CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5548 vulnerabilities reference this CWE, most recent first.
GHSA-Q859-FFV8-VCMH
Vulnerability from github – Published: 2026-07-14 21:32 – Updated: 2026-07-14 21:32Adobe Commerce is affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. A high-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploitation of this issue does not require user interaction. Scope is changed.
{
"affected": [],
"aliases": [
"CVE-2026-47996"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T20:17:04Z",
"severity": "HIGH"
},
"details": "Adobe Commerce is affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. A high-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploitation of this issue does not require user interaction. Scope is changed.",
"id": "GHSA-q859-ffv8-vcmh",
"modified": "2026-07-14T21:32:17Z",
"published": "2026-07-14T21:32:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47996"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/magento/apsb26-73.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-Q86R-GWQC-JX85
Vulnerability from github – Published: 2025-09-12 03:33 – Updated: 2025-09-15 13:46JSON Web Services in Liferay Portal 7.4.0 through 7.4.3.119, and Liferay DXP 2024.Q1.1 through 2024.Q1.9, 7.4 GA through update 92 published to OSGi are registered and invoked directly as classes which allows Service Access Policies to get executed.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.liferay:com.liferay.comment.web"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.2"
},
{
"fixed": "6.1.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-43789"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-15T13:46:34Z",
"nvd_published_at": "2025-09-12T03:15:41Z",
"severity": "LOW"
},
"details": "JSON Web Services in Liferay Portal 7.4.0 through 7.4.3.119, and Liferay DXP 2024.Q1.1 through 2024.Q1.9, 7.4 GA through update 92 published to OSGi are registered and invoked directly as classes which allows Service Access Policies to get executed.",
"id": "GHSA-q86r-gwqc-jx85",
"modified": "2025-09-15T13:46:52Z",
"published": "2025-09-12T03:33:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43789"
},
{
"type": "WEB",
"url": "https://github.com/liferay/liferay-portal/commit/576039619a12f28304c5153ad3fa5e39f00548b3"
},
{
"type": "WEB",
"url": "https://github.com/liferay/liferay-portal/commit/cb349be999396e97883e5fa7ccf2d226737779ac"
},
{
"type": "WEB",
"url": "https://github.com/liferay/liferay-portal/commit/dfdd81d51808e38098e9a3250f3c8819e0761377"
},
{
"type": "WEB",
"url": "https://github.com/liferay/liferay-portal/commit/e91daba3736ea30674f0beb5f6622c6df057d18b"
},
{
"type": "WEB",
"url": "https://github.com/liferay/liferay-portal"
},
{
"type": "WEB",
"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43789"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:A/AC:H/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Liferay Portal JSON Web Services Direct Class Invocation Enables Service Access Policy Execution"
}
GHSA-Q87W-GH3F-77P7
Vulnerability from github – Published: 2022-05-24 17:44 – Updated: 2024-04-04 03:04A flaw was found in pki-core. An attacker who has successfully compromised a key could use this flaw to renew the corresponding certificate over and over again, as long as it is not explicitly revoked. The highest threat from this vulnerability is to data confidentiality and integrity.
{
"affected": [],
"aliases": [
"CVE-2021-20179"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-15T13:15:00Z",
"severity": "HIGH"
},
"details": "A flaw was found in pki-core. An attacker who has successfully compromised a key could use this flaw to renew the corresponding certificate over and over again, as long as it is not explicitly revoked. The highest threat from this vulnerability is to data confidentiality and integrity.",
"id": "GHSA-q87w-gh3f-77p7",
"modified": "2024-04-04T03:04:55Z",
"published": "2022-05-24T17:44:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20179"
},
{
"type": "WEB",
"url": "https://github.com/dogtagpki/pki/pull/3474"
},
{
"type": "WEB",
"url": "https://github.com/dogtagpki/pki/pull/3475"
},
{
"type": "WEB",
"url": "https://github.com/dogtagpki/pki/pull/3476"
},
{
"type": "WEB",
"url": "https://github.com/dogtagpki/pki/pull/3477"
},
{
"type": "WEB",
"url": "https://github.com/dogtagpki/pki/pull/3478"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1914379"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDOLFOLEIV7I4EUC3SCZBXL6E2ER7ZEN"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HRE44N6P24AEDKRMWK7RPRLMCUUBRJII"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R3I7BRAHLE2WWSY76W3CKFCF5WSSAE24"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDOLFOLEIV7I4EUC3SCZBXL6E2ER7ZEN"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HRE44N6P24AEDKRMWK7RPRLMCUUBRJII"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R3I7BRAHLE2WWSY76W3CKFCF5WSSAE24"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q886-75M2-VFF8
Vulnerability from github – Published: 2022-05-24 17:32 – Updated: 2024-04-29 09:49Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-mp9m-g7qj-6vqr. This link is maintained to preserve external references.
