-RPC request.",
"id": "GHSA-67p5-4gjp-j4vw",
"modified": "2022-05-17T04:42:21Z",
"published": "2022-05-17T04:42:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3781"
},
{
"type": "WEB",
"url": "http://dotclear.org/blog/post/2014/05/16/Dotclear-2.6.3"
},
{
"type": "WEB",
"url": "http://karmainsecurity.com/KIS-2014-05"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/126766/Dotclear-2.6.2-Authentication-Bypass.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2014/May/107"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/58675"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
Strategy: Libraries or Frameworks
Use an authentication framework or library such as the OWASP ESAPI Authentication feature.
CAPEC-114: Authentication Abuse
An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker.
CAPEC-115: Authentication Bypass
An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place.
CAPEC-151: Identity Spoofing
Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principle or use stolen / spoofed authentication credentials.
CAPEC-194: Fake the Source of Data
An adversary takes advantage of improper authentication to provide data or services under a falsified identity. The purpose of using the falsified identity may be to prevent traceability of the provided data or to assume the rights granted to another individual. One of the simplest forms of this attack would be the creation of an email message with a modified "From" field in order to appear that the message was sent from someone other than the actual sender. The root of the attack (in this case the email system) fails to properly authenticate the source and this results in the reader incorrectly performing the instructed action. Results of the attack vary depending on the details of the attack, but common results include privilege escalation, obfuscation of other attacks, and data corruption/manipulation.
CAPEC-22: Exploiting Trust in Client
An attack of this type exploits vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by communicating directly with the server where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
CAPEC-57: Utilizing REST's Trust in the System Resource to Obtain Sensitive Data
This attack utilizes a REST(REpresentational State Transfer)-style applications' trust in the system resources and environment to obtain sensitive data once SSL is terminated.
CAPEC-593: Session Hijacking
This type of attack involves an adversary that exploits weaknesses in an application's use of sessions in performing authentication. The adversary is able to steal or manipulate an active session and use it to gain unathorized access to the application.
CAPEC-633: Token Impersonation
An adversary exploits a weakness in authentication to create an access token (or equivalent) that impersonates a different entity, and then associates a process/thread to that that impersonated token. This action causes a downstream user to make a decision or take action that is based on the assumed identity, and not the response that blocks the adversary.
CAPEC-650: Upload a Web Shell to a Web Server
By exploiting insufficient permissions, it is possible to upload a web shell to a web server in such a way that it can be executed remotely. This shell can have various capabilities, thereby acting as a "gateway" to the underlying web server. The shell might execute at the higher permission level of the web server, providing the ability the execute malicious code at elevated levels.
CAPEC-94: Adversary in the Middle (AiTM)
An adversary targets the communication between two components (typically client and server), in order to alter or obtain data from transactions. A general approach entails the adversary placing themself within the communication channel between the two components.