CWE-305
AllowedAuthentication Bypass by Primary Weakness
Abstraction: Base · Status: Draft
The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.
281 vulnerabilities reference this CWE, most recent first.
GHSA-8WJ3-CPMR-8WHP
Vulnerability from github – Published: 2022-08-16 00:00 – Updated: 2022-08-18 19:19Cockpit Content Platform through version 2.2.1 is vulnerable to a two-factor authentication (2FA) bypass. The 2FA secret is disclosed in a JWT token after user logs into their account, allowing an attacker to bypass the 2FA code. A patch is available on the develop branch and is expected to be part of version 2.2.2.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.2.1"
},
"package": {
"ecosystem": "Packagist",
"name": "cockpit-hq/cockpit"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-2818"
],
"database_specific": {
"cwe_ids": [
"CWE-212",
"CWE-287",
"CWE-305"
],
"github_reviewed": true,
"github_reviewed_at": "2022-08-18T19:19:58Z",
"nvd_published_at": "2022-08-15T11:21:00Z",
"severity": "HIGH"
},
"details": "Cockpit Content Platform through version 2.2.1 is vulnerable to a two-factor authentication (2FA) bypass. The 2FA secret is disclosed in a JWT token after user logs into their account, allowing an attacker to bypass the 2FA code. A patch is available on the `develop` branch and is expected to be part of version 2.2.2.",
"id": "GHSA-8wj3-cpmr-8whp",
"modified": "2022-08-18T19:19:58Z",
"published": "2022-08-16T00:00:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2818"
},
{
"type": "WEB",
"url": "https://github.com/cockpit-hq/cockpit/commit/4bee1b903ee20818f4a8ecb9d974b9536cc54cb4"
},
{
"type": "PACKAGE",
"url": "https://github.com/cockpit-hq/cockpit"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/ee27e5df-516b-4cf4-9f28-346d907b5491"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Cockpit Content Platform vulnerable to 2FA bypass"
}
GHSA-8WRG-M8VM-5FVJ
Vulnerability from github – Published: 2022-02-15 01:57 – Updated: 2021-05-20 22:25Impact
Authentication Bypass by Primary Weakness (CWE-305)
Commit:
https://github.com/kongchuanhujiao/server/commit/9a125624f219e496bdf4b07b404816d5a309bdc1
ALL Users is impacted.
Patches
Yes, PLEASE UPGRADE TO v1.3.21-beta.d0ffc0a6
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/kongchuanhujiao/server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.3.21"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-21403"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-305"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-20T22:25:09Z",
"nvd_published_at": "2021-03-26T18:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\n\nAuthentication Bypass by Primary Weakness (CWE-305)\n\nCommit:\n\nhttps://github.com/kongchuanhujiao/server/commit/9a125624f219e496bdf4b07b404816d5a309bdc1\n\nALL Users is impacted.\n\n### Patches\n\nYes, PLEASE UPGRADE TO v1.3.21-beta.d0ffc0a6",
"id": "GHSA-8wrg-m8vm-5fvj",
"modified": "2021-05-20T22:25:09Z",
"published": "2022-02-15T01:57:18Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/kongchuanhujiao/server/security/advisories/GHSA-8wrg-m8vm-5fvj"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21403"
},
{
"type": "WEB",
"url": "https://github.com/kongchuanhujiao/server/commit/9a125624f219e496bdf4b07b404816d5a309bdc1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Authentication Bypass by Primary Weakness in github.com/kongchuanhujiao/server"
}
GHSA-93X3-M7PW-PPQM
Vulnerability from github – Published: 2024-05-13 14:57 – Updated: 2024-05-14 20:01Insufficient access control in the registration and password reset process allows an attacker to reset another user's password and takeover their account, if the victim has an incomplete request pending.
The exploit is only possible while the verification token is valid, i.e for 5 minutes after the confirmation URL sent by e-mail has been opened, and the user did not complete the process by updating their password.
A brute-force attack calling account_update.php with increasing user IDs is possible.
Impact
A successful takeover would grant the attacker full access to the compromised account, including sensitive information and functionalities associated with the account, the extent of which depends on its privileges and the data it has access to.
Patches
92d11a01b195a1b6717a2f205218089158ea6d00
Workarounds
Mitigate the risk by reducing the verification token's validity (change the value of the TOKEN_EXPIRY_AUTHENTICATED constant in constants_inc.php).
