CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5528 vulnerabilities reference this CWE, most recent first.
GHSA-M9V7-79RJ-PQ3W
Vulnerability from github – Published: 2024-06-21 03:30 – Updated: 2026-04-08 18:33The License Manager for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the showLicenseKey() and showAllLicenseKeys() functions in all versions up to, and including, 3.0.7. This makes it possible for authenticated attackers, with admin dashboard access (contributors by default due to WooCommerce) to view arbitrary decrypted license keys. The functions contain a referrer nonce check. However, these can be retrieved via the dashboard through the "license" JS variable.
{
"affected": [],
"aliases": [
"CVE-2024-1639"
],
"database_specific": {
"cwe_ids": [
"CWE-862",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-21T02:15:10Z",
"severity": "MODERATE"
},
"details": "The License Manager for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the showLicenseKey() and showAllLicenseKeys() functions in all versions up to, and including, 3.0.7. This makes it possible for authenticated attackers, with admin dashboard access (contributors by default due to WooCommerce) to view arbitrary decrypted license keys. The functions contain a referrer nonce check. However, these can be retrieved via the dashboard through the \"license\" JS variable.",
"id": "GHSA-m9v7-79rj-pq3w",
"modified": "2026-04-08T18:33:26Z",
"published": "2024-06-21T03:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1639"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/license-manager-for-woocommerce/tags/3.0.5/includes/Controllers/License.php"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3106503%40license-manager-for-woocommerce\u0026new=3106503%40license-manager-for-woocommerce\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/92e444db-72d5-444f-811e-ade0bc097769?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-M9VQ-R8XH-F85J
Vulnerability from github – Published: 2026-02-19 18:31 – Updated: 2026-02-19 18:31The com.epson.InstallNavi.helper tool, deployed with the EPSON printer driver installer, contains a local privilege escalation vulnerability due to multiple flaws in its implementation. It fails to properly authenticate clients over the XPC protocol and does not correctly enforce macOS’s authorization model, exposing privileged functionality to untrusted users. Although it invokes the AuthorizationCopyRights API, it does so using overly permissive custom rights that it registers in the system’s authorization database (/var/db/auth.db).
These rights can be requested and granted by the authorization daemon to any local user, regardless of privilege level. As a result, an attacker can exploit the vulnerable service to perform privileged operations such as executing arbitrary commands or installing system components without requiring administrative credentials.
{
"affected": [],
"aliases": [
"CVE-2025-4960"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-19T07:17:38Z",
"severity": "HIGH"
},
"details": "The com.epson.InstallNavi.helper tool, deployed with the EPSON printer driver installer, contains a local privilege escalation vulnerability due to multiple flaws in its implementation. It fails to properly authenticate clients over the XPC protocol and does not correctly enforce macOS\u2019s authorization model, exposing privileged functionality to untrusted users. Although it invokes the AuthorizationCopyRights API, it does so using overly permissive custom rights that it registers in the system\u2019s authorization database (/var/db/auth.db).\n\n\nThese rights can be requested and granted by the authorization daemon to any local user, regardless of privilege level. As a result, an attacker can exploit the vulnerable service to perform privileged operations such as executing arbitrary commands or installing system components without requiring administrative credentials.",
"id": "GHSA-m9vq-r8xh-f85j",
"modified": "2026-02-19T18:31:50Z",
"published": "2026-02-19T18:31:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4960"
},
{
"type": "WEB",
"url": "https://pentraze.com/vulnerability-reports"
},
{
"type": "WEB",
"url": "https://pentraze.com/vulnerability-reports/cve-2025-4960"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MC38-G3J7-HGWW
Vulnerability from github – Published: 2022-05-12 00:01 – Updated: 2022-05-19 00:00It was possible to disclose details of confidential notes created via the API in Gitlab CE/EE affecting all versions from 13.2 prior to 14.8.6, 14.9 prior to 14.9.4, and 14.10 prior to 14.10.1 if an unauthorised project member was tagged in the note.
{
"affected": [],
"aliases": [
"CVE-2022-1545"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-11T15:15:00Z",
"severity": "MODERATE"
},
"details": "It was possible to disclose details of confidential notes created via the API in Gitlab CE/EE affecting all versions from 13.2 prior to 14.8.6, 14.9 prior to 14.9.4, and 14.10 prior to 14.10.1 if an unauthorised project member was tagged in the note.",
"id": "GHSA-mc38-g3j7-hgww",
"modified": "2022-05-19T00:00:18Z",
"published": "2022-05-12T00:01:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1545"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1545.json"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/351030"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MC6M-JC2W-87WC
Vulnerability from github – Published: 2022-05-24 17:43 – Updated: 2022-05-24 17:43Insufficient policy enforcement in navigations in Google Chrome prior to 89.0.4389.72 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2021-21182"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-09T18:15:00Z",
"severity": "MODERATE"
},
"details": "Insufficient policy enforcement in navigations in Google Chrome prior to 89.0.4389.72 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page.",
"id": "GHSA-mc6m-jc2w-87wc",
"modified": "2022-05-24T17:43:57Z",
"published": "2022-05-24T17:43:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21182"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1049265"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BBT54RKAE5XLMWSHLVUKJ7T2XHHYMXLH"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FE5SIKEVYTMDCC5OSXGOM2KRPYLHYMQX"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LCIDZ77XUDMB2EBPPWCQXPEIJERDNSNT"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202104-08"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-4886"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-MC6V-G8QV-FWMP
Vulnerability from github – Published: 2026-01-08 18:30 – Updated: 2026-01-08 18:30OPEXUS eCASE Audit allows an authenticated attacker to modify client-side JavaScript or craft HTTP requests to access functions or buttons that have been disabled or blocked by an administrator. Fixed in eCASE Platform 11.14.1.0.
