CWE-2878 advisories

Improper Authentication

What it is

Authentication can be bypassed or spoofed, letting an attacker act as another user.

How to fix it

Upgrade to the patched release and rotate any exposed credentials/sessions.

How to avoid it

Use a vetted auth library, verify every token server-side, and fail closed.

Known Improper Authentication vulnerabilities

WEB3-STAKE-COM-2023 — critical · Web3 · CEX/Stake.com
APPSEC-NOAUTH-2023 — critical · Web app/Microsoft Entra ID (Azure AD) OAuth/OIDC apps · exploited
SC-GHA-OIDC-MISCONFIG-2021 — critical · CI/CD · GitHub Actions/GitHub Actions to cloud OIDC trust misconfiguration · exploited
WEB3-FTX-DRAIN-2022 — critical · Web3 · CEX/FTX
SC-KASEYA-VSA-2021 — critical · Software vendor · MSP/Kaseya VSA
APPSEC-PELOTON-API-2021 — medium · API/Peloton
APPSEC-INSTAGRAM-OTP-BRUTEFORCE-2019 — high · API/Instagram (Meta) mobile password recovery · exploited
APPSEC-FACEBOOK-VIEWAS-2018 — critical · Web app/Facebook

Stateward flags Improper Authentication in your own code and dependencies on every pull request.

Scan my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.