References
https://mantisbt.org/bugs/view.php?id=34433
Credits
Alexander Christian, from Vantage Point Security Indonesia
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.26.1"
},
"package": {
"ecosystem": "Packagist",
"name": "mantisbt/mantisbt"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.26.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-34077"
],
"database_specific": {
"cwe_ids": [
"CWE-305",
"CWE-620"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-13T14:57:13Z",
"nvd_published_at": "2024-05-14T15:38:28Z",
"severity": "HIGH"
},
"details": "Insufficient access control in the registration and password reset process allows an attacker to reset another user\u0027s password and takeover their account, if the victim has an incomplete request pending.\n\nThe exploit is only possible while the verification token is valid, i.e for 5 minutes after the confirmation URL sent by e-mail has been opened, and the user did not complete the process by updating their password.\n\nA brute-force attack calling account_update.php with increasing user IDs is possible. \n \n### Impact\n\nA successful takeover would grant the attacker full access to the compromised account, including sensitive information and functionalities associated with the account, the extent of which depends on its privileges and the data it has access to.\n\n### Patches\n\n92d11a01b195a1b6717a2f205218089158ea6d00\n\n### Workarounds\n\nMitigate the risk by reducing the verification token\u0027s validity (change the value of the `TOKEN_EXPIRY_AUTHENTICATED` constant in *constants_inc.php*).\n\n### References\n\nhttps://mantisbt.org/bugs/view.php?id=34433\n\n### Credits\n\nAlexander Christian, from Vantage Point Security Indonesia\n",
"id": "GHSA-93x3-m7pw-ppqm",
"modified": "2024-05-14T20:01:07Z",
"published": "2024-05-13T14:57:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-93x3-m7pw-ppqm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34077"
},
{
"type": "WEB",
"url": "https://github.com/mantisbt/mantisbt/commit/92d11a01b195a1b6717a2f205218089158ea6d00"
},
{
"type": "PACKAGE",
"url": "https://github.com/mantisbt/mantisbt"
},
{
"type": "WEB",
"url": "https://mantisbt.org/bugs/view.php?id=34433"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Mantis Bug Tracker (MantisBT) allows user account takeover in the signup/reset password process"
}
GHSA-9559-HPF7-PQV3
Vulnerability from github – Published: 2025-05-19 09:31 – Updated: 2025-11-03 18:31Pgpool-II provided by PgPool Global Development Group contains an authentication bypass by primary weakness vulnerability. if the vulnerability is exploited, an attacker may be able to log in to the system as an arbitrary user, allowing them to read or tamper with data in the database, and/or disable the database.
{
"affected": [],
"aliases": [
"CVE-2025-46801"
],
"database_specific": {
"cwe_ids": [
"CWE-305"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-19T08:15:21Z",
"severity": "CRITICAL"
},
"details": "Pgpool-II provided by PgPool Global Development Group contains an authentication bypass by primary weakness vulnerability. if the vulnerability is exploited, an attacker may be able to log in to the system as an arbitrary user, allowing them to read or tamper with data in the database, and/or disable the database.",
"id": "GHSA-9559-hpf7-pqv3",
"modified": "2025-11-03T18:31:16Z",
"published": "2025-05-19T09:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46801"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN06238225"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00014.html"
},
{
"type": "WEB",
"url": "https://www.pgpool.net/mediawiki/index.php/Main_Page#News"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-95PW-Q9XH-P66R
Vulnerability from github – Published: 2026-06-22 12:32 – Updated: 2026-07-07 12:31The SafeLine SL6 and SL6+ devices integrated into elevator emergency intercom systems are vulnerable to an authentication bypass. This vulnerability allows attackers to bypass authentication requirements and access the device's configuration service via the Bluetooth Low Energy (BLE) interface. Consequently, an attacker within wireless range can gain unauthorized administrative access to the device configuration.
{
"affected": [],
"aliases": [
"CVE-2025-4994"
],
"database_specific": {
"cwe_ids": [
"CWE-305"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-22T10:16:17Z",
"severity": "HIGH"
},
"details": "The SafeLine SL6 and SL6+ devices integrated into elevator emergency intercom systems are vulnerable to an authentication bypass. This vulnerability allows attackers to bypass authentication requirements and access the device\u0027s configuration service via the Bluetooth Low Energy (BLE) interface. Consequently, an attacker within wireless range can gain unauthorized administrative access to the device configuration.",
"id": "GHSA-95pw-q9xh-p66r",
"modified": "2026-07-07T12:31:35Z",
"published": "2026-06-22T12:32:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4994"
},
{
"type": "WEB",
"url": "https://www.schutzwerk.com/en/blog/schutzwerk-sa-2025-001"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2026/Jul/17"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-9FQF-7QJX-9M2H
Vulnerability from github – Published: 2022-05-24 17:26 – Updated: 2025-11-04 21:30The currency dispenser of NCR SelfSev ATMs running APTRA XFS 05.01.00 or earlier does not adequately authenticate session key generation requests from the host computer, allowing an attacker with physical access to internal ATM components to issue valid commands to dispense currency by generating a new session key that the attacker knows.
