Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3257 vulnerabilities reference this CWE, most recent first.

GHSA-F656-9J3J-FF9J

Vulnerability from github – Published: 2022-10-14 19:00 – Updated: 2022-10-18 12:00
VLAI
Details

Online Birth Certificate Management System version 1.0 suffers from an Insecure Direct Object Reference (IDOR) vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-42067"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-14T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Online Birth Certificate Management System version 1.0 suffers from an Insecure Direct Object Reference (IDOR) vulnerability",
  "id": "GHSA-f656-9j3j-ff9j",
  "modified": "2022-10-18T12:00:32Z",
  "published": "2022-10-14T19:00:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42067"
    },
    {
      "type": "WEB",
      "url": "https://packetstormsecurity.com/files/168524/Online-Birth-Certificate-Management-System-1.0-Insecure-Direct-Object-Reference.html"
    },
    {
      "type": "WEB",
      "url": "https://www.sourcecodester.com/php/15683/online-birth-certificate-management-system-php-free-download.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F67Q-RX5W-V4HR

Vulnerability from github – Published: 2025-02-24 03:31 – Updated: 2025-02-24 03:31
VLAI
Details

A vulnerability, which was classified as problematic, has been found in SourceCodester Best Employee Management System 1.0. This issue affects some unknown processing of the file /admin/salary_slip.php. The manipulation of the argument id leads to authorization bypass. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-1607"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285",
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-24T01:15:09Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability, which was classified as problematic, has been found in SourceCodester Best Employee Management System 1.0. This issue affects some unknown processing of the file /admin/salary_slip.php. The manipulation of the argument id leads to authorization bypass. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-f67q-rx5w-v4hr",
  "modified": "2025-02-24T03:31:51Z",
  "published": "2025-02-24T03:31:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1607"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xiahao90/CVEproject/blob/main/xiahao.webray.com.cn/Best-employee-management-system-unauthorized-access.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.296597"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.296597"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.498432"
    },
    {
      "type": "WEB",
      "url": "https://www.sourcecodester.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-F6H3-846H-2R8W

Vulnerability from github – Published: 2026-03-04 18:58 – Updated: 2026-03-04 18:58
VLAI
Summary
OpenClaw's elevated allowFrom accepted broader identity signals than specified within sender-scoped authorization
Details

Summary

In certain elevated-mode configurations, tools.elevated.allowFrom accepted broader identity signals than intended. The fix tightens matching to sender-scoped identity by default and makes mutable metadata matching explicit.

Context

OpenClaw is commonly used in 1:1 chats or trusted group chats. In that intended model, this issue is best treated as authorization hardening / defense-in-depth for elevated sender approval.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Latest published npm version at triage: 2026.2.21-2
  • Affected versions: <= 2026.2.21-2
  • Planned patched version (pre-set for publish-ready advisory): 2026.2.22

Details

Elevated sender authorization now matches sender-scoped identity values only by default (SenderId, From, SenderE164) and no longer considers recipient routing fields such as ctx.To.

Mutable sender metadata (SenderName, SenderUsername, SenderTag) now requires explicit allowlist prefixes (name:, username:, tag:). Explicit identity prefixes are also supported (id:, from:, e164:).

Fix Commit(s)

  • 6817c0ec7b4fa830123d4f5c340f075a4bd04ee2

Release Process Note

The advisory patched_versions is pre-set to the planned next release (2026.2.22). Once npm openclaw@2026.2.22 is published, this advisory can be published without additional content edits.

