CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5548 vulnerabilities reference this CWE, most recent first.
GHSA-QFXW-V8QX-VJ3V
Vulnerability from github – Published: 2026-05-11 15:18 – Updated: 2026-06-08 23:48Summary
A radio with a valid NG Setup can send a forged PDUSessionResourceSetupResponse carrying any UE's AMF-UE-NGAP-ID. Ella Core does not verify the message arrived on the SCTP association bound to that UE's logical NG-connection, then creates a GTP tunnel towards that radio.
Impact
Downlink user-plane traffic for the targeted UE is redirected to the attacker's radio.
Fix
UE context lookups are now scoped to the sending radio's SCTP association.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/ellanetworks/core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.10.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44473"
],
"database_specific": {
"cwe_ids": [
"CWE-358",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-11T15:18:47Z",
"nvd_published_at": "2026-05-27T17:16:39Z",
"severity": "HIGH"
},
"details": "## Summary\n\nA radio with a valid NG Setup can send a forged PDUSessionResourceSetupResponse carrying any UE\u0027s AMF-UE-NGAP-ID. Ella Core does not verify the message arrived on the SCTP association bound to that UE\u0027s logical NG-connection, then creates a GTP tunnel towards that radio.\n\n## Impact\n\nDownlink user-plane traffic for the targeted UE is redirected to the attacker\u0027s radio.\n\n## Fix\n\nUE context lookups are now scoped to the sending radio\u0027s SCTP association.",
"id": "GHSA-qfxw-v8qx-vj3v",
"modified": "2026-06-08T23:48:51Z",
"published": "2026-05-11T15:18:47Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ellanetworks/core/security/advisories/GHSA-qfxw-v8qx-vj3v"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44473"
},
{
"type": "PACKAGE",
"url": "https://github.com/ellanetworks/core"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Ella Core Vulnerable to UE Downlink Redirection via Forged PDUSessionResourceSetupResponse"
}
GHSA-QG4C-F5H3-4H6Q
Vulnerability from github – Published: 2022-05-24 17:28 – Updated: 2022-05-24 17:28An Authorization Bypass vulnerability on Micro Focus Operation Bridge Reporter, affecting version 10.40 and earlier. The vulnerability could allow local attackers on the OBR host to execute code with escalated privileges.
{
"affected": [],
"aliases": [
"CVE-2020-11855"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-09-22T14:15:00Z",
"severity": "HIGH"
},
"details": "An Authorization Bypass vulnerability on Micro Focus Operation Bridge Reporter, affecting version 10.40 and earlier. The vulnerability could allow local attackers on the OBR host to execute code with escalated privileges.",
"id": "GHSA-qg4c-f5h3-4h6q",
"modified": "2022-05-24T17:28:52Z",
"published": "2022-05-24T17:28:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11855"
},
{
"type": "WEB",
"url": "https://softwaresupport.softwaregrp.com/doc/KM03710590"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-20-1217"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-QGP3-3RJ7-QQQ4
Vulnerability from github – Published: 2026-04-24 00:31 – Updated: 2026-05-04 21:58Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-rvvf-6vh3-9j43. This link is maintained to preserve external references.
