CWE-1390

ClassIncomplete

View on MITRE

Weak Authentication

The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct.

50 linked vulnerabilities

1 related weaknesses

Extended Description

Attackers may be able to bypass weak authentication faster and/or with less effort than expected.

IntegrityConfidentialityAvailabilityAccess ControlRead Application DataGain Privileges or Assume IdentityExecute Unauthorized Code or Commands

This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even execute arbitrary code.

Modes of Introduction

Architecture and DesignImplementation

Related Weaknesses

CWE-287ChildOf

Example CVEs (7)

CVE-2024-48445

Chain: e-commerce app relies on an easily-guessable timestamp (CWE-341) in a weak authentication algorithm (CWE-1390)

CVE-2022-30034

Chain: Web UI for a Python RPC framework does not use regex anchors to validate user login emails (CWE-777), potentially allowing bypass of OAuth (CWE-1390).

CVE-2022-35248

Chat application skips validation when Central Authentication Service (CAS) is enabled, effectively removing the second factor from two-factor authentication

CVE-2021-3116

Chain: Python-based HTTP Proxy server uses the wrong boolean operators (CWE-480) causing an incorrect comparison (CWE-697) that identifies an authN failure if all three conditions are met instead of only one, allowing bypass of the proxy authentication (CWE-1390)

CVE-2022-29965

Distributed Control System (DCS) uses a deterministic algorithm to generate utility passwords

External Links

MITRE CWE Database