Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CWE-305:Authentication Bypass by Primary Weakness
Weakness ID:305
Version:v4.17
Weakness Name:Authentication Bypass by Primary Weakness
Vulnerability Mapping:Allowed
Abstraction:Base
Structure:Simple
Status:Draft
Likelihood of Exploit:
DetailsContent HistoryObserved CVE ExamplesReports
▼Description

The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.

▼Extended Description

▼Alternate Terms
▼Relationships
Relevant to the view"Research Concepts - (1000)"
NatureMappingTypeIDName
ChildOfAllowed-with-ReviewC1390Weak Authentication
Nature: ChildOf
Mapping: Allowed-with-Review
Type: Class
ID: 1390
Name: Weak Authentication
▼Memberships
NatureMappingTypeIDName
MemberOfProhibitedC947SFP Secondary Cluster: Authentication Bypass
MemberOfProhibitedC1010Authenticate Actors
MemberOfProhibitedC1211Authentication Errors
MemberOfProhibitedC1396Comprehensive Categorization: Access Control
Nature: MemberOf
Mapping: Prohibited
Type:Category
ID: 947
Name: SFP Secondary Cluster: Authentication Bypass
Nature: MemberOf
Mapping: Prohibited
Type:Category
ID: 1010
Name: Authenticate Actors
Nature: MemberOf
Mapping: Prohibited
Type:Category
ID: 1211
Name: Authentication Errors
Nature: MemberOf
Mapping: Prohibited
Type:Category
ID: 1396
Name: Comprehensive Categorization: Access Control
▼Tags
NatureMappingTypeIDName
MemberOfProhibitedBSBOSS-294Not Language-Specific Weaknesses
MemberOfProhibitedBSBOSS-316Bypass Protection Mechanism (impact)
Nature: MemberOf
Mapping: Prohibited
Type:BOSSView
ID: BOSS-294
Name: Not Language-Specific Weaknesses
Nature: MemberOf
Mapping: Prohibited
Type:BOSSView
ID: BOSS-316
Name: Bypass Protection Mechanism (impact)
▼Relevant To View
Relevant to the view"Architectural Concepts - (1008)"
NatureMappingTypeIDName
MemberOfProhibitedC1010Authenticate Actors
Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 1010
Name: Authenticate Actors
Relevant to the view"Software Development - (699)"
NatureMappingTypeIDName
MemberOfProhibitedC1211Authentication Errors
Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 1211
Name: Authentication Errors
Relevant to the view"Software Fault Pattern (SFP) Clusters - (888)"
NatureMappingTypeIDName
MemberOfProhibitedC947SFP Secondary Cluster: Authentication Bypass
Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 947
Name: SFP Secondary Cluster: Authentication Bypass
▼Background Detail

▼Common Consequences
ScopeLikelihoodImpactNote
Access ControlN/ABypass Protection Mechanism
N/A
Scope: Access Control
Likelihood: N/A
Impact: Bypass Protection Mechanism
Note:
N/A
▼Potential Mitigations
▼Modes Of Introduction
Phase: Implementation
Note:

REALIZATION: This weakness is caused during implementation of an architectural security tactic.

▼Applicable Platforms
Languages
Class: Not Language-Specific(Undetermined Prevalence)
▼Demonstrative Examples
▼Observed Examples
ReferenceDescription
CVE-2002-1374
The provided password is only compared against the first character of the real password.
CVE-2000-0979
The password is not properly checked, which allows remote attackers to bypass access controls by sending a 1-byte password that matches the first character of the real password.
CVE-2001-0088
Chain: Forum software does not properly initialize an array, which inadvertently sets the password to a single character, allowing remote attackers to easily guess the password and gain administrative privileges.
Reference: CVE-2002-1374
Description:
The provided password is only compared against the first character of the real password.
Reference: CVE-2000-0979
Description:
The password is not properly checked, which allows remote attackers to bypass access controls by sending a 1-byte password that matches the first character of the real password.
Reference: CVE-2001-0088
Description:
Chain: Forum software does not properly initialize an array, which inadvertently sets the password to a single character, allowing remote attackers to easily guess the password and gain administrative privileges.
▼Affected Resources
    ▼Functional Areas
      ▼Weakness Ordinalities
      OrdinalityDescription
      ▼Detection Methods
      ▼Vulnerability Mapping Notes
      Usage:Allowed
      Reason:Acceptable-Use
      Rationale:

      This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.

      Comments:

      Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

      Suggestions:
      ▼Notes
      Relationship

      Most "authentication bypass" errors are resultant, not primary.

      N/A

      ▼Taxonomy Mappings
      Taxonomy NameEntry IDFitEntry Name
      PLOVERN/AN/AAuthentication Bypass by Primary Weakness
      Taxonomy Name: PLOVER
      Entry ID: N/A
      Fit: N/A
      Entry Name: Authentication Bypass by Primary Weakness
      ▼Related Attack Patterns
      IDName
      ▼References
      Details not found