CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5517 vulnerabilities reference this CWE, most recent first.
GHSA-M7X4-XMJQ-8HXP
Vulnerability from github – Published: 2022-05-24 17:49 – Updated: 2022-07-13 00:01Improper access control vulnerability in Buffalo broadband routers (BHR-4GRV firmware Ver.1.99 and prior, DWR-HP-G300NH firmware Ver.1.83 and prior, HW-450HP-ZWE firmware Ver.1.99 and prior, WHR-300HP firmware Ver.1.99 and prior, WHR-300 firmware Ver.1.99 and prior, WHR-G301N firmware Ver.1.86 and prior, WHR-HP-G300N firmware Ver.1.99 and prior, WHR-HP-GN firmware Ver.1.86 and prior, WPL-05G300 firmware Ver.1.87 and prior, WZR-450HP-CWT firmware Ver.1.99 and prior, WZR-450HP-UB firmware Ver.1.99 and prior, WZR-HP-AG300H firmware Ver.1.75 and prior, WZR-HP-G300NH firmware Ver.1.83 and prior, WZR-HP-G301NH firmware Ver.1.83 and prior, WZR-HP-G302H firmware Ver.1.85 and prior, WZR-HP-G450H firmware Ver.1.89 and prior, WZR-300HP firmware Ver.1.99 and prior, WZR-450HP firmware Ver.1.99 and prior, WZR-600DHP firmware Ver.1.99 and prior, WZR-D1100H firmware Ver.1.99 and prior, FS-HP-G300N firmware Ver.3.32 and prior, FS-600DHP firmware Ver.3.38 and prior, FS-R600DHP firmware Ver.3.39 and prior, and FS-G300N firmware Ver.3.13 and prior) allows remote unauthenticated attackers to bypass access restriction and to start telnet service and execute arbitrary OS commands with root privileges via unspecified vectors.
{
"affected": [],
"aliases": [
"CVE-2021-3512"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-28T01:15:00Z",
"severity": "HIGH"
},
"details": "Improper access control vulnerability in Buffalo broadband routers (BHR-4GRV firmware Ver.1.99 and prior, DWR-HP-G300NH firmware Ver.1.83 and prior, HW-450HP-ZWE firmware Ver.1.99 and prior, WHR-300HP firmware Ver.1.99 and prior, WHR-300 firmware Ver.1.99 and prior, WHR-G301N firmware Ver.1.86 and prior, WHR-HP-G300N firmware Ver.1.99 and prior, WHR-HP-GN firmware Ver.1.86 and prior, WPL-05G300 firmware Ver.1.87 and prior, WZR-450HP-CWT firmware Ver.1.99 and prior, WZR-450HP-UB firmware Ver.1.99 and prior, WZR-HP-AG300H firmware Ver.1.75 and prior, WZR-HP-G300NH firmware Ver.1.83 and prior, WZR-HP-G301NH firmware Ver.1.83 and prior, WZR-HP-G302H firmware Ver.1.85 and prior, WZR-HP-G450H firmware Ver.1.89 and prior, WZR-300HP firmware Ver.1.99 and prior, WZR-450HP firmware Ver.1.99 and prior, WZR-600DHP firmware Ver.1.99 and prior, WZR-D1100H firmware Ver.1.99 and prior, FS-HP-G300N firmware Ver.3.32 and prior, FS-600DHP firmware Ver.3.38 and prior, FS-R600DHP firmware Ver.3.39 and prior, and FS-G300N firmware Ver.3.13 and prior) allows remote unauthenticated attackers to bypass access restriction and to start telnet service and execute arbitrary OS commands with root privileges via unspecified vectors.",
"id": "GHSA-m7x4-xmjq-8hxp",
"modified": "2022-07-13T00:01:27Z",
"published": "2022-05-24T17:49:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3512"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/vu/JVNVU99235714/index.html"
},
{
"type": "WEB",
"url": "https://www.buffalo.jp/news/detail/20210427-01.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M7XM-6MH9-6WWV
Vulnerability from github – Published: 2022-05-24 17:38 – Updated: 2022-05-24 17:38In checkCallerIsSystemOr of CompanionDeviceManagerService.java, there is a possible way to get a nearby Bluetooth device's MAC address without appropriate permissions due to a permissions bypass. This could lead to local escalation of privilege that grants access to nearby MAC addresses, with User execution privileges needed. User interaction is needed for exploitation. Product: Android; Versions: Android-8.0, Android-8.1, Android-9, Android-10, Android-11; Android ID: A-167244818.
