CWE-305 - Authentication Bypass by Primary Weakness

CWE ID:

CWE-305

Abstraction:Base
Structure:Simple
Status:Draft

Release Date:2006-07-19
Latest Modification Date:2023-06-29

Weakness Name

Authentication Bypass by Primary Weakness

Description

The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.

Common Consequences

Scope: Access Control

Impact: Bypass Protection Mechanism

Related Weaknesses

CWE-1390Weak Authentication

Latest Security News

Ivanti VPN customers targeted via unrecognized RCE vulnerability (CVE-2025-22457)
Ivanti patches Connect Secure zero-day exploited since mid-March
Microsoft Warns of Tax-Themed Email Attacks Using PDFs and QR Codes to Deliver Malware
Texas State Bar warns of data breach after INC ransomware claims attack
Oracle privately confirms Cloud breach to customers
Recent GitHub supply chain attack traced to leaked SpotBugs token
Attackers are leveraging Cisco Smart Licensing Utility static admin credentials (CVE-2024-20439)
Lazarus Group Targets Job Seekers With ClickFix Tactic to Deploy GolangGhost Malware
AI Threats Are Evolving Fast — Learn Practical Defense Tactics in this Expert Webinar
AI Adoption in the Enterprise: Breaking Through the Security and Compliance Gridlock

Top CVE List

CVE-2025-22224 VMware ESXi and Workstation TOCTOU Race Condition Vulnerability
CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability
CVE-2020-29574 CyberoamOS (CROS) SQL Injection Vulnerability
CVE-2022-43769 Hitachi Vantara Pentaho BA Server Special Element Injection Vulnerability
CVE-2022-43939 Hitachi Vantara Pentaho BA Server Authorization Bypass Vulnerability
CVE-2018-8639 Microsoft Windows Win32k Improper Resource Shutdown or Release Vulnerability
CVE-2024-40890 Zyxel DSL CPE OS Command Injection Vulnerability
CVE-2024-49035 Microsoft Partner Center Improper Access Control Vulnerability
CVE-2017-0148 Microsoft SMBv1 Server Remote Code Execution Vulnerability
CVE-2025-24813 Apache Tomcat Path Equivalence Vulnerability

Common Alerts

MediumHTTP to HTTPS Insecure Transition in Form Post
HighSQL Injection - PostgreSQL
HighPath Traversal
InformationalCookie Poisoning
HighPersonally Identifiable Information via WebSocket
HighCORS Misconfiguration
HighPath Traversal
InformationalPossible Username Enumeration
InformationalHTTP Parameter Pollution
HighExpression Language Injection

Top CWE List

HighCWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-693 Protection Mechanism Failure
CWE-1426 Improper Validation of Generative AI Output
CWE-1091 Use of Object without Invoking Destructor Method
CWE-1053 Missing Documentation for Design
CWE-1063 Creation of Class Instance within a Static Code Block
CWE-1121 Excessive McCabe Cyclomatic Complexity
CWE-1173 Improper Use of Validation Framework
CWE-1230 Exposure of Sensitive Information Through Metadata
CWE-125 Out-of-bounds Read