CWE-288: Authentication Bypass Using an Alternate Path or Channel

ID: CWE-288
Abstraction: Base
Structure: Simple
Status: Incomplete
Number of CVEs: 152
A product requires authentication, but the product has an alternate path or channel that does not require authentication.

Modes of Introduction

Phase | Note
Architecture and Design | COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic.
Architecture and Design | This is often seen in web applications that assume that access to a particular CGI program can only be obtained through a "front" screen, when the supporting programs are directly accessible. But this problem is not just in web apps.

Applicable Platforms

Type | Class | Name | Prevalence
Language | Not Language-Specific | |

Relationships

View ID | View Name | View Status | Weakness ID | Weakness Name | Abstraction | Structure | Status
CWE-1000 | Research Concepts | Draft | CWE-306 | Missing Authentication for Critical Function | Base | Simple | Draft
CWE-1340 | CISQ Data Protection Measures | Incomplete | CWE-284 | Improper Access Control | Pillar | Simple | Incomplete
CWE-1000 | Research Concepts | Draft | CWE-420 | Unprotected Alternate Channel | Base | Simple | Draft

Common Attack Pattern Enumeration and Classification (CAPEC)

The Common Attack Pattern Enumeration and Classification (CAPEC™) effort provides a publicly available catalog of common attack patterns that helps users understand how adversaries exploit weaknesses in applications and other cyber-enabled capabilities.

CAPEC at Mitre.org
ID | Name | Weaknesses
CAPEC-127 | Directory Indexing | CWE-288
CAPEC-665 | Exploitation of Thunderbolt Protection Flaws | CWE-288
