CWE-1390: Weak Authentication
The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct.
View on MITREExtended Description
Attackers may be able to bypass weak authentication faster and/or with less effort than expected.
Technical Details
- Structure
- Simple
Applicable To
Security Consequences
Scope
Impact
This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even execute arbitrary code.
Mitigation Strategies
No mitigation information available for this CWE.
Detection Methods
No detection method information available for this CWE.
Code Examples & CVEs
Observed CVE Examples (6)
Chain: Web UI for a Python RPC framework does not use regex anchors to validate user login emails (CWE-777), potentially allowing bypass of OAuth (CWE-1390).
View DetailsChat application skips validation when Central Authentication Service (CAS) is enabled, effectively removing the second factor from two-factor authentication
View DetailsChain: Python-based HTTP Proxy server uses the wrong boolean operators (CWE-480) causing an incorrect comparison (CWE-697) that identifies an authN failure if all three conditions are met instead of only one, allowing bypass of the proxy authentication (CWE-1390)
View DetailsDistributed Control System (DCS) uses a deterministic algorithm to generate utility passwords
View DetailsInitialization file contains credentials that can be decoded using a "simple string transformation"
View DetailsCWE Relationships
No relationship information available for this CWE.
Frequently Asked Questions
What is CWE-1390: Weak Authentication?+
CWE-1390: Weak Authentication is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct. Attackers may be able to bypass weak authentication faster and/or with less effort than expected.
What are the security consequences of Weak Authentication?+
If exploited, CWE-1390 (Weak Authentication) it can compromise Integrity, Confidentiality, Availability and Access Control, leading to outcomes such as Read Application Data, Gain Privileges or Assume Identity and Execute Unauthorized Code or Commands.
Which programming languages are affected by Weak Authentication?+
CWE-1390 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
What are real-world examples of Weak Authentication?+
MITRE documents real CVEs mapped to CWE-1390, including CVE-2022-30034, CVE-2022-35248, CVE-2021-3116, CVE-2022-29965 and CVE-2022-29959. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
What is the difference between a CWE and a CVE?+
A CWE (Common Weakness Enumeration) like CWE-1390 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.