CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5504 vulnerabilities reference this CWE, most recent first.
GHSA-JX78-FJMH-Q5CC
Vulnerability from github – Published: 2022-05-24 17:49 – Updated: 2022-07-13 00:01Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows attackers to bypass the add_issue_notes permission requirement by leveraging the incoming mail handler.
{
"affected": [],
"aliases": [
"CVE-2021-31864"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-28T07:15:00Z",
"severity": "MODERATE"
},
"details": "Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows attackers to bypass the add_issue_notes permission requirement by leveraging the incoming mail handler.",
"id": "GHSA-jx78-fjmh-q5cc",
"modified": "2022-07-13T00:01:25Z",
"published": "2022-05-24T17:49:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31864"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00013.html"
},
{
"type": "WEB",
"url": "https://www.redmine.org/news/131"
},
{
"type": "WEB",
"url": "https://www.redmine.org/projects/redmine/wiki/Security_Advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JXF6-Q59W-R36Q
Vulnerability from github – Published: 2022-05-13 01:27 – Updated: 2022-05-13 01:27Cisco Carrier Routing System (CRS) 3.9, 4.0, and 4.1 allows remote attackers to bypass ACL entries via fragmented packets, aka Bug ID CSCtj10975.
{
"affected": [],
"aliases": [
"CVE-2012-1342"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2012-08-06T17:55:00Z",
"severity": "MODERATE"
},
"details": "Cisco Carrier Routing System (CRS) 3.9, 4.0, and 4.1 allows remote attackers to bypass ACL entries via fragmented packets, aka Bug ID CSCtj10975.",
"id": "GHSA-jxf6-q59w-r36q",
"modified": "2022-05-13T01:27:48Z",
"published": "2022-05-13T01:27:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-1342"
},
{
"type": "WEB",
"url": "http://www.cisco.com/cisco/software/release.html?mdfid=279506669\u0026catid=268437899\u0026flowid=1915\u0026reltype=all\u0026relind=AVAILABLE\u0026release=3.9.2\u0026softwareid=280867577"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JXF8-G6GQ-M62F
Vulnerability from github – Published: 2022-05-24 19:03 – Updated: 2022-05-24 19:03Two authorization bypass through user-controlled key vulnerabilities in the Fortinet FortiPresence 2.1.0 administration interface may allow an attacker to gain access to some user data via portal manager or portal users parameters.
{
"affected": [],
"aliases": [
"CVE-2020-6641"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-02T11:15:00Z",
"severity": "MODERATE"
},
"details": "Two authorization bypass through user-controlled key vulnerabilities in the Fortinet FortiPresence 2.1.0 administration interface may allow an attacker to gain access to some user data via portal manager or portal users parameters.",
"id": "GHSA-jxf8-g6gq-m62f",
"modified": "2022-05-24T19:03:54Z",
"published": "2022-05-24T19:03:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6641"
},
{
"type": "WEB",
"url": "https://fortiguard.com/advisory/FG-IR-19-258"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JXGP-JGH3-8JC8
Vulnerability from github – Published: 2023-01-09 21:57 – Updated: 2023-01-24 23:29Summary
Unauthorized access refers to the ability to bypass the system's preset permission settings to access some API interfaces. The attack exploits a flaw in how online applications handle routing permissions.
Affected Version
<= v3.16.3
Patches
The vulnerability has been fixed in v3.16.3.
https://github.com/KubeOperator/KubeOperator/commit/7ef42bf1c16900d13e6376f8be5ecdbfdfb44aaf
Workarounds
It is recommended to upgrade the version to v3.16.4.
For more information
If you have any questions or comments about this advisory, please open an issue.