Original Description
OpenClaw before 2026.3.31 contains an authorization bypass vulnerability in Discord slash command and autocomplete paths that fail to enforce group DM channel allowlist restrictions. Authorized Discord users can bypass channel restrictions by invoking slash commands, allowing access to restricted group DM channels.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.31"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-04T21:58:42Z",
"nvd_published_at": "2026-04-23T22:16:41Z",
"severity": "LOW"
},
"details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-rvvf-6vh3-9j43. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.31 contains an authorization bypass vulnerability in Discord slash command and autocomplete paths that fail to enforce group DM channel allowlist restrictions. Authorized Discord users can bypass channel restrictions by invoking slash commands, allowing access to restricted group DM channels.",
"id": "GHSA-qgp3-3rj7-qqq4",
"modified": "2026-05-04T21:58:42Z",
"published": "2026-04-24T00:31:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rvvf-6vh3-9j43"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41348"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/8fdb19676ab44cf85d47ee13c578195f2e527591"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-group-dm-channel-allowlist-bypass-via-discord-slash-commands"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
],
"summary": "Duplicate Advisory: OpenClaw: Discord Slash Commands Bypass Group DM Channel Allowlist",
"withdrawn": "2026-05-04T21:58:42Z"
}
GHSA-QGRQ-CX4C-2RMM
Vulnerability from github – Published: 2022-02-15 01:39 – Updated: 2022-06-24 01:24A flaw was found in all supported versions before wildfly-elytron-1.6.8.Final-redhat-00001, where the WildFlySecurityManager checks were bypassed when using custom security managers, resulting in an improper authorization. This flaw leads to information exposure by unauthenticated access to secure resources.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.6.7"
},
"package": {
"ecosystem": "Maven",
"name": "org.wildfly.security:wildfly-elytron"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-1748"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-24T01:24:56Z",
"nvd_published_at": "2020-09-16T16:15:00Z",
"severity": "HIGH"
},
"details": "A flaw was found in all supported versions before wildfly-elytron-1.6.8.Final-redhat-00001, where the WildFlySecurityManager checks were bypassed when using custom security managers, resulting in an improper authorization. This flaw leads to information exposure by unauthenticated access to secure resources.",
"id": "GHSA-qgrq-cx4c-2rmm",
"modified": "2022-06-24T01:24:56Z",
"published": "2022-02-15T01:39:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1748"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1807707"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20201001-0005"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Incorrect Authorization in WildFly Elytron"
}
GHSA-QGX9-6PX9-7P75
Vulnerability from github – Published: 2026-04-23 18:33 – Updated: 2026-05-04 21:04Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-v8qf-fr4g-28p2. This link is maintained to preserve external references.
Original Description
OpenClaw before 2026.4.20 contains a scope enforcement bypass vulnerability in the assistant-media route that allows trusted-proxy callers without operator.read scope to access protected assistant-media files and metadata. Attackers can bypass identity-bearing HTTP auth path scope validation to retrieve sensitive media content within allowed media roots.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.4.20"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-04T21:04:44Z",
"nvd_published_at": "2026-04-23T18:16:29Z",
"severity": "LOW"
},
"details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-v8qf-fr4g-28p2. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.4.20 contains a scope enforcement bypass vulnerability in the assistant-media route that allows trusted-proxy callers without operator.read scope to access protected assistant-media files and metadata. Attackers can bypass identity-bearing HTTP auth path scope validation to retrieve sensitive media content within allowed media roots.",
"id": "GHSA-qgx9-6px9-7p75",
"modified": "2026-05-04T21:04:44Z",
"published": "2026-04-23T18:33:04Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-v8qf-fr4g-28p2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41908"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/99ef3a63c58440d53f8e45ad861b846032fcb036"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-scope-enforcement-bypass-in-assistant-media-route"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
],
"summary": "Duplicate Advisory: OpenClaw: Assistant media route missed scope enforcement for trusted-proxy authorization",
"withdrawn": "2026-05-04T21:04:44Z"
}
GHSA-QH6Q-598W-W6M2
Vulnerability from github – Published: 2026-03-09 17:24 – Updated: 2026-03-10 18:43Summary
The OIDC token endpoint rejects an authorization code only when both the client ID is wrong and the code is expired. This allows cross-client code exchange and expired code reuse.
Details
backend/internal/service/oidc_service.go:407
if authorizationCodeMetaData.ClientID != input.ClientID && authorizationCodeMetaData.ExpiresAt.ToTime().Before(time.Now()) {
return CreatedTokens{}, &common.OidcInvalidAuthorizationCodeError{}
}
&& should be ||. Current behavior:
| Condition | Expected | Actual |
|---|---|---|
| Wrong client + valid code | Reject | Accept |
| Correct client + expired code | Reject | Accept |
PoC
Prerequisite: pocket-id running with APP_ENV=test and BUILD_TAGS=e2etest. The test user (Tim Cook) must have authorized both Nextcloud and Immich OIDC clients (i.e., user_authorized_oidc_clients records exist for both). The seed data includes an authorization code auth-code issued for the Nextcloud client.
