{"@ID": "1390", "@Name": "Weak Authentication", "@Abstraction": "Class", "@Structure": "Simple", "@Status": "Incomplete", "Description": "The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct.", "Extended_Description": {"xhtml:p": "Attackers may be able to bypass weak authentication faster and/or with less effort than expected."}, "Related_Weaknesses": {"Related_Weakness": {"@Nature": "ChildOf", "@CWE_ID": "287", "@View_ID": "1000", "@Ordinal": "Primary"}}, "Weakness_Ordinalities": {"Weakness_Ordinality": {"Ordinality": "Primary"}}, "Applicable_Platforms": {"Language": {"@Class": "Not Language-Specific", "@Prevalence": "Undetermined"}, "Technology": [{"@Class": "ICS/OT", "@Prevalence": "Undetermined"}, {"@Class": "Not Technology-Specific", "@Prevalence": "Undetermined"}]}, "Modes_Of_Introduction": {"Introduction": [{"Phase": "Architecture and Design"}, {"Phase": "Implementation"}]}, "Common_Consequences": {"Consequence": {"Scope": ["Integrity", "Confidentiality", "Availability", "Access Control"], "Impact": ["Read Application Data", "Gain Privileges or Assume Identity", "Execute Unauthorized Code or Commands"], "Note": "This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even execute arbitrary code."}}, "Demonstrative_Examples": {"Demonstrative_Example": {"@Demonstrative_Example_ID": "DX-153", "Intro_Text": "In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were \"insecure by design\" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications.", "Body_Text": "Multiple OT products used weak authentication."}}, "Observed_Examples": {"Observed_Example": [{"Reference": "CVE-2024-48445", "Description": "Chain: e-commerce app relies on an easily-guessable timestamp (CWE-341) in a weak authentication algorithm (CWE-1390)", "Link": "https://www.cve.org/CVERecord?id=CVE-2024-48445"}, {"Reference": "CVE-2022-30034", "Description": "Chain: Web UI for a Python RPC framework does not use regex anchors to validate user login emails (CWE-777), potentially allowing bypass of OAuth (CWE-1390).", "Link": "https://www.cve.org/CVERecord?id=CVE-2022-30034"}, {"Reference": "CVE-2022-35248", "Description": "Chat application skips validation when Central Authentication Service\n\t\t  (CAS) is enabled, effectively removing the second factor from\n\t\t  two-factor authentication", "Link": "https://www.cve.org/CVERecord?id=CVE-2022-35248"}, {"Reference": "CVE-2021-3116", "Description": "Chain: Python-based HTTP Proxy server uses the wrong boolean operators (CWE-480) causing an  incorrect comparison (CWE-697) that identifies an authN failure if all three conditions are met instead of only one, allowing bypass of the proxy authentication (CWE-1390)", "Link": "https://www.cve.org/CVERecord?id=CVE-2021-3116"}, {"Reference": "CVE-2022-29965", "Description": "Distributed Control System (DCS) uses a deterministic algorithm to generate utility passwords", "Link": "https://www.cve.org/CVERecord?id=CVE-2022-29965"}, {"Reference": "CVE-2022-29959", "Description": "Initialization file contains credentials that can be decoded using a \"simple string transformation\"", "Link": "https://www.cve.org/CVERecord?id=CVE-2022-29959"}, {"Reference": "CVE-2020-8994", "Description": "UART interface for AI speaker uses empty password for root shell", "Link": "https://www.cve.org/CVERecord?id=CVE-2020-8994"}]}, "References": {"Reference": {"@External_Reference_ID": "REF-1283"}}, "Mapping_Notes": {"Usage": "Allowed-with-Review", "Rationale": "This CWE entry is a Class and might have Base-level children that would be more appropriate", "Comments": "Examine children of this entry to see if there is a better fit", "Reasons": {"Reason": {"@Type": "Abstraction"}}}, "Content_History": {"Submission": {"Submission_Name": "CWE Content Team", "Submission_Organization": "MITRE", "Submission_Date": "2022-10-05", "Submission_Version": "4.9", "Submission_ReleaseDate": "2022-10-13"}, "Modification": [{"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-01-31", "Modification_Version": "4.10", "Modification_ReleaseDate": "2023-01-31", "Modification_Comment": "updated Applicable_Platforms, Demonstrative_Examples, Observed_Examples, References, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-10-26", "Modification_Version": "4.13", "Modification_ReleaseDate": "2023-10-26", "Modification_Comment": "updated Observed_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2024-02-29", "Modification_Version": "4.14", "Modification_ReleaseDate": "2024-02-29", "Modification_Comment": "updated Observed_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Observed_Examples, Relationships, Weakness_Ordinalities"}]}}
