Authentication Bypass by Primary Weakness| ID: 305 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: DRAFT |
| Abstraction Type: Base |
Description
The authentication algorithm is sound, but the implemented
mechanism can be bypassed as the result of a separate weakness that is primary
to the authentication error.
Applicable PlatformsLanguage Class: All
Time Of Introduction
- Architecture and Design
- Implementation
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| Access_Control | Bypass protection
mechanism | |
Detection MethodsNone
Potential MitigationsNone
RelationshipsMost "authentication bypass" errors are resultant, not primary.
| Related CWE | Type | View | Chain |
|---|
| CWE-305 ChildOf CWE-898 | Category | CWE-888 | |
Demonstrative ExamplesNone
Observed Examples
- CVE-2002-1374 : The provided password is only compared against the first character of the real password.
- CVE-2000-0979 : The password is not properly checked, which allows remote attackers to bypass access controls by sending a 1-byte password that matches the first character of the real password.
- CVE-2001-0088 : Chain: Forum software does not properly initialize an array, which inadvertently sets the password to a single character, allowing remote attackers to easily guess the password and gain administrative privileges.
For more examples, refer to CVE relations in the bottom box.
White Box Definitions None
Black Box Definitions None
Taxynomy Mappings
| Taxynomy | Id | Name | Fit |
|---|
| PLOVER | | Authentication Bypass by Primary Weakness | |
References:None