Original Description
Red Discord Bot before version 3.4.1 has an unauthorized privilege escalation exploit in the Mod module. This exploit allows Discord users with a high privilege level within the guild to bypass hierarchy checks when the application is in a specific condition that is beyond that user's control. By abusing this exploit, it is possible to perform destructive actions within the guild the user has high privileges in. This exploit has been fixed in version 3.4.1. As a workaround, unloading the Mod module with unload mod or, disabling the massban command with command disable global massban can render this exploit not accessible. We still highly recommend updating to 3.4.1 to completely patch this issue.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "red-discordbot"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.4.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-29T09:49:55Z",
"nvd_published_at": "2020-10-28T17:15:00Z",
"severity": "HIGH"
},
"details": "# Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate of GHSA-mp9m-g7qj-6vqr. This link is maintained to preserve external references.\n\n# Original Description\n\nRed Discord Bot before version 3.4.1 has an unauthorized privilege escalation exploit in the Mod module. This exploit allows Discord users with a high privilege level within the guild to bypass hierarchy checks when the application is in a specific condition that is beyond that user\u0027s control. By abusing this exploit, it is possible to perform destructive actions within the guild the user has high privileges in. This exploit has been fixed in version 3.4.1. As a workaround, unloading the Mod module with unload mod or, disabling the massban command with command disable global massban can render this exploit not accessible. We still highly recommend updating to 3.4.1 to completely patch this issue.",
"id": "GHSA-q886-75m2-vff8",
"modified": "2024-04-29T09:49:55Z",
"published": "2022-05-24T17:32:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Cog-Creators/Red-DiscordBot/security/advisories/GHSA-mp9m-g7qj-6vqr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15278"
},
{
"type": "WEB",
"url": "https://github.com/Cog-Creators/Red-DiscordBot/commit/726bfd38adfdfaef760412a68e01447b470f438b"
},
{
"type": "WEB",
"url": "https://github.com/Cog-Creators/Red-DiscordBot/releases/tag/3.4.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Duplicate Advisory: Unauthorized privilege escalation in Mod module",
"withdrawn": "2024-04-29T09:49:55Z"
}
GHSA-Q8FG-CP3Q-5JWM
Vulnerability from github – Published: 2025-01-09 09:31 – Updated: 2025-01-16 14:03Mattermost versions 9.11.x <= 9.11.5 fail to enforce invite permissions, which allows team admins, with no permission to invite users to their team, to invite users by updating the "allow_open_invite" field via making their team public.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "9.11.0"
},
{
"fixed": "9.11.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.0-20250102081831-64c566a8280b"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-22449"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2025-01-09T17:37:53Z",
"nvd_published_at": "2025-01-09T07:15:28Z",
"severity": "LOW"
},
"details": "Mattermost versions 9.11.x \u003c= 9.11.5 fail to enforce invite permissions, which allows team admins, with no permission to invite users to their team, to invite users by updating the \"allow_open_invite\" field via making their team public.",
"id": "GHSA-q8fg-cp3q-5jwm",
"modified": "2025-01-16T14:03:58Z",
"published": "2025-01-09T09:31:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22449"
},
{
"type": "PACKAGE",
"url": "https://github.com/mattermost/mattermost"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Mattermost Incorrect Authorization vulnerability"
}
GHSA-Q8P2-2HWC-JW64
Vulnerability from github – Published: 2025-02-24 09:35 – Updated: 2025-02-24 18:28Mattermost versions 10.1.x <= 10.1.3, 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to restrict channel export of archived channels when the "Allow users to view archived channels" is disabled which allows a user to export channel contents when they shouldn't have access to it
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.0-20250110161910-96195f1bd746"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "9.11.0-rc1"
},
{
"fixed": "9.11.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "10.2.0-rc1"
},
{
"fixed": "10.2.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "10.3.0-rc1"
},
{
"fixed": "10.3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "10.4.0-rc1"
},
{
"fixed": "10.4.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-24526"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2025-02-24T18:28:19Z",
"nvd_published_at": "2025-02-24T08:15:10Z",
"severity": "MODERATE"
},
"details": "Mattermost versions 10.1.x \u003c= 10.1.3, 10.4.x \u003c= 10.4.1, 9.11.x \u003c= 9.11.7, 10.3.x \u003c= 10.3.2, 10.2.x \u003c= 10.2.2 fail to restrict channel export of archived channels when the \"Allow users to view archived channels\" is disabled\u00a0which allows a user to export channel contents when they shouldn\u0027t have access to it",
"id": "GHSA-q8p2-2hwc-jw64",
"modified": "2025-02-24T18:28:19Z",
"published": "2025-02-24T09:35:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24526"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/mattermost-plugin-channel-export/issues/51"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/mattermost-plugin-channel-export/commit/3c052b66207fb734bfc4c948941e7f7522a82550"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/mattermost/commit/96195f1bd7467f572525c35b5087acaeb53daa63"
},
{
"type": "PACKAGE",
"url": "https://github.com/mattermost/mattermost"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Mattermost fails to restrict channel export of archived channels"
}
GHSA-Q8P2-XPPF-9G83
Vulnerability from github – Published: 2022-07-13 00:00 – Updated: 2022-07-13 00:00Windows Boot Manager Security Feature Bypass Vulnerability.
