CWE-288

BaseIncomplete

View on MITRE

Authentication Bypass Using an Alternate Path or Channel

The product requires authentication, but the product has an alternate path or channel that does not require authentication.

355 linked vulnerabilities

3 related weaknesses

Architecture and Design

Funnel all access through a single choke point to simplify how users can access a resource. For every access, perform a check to determine if the user has permissions to access the resource.

Access ControlBypass Protection Mechanism

Modes of Introduction

Architecture and DesignArchitecture and Design

Related Weaknesses

CWE-306ChildOf CWE-284ChildOf CWE-420PeerOf

Example CVEs (7)

CVE-2000-1179

Router allows remote attackers to read system logs without authentication by directly connecting to the login screen and typing certain control characters.

CVE-1999-1454

Attackers with physical access to the machine may bypass the password prompt by pressing the ESC (Escape) key.

CVE-1999-1077

OS allows local attackers to bypass the password protection of idled sessions via the programmer's switch or CMD-PWR keyboard sequence, which brings up a debugger that the attacker can use to disable the lock.

CVE-2003-0304

Direct request of installation file allows attacker to create administrator accounts.

CVE-2002-0870

Attackers may gain additional privileges by directly requesting the web management URL.

External Links

MITRE CWE Database

CWE-288: Authentication Bypass Using an Alternate Path or Channel | Mondoo Vulnerability Intelligence