CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5504 vulnerabilities reference this CWE, most recent first.
GHSA-JP7H-4F3C-9RC7
Vulnerability from github – Published: 2025-10-23 16:01 – Updated: 2025-10-23 16:01Impact
This is a cross-account impersonation vulnerability in the auth-aws plugin. The vulnerability allows an IAM role from an untrusted AWS account to authenticate by impersonating a role with the same name in a trusted account, leading to unauthorized access.
This impacts all users of the auth-aws plugin who operate in a multi-account AWS environment where IAM role names may not be unique across accounts.
The core of the vulnerability is a flawed caching mechanism that fails to validate the AWS Account ID during authentication. While the use of wildcards in a bound_iam_principal_arn configuration significantly increases the attack surface, wildcards are not a prerequisite for exploitation. The vulnerability can be exploited with specific ARN bindings if a role name collision occurs.
Successful exploitation can lead to unauthorized access to secrets, data exfiltration, and privilege escalation. Given that the only prerequisite is a duplicate role name, the severity is considered high.
Patches
This vulnerability has been patched in version 0.1.1 of the auth-aws plugin.
Users are advised to upgrade to version 0.1.1 or later to remediate this vulnerability.
Workarounds
For users who are unable to upgrade to version 0.1.1 immediately, the most effective workaround is to guarantee that IAM role names are unique across all AWS accounts that could potentially interact with your OpenBao environment. This is the most critical mitigation step.
Primary Mitigation: Audit your AWS organizations to identify and rename any duplicate IAM role names. Enforce a naming convention that includes account-specific identifiers to prevent future collisions.
While removing wildcards from your bound_iam_principal_arn configuration is still recommended as a security best practice, it will not mitigate this vulnerability if duplicate role names exist.
Credits
This vulnerability was discovered and reported by Pavlos Karakalidis
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.1.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/openbao/openbao-plugins"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-59048"
],
"database_specific": {
"cwe_ids": [
"CWE-694",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-23T16:01:27Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\nThis is a cross-account impersonation vulnerability in the `auth-aws` plugin. The vulnerability allows an IAM role from an untrusted AWS account to authenticate by impersonating a role with the **same name** in a trusted account, leading to unauthorized access.\n\nThis impacts all users of the `auth-aws` plugin who operate in a multi-account AWS environment where IAM role names may not be unique across accounts.\n\nThe core of the vulnerability is a flawed caching mechanism that fails to validate the AWS Account ID during authentication. While the use of wildcards in a `bound_iam_principal_arn configuration` significantly increases the attack surface, **wildcards are not a prerequisite for exploitation**. The vulnerability can be exploited with specific ARN bindings if a role name collision occurs.\n\nSuccessful exploitation can lead to unauthorized access to secrets, data exfiltration, and privilege escalation. Given that the only prerequisite is a duplicate role name, the severity is considered **high**.\n\n### Patches\nThis vulnerability has been patched in version **0.1.1** of the `auth-aws` plugin.\nUsers are advised to upgrade to version **0.1.1** or later to remediate this vulnerability.\n\n### Workarounds\nFor users who are unable to upgrade to version **0.1.1** immediately, the most effective workaround is to **guarantee that IAM role names are unique across all AWS accounts** that could potentially interact with your OpenBao environment. This is the most critical mitigation step.\n\n**Primary Mitigation**: Audit your AWS organizations to identify and rename any duplicate IAM role names. Enforce a naming convention that includes account-specific identifiers to prevent future collisions.\n\nWhile removing wildcards from your `bound_iam_principal_arn` configuration is still recommended as a security best practice, it **will not** mitigate this vulnerability if duplicate role names exist.\n\n### Credits\nThis vulnerability was discovered and reported by [Pavlos Karakalidis](https://github.com/pkarakal/)",
"id": "GHSA-jp7h-4f3c-9rc7",
"modified": "2025-10-23T16:01:27Z",
"published": "2025-10-23T16:01:27Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openbao/openbao-plugins/security/advisories/GHSA-jp7h-4f3c-9rc7"
},
{
"type": "WEB",
"url": "https://github.com/openbao/openbao-plugins/commit/2a77af36834746ca6d3ac9bd1049154c84b3efae"
},
{
"type": "PACKAGE",
"url": "https://github.com/openbao/openbao-plugins"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "OpenBao AWS Plugin Vulnerable to Cross-Account IAM Role Impersonation in AWS Auth Method"
}
GHSA-JP94-W382-QGWR
Vulnerability from github – Published: 2024-04-17 00:30 – Updated: 2024-04-17 00:30Vulnerability in the Oracle Hospitality Simphony product of Oracle Food and Beverage Applications (component: Simphony Enterprise Server). Supported versions that are affected are 19.1.0-19.5.4. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Hospitality Simphony. While the vulnerability is in Oracle Hospitality Simphony, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Hospitality Simphony. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
{
"affected": [],
"aliases": [
"CVE-2024-21010"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-16T22:15:15Z",
"severity": "CRITICAL"
},
"details": "Vulnerability in the Oracle Hospitality Simphony product of Oracle Food and Beverage Applications (component: Simphony Enterprise Server). Supported versions that are affected are 19.1.0-19.5.4. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Hospitality Simphony. While the vulnerability is in Oracle Hospitality Simphony, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Hospitality Simphony. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).",
"id": "GHSA-jp94-w382-qgwr",
"modified": "2024-04-17T00:30:54Z",
"published": "2024-04-17T00:30:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21010"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2024.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JPF7-FXP6-98PF
Vulnerability from github – Published: 2022-05-24 19:21 – Updated: 2022-05-24 19:21Dell EMC Networker versions prior to 19.5 contain an Improper Authorization vulnerability. Any local malicious user with networker user privileges may exploit this vulnerability to upload malicious file to unauthorized locations and execute it.