{
"affected": [],
"aliases": [
"CVE-2022-30203"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-12T23:15:00Z",
"severity": "HIGH"
},
"details": "Windows Boot Manager Security Feature Bypass Vulnerability.",
"id": "GHSA-q8p2-xppf-9g83",
"modified": "2022-07-13T00:00:39Z",
"published": "2022-07-13T00:00:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30203"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30203"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30203"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q8WP-G4VF-63P9
Vulnerability from github – Published: 2023-03-24 21:30 – Updated: 2023-03-29 03:30In multiple functions of SensorService.cpp, there is a possible access of accurate sensor data due to a permissions bypass. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-230358834
{
"affected": [],
"aliases": [
"CVE-2023-21034"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-24T20:15:00Z",
"severity": "HIGH"
},
"details": "In multiple functions of SensorService.cpp, there is a possible access of accurate sensor data due to a permissions bypass. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-230358834",
"id": "GHSA-q8wp-g4vf-63p9",
"modified": "2023-03-29T03:30:25Z",
"published": "2023-03-24T21:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21034"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2023-03-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q923-3693-7XR9
Vulnerability from github – Published: 2021-12-22 00:00 – Updated: 2022-07-13 00:01Dalmark Systems Systeam 2.22.8 build 1724 is vulnerable to Incorrect Access Control. The Systeam application is an ERP system that uses a mixed architecture based on SaaS tenant and user management, and on-premise database and web application counterparts. A broken access control vulnerability has been found while using a temporary generated token in order to consume api resources. The vulnerability allows an unauthenticated attacker to use an api endpoint to generate a temporary JWT token that is designed to reference the correct tenant prior to authentication, to request system configuration parameters using direct api requests. The correct exploitation of this vulnerability causes sensitive information exposure. In case the tenant has an smtp credential set, the full credential information is disclosed.
{
"affected": [],
"aliases": [
"CVE-2021-44877"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-21T17:15:00Z",
"severity": "HIGH"
},
"details": "Dalmark Systems Systeam 2.22.8 build 1724 is vulnerable to Incorrect Access Control. The Systeam application is an ERP system that uses a mixed architecture based on SaaS tenant and user management, and on-premise database and web application counterparts. A broken access control vulnerability has been found while using a temporary generated token in order to consume api resources. The vulnerability allows an unauthenticated attacker to use an api endpoint to generate a temporary JWT token that is designed to reference the correct tenant prior to authentication, to request system configuration parameters using direct api requests. The correct exploitation of this vulnerability causes sensitive information exposure. In case the tenant has an smtp credential set, the full credential information is disclosed.",
"id": "GHSA-q923-3693-7xr9",
"modified": "2022-07-13T00:01:49Z",
"published": "2021-12-22T00:00:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44877"
},
{
"type": "WEB",
"url": "https://www.systeam.com.br/cve/broken-access-control-en.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q932-85W6-FMXR
Vulnerability from github – Published: 2026-07-14 00:31 – Updated: 2026-07-14 00:31OpenClaw versions 2026.3.22 before 2026.6.6 contain an authorization bypass vulnerability where WhatsApp group IDs can satisfy elevated sender allowlists. Attackers with lower-trust access can perform actions requiring stronger authorization by leveraging group ID validation in the affected feature.
{
"affected": [],
"aliases": [
"CVE-2026-62196"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-13T22:16:51Z",
"severity": "HIGH"
},
"details": "OpenClaw versions 2026.3.22 before 2026.6.6 contain an authorization bypass vulnerability where WhatsApp group IDs can satisfy elevated sender allowlists. Attackers with lower-trust access can perform actions requiring stronger authorization by leveraging group ID validation in the affected feature.",
"id": "GHSA-q932-85w6-fmxr",
"modified": "2026-07-14T00:31:04Z",
"published": "2026-07-14T00:31:04Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-fh38-965w-f6c3"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-62196"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-whatsapp-group-ids"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.