{
"affected": [],
"aliases": [
"CVE-2021-0319"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-01-11T22:15:00Z",
"severity": "HIGH"
},
"details": "In checkCallerIsSystemOr of CompanionDeviceManagerService.java, there is a possible way to get a nearby Bluetooth device\u0027s MAC address without appropriate permissions due to a permissions bypass. This could lead to local escalation of privilege that grants access to nearby MAC addresses, with User execution privileges needed. User interaction is needed for exploitation. Product: Android; Versions: Android-8.0, Android-8.1, Android-9, Android-10, Android-11; Android ID: A-167244818.",
"id": "GHSA-m7xm-6mh9-6wwv",
"modified": "2022-05-24T17:38:41Z",
"published": "2022-05-24T17:38:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0319"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2021-01-01"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-M84V-87W9-MGJQ
Vulnerability from github – Published: 2025-12-28 09:30 – Updated: 2025-12-28 09:30A vulnerability was determined in JeecgBoot up to 3.9.0. This affects an unknown function of the file /sys/sysDepartPermission/datarule/. Executing manipulation can lead to improper authorization. It is possible to launch the attack remotely. The attack requires a high level of complexity. The exploitability is reported as difficult. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-15123"
],
"database_specific": {
"cwe_ids": [
"CWE-266",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-28T07:15:52Z",
"severity": "LOW"
},
"details": "A vulnerability was determined in JeecgBoot up to 3.9.0. This affects an unknown function of the file /sys/sysDepartPermission/datarule/. Executing manipulation can lead to improper authorization. It is possible to launch the attack remotely. The attack requires a high level of complexity. The exploitability is reported as difficult. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-m84v-87w9-mgjq",
"modified": "2025-12-28T09:30:27Z",
"published": "2025-12-28T09:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15123"
},
{
"type": "WEB",
"url": "https://github.com/Hwwg/cve/issues/36"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.338501"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.338501"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.711775"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-M895-2HJ3-8CG9
Vulnerability from github – Published: 2025-10-21 18:02 – Updated: 2025-10-21 18:02In Shopware core and platform versions before 6.6.10.7 and 6.7.3.1, media visibility restrictions applied by MediaVisibilityRestrictionSubscriber are not enforced for aggregation API requests. Authorization filters are only injected during standard entity reads; aggregation queries can be constructed to bypass these checks and enumerate private media records such as invoices or other restricted documents. A low‑privilege backend user (e.g., product editor) can chain normal business flows (creating or viewing orders) with aggregation queries to disclose sensitive customer data including addresses and payment-related information contained within associated private media. The issue is resolved in 6.6.10.7 and 6.7.3.1.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "shopware/platform"
},
"ranges": [
{
"events": [
{
"introduced": "6.7.0.0"
},
{
"fixed": "6.7.3.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "shopware/platform"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.6.10.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "shopware/core"
},
"ranges": [
{
"events": [
{
"introduced": "6.7.0.0"
},
{
"fixed": "6.7.3.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "shopware/core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.6.10.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-21T18:02:01Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "In Shopware core and platform versions before 6.6.10.7 and 6.7.3.1, media visibility restrictions applied by MediaVisibilityRestrictionSubscriber are not enforced for aggregation API requests. Authorization filters are only injected during standard entity reads; aggregation queries can be constructed to bypass these checks and enumerate private media records such as invoices or other restricted documents. A low\u2011privilege backend user (e.g., product editor) can chain normal business flows (creating or viewing orders) with aggregation queries to disclose sensitive customer data including addresses and payment-related information contained within associated private media. The issue is resolved in 6.6.10.7 and 6.7.3.1.",
"id": "GHSA-m895-2hj3-8cg9",
"modified": "2025-10-21T18:02:01Z",
"published": "2025-10-21T18:02:01Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/shopware/shopware/security/advisories/GHSA-m895-2hj3-8cg9"
},
{
"type": "WEB",
"url": "https://github.com/shopware/shopware/commit/0965b35a527756faab2cec5a4ff172d79b0f99be"
},
{
"type": "PACKAGE",
"url": "https://github.com/shopware/shopware"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Shopware vulnerable to MediaVisibilityRestrictionSubscriber bypass when reading media entities by aggregating fields individually"
}
GHSA-M8GR-Q643-3Q88
Vulnerability from github – Published: 2024-10-10 12:31 – Updated: 2024-10-10 12:31An issue was discovered in GitLab CE/EE affecting all versions starting from 8.16 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows deploy keys to push to an archived repository.