{
"affected": [],
"aliases": [
"CVE-2021-36311"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-23T20:15:00Z",
"severity": "HIGH"
},
"details": "Dell EMC Networker versions prior to 19.5 contain an Improper Authorization vulnerability. Any local malicious user with networker user privileges may exploit this vulnerability to upload malicious file to unauthorized locations and execute it.",
"id": "GHSA-jpf7-fxp6-98pf",
"modified": "2022-05-24T19:21:13Z",
"published": "2022-05-24T19:21:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36311"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/000192419"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JPF9-QWFV-JPP5
Vulnerability from github – Published: 2022-08-17 00:00 – Updated: 2022-08-18 00:00Sequi PortBloque S has an improper authorization vulnerability, which may allow a low-privileged user to perform administrative functions using specifically crafted requests.
{
"affected": [],
"aliases": [
"CVE-2022-2661"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-16T21:15:00Z",
"severity": "HIGH"
},
"details": "Sequi PortBloque S has an improper authorization vulnerability, which may allow a low-privileged user to perform administrative functions using specifically crafted requests.",
"id": "GHSA-jpf9-qwfv-jpp5",
"modified": "2022-08-18T00:00:17Z",
"published": "2022-08-17T00:00:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2661"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-228-07"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JPQF-F2V3-PX9W
Vulnerability from github – Published: 2022-05-24 19:20 – Updated: 2022-10-06 18:52A certain template role in SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, contains transport authorizations, which exceed expected display only permissions.
{
"affected": [],
"aliases": [
"CVE-2021-40504"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-10T16:15:00Z",
"severity": "MODERATE"
},
"details": "A certain template role in SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, contains transport authorizations, which exceed expected display only permissions.",
"id": "GHSA-jpqf-f2v3-px9w",
"modified": "2022-10-06T18:52:11Z",
"published": "2022-05-24T19:20:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40504"
},
{
"type": "WEB",
"url": "https://launchpad.support.sap.com/#/notes/3105728"
},
{
"type": "WEB",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JQ88-5P5W-X8C3
Vulnerability from github – Published: 2022-05-24 16:56 – Updated: 2024-04-04 02:00OpenID Connect Issuer in LemonLDAP::NG 2.x through 2.0.5 may allow an attacker to bypass access control rules via a crafted OpenID Connect authorization request. To be vulnerable, there must exist an OIDC Relaying party within the LemonLDAP configuration with weaker access control rules than the target RP, and no filtering on redirection URIs.
{
"affected": [],
"aliases": [
"CVE-2019-15941"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-09-25T20:15:00Z",
"severity": "CRITICAL"
},
"details": "OpenID Connect Issuer in LemonLDAP::NG 2.x through 2.0.5 may allow an attacker to bypass access control rules via a crafted OpenID Connect authorization request. To be vulnerable, there must exist an OIDC Relaying party within the LemonLDAP configuration with weaker access control rules than the target RP, and no filtering on redirection URIs.",
"id": "GHSA-jq88-5p5w-x8c3",
"modified": "2024-04-04T02:00:11Z",
"published": "2022-05-24T16:56:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-15941"
},
{
"type": "WEB",
"url": "https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1881"
},
{
"type": "WEB",
"url": "https://projects.ow2.org/view/lemonldap-ng/lemonldap-ng-2-0-6-is-out"
},
{
"type": "WEB",
"url": "https://seclists.org/bugtraq/2019/Sep/46"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2019/dsa-4533"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JQ8V-8C7P-26P2
Vulnerability from github – Published: 2022-05-24 17:37 – Updated: 2022-05-24 17:37IBM Automation Workstream Services 19.0.3, 20.0.1, 20.0.2, IBM Business Automation Workflow 18.0, 19.0, and 20.0 and IBM Business Process Manager 8.6 could allow an authenticated user to obtain sensitive information or cuase a denial of service due to iimproper authorization checking. IBM X-Force ID: 189445.