References
https://github.com/KubeOperator/KubeOperator/releases/tag/v3.16.4
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/KubeOperator/KubeOperator"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "3.16.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-22480"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-09T21:57:54Z",
"nvd_published_at": "2023-01-14T01:15:00Z",
"severity": "HIGH"
},
"details": "### Summary\n\nUnauthorized access refers to the ability to bypass the system\u0027s preset permission settings to access some API interfaces. The attack exploits a flaw in how online applications handle routing permissions.\n\n### Affected Version\n\n\u003c= v3.16.3\n\n### Patches\n\nThe vulnerability has been fixed in v3.16.3.\n\nhttps://github.com/KubeOperator/KubeOperator/commit/7ef42bf1c16900d13e6376f8be5ecdbfdfb44aaf\n\n### Workarounds\n\nIt is recommended to upgrade the version to v3.16.4.\n\n### For more information\n\nIf you have any questions or comments about this advisory, please open an issue.\n\n### References\n\nhttps://github.com/KubeOperator/KubeOperator/releases/tag/v3.16.4",
"id": "GHSA-jxgp-jgh3-8jc8",
"modified": "2023-01-24T23:29:09Z",
"published": "2023-01-09T21:57:54Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/KubeOperator/KubeOperator/security/advisories/GHSA-jxgp-jgh3-8jc8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22480"
},
{
"type": "WEB",
"url": "https://github.com/KubeOperator/KubeOperator/commit/7ef42bf1c16900d13e6376f8be5ecdbfdfb44aaf"
},
{
"type": "PACKAGE",
"url": "https://github.com/KubeOperator/KubeOperator"
},
{
"type": "WEB",
"url": "https://github.com/KubeOperator/KubeOperator/releases/tag/v3.16.4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "KubeOperator allows unauthorized access to system API"
}
GHSA-JXP6-F9WG-M536
Vulnerability from github – Published: 2024-02-18 03:30 – Updated: 2024-12-06 21:30The VerifiedBoot module has a vulnerability that may cause authentication errors.Successful exploitation of this vulnerability may affect integrity.
{
"affected": [],
"aliases": [
"CVE-2023-52361"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-18T03:15:08Z",
"severity": "HIGH"
},
"details": "The VerifiedBoot module has a vulnerability that may cause authentication errors.Successful exploitation of this vulnerability may affect integrity.",
"id": "GHSA-jxp6-f9wg-m536",
"modified": "2024-12-06T21:30:34Z",
"published": "2024-02-18T03:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52361"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2024/2"
},
{
"type": "WEB",
"url": "https://device.harmonyos.com/cn/docs/security/update/security-bulletins-202402-0000001834855405"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JXV7-5F9P-6RG2
Vulnerability from github – Published: 2022-05-24 19:02 – Updated: 2022-05-24 19:02Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the QueryComponentRendererValue!Default.jspa endpoint. The affected versions are before version 8.5.13, from version 8.6.0 before 8.13.5, and from version 8.14.0 before 8.15.1.
{
"affected": [],
"aliases": [
"CVE-2020-36289"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-12T04:15:00Z",
"severity": "MODERATE"
},
"details": "Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the QueryComponentRendererValue!Default.jspa endpoint. The affected versions are before version 8.5.13, from version 8.6.0 before 8.13.5, and from version 8.14.0 before 8.15.1.",
"id": "GHSA-jxv7-5f9p-6rg2",
"modified": "2022-05-24T19:02:16Z",
"published": "2022-05-24T19:02:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36289"
},
{
"type": "WEB",
"url": "https://jira.atlassian.com/browse/JRASERVER-71559"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JXVJ-G7Q4-JGQ7
Vulnerability from github – Published: 2023-06-27 00:30 – Updated: 2024-04-04 05:11An exposed dangerous function vulnerability in the Trend Micro Apex One and Apex One as a Service security agent could allow a local attacker to escalate privileges and write an arbitrary value to specific Trend Micro agent subkeys on affected installations.
Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
This is a similar, but not identical vulnerability as CVE-2023-34146 and CVE-2023-34148.
{
"affected": [],
"aliases": [
"CVE-2023-34147"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-26T22:15:11Z",
"severity": "HIGH"
},
"details": "An exposed dangerous function vulnerability in the Trend Micro Apex One and Apex One as a Service security agent could allow a local attacker to escalate privileges and write an arbitrary value to specific Trend Micro agent subkeys on affected installations.\n\nPlease note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThis is a similar, but not identical vulnerability as CVE-2023-34146 and CVE-2023-34148.",
"id": "GHSA-jxvj-g7q4-jgq7",
"modified": "2024-04-04T05:11:37Z",
"published": "2023-06-27T00:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34147"
},
{
"type": "WEB",
"url": "https://success.trendmicro.com/dcx/s/solution/000293322?language=en_US"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-833"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JXXM-27VP-C3M5
Vulnerability from github – Published: 2026-03-24 21:44 – Updated: 2026-03-27 22:09Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The nats-server provides an MQTT client interface.