# 1. Seed test data
curl -X POST "http://localhost:1411/api/test/reset?skip-ldap=true"
# 2. Exchange Nextcloud's auth code using Immich's credentials
curl -X POST http://localhost:1411/api/oidc/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=authorization_code" \
-d "code=auth-code" \
-d "client_id=606c7782-f2b1-49e5-8ea9-26eb1b06d018" \
-d "client_secret=PYjrE9u4v9GVqXKi52eur0eb2Ci4kc0x" \
-d "redirect_uri=http://immich/auth/callback"
# Expected: 400 (wrong client)
# Actual: 200 with tokens — access_token.aud = Immich client ID
Verified result: HTTP 200 with tokens. The access_token audience is 606c7782-... (Immich), despite the authorization code being issued for 3654a746-... (Nextcloud).
Impact
Any OIDC client operator can exchange authorization codes issued for other clients, obtaining tokens for users who never authorized that client. Expired authorization codes can also be reused with the correct client until the 24-hour cleanup job runs.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/pocket-id/pocket-id/backend"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20260307173642-b59e35cb59ae"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-28513"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-09T17:24:49Z",
"nvd_published_at": "2026-03-10T17:38:50Z",
"severity": "HIGH"
},
"details": "### Summary\n\nThe OIDC token endpoint rejects an authorization code only when **both** the client ID is wrong **and** the code is expired. This allows cross-client code exchange and expired code reuse.\n\n### Details\n\n`backend/internal/service/oidc_service.go:407`\n\n```go\nif authorizationCodeMetaData.ClientID != input.ClientID \u0026\u0026 authorizationCodeMetaData.ExpiresAt.ToTime().Before(time.Now()) {\n return CreatedTokens{}, \u0026common.OidcInvalidAuthorizationCodeError{}\n}\n```\n\n`\u0026\u0026` should be `||`. Current behavior:\n\n| Condition | Expected | Actual |\n|-----------|----------|--------|\n| Wrong client + valid code | Reject | **Accept** |\n| Correct client + expired code | Reject | **Accept** |\n\n### PoC\n\n**Prerequisite:** pocket-id running with `APP_ENV=test` and `BUILD_TAGS=e2etest`. The test user (Tim Cook) must have authorized both Nextcloud and Immich OIDC clients (i.e., `user_authorized_oidc_clients` records exist for both). The seed data includes an authorization code `auth-code` issued for the Nextcloud client.\n\n```bash\n# 1. Seed test data\ncurl -X POST \"http://localhost:1411/api/test/reset?skip-ldap=true\"\n\n# 2. Exchange Nextcloud\u0027s auth code using Immich\u0027s credentials\ncurl -X POST http://localhost:1411/api/oidc/token \\\n -H \"Content-Type: application/x-www-form-urlencoded\" \\\n -d \"grant_type=authorization_code\" \\\n -d \"code=auth-code\" \\\n -d \"client_id=606c7782-f2b1-49e5-8ea9-26eb1b06d018\" \\\n -d \"client_secret=PYjrE9u4v9GVqXKi52eur0eb2Ci4kc0x\" \\\n -d \"redirect_uri=http://immich/auth/callback\"\n# Expected: 400 (wrong client)\n# Actual: 200 with tokens \u2014 access_token.aud = Immich client ID\n```\n\n**Verified result:** HTTP 200 with tokens. The `access_token` audience is `606c7782-...` (Immich), despite the authorization code being issued for `3654a746-...` (Nextcloud).\n\n### Impact\n\nAny OIDC client operator can exchange authorization codes issued for other clients, obtaining tokens for users who never authorized that client. Expired authorization codes can also be reused with the correct client until the 24-hour cleanup job runs.",
"id": "GHSA-qh6q-598w-w6m2",
"modified": "2026-03-10T18:43:07Z",
"published": "2026-03-09T17:24:49Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pocket-id/pocket-id/security/advisories/GHSA-qh6q-598w-w6m2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28513"
},
{
"type": "PACKAGE",
"url": "https://github.com/pocket-id/pocket-id"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Pocket ID: OIDC authorization code validation uses AND instead of OR, allowing cross-client token exchange"
}
GHSA-QH7G-57WW-6FQ4
Vulnerability from github – Published: 2024-10-24 18:30 – Updated: 2024-10-24 18:30A flaw was found in Gateway. Sending a non-base64 'basic' auth with special characters can cause APICast to incorrectly authenticate a request. A malformed basic authentication header containing special characters bypasses authentication and allows unauthorized access to the backend. This issue can occur due to a failure in the base64 decoding process, which causes APICast to skip the rest of the authentication checks and proceed with routing the request upstream.