{
"affected": [],
"aliases": [
"CVE-2020-10123"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-305"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-08-21T21:15:00Z",
"severity": "LOW"
},
"details": "The currency dispenser of NCR SelfSev ATMs running APTRA XFS 05.01.00 or earlier does not adequately authenticate session key generation requests from the host computer, allowing an attacker with physical access to internal ATM components to issue valid commands to dispense currency by generating a new session key that the attacker knows.",
"id": "GHSA-9fqf-7qjx-9m2h",
"modified": "2025-11-04T21:30:24Z",
"published": "2022-05-24T17:26:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10123"
},
{
"type": "WEB",
"url": "https://kb.cert.org/vuls/id/116713"
},
{
"type": "WEB",
"url": "https://www.kb.cert.org/vuls/id/116713"
},
{
"type": "WEB",
"url": "https://www.ncr.com/content/dam/ncrcom/content-type/documents/NCR_Secure_white_paper-Dispenser_Security_Solution_September_2018.pdf"
},
{
"type": "WEB",
"url": "https://www.ncr.com/content/dam/ncrcom/content-type/documents/NCR_Security_Alert-2018-10-S1_and_S2_Critical_Update.pdf"
},
{
"type": "WEB",
"url": "https://www.ncr.com/content/dam/ncrcom/content-type/documents/NCR_Security_Alert-2018-13_APTRA_XFS_v5.pdf"
},
{
"type": "WEB",
"url": "https://www.ncr.com/content/dam/ncrcom/unsorted/jackpot_attacks_in_the_us_-_january_2018.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9J22-G5G3-CW39
Vulnerability from github – Published: 2025-05-12 18:31 – Updated: 2025-05-12 18:31SEL BIOS packages prior to 1.3.49152.117 or 2.6.49152.98 allow a local attacker to bypass password authentication and change password-protected BIOS settings by importing a BIOS settings file with no password set.
{
"affected": [],
"aliases": [
"CVE-2025-46750"
],
"database_specific": {
"cwe_ids": [
"CWE-305"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-12T17:15:48Z",
"severity": "MODERATE"
},
"details": "SEL BIOS packages prior to 1.3.49152.117 or 2.6.49152.98 allow a local attacker to bypass password authentication and change password-protected BIOS settings by importing a BIOS settings file with no password set.",
"id": "GHSA-9j22-g5g3-cw39",
"modified": "2025-05-12T18:31:48Z",
"published": "2025-05-12T18:31:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46750"
},
{
"type": "WEB",
"url": "https://selinc.com/products/software/latest-software-versions"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9MHQ-XCRQ-XC75
Vulnerability from github – Published: 2023-05-10 00:30 – Updated: 2024-04-04 03:58An authentication bypass vulnerability exists in Avalanche versions 6.3.x and below that could allow an attacker to gain access by exploiting the SetUser method or can exploit the Race Condition in the authentication message.
{
"affected": [],
"aliases": [
"CVE-2023-28126"
],
"database_specific": {
"cwe_ids": [
"CWE-305",
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-09T22:15:09Z",
"severity": "MODERATE"
},
"details": "An authentication bypass vulnerability exists in Avalanche versions 6.3.x and below that could allow an attacker to gain access by exploiting the SetUser method or can exploit the Race Condition in the authentication message.",
"id": "GHSA-9mhq-xcrq-xc75",
"modified": "2024-04-04T03:58:08Z",
"published": "2023-05-10T00:30:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28126"
},
{
"type": "WEB",
"url": "https://forums.ivanti.com/s/article/ZDI-CAN-17750-Ivanti-Avalanche-EnterpriseServer-GetSettings-Exposed-Dangerous-Method-Authentication-Bypass-Vulnerability?language=en_US"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9WC2-MV76-38JP
Vulnerability from github – Published: 2022-11-14 19:00 – Updated: 2022-11-18 00:30Authentication Bypass by Primary Weakness in GitHub repository kareadita/kavita prior to 0.6.0.3.
