Authentication Bypass by Primary Weakness

Draft Base

Structure: Simple

Description

The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.

Common Consequences 1

Scope: Access Control

Impact: Bypass Protection Mechanism

Observed Examples 3

CVE-2002-1374The provided password is only compared against the first character of the real password.

CVE-2000-0979The password is not properly checked, which allows remote attackers to bypass access controls by sending a 1-byte password that matches the first character of the real password.

CVE-2001-0088Chain: Forum software does not properly initialize an array, which inadvertently sets the password to a single character, allowing remote attackers to easily guess the password and gain administrative privileges.

Applicable Platforms

Languages:

Not Language-Specific : Undetermined

Modes of Introduction

Implementation

Related Weaknesses

ChildOf:

Weak Authentication (CWE-1390)

Taxonomy Mapping

PLOVER

Notes

RelationshipMost "authentication bypass" errors are resultant, not primary.