1. Home
  2. Weaknesses
  3. CWE-291

CWE-291: Reliance on IP Address for Authentication

ID CWE-291
Abstraction Variant
Structure Simple
Status Incomplete
Number of CVEs 2
Detail CAPEC Dashboard Vulnerabilities Web & Social
The product uses an IP address for authentication.

IP addresses can be easily spoofed. Attackers can forge the source IP address of the packets they send, but response packets will return to the forged IP address. To see the response packets, the attacker has to sniff the traffic between the victim machine and the forged IP address. In order to accomplish the required sniffing, attackers typically attempt to locate themselves on the same subnet as the victim machine. Attackers may be able to circumvent this requirement by using source routing, but source routing is disabled across much of the Internet today. In summary, IP address verification can be a useful part of an authentication scheme, but it should not be the single factor required for authentication.

Modes of Introduction

Phase Note
Architecture and Design COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic.

Applicable Platforms

Type Class Name Prevalence
Language Not Language-Specific

Relationships

View Weakness
# ID View Status # ID Name Abstraction Structure Status
CWE-1000 Research Concepts Draft CWE-290 Authentication Bypass by Spoofing Base Simple Incomplete
CWE-1000 Research Concepts Draft CWE-923 Improper Restriction of Communication Channel to Intended Endpoints Class Simple Incomplete
CWE-1000 Research Concepts Draft CWE-471 Modification of Assumed-Immutable Data (MAID) Base Simple Draft

Common Attack Pattern Enumeration and Classification (CAPEC)

The Common Attack Pattern Enumeration and Classification (CAPECâ„¢) effort provides a publicly available catalog of common attack patterns that helps users understand how adversaries exploit weaknesses in applications and other cyber-enabled capabilities.

CAPEC at Mitre.org
# ID Name Weaknesses
CAPEC-4 Using Alternative IP Address Encodings CWE-291

CVEs Published

Based on CVE published date

CVSS Severity

CVSS Severity - By Year

CVSS Base Score

# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date