CWE-289 36 個 CVE MITRE 定義 ↗

CWE-289:Authentication Bypass by Alternate Name

概覽

CWE-289(Authentication Bypass by Alternate Name)描述一種在漏洞資料庫與安全評估中使用的弱點類型;定義、背景與對應 CVE 見下方各節。

安全影響
安全影響:因產品與情境而異;請結合 CVE 紀錄、嚴重度評分與 MITRE 說明進行優先級判斷。

描述

The product performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor.

適用平台

類型 名稱 普遍性 OS / CPE
language Not Language-Specific Undetermined

本庫相關 CVE

下列 CVE 在本庫中對應到該弱點,並保留以便追溯與檢索。

CVE 公開時間 摘要
CVE-2026-9701 2026-07-08 The Eventer plugin for WordPress is vulnerable to an insecure password reset mechanism in all versions up to, and including, 4.4.2. The plugin stores a plaintext copy of the password reset key in the …
CVE-2026-55075 2026-07-07 Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, two flaws in Coder's OIDC login chained into account takeov…
CVE-2026-48618 2026-06-25 A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat…
CVE-2026-56091 2026-06-25 When using Apache Shiro with the shiro-guice module in a web servlet context, a specially crafted HTTP request may cause an authentication bypass. This vulnerability is similar to https://www.cve.org…
CVE-2026-53622 2026-06-23 Traefik is an HTTP reverse proxy and load balancer. Prior to 3.7.3, there is a critical vulnerability in Traefik's HTTP/3 (QUIC) TLS configuration selection that allows unauthenticated clients to bypa…
CVE-2026-50627 2026-06-12 The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' (Audience) claims of incoming JWT access tokens. This allows a JWT issued for one Resource Server to be successfully replaye…
CVE-2026-44492 2026-06-11 Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios does not normalise IPv4-mapped IPv6 addresses. When NO_PROXY lists an IPv4 address such as 127.0.0.1…
CVE-2026-43617 2026-05-19 Rsync version 3.4.2 and prior contain an authorization bypass vulnerability in the rsync daemon's hostname-based access control list enforcement when configured with chroot. Attackers can bypass hostn…
CVE-2026-39858 2026-04-30 Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a high severity authentication bypass vulnerability in Traefik's ForwardAuth and snippet…
CVE-2026-3184 2026-04-03 A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. A r…
CVE-2026-32036 2026-03-19 OpenClaw gateway plugin versions prior to 2026.2.26 contain a path traversal vulnerability that allows remote attackers to bypass route authentication checks by manipulating /api/channels paths with e…
CVE-2026-23903 2026-02-09 Authentication Bypass by Alternate Name vulnerability in Apache Shiro. This issue affects Apache Shiro: before 2.0.7. Users are recommended to upgrade to version 2.0.7, which fixes the issue. The i…
CVE-2026-24058 2026-01-22 Soft Serve is a self-hostable Git server for the command line. Versions 0.11.2 and below have a critical authentication bypass vulnerability that allows an attacker to impersonate any user (including …
CVE-2025-55130 2026-01-20 A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a scr…
CVE-2025-14777 2025-12-16 A flaw was found in Keycloak. An IDOR (Broken Access Control) vulnerability exists in the admin API endpoints for authorization resource management, specifically in ResourceSetService and PermissionTi…
CVE-2025-13613 2025-12-09 The Elated Membership plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.2. This is due to the plugin not properly logging in a user with the data that…
CVE-2025-64521 2025-11-19 authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, when authenticating with client_id and client_secret to an OAuth provider, authentik creates a service account …
CVE-2025-64343 2025-11-07 (conda) Constructor is a tool that enables users to create installers for conda package collections. In versions 3.12.2 and below, the installation directory inherits permissions from its parent dire…
CVE-2025-60375 2025-10-09 The authentication mechanism in Perfex CRM before 3.3.1 allows attackers to bypass login credentials due to insufficient server-side validation. By sending empty username and password parameters in th…
CVE-2025-41248 2025-09-16 The Spring Security annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issu…

內容提交

名稱
PLOVER
日期
2006-07-19
版本
Draft 3

內容修訂

日期 名稱 版本 重要性 評論
2008-07-01 Eric Dalci 1.0 updated Potential_Mitigations, Time_of_Introduction
2008-09-08 CWE Content Team 1.0 updated Description, Relationships, Other_Notes, Relationship_Notes, Taxonomy_Mappings
2008-11-24 CWE Content Team 1.1 updated Observed_Examples
2009-07-27 CWE Content Team 1.5 updated Other_Notes, Potential_Mitigations, Theoretical_Notes
2011-03-29 CWE Content Team 1.12 updated Potential_Mitigations
2011-06-01 CWE Content Team 1.13 updated Common_Consequences, Relationships, Taxonomy_Mappings
2012-05-11 CWE Content Team 2.2 updated Relationships, Taxonomy_Mappings
2012-10-30 CWE Content Team 2.3 updated Potential_Mitigations
2014-07-30 CWE Content Team 2.8 updated Relationships
2017-05-03 CWE Content Team 2.11 updated Relationships
2017-11-08 CWE Content Team 3.0 updated Applicable_Platforms, Modes_of_Introduction, Relationships
2019-01-03 CWE Content Team 3.2 updated Relationships, Taxonomy_Mappings
2020-02-24 CWE Content Team 4.0 updated Potential_Mitigations, Relationships
2020-06-25 CWE Content Team 4.1 updated Potential_Mitigations
2022-10-13 CWE Content Team 4.9 updated Relationships
2023-01-31 CWE Content Team 4.10 updated Description, Type
2023-04-27 CWE Content Team 4.11 updated Relationships
2023-06-29 CWE Content Team 4.12 updated Mapping_Notes
2025-12-11 CWE Content Team 4.19 updated Detection_Factors, Observed_Examples, Relationships, Weakness_Ordinalities
cvelogic Threat Intelligence