{
"affected": [],
"aliases": [
"CVE-2024-10295"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-24T18:15:05Z",
"severity": "MODERATE"
},
"details": "A flaw was found in Gateway. Sending a non-base64 \u0027basic\u0027 auth with special characters can cause APICast to incorrectly authenticate a request. A malformed basic authentication header containing special characters bypasses authentication and allows unauthorized access to the backend. This issue can occur due to a failure in the base64 decoding process, which causes APICast to skip the rest of the authentication checks and proceed with routing the request upstream.",
"id": "GHSA-qh7g-57ww-6fq4",
"modified": "2024-10-24T18:30:44Z",
"published": "2024-10-24T18:30:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10295"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-10295"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2321258"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QHFJ-5GCR-FPXQ
Vulnerability from github – Published: 2026-07-17 03:31 – Updated: 2026-07-17 03:31OpenClaw versions 2026.6.1 before 2026.6.9 contain a privilege escalation vulnerability in isolated cron jobs that allows lower-trust callers to regain denied execution tools. Attackers can execute or persist actions beyond their intended authorization by leveraging misconfigured input paths in the affected cron feature.
{
"affected": [],
"aliases": [
"CVE-2026-62202"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-17T02:18:06Z",
"severity": "HIGH"
},
"details": "OpenClaw versions 2026.6.1 before 2026.6.9 contain a privilege escalation vulnerability in isolated cron jobs that allows lower-trust callers to regain denied execution tools. Attackers can execute or persist actions beyond their intended authorization by leveraging misconfigured input paths in the affected cron feature.",
"id": "GHSA-qhfj-5gcr-fpxq",
"modified": "2026-07-17T03:31:20Z",
"published": "2026-07-17T03:31:19Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mm9g-83wh-mhwj"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-62202"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-cron"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-QHHH-GXXV-PG3H
Vulnerability from github – Published: 2023-06-07 03:30 – Updated: 2024-04-04 04:37The WPS Hide Login plugin for WordPress is vulnerable to login page disclosure even when the settings of the plugin are set to hide the login page making it possible for unauthenticated attackers to brute force credentials on sites in versions up to, and including, 1.5.4.2.
{
"affected": [],
"aliases": [
"CVE-2020-36710"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-07T02:15:11Z",
"severity": "HIGH"
},
"details": "The WPS Hide Login plugin for WordPress is vulnerable to login page disclosure even when the settings of the plugin are set to hide the login page making it possible for unauthenticated attackers to brute force credentials on sites in versions up to, and including, 1.5.4.2.",
"id": "GHSA-qhhh-gxxv-pg3h",
"modified": "2024-04-04T04:37:29Z",
"published": "2023-06-07T03:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36710"
},
{
"type": "WEB",
"url": "https://blog.nintechnet.com/wordpress-wps-hide-login-fixed-security-issue"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7808329f-1688-480c-a83c-c4ab2fa86da6?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QHMH-X535-R77M
Vulnerability from github – Published: 2022-05-13 01:44 – Updated: 2022-05-13 01:44Because of insufficient authorization checks it is possible for any authenticated user to change profile data of other users in Pleasant Password Server before 7.8.3.
{
"affected": [],
"aliases": [
"CVE-2017-17708"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-07-31T14:29:00Z",
"severity": "MODERATE"
},
"details": "Because of insufficient authorization checks it is possible for any authenticated user to change profile data of other users in Pleasant Password Server before 7.8.3.",
"id": "GHSA-qhmh-x535-r77m",
"modified": "2022-05-13T01:44:27Z",
"published": "2022-05-13T01:44:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-17708"
},
{
"type": "WEB",
"url": "https://www.profundis-labs.com/advisories/CVE-2017-17708.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.