Problem Description
When using ACLs on message subjects, these ACLs were not applied in the $MQTT.> namespace, allowing MQTT clients to bypass ACL checks for MQTT subjects.
Affected Versions
Any version before v2.12.6 or v2.11.15
Workarounds
None.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/nats-io/nats-server/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.11.15"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/nats-io/nats-server/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.12.0-RC.1"
},
{
"fixed": "2.12.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/nats-io/nats-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33217"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-24T21:44:17Z",
"nvd_published_at": "2026-03-25T20:16:32Z",
"severity": "HIGH"
},
"details": "### Background\n\nNATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.\n\nThe nats-server provides an MQTT client interface.\n\n### Problem Description\n\nWhen using ACLs on message subjects, these ACLs were not applied in the `$MQTT.\u003e` namespace, allowing MQTT clients to bypass ACL checks for MQTT subjects.\n\n### Affected Versions\n\nAny version before v2.12.6 or v2.11.15\n\n### Workarounds\n\nNone.",
"id": "GHSA-jxxm-27vp-c3m5",
"modified": "2026-03-27T22:09:37Z",
"published": "2026-03-24T21:44:17Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-jxxm-27vp-c3m5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33217"
},
{
"type": "WEB",
"url": "https://advisories.nats.io/CVE/secnote-2026-07.txt"
},
{
"type": "PACKAGE",
"url": "https://github.com/nats-io/nats-server"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "NATS allows MQTT clients to bypass ACL checks"
}
GHSA-M295-R33Q-79RG
Vulnerability from github – Published: 2024-01-26 00:30 – Updated: 2024-10-18 18:30An authentication bypass vulnerability exists in the web component of the Motorola MR2600. An attacker can exploit this vulnerability to access protected URLs and retrieve sensitive information.
{
"affected": [],
"aliases": [
"CVE-2024-23629"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-26T00:15:11Z",
"severity": "CRITICAL"
},
"details": "An authentication bypass vulnerability exists in the web component of the Motorola MR2600. An attacker can exploit this vulnerability to access protected URLs and retrieve sensitive information.\n",
"id": "GHSA-m295-r33q-79rg",
"modified": "2024-10-18T18:30:36Z",
"published": "2024-01-26T00:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23629"
},
{
"type": "WEB",
"url": "https://blog.exodusintel.com/2024/01/25/motorola-mr2600-authentication-bypass-vulnerability"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M297-3JV9-M927
Vulnerability from github – Published: 2026-03-05 21:30 – Updated: 2026-03-06 22:28A security flaw in the IdentityBrokerService.performLogin endpoint of Keycloak allows authentication to proceed using an Identity Provider (IdP) even after it has been disabled by an administrator. An attacker who knows the IdP alias can reuse a previously generated login request to bypass the administrative restriction. This undermines access control enforcement and may allow unauthorized authentication through a disabled external provider.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.keycloak:keycloak-services"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "26.5.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-3009"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-06T22:28:28Z",
"nvd_published_at": "2026-03-05T19:16:18Z",
"severity": "HIGH"
},
"details": "A security flaw in the IdentityBrokerService.performLogin endpoint of Keycloak allows authentication to proceed using an Identity Provider (IdP) even after it has been disabled by an administrator. An attacker who knows the IdP alias can reuse a previously generated login request to bypass the administrative restriction. This undermines access control enforcement and may allow unauthorized authentication through a disabled external provider.",
"id": "GHSA-m297-3jv9-m927",
"modified": "2026-03-06T22:28:28Z",
"published": "2026-03-05T21:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3009"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/issues/46911"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/commit/4fd5367e6cc28cfa68fb2240fc459c12b1fdbf2a"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:3947"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:3948"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-3009"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2441867"
},
{
"type": "PACKAGE",
"url": "https://github.com/keycloak/keycloak"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/releases/tag/26.5.5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Keycloak allows authentication using an Identity Provider (IdP) even after it has been disabled by an administrator"
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.