{
"affected": [],
"aliases": [
"CVE-2024-9623"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-10T10:15:08Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in GitLab CE/EE affecting all versions starting from 8.16 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows deploy keys to push to an archived repository.",
"id": "GHSA-m8gr-q643-3q88",
"modified": "2024-10-10T12:31:13Z",
"published": "2024-10-10T12:31:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9623"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/459995"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-M8J3-M4JX-2RHW
Vulnerability from github – Published: 2025-01-09 21:31 – Updated: 2025-01-14 18:31Incorrect Authorization vulnerability in Drupal Responsive and off-canvas menu allows Forceful Browsing.This issue affects Responsive and off-canvas menu: from 0.0.0 before 4.4.4.
{
"affected": [],
"aliases": [
"CVE-2024-13266"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-09T20:15:35Z",
"severity": "MODERATE"
},
"details": "Incorrect Authorization vulnerability in Drupal Responsive and off-canvas menu allows Forceful Browsing.This issue affects Responsive and off-canvas menu: from 0.0.0 before 4.4.4.",
"id": "GHSA-m8j3-m4jx-2rhw",
"modified": "2025-01-14T18:31:55Z",
"published": "2025-01-09T21:31:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13266"
},
{
"type": "WEB",
"url": "https://www.drupal.org/sa-contrib-2024-030"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-M8J4-8JWG-MC3J
Vulnerability from github – Published: 2022-05-24 19:03 – Updated: 2022-07-13 00:01CODESYS V2 Web-Server before 1.1.9.20 has an Improperly Implemented Security Check.
{
"affected": [],
"aliases": [
"CVE-2021-30192"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-25T13:15:00Z",
"severity": "CRITICAL"
},
"details": "CODESYS V2 Web-Server before 1.1.9.20 has an Improperly Implemented Security Check.",
"id": "GHSA-m8j4-8jwg-mc3j",
"modified": "2022-07-13T00:01:18Z",
"published": "2022-05-24T19:03:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30192"
},
{
"type": "WEB",
"url": "https://customers.codesys.com/index.php"
},
{
"type": "WEB",
"url": "https://customers.codesys.com/index.php?eID=dumpFile\u0026t=f\u0026f=14726\u0026token=553da5d11234bbe1ceed59969d419a71bb8c8747\u0026download="
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M8JR-FXQX-8XX6
Vulnerability from github – Published: 2025-11-14 21:49 – Updated: 2025-11-14 21:50Summary
A vulnerability in Apollo Federation's composition logic did not enforce that fields depending on protected data through @requires and/or @fromContext directives have the same access control requirements as the fields they reference. This allowed queries to access protected fields indirectly through their dependencies, bypassing access control checks. A fix to composition logic in Federation now enforces that dependent fields match the access control requirements from of the fields they reference.
Details
Apollo Federation allows users to specify @authenticated, @requiresScopes, and @policy directives to protect fields at the field level. The @requires directive allows a field to depend on data from other fields in the schema, and @fromContext allows a field to use values from the execution context. However, Apollo Router does not enforce access control requirements on these transitively-accessed fields, and Apollo Federation did not require that fields using @requires or @fromContext have the same access control as the fields they depend on.
At execution time, when a field decorated with @requires or @fromContext was resolved, the Router would fetch the required dependency fields from subgraphs without checking whether those fields had their own access control requirements. Access control directives applied to these dependency fields were only enforced when those fields appeared explicitly in the query. If the protected fields were accessed solely as transitive dependencies (in other words, fetched to satisfy @requires or @fromContext but not directly requested) their access control requirements were silently ignored.
This discrepancy between where access controls could be defined (on any field) and where it was enforced (only on explicitly queried fields) leads to unexpected runtime security gaps.
Who is impacted
This vulnerability impacts Apollo Federation customers with supergraphs defining @authenticated, @requiresScopes, or @policy directives on fields that are also specified as dependencies in @requires or @fromContext directives.
Scope of Impact
The vulnerability could allow a malicious actor to craft a query that indirectly accesses protected fields, allowing them to bypass field-level access control. By querying only fields that depend on protected data (via @requires or @fromContext) without explicitly requesting the protected fields themselves, an attacker could retrieve sensitive information without meeting the access control requirements.
Patches
This vulnerability has been fixed in Apollo Federation by updating composition logic to validate that access control requirements on @requires and @fromContext dependency fields match the resolving field's requirements.
Note that this is a breaking change to Apollo Federation, as it no longer allows fields using @requires or @fromContext to have different access control directives from the fields they depend on. You will need to update your subgraphs to ensure that the access control requirements on fields using @requires or @fromContext match the access control directives on the referenced fields.
If you are using the Apollo Studio build pipeline with Federation version 2.9 or above, then this patch version update is automatic and you only need to adjust the access control requirements in your subgraph schemas as mentioned above.