{
"affected": [],
"aliases": [
"CVE-2020-4794"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-12-21T18:15:00Z",
"severity": "MODERATE"
},
"details": "IBM Automation Workstream Services 19.0.3, 20.0.1, 20.0.2, IBM Business Automation Workflow 18.0, 19.0, and 20.0 and IBM Business Process Manager 8.6 could allow an authenticated user to obtain sensitive information or cuase a denial of service due to iimproper authorization checking. IBM X-Force ID: 189445.",
"id": "GHSA-jq8v-8c7p-26p2",
"modified": "2022-05-24T17:37:11Z",
"published": "2022-05-24T17:37:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4794"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/189445"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6359463"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-JQ92-QVF9-X3JX
Vulnerability from github – Published: 2022-03-31 00:00 – Updated: 2022-04-06 00:01In Settings, there is a possible way to read Bluetooth device names without proper permissions due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-172838801
{
"affected": [],
"aliases": [
"CVE-2021-39751"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-30T16:15:00Z",
"severity": "MODERATE"
},
"details": "In Settings, there is a possible way to read Bluetooth device names without proper permissions due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-172838801",
"id": "GHSA-jq92-qvf9-x3jx",
"modified": "2022-04-06T00:01:54Z",
"published": "2022-03-31T00:00:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39751"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/android-12l"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JQ9F-GM9W-RWM9
Vulnerability from github – Published: 2026-02-05 21:46 – Updated: 2026-02-06 19:07Impact
OpenFGA v1.8.5 to v1.11.2 ( openfga-0.2.22 <= Helm chart <= openfga-0.2.51, v.1.8.5 <= docker <= v.1.11.2) are vulnerable to improper policy enforcement when certain Check calls are executed.
Affected Users
Users are affected by this vulnerability if all of the following preconditions are met: - OpenFGA v1.8.5 to v1.11.2 is being used - The model has a relation directly assignable by a type bound public access and assignable by type bound non-public access - A tuple is assigned for the relation that is a type bound public access - A tuple is assigned for the same object with the same relation that is not type bound public access - A tuple is assigned for a different object that has an object ID lexicographically larger with the same user and relation which is not type bound public access
Fix
Upgrade to v1.11.3. This upgrade is backwards compatible.
Workaround
None
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.11.2"
},
"package": {
"ecosystem": "Go",
"name": "github.com/openfga/openfga"
},
"ranges": [
{
"events": [
{
"introduced": "1.8.5"
},
{
"fixed": "1.11.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-24851"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-05T21:46:41Z",
"nvd_published_at": "2026-02-06T18:15:58Z",
"severity": "MODERATE"
},
"details": "### Impact\nOpenFGA v1.8.5 to v1.11.2 ( openfga-0.2.22 \u003c= Helm chart \u003c= openfga-0.2.51, v.1.8.5 \u003c= docker \u003c= v.1.11.2) are vulnerable to improper policy enforcement when certain Check calls are executed.\n\n\n### Affected Users\nUsers are affected by this vulnerability if all of the following preconditions are met:\n- OpenFGA v1.8.5 to v1.11.2 is being used\n- The model has a relation directly assignable by a [type bound public access](https://openfga.dev/docs/concepts#what-is-type-bound-public-access) and assignable by type bound non-public access\n- A tuple is assigned for the relation that is a type bound public access\n- A tuple is assigned for the same object with the same relation that is not type bound public access\n- A tuple is assigned for a different object that has an object ID lexicographically larger with the same user and relation which is not type bound public access\n\n\n### Fix\nUpgrade to v1.11.3. This upgrade is backwards compatible.\n\n### Workaround\nNone",
"id": "GHSA-jq9f-gm9w-rwm9",
"modified": "2026-02-06T19:07:06Z",
"published": "2026-02-05T21:46:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openfga/openfga/security/advisories/GHSA-jq9f-gm9w-rwm9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24851"
},
{
"type": "WEB",
"url": "https://github.com/openfga/openfga/commit/1bb5eddf4a3d2fc718aab7914b8f9a1200d2f7ee"
},
{
"type": "PACKAGE",
"url": "https://github.com/openfga/openfga"
},
{
"type": "WEB",
"url": "https://github.com/openfga/openfga/releases/tag/v1.11.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
"type": "CVSS_V4"
}
],
"summary": "OpenFGA Improper Policy Enforcement"
}
GHSA-JQF5-5C3V-WJ97
Vulnerability from github – Published: 2022-05-24 17:28 – Updated: 2022-05-24 17:28A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. Due to improper verification of permissions, an unauthorized user can access a private repository within a public project.
{
"affected": [],
"aliases": [
"CVE-2020-13303"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-09-15T13:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. Due to improper verification of permissions, an unauthorized user can access a private repository within a public project.",
"id": "GHSA-jqf5-5c3v-wj97",
"modified": "2022-05-24T17:28:16Z",
"published": "2022-05-24T17:28:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13303"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/962231"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13303.json"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/238887"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.