CWE-139014 advisories

Weak Authentication

What it is

The authentication mechanism is weak enough to be bypassed, guessed, or replayed.

How to fix it

Upgrade, enforce strong authentication (MFA), and invalidate weak sessions.

How to avoid it

Use vetted auth with MFA, rate-limit attempts, and never rely on guessable secrets.

Known Weak Authentication vulnerabilities

WEB3-FRONTEND-DNS-HIJACK-2022 — high · Web3/dApp web frontend / DNS / registrar / CDN trust boundary
PHISH-AITM — high · Phishing · AiTM/Adversary-in-the-middle (AiTM) phishing
OPSEC-SNOWFLAKE-2024 — critical · Cloud/Snowflake (customer tenants)
OPSEC-MIDNIGHT-BLIZZARD-2024 — critical · Identity/Microsoft 365 / Entra ID
OPSEC-MGM-CAESARS-2023 — critical · Hospitality/MGM Resorts and Caesars Entertainment
PHISH-RETOOL-2023 — high · Phishing · Smishing/Retool
OPSEC-LASTPASS-2022 — critical · Identity/LastPass
OPSEC-UBER-2022 — high · Identity/Uber
OPSEC-TWILIO-2022 — high · Communications/Twilio
OPSEC-COLONIAL-PIPELINE-2021 — critical · Critical infrastructure/Colonial Pipeline
OPSEC-TWITTER-2020 — high · Social media/Twitter
OPSEC-MARRIOTT-STARWOOD-2018 — critical · Hospitality/Marriott (Starwood)
OPSEC-SONY-PICTURES-2014 — critical · Entertainment/Sony Pictures Entertainment
OPSEC-TARGET-2013 — critical · Retail · POS/Target

Stateward flags Weak Authentication in your own code and dependencies on every pull request.

Scan my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.