Description
The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.
Potential Impact
Access Control
Bypass Protection Mechanism
Real-World CVE Examples
| CVE ID | Description |
|---|---|
| CVE-2002-1374 | The provided password is only compared against the first character of the real password. |
| CVE-2000-0979 | The password is not properly checked, which allows remote attackers to bypass access controls by sending a 1-byte password that matches the first character of the real password. |
| CVE-2001-0088 | Chain: Forum software does not properly initialize an array, which inadvertently sets the password to a single character, allowing remote attackers to easily guess the password and gain administrative |
Related Weaknesses
Taxonomy Mappings
- PLOVER: — Authentication Bypass by Primary Weakness
Frequently Asked Questions
What is CWE-305?
CWE-305 (Authentication Bypass by Primary Weakness) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.
How can CWE-305 be exploited?
Attackers can exploit CWE-305 (Authentication Bypass by Primary Weakness) to bypass protection mechanism. This weakness is typically introduced during the Implementation phase of software development.
How do I prevent CWE-305?
Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.
What is the severity of CWE-305?
CWE-305 is classified as a Base-level weakness (Medium abstraction). It has been observed in 3 real-world CVEs.