If you are using Apollo Rover for local composition, you will need to update its composition version (after updating Apollo Router, if necessary) to one of the following versions:
- 2.9.5+
- 2.10.4+
- 2.11.5+
- 2.12.1+
You will then need to adjust the access control requirements in your subgraph schemas as mentioned above.
Workarounds
- If you are using Apollo Rover with an unpatched composition version or are using the Apollo Studio build pipeline with Federation version 2.8 or below, you should review your schema for any sensitive fields that are accessed via
@requiresor@fromContextand explicitly apply matching access control directives on those transitive fields. Alternatively, consider restructuring your schema so that protected fields are queried directly. - Customers not using Apollo Router access control features (
@authenticated,@requiresScopes, or@policydirectives) or not using@requiresor@fromContextdirectives in combination with field-level access control are not affected and do not need to take action.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@apollo/composition"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.9.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@apollo/composition"
},
"ranges": [
{
"events": [
{
"introduced": "2.10.0-alpha.3"
},
{
"fixed": "2.10.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@apollo/composition"
},
"ranges": [
{
"events": [
{
"introduced": "2.11.0-preview.1"
},
{
"fixed": "2.11.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@apollo/composition"
},
"ranges": [
{
"events": [
{
"introduced": "2.12.0-preview.0"
},
{
"fixed": "2.12.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-14T21:49:26Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "# Summary\nA vulnerability in Apollo Federation\u0027s composition logic did not enforce that fields depending on protected data through `@requires` and/or `@fromContext` directives have the same access control requirements as the fields they reference. This allowed queries to access protected fields indirectly through their dependencies, bypassing access control checks. A fix to composition logic in Federation now enforces that dependent fields match the access control requirements from of the fields they reference.\n\n## Details\nApollo Federation allows users to specify [`@authenticated`, `@requiresScopes`, and `@policy` directives](https://www.apollographql.com/docs/graphos/routing/security/authorization#authorization-directives) to protect fields at the field level. The `@requires` directive allows a field to depend on data from other fields in the schema, and `@fromContext` allows a field to use values from the execution context. However, Apollo Router does not enforce access control requirements on these transitively-accessed fields, and Apollo Federation did not require that fields using `@requires` or `@fromContext` have the same access control as the fields they depend on. \n\nAt execution time, when a field decorated with `@requires` or `@fromContext` was resolved, the Router would fetch the required dependency fields from subgraphs without checking whether those fields had their own access control requirements. Access control directives applied to these dependency fields were only enforced when those fields appeared explicitly in the query. If the protected fields were accessed solely as transitive dependencies (in other words, fetched to satisfy `@requires` or `@fromContext` but not directly requested) their access control requirements were silently ignored.\n\nThis discrepancy between where access controls could be defined (on any field) and where it was enforced (only on explicitly queried fields) leads to unexpected runtime security gaps.\n\n## Who is impacted\nThis vulnerability impacts Apollo Federation customers with supergraphs defining `@authenticated`, `@requiresScopes`, or `@policy` directives on fields that are also specified as dependencies in `@requires` or `@fromContext` directives.\n\n### Scope of Impact\nThe vulnerability could allow a malicious actor to craft a query that indirectly accesses protected fields, allowing them to bypass field-level access control. By querying only fields that depend on protected data (via `@requires` or `@fromContext`) without explicitly requesting the protected fields themselves, an attacker could retrieve sensitive information without meeting the access control requirements. \n\n## Patches\nThis vulnerability has been fixed in Apollo Federation by updating composition logic to validate that access control requirements on `@requires` and `@fromContext` dependency fields match the resolving field\u0027s requirements.\n\n_Note that this is a breaking change to Apollo Federation, as it no longer allows fields using `@requires` or `@fromContext` to have different access control directives from the fields they depend on. You will need to update your subgraphs to ensure that the access control requirements on fields using `@requires` or `@fromContext` match the access control directives on the referenced fields._\n\nIf you are using the Apollo Studio build pipeline with Federation version 2.9 or above, then this patch version update is automatic and you only need to adjust the access control requirements in your subgraph schemas as mentioned above.