Class · High

CWE-1390: Weak Authentication

CWE-1390 · Class Level · 7 CVEs

Description

The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct.

Attackers may be able to bypass weak authentication faster and/or with less effort than expected.

Potential Impact

Integrity, Confidentiality, Availability, Access Control

Read Application Data, Gain Privileges or Assume Identity, Execute Unauthorized Code or Commands

Demonstrative Examples

In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications.
Multiple OT products used weak authentication.

Real-World CVE Examples

CVE ID          Description
CVE-2024-48445  Chain: e-commerce app relies on an easily-guessable timestamp (CWE-341) in a weak authentication algorithm (CWE-1390)
CVE-2022-30034  Chain: Web UI for a Python RPC framework does not use regex anchors to validate user login emails (CWE-777), potentially allowing bypass of OAuth (CWE-1390).
CVE-2022-35248  Chat application skips validation when Central Authentication Service (CAS) is enabled, effectively removing the second factor from two-factor authentication
CVE-2021-3116   Chain: Python-based HTTP Proxy server uses the wrong boolean operators (CWE-480) causing an incorrect comparison (CWE-697) that identifies an authN failure if all three conditions are met instead of
CVE-2022-29965  Distributed Control System (DCS) uses a deterministic algorithm to generate utility passwords
CVE-2022-29959  Initialization file contains credentials that can be decoded using a "simple string transformation"
CVE-2020-8994   UART interface for AI speaker uses empty password for root shell
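Two of the implementation slips in the table above, the missing regex anchors behind CVE-2022-30034 and the wrong boolean operator behind CVE-2021-3116, are easy to model side by side with their corrected forms. The Python below is an added example written for this page, not code from either affected project; the allow-list pattern, the expected credentials and all function names are constructed assumptions.

```python
import hmac
import re

# Constructed allow-list for this example: only addresses in the example.com
# domain may log in. Not taken from any real product.
ALLOWED_EMAIL = r"[A-Za-z0-9._%+-]+@example\.com"

# Constructed expected credentials for the password-check model.
EXPECTED_USER = "admin"
EXPECTED_PASSWORD = "s3cret-example"


def email_allowed_weak(email: str) -> bool:
    """Unanchored check (the CWE-777 pattern): re.search accepts any string
    that merely CONTAINS a permitted address, e.g.
    'alice@example.com.attacker.test'."""
    return re.search(ALLOWED_EMAIL, email) is not None


def email_allowed_fixed(email: str) -> bool:
    """Anchored check: re.fullmatch requires the whole string to be a
    permitted address, so leading or trailing junk is rejected."""
    return re.fullmatch(ALLOWED_EMAIL, email) is not None


def password_check_weak(user: str, password: str) -> bool:
    """Wrong boolean composition (the CWE-480 pattern): the login is rejected
    only when BOTH the username and the password are wrong, so a valid
    username paired with any password is accepted."""
    if user != EXPECTED_USER and password != EXPECTED_PASSWORD:
        return False
    return True


def password_check_fixed(user: str, password: str) -> bool:
    """Every condition must hold. hmac.compare_digest keeps the comparison
    time independent of where the first mismatching byte occurs."""
    user_ok = hmac.compare_digest(user.encode(), EXPECTED_USER.encode())
    password_ok = hmac.compare_digest(password.encode(), EXPECTED_PASSWORD.encode())
    return user_ok and password_ok


def divergent_cases():
    """Run constructed inputs through both variants and return the cases where
    the weak check accepts something the fixed check rejects."""
    emails = [
        "alice@example.com",                 # legitimate, both accept
        "alice@example.com.attacker.test",   # crafted suffix, only weak accepts
        "mallory@attacker.test",             # not in the allow-list, both reject
    ]
    logins = [
        ("admin", "s3cret-example"),         # correct credentials, both accept
        ("admin", "wrong"),                  # right user, wrong password, only weak accepts
        ("nobody", "wrong"),                 # both wrong, both reject
    ]
    found = []
    for e in emails:
        if email_allowed_weak(e) and not email_allowed_fixed(e):
            found.append(("email", e))
    for u, p in logins:
        if password_check_weak(u, p) and not password_check_fixed(u, p):
            found.append(("login", u, p))
    return found


if __name__ == "__main__":
    for case in divergent_cases():
        print("accepted by weak check only:", case)
```

Running the block prints the two inputs that slip past the weak variants and are stopped by the anchored and correctly composed ones; a unit test that feeds such boundary inputs to an authentication path is the cheapest way to catch both classes of slip before release.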

Frequently Asked Questions

What is CWE-1390?

CWE-1390 (Weak Authentication) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Class-level weakness. The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct.

How can CWE-1390 be exploited?

Attackers can exploit CWE-1390 (Weak Authentication) to read application data, gain privileges or assume an identity, or execute unauthorized code or commands. This weakness is typically introduced during the Architecture and Design and Implementation phases of software development.

How do I prevent CWE-1390?

Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.

What is the severity of CWE-1390?

CWE-1390 is classified as a Class-level weakness (High abstraction). It has been observed in 7 real-world CVEs.