CWE-305 – Authentication Bypass by Primary Weakness

Read Time:40 Second

Description

The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-287

 

Consequences

Access Control: Bypass Protection Mechanism

 

Potential Mitigations

CVE References

  • CVE-2002-1374
    • The provided password is only compared against the first character of the real password.
  • CVE-2000-0979
    • The password is not properly checked, which allows remote attackers to bypass access controls by sending a 1-byte password that matches the first character of the real password.
  • CVE-2001-0088
    • Chain: Forum software does not properly initialize an array, which inadvertently sets the password to a single character, allowing remote attackers to easily guess the password and gain administrative privileges.