CVEbaza.plSłownik CWECWE-592
Common Weakness Enumeration

CWE-592

DEPRECATED: Authentication Bypass Issues

Kategoria: ClassCVE: 24
Opis

Ta słabość została wycofana, ponieważ obejmowała zduplikowane pojęcia już opisane w CWE-287. Rekomenduje się użycie CWE-287 zamiast tej kategorii.

Description (EN)

This weakness has been deprecated because it covered redundant concepts already described in CWE-287.

Podatności CVE z CWE-592 (24)
9.8
CVSS
CRITICAL
CVE-2026-43512

Podatność w mechanizmie uwierzytelnienia digest w Apache Tomcat umożliwia atakującemu ominięcie procesu uwierzytelnienia bez posiadania jakichkolwiek uprawnień. Ocena CVSS 9.8 (CRITICAL) wskazuje na wyjątkowo wysokie ryzyko dla systemów wystawionych na dostęp sieciowy.

pub. 2026-05-12
9.8
CVSS
CRITICAL
CVE-2019-14910

A vulnerability was found in keycloak 7.x, when keycloak is configured with LDAP user federation and StartTLS is used instead of SSL/TLS from the LDAP server (ldaps), in this case user authentication succeeds even if invalid password has entered.

pub. 2019-12-05
9.8
CVSS
CRITICAL
CVE-2019-3899

It was found that default configuration of Heketi does not require any authentication potentially exposing the management interface to misuse. This isue only affects heketi as shipped with Openshift Container Platform 3.11.

pub. 2019-04-22
9.8
CVSS
CRITICAL
CVE-2014-5432

Baxter SIGMA Spectrum Infusion System version 6.05 (model 35700BAX) with wireless battery module (WBM) version 16 is remotely accessible via Port 22/SSH without authentication. A remote attacker may be able to make unauthorized configuration changes to the WBM, as well as issue commands to access account credentials and shared keys. Baxter asserts that this vulnerability only allows access to features and functionality on the WBM and that the SIGMA Spectrum infusion pump cannot be controlled from the WBM. Baxter has released a new version of the SIGMA Spectrum Infusion System, Version 8, which incorporates hardware and software changes.

pub. 2019-03-26
9.8
CVSS
CRITICAL
CVE-2018-14643

An authentication bypass flaw was found in the smart_proxy_dynflow component used by Foreman. A malicious attacker can use this flaw to remotely execute arbitrary commands on machines managed by vulnerable Foreman instances, in a highly privileged context.

pub. 2018-09-21
9.1
CVSS
CRITICAL
CVE-2018-10933

A vulnerability was found in libssh's server-side state machine before versions 0.7.6 and 0.8.4. A malicious client could create channels without first performing authentication, resulting in unauthorized access.

pub. 2018-10-17
9.0
CVSS
CRITICAL
CVE-2018-1085

openshift-ansible before versions 3.9.23, 3.7.46 deploys a misconfigured etcd file that causes the SSL client certificate authentication to be disabled. Quotations around the values of ETCD_CLIENT_CERT_AUTH and ETCD_PEER_CLIENT_CERT_AUTH in etcd.conf result in etcd being configured to allow remote users to connect without any authentication if they can access the etcd server bound to the network on the master nodes. An attacker could use this flaw to read and modify all the data about the Openshift cluster in the etcd datastore, potentially adding another compute node, or bringing down the entire cluster.

pub. 2018-06-15
9.0
CVSS
CRITICAL
CVE-2017-2684

Siemens SIMATIC Logon prior to V1.5 SP3 Update 2 could allow an attacker with knowledge of a valid user name, and physical or network access to the affected system, to bypass the application-level authentication.

pub. 2017-02-22
8.8
CVSS
HIGH
CVE-2019-14843

A flaw was found in Wildfly Security Manager, running under JDK 11 or 8, that authorized requests for any requester. This flaw could be used by a malicious app deployed on the app server to access unauthorized information and possibly conduct further attacks. Versions shipped with Red Hat Jboss EAP 7 and Red Hat SSO 7 are vulnerable to this issue.

pub. 2020-01-07
8.5
CVSS
HIGH
CVE-2017-2650

It was found that the use of Pipeline: Classpath Step Jenkins plugin enables a bypass of the Script Security sandbox for users with SCM commit access, as well as users with e.g. Job/Configure permission in Jenkins.

pub. 2018-07-27
8.3
CVSS
HIGH
CVE-2019-14909

A vulnerability was found in Keycloak 7.x where the user federation LDAP bind type is none (LDAP anonymous bind), any password, invalid or valid will be accepted.

pub. 2019-12-04
8.1
CVSS
HIGH
CVE-2019-10201

It was found that Keycloak's SAML broker, versions up to 6.0.1, did not verify missing message signatures. If an attacker modifies the SAML Response and removes the <Signature> sections, the message is still accepted, and the message can be modified. An attacker could use this flaw to impersonate other users and gain access to sensitive information.

pub. 2019-08-14
7.8
CVSS
HIGH
CVE-2024-38884

An issue in Horizon Business Services Inc. Caterease 16.0.1.1663 through 24.0.1.2405 and possibly later versions, allows a local attacker to perform an Authentication Bypass attack due to improperly implemented security checks for standard authentication mechanisms

pub. 2024-08-02
7.5
CVSS
HIGH
CVE-2014-2367

The ChkCookie subroutine in an ActiveX control in broadweb/include/gChkCook.asp in Advantech WebAccess before 7.2 allows remote attackers to read arbitrary files via a crafted call.

pub. 2014-07-19
7.5
CVSS
HIGH
CVE-2012-4688

The Central application in i-GEN opLYNX before 2.01.9 allows remote attackers to bypass authentication via vectors involving the disabling of browser JavaScript support.

pub. 2012-12-31
7.3
CVSS
HIGH
CVE-2016-8371

The web server in Phoenix Contact ILC PLCs can be accessed without authenticating even if the authentication mechanism is enabled.

pub. 2018-04-05
7.0
CVSS
HIGH
CVE-2017-7536

In Hibernate Validator 5.2.x before 5.2.5 final, 5.3.x, and 5.4.x, it was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue().

pub. 2018-01-10
6.8
CVSS
MEDIUM
CVE-2023-30971

Gotham Gaia application was found to be exposing multiple unauthenticated endpoints.

pub. 2025-12-19
6.5
CVSS
MEDIUM
CVE-2019-10198

An authentication bypass vulnerability was discovered in foreman-tasks before 0.15.7. Previously, commit tasks were searched through find_resource, which performed authorization checks. After the change to Foreman, an unauthenticated user can view the details of a task through the web UI or API, if they can discover or guess the UUID of the task.

pub. 2019-07-31
6.3
CVSS
MEDIUM
CVE-2024-42759

An issue in Ellevo v.6.2.0.38160 allows a remote attacker to escalate privileges via the /api/usuario/cadastrodesuplente endpoint.

pub. 2024-09-09
Pokazano 20 z 24 podatności
Informacje
ID: CWE-592
Typ: Class
Podatności: 24
MITRE CWE ↗
← Słownik CWE