OpenClaw thanks @jiseoung for reporting.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.2.22"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-04T18:58:07Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\nIn certain elevated-mode configurations, `tools.elevated.allowFrom` accepted broader identity signals than intended. The fix tightens matching to sender-scoped identity by default and makes mutable metadata matching explicit.\n\n### Context\nOpenClaw is commonly used in 1:1 chats or trusted group chats. In that intended model, this issue is best treated as authorization hardening / defense-in-depth for elevated sender approval.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version at triage: `2026.2.21-2`\n- Affected versions: `\u003c= 2026.2.21-2`\n- Planned patched version (pre-set for publish-ready advisory): `2026.2.22`\n\n### Details\nElevated sender authorization now matches sender-scoped identity values only by default (`SenderId`, `From`, `SenderE164`) and no longer considers recipient routing fields such as `ctx.To`.\n\nMutable sender metadata (`SenderName`, `SenderUsername`, `SenderTag`) now requires explicit allowlist prefixes (`name:`, `username:`, `tag:`). Explicit identity prefixes are also supported (`id:`, `from:`, `e164:`).\n\n### Fix Commit(s)\n- `6817c0ec7b4fa830123d4f5c340f075a4bd04ee2`\n\n### Release Process Note\nThe advisory `patched_versions` is pre-set to the planned next release (`2026.2.22`). Once npm `openclaw@2026.2.22` is published, this advisory can be published without additional content edits.\n\nOpenClaw thanks @jiseoung for reporting.",
  "id": "GHSA-f6h3-846h-2r8w",
  "modified": "2026-03-04T18:58:07Z",
  "published": "2026-03-04T18:58:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-f6h3-846h-2r8w"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/6817c0ec7b4fa830123d4f5c340f075a4bd04ee2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw\u0027s elevated allowFrom accepted broader identity signals than specified within sender-scoped authorization"
}

GHSA-F6J7-PP4G-5XQX

Vulnerability from github – Published: 2026-01-23 15:31 – Updated: 2026-01-23 22:35
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Rosebud rosebud allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Rosebud: from n/a through <= 1.4.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-24631"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-23T15:16:22Z",
    "severity": "MODERATE"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Rosebud rosebud allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Rosebud: from n/a through \u003c= 1.4.",
  "id": "GHSA-f6j7-pp4g-5xqx",
  "modified": "2026-01-23T22:35:53Z",
  "published": "2026-01-23T15:31:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24631"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Theme/rosebud/vulnerability/wordpress-rosebud-theme-1-4-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F6VX-5RMG-69J9

Vulnerability from github – Published: 2023-06-23 15:30 – Updated: 2026-04-28 21:32
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in JS Help Desk js-support-ticket allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects JS Help Desk: from n/a through 2.7.7.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-23679"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-23T15:15:09Z",
    "severity": "HIGH"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in JS Help Desk js-support-ticket allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects JS Help Desk: from n/a through 2.7.7.",
  "id": "GHSA-f6vx-5rmg-69j9",
  "modified": "2026-04-28T21:32:54Z",
  "published": "2023-06-23T15:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23679"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/js-support-ticket/wordpress-js-help-desk-best-help-desk-support-plugin-plugin-2-7-7-idor-leading-to-ticket-deletion-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F6X8-HGHG-9RXJ

Vulnerability from github – Published: 2024-04-15 12:30 – Updated: 2024-04-15 12:30
VLAI
Details

A potential security vulnerability has been identified in HPE FlexFabric and FlexNetwork series products. This vulnerability could be exploited to gain privileged access to switches resulting in information disclosure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-22439"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-15T10:15:08Z",
    "severity": "MODERATE"
  },
  "details": "\nA potential security vulnerability has been identified in HPE FlexFabric and FlexNetwork series products. This vulnerability could be exploited to gain privileged access to switches resulting in information disclosure.\n\n",
  "id": "GHSA-f6x8-hghg-9rxj",
  "modified": "2024-04-15T12:30:34Z",
  "published": "2024-04-15T12:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22439"
    },
    {
      "type": "WEB",
      "url": "https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US\u0026docId=hpesbnw04625en_us"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F72G-52V7-MG3P

Vulnerability from github – Published: 2025-09-19 21:31 – Updated: 2025-09-26 16:23
VLAI
Summary
Mattermost boards plugin fails to restrict download access to files
Details

Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate access controls which allows any authenticated user to download sensitive files via board file download endpoint using UUID enumeration