{
"affected": [],
"aliases": [
"CVE-2026-22230"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-08T18:15:59Z",
"severity": "HIGH"
},
"details": "OPEXUS eCASE Audit allows an authenticated attacker to modify client-side JavaScript or craft HTTP requests to access functions or buttons that have been disabled or blocked by an administrator. Fixed in eCASE Platform 11.14.1.0.",
"id": "GHSA-mc6v-g8qv-fwmp",
"modified": "2026-01-08T18:30:50Z",
"published": "2026-01-08T18:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22230"
},
{
"type": "WEB",
"url": "https://docs.opexustech.com/docs/eCase/11.14.X/eCASE_Release_Notes_11.14.1.0.pdf"
},
{
"type": "WEB",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-008-01.json"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22230"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-MCG6-H362-CMQ5
Vulnerability from github – Published: 2022-03-11 20:52 – Updated: 2024-11-18 16:26Impact
If PAM is correctly configured and a user account is set to expired, the expired user-account is still able to successfully log into Cobbler in all places (Web UI, CLI & XMLRPC-API).
The same applies to user accounts with passwords set to be expired.
Patches
There is a patch for the latest Cobbler 3.3.2 available, however a backport will be done for 3.2.x.
Workarounds
- Delete expired accounts which are able to access Cobbler via PAM.
- Use
chage -l <username>to lock the account. If the account has SSH-Keys attached then remove them completely.
References
- Originally discovered by @ysf at https://www.huntr.dev/bounties/c458b868-63df-414e-af10-47e3745caa1d/
How to test if my Cobbler instance is affected?
The following pytest test assumes that your PAM setup is correct. In case the added user is not able to login, this test does not make sense to be executed.
def test_pam_login_with_expired_user():
# Arrange
# create pam testuser
test_username = "expired_user"
test_password = "password"
test_api = CobblerAPI()
subprocess_1 = subprocess.run(
["perl", "-e", "'print crypt(\"%s\", \"%s\")'" % (test_username, test_password)],
stdout=subprocess.PIPE
)
subprocess.run(["useradd", "-p", subprocess_1.stdout, test_username])
# change user to be expired
subprocess.run(["chage", "-E0", test_username])
# Act
result = pam.authenticate(test_api, test_username, test_password)
# Assert - login should fail
assert not result
For more information
If you have any questions or comments about this advisory: * Open an issue in the Cobbler repository * Ask in the Gitter/Matrix Chat * Email us at cobbler.project@gmail.com
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "cobbler"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.3.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-0860"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2022-03-11T20:52:04Z",
"nvd_published_at": "2022-03-11T13:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nIf PAM is correctly configured and a user account is set to expired, the expired user-account is still able to successfully log into Cobbler in all places (Web UI, CLI \u0026 XMLRPC-API).\n\nThe same applies to user accounts with passwords set to be expired.\n\n### Patches\n\nThere is a patch for the latest Cobbler `3.3.2` available, however a backport will be done for `3.2.x`.\n\n### Workarounds\n\n- Delete expired accounts which are able to access Cobbler via PAM.\n- Use `chage -l \u003cusername\u003e` to lock the account. If the account has SSH-Keys attached then remove them completely.\n\n### References\n\n- Originally discovered by @ysf at https://www.huntr.dev/bounties/c458b868-63df-414e-af10-47e3745caa1d/\n\n### How to test if my Cobbler instance is affected?\n\nThe following `pytest` test assumes that your PAM setup is correct. In case the added user is not able to login, this test does not make sense to be executed.\n\n```python\ndef test_pam_login_with_expired_user():\n # Arrange\n # create pam testuser\n test_username = \"expired_user\"\n test_password = \"password\"\n test_api = CobblerAPI()\n subprocess_1 = subprocess.run(\n [\"perl\", \"-e\", \"\u0027print crypt(\\\"%s\\\", \\\"%s\\\")\u0027\" % (test_username, test_password)],\n stdout=subprocess.PIPE\n )\n subprocess.run([\"useradd\", \"-p\", subprocess_1.stdout, test_username])\n # change user to be expired\n subprocess.run([\"chage\", \"-E0\", test_username])\n\n # Act\n result = pam.authenticate(test_api, test_username, test_password)\n\n # Assert - login should fail\n assert not result\n```\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [the Cobbler repository](https://github.com/cobbler/cobbler/issues/new/choose)\n* Ask in the [Gitter/Matrix Chat](https://gitter.im/cobbler/community)\n* Email us at [cobbler.project@gmail.com](mailto:cobbler.project@gmail.com)\n",
"id": "GHSA-mcg6-h362-cmq5",
"modified": "2024-11-18T16:26:19Z",
"published": "2022-03-11T20:52:04Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/cobbler/cobbler/security/advisories/GHSA-mcg6-h362-cmq5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0860"
},
{
"type": "WEB",
"url": "https://github.com/cobbler/cobbler/commit/9044aa990a94752fa5bd5a24051adde099280bfa"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-mcg6-h362-cmq5"