\n\nIf you are using Apollo Rover for local composition, you will need to update its composition version (after updating Apollo Router, [if necessary](https://www.apollographql.com/docs/graphos/platform/graph-management/updates#recommended-update-order)) to one of the following versions:\n\n- 2.9.5+\n- 2.10.4+\n- 2.11.5+\n- 2.12.1+\n\nYou will then need to adjust the access control requirements in your subgraph schemas as mentioned above.\n\n## Workarounds\n- If you are using Apollo Rover with an unpatched composition version or are using the Apollo Studio build pipeline with Federation version 2.8 or below, you should review your schema for any sensitive fields that are accessed via `@requires` or `@fromContext` and explicitly apply matching access control directives on those transitive fields. Alternatively, consider restructuring your schema so that protected fields are queried directly.\n* Customers not using Apollo Router access control features (`@authenticated`, `@requiresScopes`, or `@policy` directives) or not using `@requires` or `@fromContext` directives in combination with field-level access control are not affected and do not need to take action.",
"id": "GHSA-m8jr-fxqx-8xx6",
"modified": "2025-11-14T21:50:07Z",
"published": "2025-11-14T21:49:26Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/apollographql/federation/security/advisories/GHSA-m8jr-fxqx-8xx6"
},
{
"type": "WEB",
"url": "https://github.com/apollographql/federation/commit/09e596e6a0c753071ca822e84f525d73ada395cf"
},
{
"type": "WEB",
"url": "https://github.com/apollographql/federation/commit/0d8fca1c8cc375bb8486f11f339984b69267417d"
},
{
"type": "WEB",
"url": "https://github.com/apollographql/federation/commit/20c75d1d60a48fc289d88c8d29652f1afc7553e4"
},
{
"type": "WEB",
"url": "https://github.com/apollographql/federation/commit/e1c58611c3c996b4fff98a54e49f00549ff2115d"
},
{
"type": "PACKAGE",
"url": "https://github.com/apollographql/federation"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Apollo Federation has Improper Enforcement of Access Control on Transitive Fields"
}
GHSA-M8MF-8J96-PH83
Vulnerability from github – Published: 2022-05-24 17:00 – Updated: 2024-04-04 02:38A vulnerability in the web conference chat component of MiCollab, versions 7.3 PR6 (7.3.0.601) and earlier, and 8.0 (8.0.0.40) through 8.0 SP2 FP2 (8.0.2.202), and MiVoice Business Express versions 7.3 PR3 (7.3.1.302) and earlier, and 8.0 (8.0.0.40) through 8.0 SP2 FP1 (8.0.2.202), could allow creation of unauthorized chat sessions, due to insufficient access controls. A successful exploit could allow execution of arbitrary commands.
{
"affected": [],
"aliases": [
"CVE-2018-18819"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-11-12T14:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the web conference chat component of MiCollab, versions 7.3 PR6 (7.3.0.601) and earlier, and 8.0 (8.0.0.40) through 8.0 SP2 FP2 (8.0.2.202), and MiVoice Business Express versions 7.3 PR3 (7.3.1.302) and earlier, and 8.0 (8.0.0.40) through 8.0 SP2 FP1 (8.0.2.202), could allow creation of unauthorized chat sessions, due to insufficient access controls. A successful exploit could allow execution of arbitrary commands.",
"id": "GHSA-m8mf-8j96-ph83",
"modified": "2024-04-04T02:38:45Z",
"published": "2022-05-24T17:00:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-18819"
},
{
"type": "WEB",
"url": "https://www.mitel.com/support/security-advisories"
},
{
"type": "WEB",
"url": "https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-18-0012"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-M8MG-9JXC-QMQ4
Vulnerability from github – Published: 2022-05-24 19:09 – Updated: 2022-05-24 19:09There is a logic error vulnerability in several smartphones. The software does not properly restrict certain operation when the Digital Balance function is on. Successful exploit could allow the attacker to bypass the Digital Balance limit after a series of operations. Affected product versions include: Hulk-AL00C 9.1.1.201(C00E201R8P1);Jennifer-AN00C 10.1.1.171(C00E170R6P3);Jenny-AL10B 10.1.0.228(C00E220R5P1) and OxfordPL-AN10B 10.1.0.116(C00E110R2P1).
{
"affected": [],
"aliases": [
"CVE-2021-22398"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-02T17:15:00Z",
"severity": "MODERATE"
},
"details": "There is a logic error vulnerability in several smartphones. The software does not properly restrict certain operation when the Digital Balance function is on. Successful exploit could allow the attacker to bypass the Digital Balance limit after a series of operations. Affected product versions include: Hulk-AL00C 9.1.1.201(C00E201R8P1);Jennifer-AN00C 10.1.1.171(C00E170R6P3);Jenny-AL10B 10.1.0.228(C00E220R5P1) and OxfordPL-AN10B 10.1.0.116(C00E110R2P1).",
"id": "GHSA-m8mg-9jxc-qmq4",
"modified": "2022-05-24T19:09:33Z",
"published": "2022-05-24T19:09:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22398"
},
{
"type": "WEB",
"url": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20210714-01-smartphone-en"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.