CWE-306— Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.— MITRE CWE catalog
2,405 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-306page 18 of 49
- CVE-2022-27495MEDIUMCVSS 6.5EG 6.52022-05-05
On all versions 1.3.x (fixed in 1.4.0) NGINX Service Mesh control plane endpoints are exposed to the cluster overlay network. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
- CVE-2022-27582CRITICALCVSS 9.8EG 9.82022-11-01
Password recovery vulnerability in SICK SIM4000 (PPC) Partnumber 1078787 allows an unprivileged remote attacker to gain access to the userlevel defined as RecoverableUserLevel by invocating the password recovery mechanism method. This lead…
- CVE-2022-27584CRITICALCVSS 9.8EG 9.82022-11-01
Password recovery vulnerability in SICK SIM2000ST Partnumber 1080579 allows an unprivileged remote attacker to gain access to the userlevel defined as RecoverableUserLevel by invocating the password recovery mechanism method. This leads to…
- CVE-2022-27585CRITICALCVSS 9.8EG 9.82022-11-01
Password recovery vulnerability in SICK SIM1000 FX Partnumber 1097816 and 1097817 with firmware version <1.6.0 allows an unprivileged remote attacker to gain access to the userlevel defined as RecoverableUserLevel by invocating the passwor…
- CVE-2022-27586CRITICALCVSS 9.8EG 9.82022-11-01
Password recovery vulnerability in SICK SIM1004 Partnumber 1098148 with firmware version <2.0.0 allows an unprivileged remote attacker to gain access to the userlevel defined as RecoverableUserLevel by invocating the password recovery mech…
- CVE-2022-27623HIGHCVSS 7.4EG 9.12022-10-25
Missing authentication for critical function vulnerability in iSCSI management functionality in Synology DiskStation Manager (DSM) before 7.1-42661 allows remote attackers to read or write arbitrary files via unspecified vectors.
- CVE-2022-27645HIGHCVSS 8.8EG 8.82023-03-29
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R6700v3 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within readycloud_co…
- CVE-2022-2765MEDIUMCVSS 6.3EG 9.82022-08-11
A vulnerability was found in SourceCodester Company Website CMS 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /dashboard/settings. The manipulation leads to improper authentic…
- CVE-2022-27891MEDIUMCVSS 5.3EG 5.32023-02-16
Palantir Gotham included an unauthenticated endpoint that listed all active usernames on the stack with an active session. The affected services have been patched and automatically deployed to all Apollo-managed Gotham instances. It is hig…
- CVE-2022-28660CRITICALCVSS 9.8EG 9.82022-05-20
The querier component in Grafana Enterprise Logs 1.1.x through 1.3.x before 1.4.0 does not require authentication when X-Scope-OrgID is used. Versions 1.2.1, 1.3.1, and 1.4.0 contain the bugfix. This affects -auth.type=enterprise in micros…
- CVE-2022-28719CRITICALCVSS 9.8EG 9.82022-04-28
Missing authentication for critical function in AssetView prior to Ver.13.2.0 allows a remote unauthenticated attacker with some knowledge on the system configuration to upload a crafted configuration file to the managing server, which may…
- CVE-2022-28771HIGHCVSS 7.5EG 7.52022-07-12
Due to missing authentication check, SAP Business one License service API - version 10.0 allows an unauthenticated attacker to send malicious http requests over the network. On successful exploitation, an attacker can break the whole appli…
- CVE-2022-28809HIGHCVSS 7.8EG 7.82022-07-17
An issue was discovered in Open Design Alliance Drawings SDK before 2023.3. An Out-of-Bounds Read vulnerability exists when reading a DWG file with an invalid vertex number in a recovery mode. An attacker can leverage this vulnerability to…
- CVE-2022-29226CRITICALCVSS 10.0EG 10.02022-06-09
Envoy is a cloud-native high-performance proxy. In versions prior to 1.22.1 the OAuth filter implementation does not include a mechanism for validating access tokens, so by design when the HMAC signed cookie is missing a full authenticatio…
- CVE-2022-29270MEDIUMCVSS 4.3EG 4.32022-06-29
In Nagios XI through 5.8.5, it is possible for a user without password verification to change his e-mail address.