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost-plugin-boards"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20250716054606-3f3e3becfe1d"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost/server/v8"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.0.0-20250721095935-11c36f4d1e44"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.5.0-rc1"
            },
            {
              "fixed": "10.5.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.11.0-rc1"
            },
            {
              "fixed": "9.11.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-9081"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-22T18:00:01Z",
    "nvd_published_at": "2025-09-19T20:15:40Z",
    "severity": "LOW"
  },
  "details": "Mattermost versions 10.5.x \u003c= 10.5.8, 9.11.x \u003c= 9.11.17 fail to properly validate access controls which allows any authenticated user to download sensitive files via board file download endpoint using UUID enumeration",
  "id": "GHSA-f72g-52v7-mg3p",
  "modified": "2025-09-26T16:23:18Z",
  "published": "2025-09-19T21:31:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9081"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mattermost/mattermost-plugin-boards/pull/114"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mattermost/mattermost-plugin-boards/commit/3f3e3becfe1d66db0d0f4fd235f04afd6e1ec40b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mattermost/mattermost-plugin-boards"
    },
    {
      "type": "WEB",
      "url": "https://mattermost.com/security-updates"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2025-3978"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Mattermost boards plugin fails to restrict download access to files"
}

GHSA-F78Q-MW55-HMG4

Vulnerability from github – Published: 2026-01-22 18:30 – Updated: 2026-01-27 18:32
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Innovio innovio allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Innovio: from n/a through <= 1.7.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-22404"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-22T17:16:33Z",
    "severity": "MODERATE"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Innovio innovio allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Innovio: from n/a through \u003c= 1.7.",
  "id": "GHSA-f78q-mw55-hmg4",
  "modified": "2026-01-27T18:32:12Z",
  "published": "2026-01-22T18:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22404"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Theme/innovio/vulnerability/wordpress-innovio-theme-1-7-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F7H9-HRG7-94FG

Vulnerability from github – Published: 2024-10-01 15:32 – Updated: 2024-11-16 00:31
VLAI
Details

Bluetooth LE and BR/EDR Secure Connections pairing and Secure Simple Pairing using the Passkey entry protocol in Bluetooth Core Specifications 2.1 through 5.3 may permit an unauthenticated man-in-the-middle attacker to identify the Passkey used during pairing by reflection of a crafted public key with the same X coordinate as the offered public key and by reflection of the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. This is a related issue to CVE-2020-26558.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-37577"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-01T15:15:06Z",
    "severity": "MODERATE"
  },
  "details": "Bluetooth LE and BR/EDR Secure Connections pairing and Secure Simple Pairing using the Passkey entry protocol in Bluetooth Core Specifications 2.1 through 5.3 may permit an unauthenticated man-in-the-middle attacker to identify the Passkey used during pairing by reflection of a crafted public key with the same X coordinate as the offered public key and by reflection of the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. This is a related issue to CVE-2020-26558.",
  "id": "GHSA-f7h9-hrg7-94fg",
  "modified": "2024-11-16T00:31:49Z",
  "published": "2024-10-01T15:32:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37577"
    },
    {
      "type": "WEB",
      "url": "https://bluetooth.com"
    },
    {
      "type": "WEB",
      "url": "https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/passkey-impersonation"
    },
    {
      "type": "WEB",
      "url": "https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/reporting-security"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F8CV-RHQG-3X6W

Vulnerability from github – Published: 2022-08-06 00:00 – Updated: 2022-08-11 00:00
VLAI
Details

Authenticated IDOR vulnerability in StoreApps Affiliate For WooCommerce premium plugin <= 4.7.0 at WordPress allows an attacker to change the PayPal email. WooCommerce PayPal Payments plugin (free) should be at least installed to get the extra input field on the user profile page.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-36284"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-05T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Authenticated IDOR vulnerability in StoreApps Affiliate For WooCommerce premium plugin \u003c= 4.7.0 at WordPress allows an attacker to change the PayPal email. WooCommerce PayPal Payments plugin (free) should be at least installed to get the extra input field on the user profile page.",
  "id": "GHSA-f8cv-rhqg-3x6w",
  "modified": "2022-08-11T00:00:33Z",
  "published": "2022-08-06T00:00:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36284"
    },
    {
      "type": "WEB",
      "url": "https://dzv365zjfbd8v.cloudfront.net/changelogs/affiliate-for-woocommerce/changelog.txt"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/affiliate-for-woocommerce/wordpress-affiliate-for-woocommerce-premium-plugin-4-7-0-authenticated-idor-vulnerability-leading-to-paypal-email-change"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.