},
{
"type": "PACKAGE",
"url": "https://github.com/cobbler/cobbler"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/cobbler/PYSEC-2022-177.yaml"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/c458b868-63df-414e-af10-47e3745caa1d"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D4KCNZYBQC2FM5SEEDRQZO4LRZ4ZECMG"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DYWYHWVVRUSPCV5SWBOSAMQJQLTSBTKY"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IYSHMF6MEIITFAG7EJ3IQKVUN7MDV2XM"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "Improper Authorization in cobbler"
}
GHSA-MCHV-CCHF-G2QG
Vulnerability from github – Published: 2024-05-14 15:32 – Updated: 2026-04-02 21:31An authorization issue was addressed with improved state management. This issue is fixed in macOS Sonoma 14.5. An attacker may be able to elevate privileges.
{
"affected": [],
"aliases": [
"CVE-2024-27798"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-14T15:13:03Z",
"severity": "HIGH"
},
"details": "An authorization issue was addressed with improved state management. This issue is fixed in macOS Sonoma 14.5. An attacker may be able to elevate privileges.",
"id": "GHSA-mchv-cchf-g2qg",
"modified": "2026-04-02T21:31:39Z",
"published": "2024-05-14T15:32:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27798"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120899"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120900"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120903"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT214106"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT214105"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT214106"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT214107"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/May/12"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MCJX-CWMM-G4G6
Vulnerability from github – Published: 2023-03-01 09:30 – Updated: 2023-03-10 15:30Improper access controls on entries in Devolutions Server 2022.3.12 and earlier could allow an authenticated user to access sensitive data without proper authorization.
{
"affected": [],
"aliases": [
"CVE-2023-0952"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-01T08:15:00Z",
"severity": "MODERATE"
},
"details": "Improper access controls on entries in Devolutions Server 2022.3.12 and earlier could allow an authenticated user to access sensitive data without proper authorization.",
"id": "GHSA-mcjx-cwmm-g4g6",
"modified": "2023-03-10T15:30:43Z",
"published": "2023-03-01T09:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0952"
},
{
"type": "WEB",
"url": "https://devolutions.net/security/advisories/DEVO-2023-0003"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MCM9-3RFG-2MQM
Vulnerability from github – Published: 2024-08-13 18:31 – Updated: 2024-10-30 21:30Insufficient access controls in ASP kernel may allow a privileged attacker with access to AMD signing keys and the BIOS menu or UEFI shell to map DRAM regions in protected areas, potentially leading to a loss of platform integrity.
{
"affected": [],
"aliases": [
"CVE-2021-26387"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-13T17:15:17Z",
"severity": "LOW"
},
"details": "Insufficient access controls in ASP kernel may allow a\nprivileged attacker with access to AMD signing keys and the BIOS menu or UEFI\nshell to map DRAM regions in protected areas,\u00a0potentially leading to a loss of platform integrity.",
"id": "GHSA-mcm9-3rfg-2mqm",
"modified": "2024-10-30T21:30:37Z",
"published": "2024-08-13T18:31:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26387"
},
{
"type": "WEB",
"url": "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3003.html"
},
{
"type": "WEB",
"url": "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-5002.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-MCWC-JFPX-GQ94
Vulnerability from github – Published: 2024-09-03 12:30 – Updated: 2024-09-03 21:31This vulnerability exists in Symphony XTS Web Trading platform version 2.0.0.1_P160 due to improper access controls on APIs in the Preference module of the application. An authenticated remote attacker could exploit this vulnerability by manipulating parameters through HTTP request which could lead to unauthorized access and modification of sensitive information belonging to other users.
{
"affected": [],
"aliases": [
"CVE-2024-45588"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-03T11:15:15Z",
"severity": "HIGH"
},
"details": "This vulnerability exists in Symphony XTS Web Trading platform version 2.0.0.1_P160 due to improper access controls on APIs in the Preference module of the application. An authenticated remote attacker could exploit this vulnerability by manipulating parameters through HTTP request which could lead to unauthorized access and modification of sensitive information belonging to other users.",
"id": "GHSA-mcwc-jfpx-gq94",
"modified": "2024-09-03T21:31:12Z",
"published": "2024-09-03T12:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45588"
},
{
"type": "WEB",
"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0281"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.