- CVE-2022-29402MEDIUMCVSS 6.8EG 6.82022-05-25
TP-Link TL-WR840N EU v6.20 was discovered to contain insecure protections for its UART console. This vulnerability allows attackers to connect to the UART port via a serial connection and execute commands as the root user without authentic…
- CVE-2022-29877MEDIUMCVSS 6.5EG 6.52022-05-20
A vulnerability has been identified in SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions …
- CVE-2022-29879MEDIUMCVSS 4.3EG 6.52022-05-20
A vulnerability has been identified in SICAM T (All versions < V3.0). The web based management interface of affected devices does not employ special access protection for certain internal developer views. This could allow authenticated use…
- CVE-2022-29881MEDIUMCVSS 5.3EG 5.32022-05-20
A vulnerability has been identified in SICAM T (All versions < V3.0). The web based management interface of affected devices does not employ special access protection for certain internal developer views. This could allow unauthenticated u…
- CVE-2022-29883MEDIUMCVSS 5.3EG 5.32022-05-20
A vulnerability has been identified in SICAM T (All versions < V3.0). Affected devices do not restrict unauthenticated access to certain pages of the web interface. This could allow an attacker to delete log files without authentication.
- CVE-2022-29934HIGHCVSS 7.8EG 7.82022-04-29
USU Oracle Optimization before 5.17.5 lacks Polkit authentication, which allows smartcollector users to achieve root access via pkexec. NOTE: this is not an Oracle Corporation product.
- CVE-2022-29951CRITICALCVSS 9.1EG 9.12022-07-26
JTEKT TOYOPUC PLCs through 2022-04-29 mishandle authentication. They utilize the CMPLink/TCP protocol (configurable on ports 1024-65534 on either TCP or UDP) for a wide variety of engineering purposes such as starting and stopping the PLC,…
- CVE-2022-29952CRITICALCVSS 9.1EG 9.12022-07-26
Bently Nevada condition monitoring equipment through 2022-04-29 mishandles authentication. It utilizes the TDI command and data protocols (60005/TCP, 60007/TCP) for communications between the monitoring controller and System 1 and/or Bentl…
- CVE-2022-29957HIGHCVSS 7.8EG 7.82022-07-26
The Emerson DeltaV Distributed Control System (DCS) through 2022-04-29 mishandles authentication. It utilizes several proprietary protocols for a wide variety of functionality. These protocols include Firmware upgrade (18508/TCP, 18518/TCP…
- CVE-2022-30229HIGHCVSS 7.2EG 5.32022-06-14
A vulnerability has been identified in SICAM GridEdge (Classic) (All versions < V2.6.6). The affected application does not require authenticated access for privileged functions. This could allow an unauthenticated attacker to change data o…
- CVE-2022-30230CRITICALCVSS 9.8EG 9.82022-06-14
A vulnerability has been identified in SICAM GridEdge (Classic) (All versions < V2.6.6). The affected application does not require authenticated access for privileged functions. This could allow an unauthenticated attacker to create a new …
- CVE-2022-30276HIGHCVSS 7.5EG 7.52022-07-26
The Motorola MOSCAD and ACE line of RTUs through 2022-05-02 omit an authentication requirement. They feature IP Gateway modules which allow for interfacing between Motorola Data Link Communication (MDLC) networks (potentially over a variet…
- CVE-2022-30313HIGHCVSS 7.5EG 7.52022-07-28
Honeywell Experion PKS Safety Manager through 2022-05-06 has Missing Authentication for a Critical Function. According to FSCT-2022-0051, there is a Honeywell Experion PKS Safety Manager multiple proprietary protocols with unauthenticated …
- CVE-2022-30317CRITICALCVSS 9.1EG 9.12022-08-31
Honeywell Experion LX through 2022-05-06 has Missing Authentication for a Critical Function. According to FSCT-2022-0055, there is a Honeywell Experion LX Control Data Access (CDA) EpicMo protocol with unauthenticated functionality issue. …
- CVE-2022-30515MEDIUMCVSS 5.3EG 5.32022-11-08
ZKTeco BioTime 8.5.4 is missing authentication on folders containing employee photos, allowing an attacker to view them through filename enumeration.
- CVE-2022-31022MEDIUMCVSS 6.2EG 6.22022-06-01
Bleve is a text indexing library for go. Bleve includes HTTP utilities under bleve/http package, that are used by its sample application. These HTTP methods pave way for exploitation of a node’s filesystem where the bleve index resides, …
- CVE-2022-31176HIGHCVSS 8.3EG 8.32022-09-02
Grafana Image Renderer is a Grafana backend plugin that handles rendering of panels & dashboards to PNGs using a headless browser (Chromium/Chrome). An internal security review identified an unauthorized file disclosure vulnerability. It i…
- CVE-2022-31260MEDIUMCVSS 6.5EG 6.52022-07-17
In Montala ResourceSpace through 9.8 before r19636, csv_export_results_metadata.php allows attackers to export collection metadata via a non-NULL k value.
