Description
A resource that should require authentication is accessible without proper authentication mechanisms in place. This vulnerability allows unauthorized access to potentially sensitive information or functionality.
Remediation
1. Implement proper authentication mechanisms for all sensitive resources.
2. Ensure that authentication checks are performed server-side before granting access.
3. Use strong, industry-standard authentication protocols (e.g., OAuth 2.0, JWT).
4. Regularly audit and test authentication mechanisms to ensure they are functioning correctly.
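The following is an added illustration of remediation steps 1 and 2, not code from the original finding or from any referenced project. It places a handler behind a server-side authentication check and contrasts it with a handler that grants access on a client-supplied flag alone. The token format (`user_id.expires_at.hmac`), the `SECRET_KEY` value, the `require_auth` decorator and the dictionary-shaped request are all constructed assumptions chosen to keep the example framework-independent; a real service would use its framework's middleware and a vetted session or OAuth 2.0 / JWT library.

```python
import hashlib
import hmac
import time
from functools import wraps
from typing import Optional, Tuple

# Assumption: a server-side signing secret; real code loads this from protected config.
SECRET_KEY = b"example-secret-change-me"


def issue_token(user_id: str, expires_at: int) -> str:
    """Mint a token of the hypothetical form user_id.expires_at.hexhmac."""
    payload = f"{user_id}.{expires_at}".encode()
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    return f"{user_id}.{expires_at}.{sig}"


def verify_token(token: str, now: int) -> Optional[str]:
    """Return the user_id when the token is authentic and unexpired, else None."""
    try:
        user_id, exp_str, sig = token.split(".")
        expires_at = int(exp_str)
    except (ValueError, AttributeError):
        return None  # malformed token
    payload = f"{user_id}.{expires_at}".encode()
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    # Constant-time comparison so a forged signature cannot be guessed byte by byte.
    if not hmac.compare_digest(sig, expected):
        return None
    if now >= expires_at:
        return None  # expired
    return user_id


def require_auth(handler):
    """Decorator: the server rejects the request unless a valid bearer token is present."""

    @wraps(handler)
    def wrapper(request: dict) -> Tuple[int, str]:
        auth_header = request.get("headers", {}).get("Authorization", "")
        scheme, _, token = auth_header.partition(" ")
        user_id = None
        if scheme == "Bearer" and token:
            user_id = verify_token(token, request.get("now", int(time.time())))
        if user_id is None:
            # Fail closed: no identity established, no access to the resource.
            return 401, "authentication required"
        request["user_id"] = user_id
        return handler(request)

    return wrapper


# Vulnerable form (the pattern this finding describes): access is decided on a
# client-controlled query flag and no credential is ever checked server-side.
def export_users_vulnerable(request: dict) -> Tuple[int, str]:
    if request.get("query", {}).get("admin") == "true":
        return 200, "user export"
    return 403, "forbidden"


# Hardened form: the same resource behind the server-side authentication check.
@require_auth
def export_users(request: dict) -> Tuple[int, str]:
    return 200, f"user export for {request['user_id']}"


if __name__ == "__main__":
    now = int(time.time())
    print(export_users({"headers": {}, "now": now}))  # 401 without credentials
    token = issue_token("alice", now + 3600)
    print(export_users({"headers": {"Authorization": "Bearer " + token}, "now": now}))
```

The point of the contrast is where the decision is made: the vulnerable handler lets the client assert its own privilege, while the hardened handler establishes identity from a server-verified credential before any resource logic runs. The `now` field in the request exists only so the example is testable offline with a fixed clock.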
References
OWASP API Security Top 10 2023: API2 - Broken Authentication
OWASP API Security Top 10 2023: API5 - Broken Function Level Authorization