{
"affected": [],
"aliases": [
"CVE-2022-3993"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-305",
"CWE-307",
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-14T18:15:00Z",
"severity": "CRITICAL"
},
"details": "Authentication Bypass by Primary Weakness in GitHub repository kareadita/kavita prior to 0.6.0.3.",
"id": "GHSA-9wc2-mv76-38jp",
"modified": "2022-11-18T00:30:20Z",
"published": "2022-11-14T19:00:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3993"
},
{
"type": "WEB",
"url": "https://github.com/kareadita/kavita/commit/f8db37d3f9aa42d47e7c4f4ca839e892d3f97afb"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/bebd0cd6-18ec-469c-b6ca-19ffa9db0699"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C57H-RX24-VF52
Vulnerability from github – Published: 2025-04-03 21:32 – Updated: 2025-10-22 00:33CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows authentication bypass and takeover of the crushadmin account (unless a DMZ proxy instance is used), as exploited in the wild in March and April 2025, aka "Unauthenticated HTTP(S) port access." A race condition exists in the AWS4-HMAC (compatible with S3) authorization method of the HTTP component of the FTP server. The server first verifies the existence of the user by performing a call to login_user_pass() with no password requirement. This will authenticate the session through the HMAC verification process and up until the server checks for user verification once more. The vulnerability can be further stabilized, eliminating the need for successfully triggering a race condition, by sending a mangled AWS4-HMAC header. By providing only the username and a following slash (/), the server will successfully find a username, which triggers the successful anypass authentication process, but the server will fail to find the expected SignedHeaders entry, resulting in an index-out-of-bounds error that stops the code from reaching the session cleanup. Together, these issues make it trivial to authenticate as any known or guessable user (e.g., crushadmin), and can lead to a full compromise of the system by obtaining an administrative account.
{
"affected": [],
"aliases": [
"CVE-2025-31161"
],
"database_specific": {
"cwe_ids": [
"CWE-305"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-03T20:15:25Z",
"severity": "CRITICAL"
},
"details": "CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows authentication bypass and takeover of the crushadmin account (unless a DMZ proxy instance is used), as exploited in the wild in March and April 2025, aka \"Unauthenticated HTTP(S) port access.\" A race condition exists in the AWS4-HMAC (compatible with S3) authorization method of the HTTP component of the FTP server. The server first verifies the existence of the user by performing a call to login_user_pass() with no password requirement. This will authenticate the session through the HMAC verification process and up until the server checks for user verification once more. The vulnerability can be further stabilized, eliminating the need for successfully triggering a race condition, by sending a mangled AWS4-HMAC header. By providing only the username and a following slash (/), the server will successfully find a username, which triggers the successful anypass authentication process, but the server will fail to find the expected SignedHeaders entry, resulting in an index-out-of-bounds error that stops the code from reaching the session cleanup. Together, these issues make it trivial to authenticate as any known or guessable user (e.g., crushadmin), and can lead to a full compromise of the system by obtaining an administrative account.",
"id": "GHSA-c57h-rx24-vf52",
"modified": "2025-10-22T00:33:16Z",
"published": "2025-04-03T21:32:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31161"
},
{
"type": "WEB",
"url": "https://attackerkb.com/topics/k0EgiL9Psz/cve-2025-2825/rapid7-analysis"
},
{
"type": "WEB",
"url": "https://crushftp.com/crush11wiki/Wiki.jsp?page=Update#section-Update-VulnerabilityInfo"
},
{
"type": "WEB",
"url": "https://outpost24.com/blog/crushftp-auth-bypass-vulnerability"
},
{
"type": "WEB",
"url": "https://projectdiscovery.io/blog/crushftp-authentication-bypass"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-31161"
},
{
"type": "WEB",
"url": "https://www.darkreading.com/vulnerabilities-threats/disclosure-drama-clouds-crushftp-vulnerability-exploitation"
},
{
"type": "WEB",
"url": "https://www.huntress.com/blog/crushftp-cve-2025-31161-auth-bypass-and-post-exploitation"
},
{
"type": "WEB",
"url": "https://www.infosecurity-magazine.com/news/crushftp-flaw-exploited-disclosure"
},
{
"type": "WEB",
"url": "https://www.vicarius.io/vsociety/posts/cve-2025-31161-detect-crushftp-vulnerability"
},
{
"type": "WEB",
"url": "https://www.vicarius.io/vsociety/posts/cve-2025-31161-mitigate-crushftp-vulnerability"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.