- CVE-2022-31266MEDIUMCVSS 4.3EG 9.82022-06-29
In ILIAS through 7.10, lack of verification when changing an email address (on the Profile Page) allows remote attackers to take over accounts.
- CVE-2022-31461HIGHCVSS 7.4EG 6.52022-06-02
Owl Labs Meeting Owl 5.2.0.15 allows attackers to deactivate the passcode protection mechanism via a certain c 11 message.
- CVE-2022-31685CRITICALCVSS 9.8EG 9.82022-11-09
VMware Workspace ONE Assist prior to 22.10 contains an Authentication Bypass vulnerability. A malicious actor with network access to Workspace ONE Assist may be able to obtain administrative access without the need to authenticate to the a…
- CVE-2022-31701MEDIUMCVSS 5.3EG 5.32022-12-14
VMware Workspace ONE Access and Identity Manager contain a broken authentication vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.
- CVE-2022-3188MEDIUMCVSS 5.3EG 5.32022-12-21
Dataprobe iBoot-PDU FW versions prior to 1.42.06162022 contain a vulnerability where unauthenticated users could open PHP index pages without authentication and download the history file from the device; the history file includes the late…
- CVE-2022-32157HIGHCVSS 7.5EG 7.52022-06-15
Splunk Enterprise deployment servers in versions before 9.0 allow unauthenticated downloading of forwarder bundles. Remediation requires you to update the deployment server to version 9.0 and Configure authentication for deployment servers…
- CVE-2022-32251HIGHCVSS 8.8EG 9.82022-06-14
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.1). There is a missing authentication verification for a resource used to change the roles and permissions of a user. This could allow an attacker to ch…
- CVE-2022-3229CRITICALCVSS 9.8EG 9.82023-02-06
Because the web management interface for Unified Intents' Unified Remote solution does not itself require authentication, a remote, unauthenticated attacker can change or disable authentication requirements for the Unified Remote protocol,…
- CVE-2022-32503HIGHCVSS 7.6EG 7.62024-05-14
An issue was discovered on certain Nuki Home Solutions devices. An attacker with physical access to this JTAG port may be able to connect to the device and bypass both hardware and software security protections. This affects Nuki Keypad be…
- CVE-2022-32528HIGHCVSS 8.6EG 9.12023-01-30
A CWE-306: Missing Authentication for Critical Function vulnerability exists that could cause access to manipulate and read specific files in the IGSS project report directory, potentially leading to a denial-of-service condition when an …
- CVE-2022-32557HIGHCVSS 7.5EG 7.52022-06-14
An issue was discovered in Couchbase Server before 7.0.4. The Index Service does not enforce authentication for TCP/TLS servers.
- CVE-2022-3312MEDIUMCVSS 4.6EG 4.62022-11-01
Insufficient validation of untrusted input in VPN in Google Chrome on ChromeOS prior to 106.0.5249.62 allowed a local attacker to bypass managed device restrictions via physical access to the device. (Chromium security severity: Medium)
- CVE-2022-33138HIGHCVSS 7.5EG 7.52022-07-12
A vulnerability has been identified in SIMATIC MV540 H (All versions < V3.3), SIMATIC MV540 S (All versions < V3.3), SIMATIC MV550 H (All versions < V3.3), SIMATIC MV550 S (All versions < V3.3), SIMATIC MV560 U (All versions < V3.3), SIMAT…
- CVE-2022-3327CRITICALCVSS 9.8EG 9.82022-10-20
Missing Authentication for Critical Function in GitHub repository ikus060/rdiffweb prior to 2.5.0a6.
- CVE-2022-34321HIGHCVSS 8.2EG 8.22024-03-12
Improper Authentication vulnerability in Apache Pulsar Proxy allows an attacker to connect to the /proxy-stats endpoint without authentication. The vulnerable endpoint exposes detailed statistics about live connections, along with the capa…
- CVE-2022-34767MEDIUMCVSS 5.9EG 9.82022-07-21
Web page which "wizardpwd.asp" ALLNET Router model WR0500AC is prone to Authorization bypass vulnerability – the password, located at "admin" allows changing the http[s]://wizardpwd.asp/cgi-bin. Does not validate the user's identity and …
- CVE-2022-34858CRITICALCVSS 9.8EG 9.82022-08-22
Authentication Bypass vulnerability in miniOrange OAuth 2.0 client for SSO plugin <= 1.11.3 at WordPress.
Map vulnerabilities like CWE-306 to your infrastructure
EchelonGraph correlates every CVE — across CWE-306 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →