CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5556 vulnerabilities reference this CWE, most recent first.
GHSA-R3J2-7G54-8MXW
Vulnerability from github – Published: 2023-01-09 21:30 – Updated: 2023-01-13 18:30A vulnerability, which was classified as problematic, was found in jvvlee MerlinsBoard. This affects an unknown part of the component Grade Handler. The manipulation leads to improper authorization. The name of the patch is 134f5481e2914b7f096cd92a22b1e6bcb8e6dfe5. It is recommended to apply a patch to fix this issue. The identifier VDB-217713 was assigned to this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2015-10033"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-09T21:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability, which was classified as problematic, was found in jvvlee MerlinsBoard. This affects an unknown part of the component Grade Handler. The manipulation leads to improper authorization. The name of the patch is 134f5481e2914b7f096cd92a22b1e6bcb8e6dfe5. It is recommended to apply a patch to fix this issue. The identifier VDB-217713 was assigned to this vulnerability.",
"id": "GHSA-r3j2-7g54-8mxw",
"modified": "2023-01-13T18:30:18Z",
"published": "2023-01-09T21:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-10033"
},
{
"type": "WEB",
"url": "https://github.com/jvvlee/MerlinsBoard/commit/134f5481e2914b7f096cd92a22b1e6bcb8e6dfe5"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.217713"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.217713"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R3JC-HF4V-62FG
Vulnerability from github – Published: 2022-07-02 00:00 – Updated: 2022-07-12 00:00On Ampere Altra and AltraMax devices before SRP 1.09, the the Altra reference design of UEFI accesses allows insecure access to SPI-NOR by the OS/hypervisor component.
{
"affected": [],
"aliases": [
"CVE-2022-32295"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-01T00:15:00Z",
"severity": "CRITICAL"
},
"details": "On Ampere Altra and AltraMax devices before SRP 1.09, the the Altra reference design of UEFI accesses allows insecure access to SPI-NOR by the OS/hypervisor component.",
"id": "GHSA-r3jc-hf4v-62fg",
"modified": "2022-07-12T00:00:54Z",
"published": "2022-07-02T00:00:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32295"
},
{
"type": "WEB",
"url": "https://amperecomputing.com"
},
{
"type": "WEB",
"url": "https://amperecomputing.com/products/security-bulletins/altra-spi-nor-smc-protection-for-ampere-website.html"
},
{
"type": "WEB",
"url": "https://amperecomputing.com/products/security-bulletins/altra-spi-nor-smc.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R3XW-GCPR-RF26
Vulnerability from github – Published: 2026-07-15 12:32 – Updated: 2026-07-15 12:32PraisonAI before 1.6.78 caches tool approval decisions by tool name only, allowing attackers to reuse initial approvals for subsequent calls with arbitrary arguments. Attackers can exploit this by obtaining approval for a benign operation and then executing dangerous file write operations with unreviewed parameters in the same session.
{
"affected": [],
"aliases": [
"CVE-2026-60087"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-15T12:18:18Z",
"severity": "MODERATE"
},
"details": "PraisonAI before 1.6.78 caches tool approval decisions by tool name only, allowing attackers to reuse initial approvals for subsequent calls with arbitrary arguments. Attackers can exploit this by obtaining approval for a benign operation and then executing dangerous file write operations with unreviewed parameters in the same session.",
"id": "GHSA-r3xw-gcpr-rf26",
"modified": "2026-07-15T12:32:03Z",
"published": "2026-07-15T12:32:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-29r9-67vg-qj56"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-60087"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/praisonai-before-tool-approval-cache-bypass"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-R447-VFQG-5642
Vulnerability from github – Published: 2022-08-12 00:01 – Updated: 2022-08-19 00:00Zoom On-Premise Meeting Connector MMR before version 4.8.129.20220714 contains an improper access control vulnerability. As a result, a malicious actor can join a meeting which they are authorized to join without appearing to the other participants, can admit themselves into the meeting from the waiting room, and can become host and cause other meeting disruptions.
{
"affected": [],
"aliases": [
"CVE-2022-28753"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-11T15:15:00Z",
"severity": "MODERATE"
},
"details": "Zoom On-Premise Meeting Connector MMR before version 4.8.129.20220714 contains an improper access control vulnerability. As a result, a malicious actor can join a meeting which they are authorized to join without appearing to the other participants, can admit themselves into the meeting from the waiting room, and can become host and cause other meeting disruptions.",
"id": "GHSA-r447-vfqg-5642",
"modified": "2022-08-19T00:00:21Z",
"published": "2022-08-12T00:01:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28753"
},
{
"type": "WEB",
"url": "https://explore.zoom.us/en/trust/security/security-bulletin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R44R-X7Q4-8HXR
Vulnerability from github – Published: 2022-08-31 00:00 – Updated: 2022-09-07 00:01Incorrect access control in the install directory (C:\RailsInstaller) of Rubyinstaller2 v3.1.2 and below allows authenticated attackers to execute arbitrary code via overwriting binaries located in the directory.
{
"affected": [],
"aliases": [
"CVE-2022-36563"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-30T21:15:00Z",
"severity": "HIGH"
},
"details": "Incorrect access control in the install directory (C:\\RailsInstaller) of Rubyinstaller2 v3.1.2 and below allows authenticated attackers to execute arbitrary code via overwriting binaries located in the directory.",
"id": "GHSA-r44r-x7q4-8hxr",
"modified": "2022-09-07T00:01:53Z",
"published": "2022-08-31T00:00:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36563"
},
{
"type": "WEB",
"url": "https://github.com/ycdxsb/Vuln/blob/main/Railsinstaller-Vuln/Railsinstaller-Vuln.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R496-34W8-F379
Vulnerability from github – Published: 2022-09-27 00:00 – Updated: 2025-05-21 18:32Insufficient policy enforcement in Content Security Policy in Google Chrome prior to 105.0.5195.52 allowed a remote attacker to bypass content security policy via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2022-3056"
],
"database_specific": {
"cwe_ids": [
"CWE-693",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-26T16:15:00Z",
"severity": "MODERATE"
},
"details": "Insufficient policy enforcement in Content Security Policy in Google Chrome prior to 105.0.5195.52 allowed a remote attacker to bypass content security policy via a crafted HTML page.",
"id": "GHSA-r496-34w8-f379",
"modified": "2025-05-21T18:32:58Z",
"published": "2022-09-27T00:00:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3056"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop_30.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1329460"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/40059762"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4NMJURTG5RO3TGD7ZMIQ6Z4ZZ3SAVYE"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T4NMJURTG5RO3TGD7ZMIQ6Z4ZZ3SAVYE"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202209-23"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R4CR-8P88-HQX6
Vulnerability from github – Published: 2023-10-07 00:30 – Updated: 2024-04-04 08:23An issue in NETIS SYSTEMS N3Mv2 v.1.0.1.865 allows a remote attacker to cause a denial of service via the authorization component in the HTTP request.
{
"affected": [],
"aliases": [
"CVE-2023-44860"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-06T23:15:11Z",
"severity": "HIGH"
},
"details": "An issue in NETIS SYSTEMS N3Mv2 v.1.0.1.865 allows a remote attacker to cause a denial of service via the authorization component in the HTTP request.",
"id": "GHSA-r4cr-8p88-hqx6",
"modified": "2024-04-04T08:23:55Z",
"published": "2023-10-07T00:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44860"
},
{
"type": "WEB",
"url": "https://github.com/adhikara13/CVE/blob/main/netis_N3/Improper%20Authentication%20Mechanism%20Leading%20to%20Denial-of-Service%20%28DoS%29.md"
},
{
"type": "WEB",
"url": "https://github.com/adhikara13/CVE/blob/main/netis_N3/Improper%20Authentication%20Mechanism%20Leading%20to%20Denial-of-Service%20(DoS).md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R4PF-QG69-H279
Vulnerability from github – Published: 2023-11-20 21:31 – Updated: 2023-11-27 18:31The WP Hotel Booking WordPress plugin before 2.0.8 does not have proper authorisation when deleting a package, allowing Contributor and above roles to delete posts that do no belong to them
{
"affected": [],
"aliases": [
"CVE-2023-5799"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-20T19:15:10Z",
"severity": "MODERATE"
},
"details": "The WP Hotel Booking WordPress plugin before 2.0.8 does not have proper authorisation when deleting a package, allowing Contributor and above roles to delete posts that do no belong to them",
"id": "GHSA-r4pf-qg69-h279",
"modified": "2023-11-27T18:31:13Z",
"published": "2023-11-20T21:31:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5799"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/3061f85e-a70e-49e5-bccf-ae9240f51178"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-R4V8-9HGX-VM6M
Vulnerability from github – Published: 2022-05-13 01:49 – Updated: 2024-03-01 23:43Cloud Foundry UAA, versions 4.19 prior to 4.19.2 and 4.12 prior to 4.12.4 and 4.10 prior to 4.10.2 and 4.7 prior to 4.7.6 and 4.5 prior to 4.5.7, incorrectly authorizes requests to admin endpoints by accepting a valid refresh token in lieu of an access token. Refresh tokens by design have a longer expiration time than access tokens, allowing the possessor of a refresh token to authenticate longer than expected. This affects the administrative endpoints of the UAA. i.e. /Users, /Groups, etc. However, if the user has been deleted or had groups removed, or the client was deleted, the refresh token will no longer be valid.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.cloudfoundry.identity:cloudfoundry-identity-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.5.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.cloudfoundry.identity:cloudfoundry-identity-server"
},
"ranges": [
{
"events": [
{
"introduced": "4.6.0"
},
{
"fixed": "4.7.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.cloudfoundry.identity:cloudfoundry-identity-server"
},
"ranges": [
{
"events": [
{
"introduced": "4.8.0"
},
{
"fixed": "4.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.cloudfoundry.identity:cloudfoundry-identity-server"
},
"ranges": [
{
"events": [
{
"introduced": "4.11.0"
},
{
"fixed": "4.12.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.cloudfoundry.identity:cloudfoundry-identity-server"
},
"ranges": [
{
"events": [
{
"introduced": "4.13.0"
},
{
"fixed": "4.19.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-11047"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2024-03-01T23:43:02Z",
"nvd_published_at": "2018-07-24T19:29:00Z",
"severity": "HIGH"
},
"details": "Cloud Foundry UAA, versions 4.19 prior to 4.19.2 and 4.12 prior to 4.12.4 and 4.10 prior to 4.10.2 and 4.7 prior to 4.7.6 and 4.5 prior to 4.5.7, incorrectly authorizes requests to admin endpoints by accepting a valid refresh token in lieu of an access token. Refresh tokens by design have a longer expiration time than access tokens, allowing the possessor of a refresh token to authenticate longer than expected. This affects the administrative endpoints of the UAA. i.e. /Users, /Groups, etc. However, if the user has been deleted or had groups removed, or the client was deleted, the refresh token will no longer be valid.",
"id": "GHSA-r4v8-9hgx-vm6m",
"modified": "2024-03-01T23:43:03Z",
"published": "2022-05-13T01:49:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11047"
},
{
"type": "WEB",
"url": "https://github.com/cloudfoundry/uaa/commit/0cd3c6fdd96206a1d6a376ac62e21e59e16cdcb1"
},
{
"type": "WEB",
"url": "https://github.com/cloudfoundry/uaa/commit/2906057dae995024576ce6afdc20abd85569514"
},
{
"type": "WEB",
"url": "https://github.com/cloudfoundry/uaa/commit/4cb1be404cf4a82e39cf2a6357aa17af8b33f2a1"
},
{
"type": "WEB",
"url": "https://github.com/cloudfoundry/uaa/commit/4fa3e351ec0bface3b693810605905e29a9a8569"
},
{
"type": "WEB",
"url": "https://github.com/cloudfoundry/uaa/commit/5d021e83ef143c64179d0da015aa76321ee40988"
},
{
"type": "WEB",
"url": "https://github.com/cloudfoundry/uaa/commit/81aeb7a3aa048ea086c494f725d643e48dd9266"
},
{
"type": "WEB",
"url": "https://github.com/cloudfoundry/uaa/commit/a1d523c7f150e56bf06df8b83ed1d416d6c1d3b"
},
{
"type": "WEB",
"url": "https://github.com/cloudfoundry/uaa/commit/aba1fb5f18e0d628628b2d960fc6d0cc62d86f5"
},
{
"type": "WEB",
"url": "https://github.com/cloudfoundry/uaa/commit/b37552d2bf084de059bc965b5ef5a45e64883904"
},
{
"type": "WEB",
"url": "https://github.com/cloudfoundry/uaa/commit/bbbba5aec514ad88e7d1e168a2519c80229f02f"
},
{
"type": "PACKAGE",
"url": "https://github.com/cloudfoundry/uaa"
},
{
"type": "WEB",
"url": "https://www.cloudfoundry.org/blog/cve-2018-11047"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Cloud Foundry UAA accepts refresh token as access token on admin endpoints"
}
GHSA-R4WM-X892-VJMX
Vulnerability from github – Published: 2026-03-02 14:34 – Updated: 2026-03-02 14:34Impact
What kind of vulnerability is it? Who is impacted?
A NestJS application using @nestjs/platform-fastify can allow bypass of any middleware when Fastify path-normalization options (e.g., ignoreTrailingSlash, ignoreDuplicateSlashes, useSemicolonDelimiter) are enabled. In affected route-scoped middleware setups, variant paths may skip middleware checks while still reaching the protected handler.
The bug is a path canonicalization mismatch between middleware matching and route matching in Nest’s Fastify adapter.
Nest passes Fastify routerOptions (such as ignoreTrailingSlash, ignoreDuplicateSlashes, useSemicolonDelimiter) to the Fastify router in packages/platform-fastify/adapters/fastify-adapter.ts:253.
But middleware execution is decided by a separate regex check over req.originalUrl in packages/platform-fastify/adapters/fastify-adapter.ts:706 and packages/platform-fastify/adapters/fastify-adapter.ts:713.
If that regex does not match, Nest does next() and skips the middleware (packages/platform-fastify/adapters/fastify-adapter.ts:714), while Fastify may still normalize the same path and route it to the protected handler. So the vulnerability exists because security checks (middleware) and request dispatch(router) use different URL interpretations.
This is a fail-open design issue (inconsistent normalization), not just a bad app config: non-default router options make the mismatch reachable.
Patches
Fixed in @nestjs/platform-fastify@11.1.14
References
Credit goes to Fluidattacks (Cristian Vargas) https://fluidattacks.com/advisories/neton
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 11.1.13"
},
"package": {
"ecosystem": "npm",
"name": "@nestjs/platform-fastify"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "11.1.14"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-2293"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-02T14:34:12Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nA NestJS application using `@nestjs/platform-fastify` can allow bypass of any middleware when Fastify path-normalization options (e.g., `ignoreTrailingSlash`, `ignoreDuplicateSlashes`, `useSemicolonDelimiter`) are enabled. In affected route-scoped middleware setups, variant paths may skip middleware checks while still reaching the protected handler.\n\nThe bug is a path canonicalization mismatch between middleware matching and route matching in Nest\u2019s Fastify adapter.\n\nNest passes Fastify routerOptions (such as `ignoreTrailingSlash`, `ignoreDuplicateSlashes`, `useSemicolonDelimiter`) to the Fastify router in packages/platform-fastify/adapters/fastify-adapter.ts:253.\n\nBut middleware execution is decided by a separate regex check over `req.originalUrl` in packages/platform-fastify/adapters/fastify-adapter.ts:706 and packages/platform-fastify/adapters/fastify-adapter.ts:713.\n\nIf that regex does not match, Nest does `next()` and skips the middleware (packages/platform-fastify/adapters/fastify-adapter.ts:714), while Fastify may still normalize the same path and route it to the protected handler. So the vulnerability exists because security checks (middleware) and request dispatch(router) use different URL interpretations.\n\nThis is a fail-open design issue (inconsistent normalization), not just a bad app config: non-default router options make the mismatch reachable.\n\n### Patches\n\nFixed in `@nestjs/platform-fastify@11.1.14`\n\n### References\n\nCredit goes to Fluidattacks ([Cristian Vargas](https://www.linkedin.com/in/cvmiracle/)) https://fluidattacks.com/advisories/neton",
"id": "GHSA-r4wm-x892-vjmx",
"modified": "2026-03-02T14:34:12Z",
"published": "2026-03-02T14:34:12Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nestjs/nest/security/advisories/GHSA-r4wm-x892-vjmx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2293"
},
{
"type": "WEB",
"url": "https://github.com/nestjs/nest/commit/fd8d073e0e048b185147209338ca7042e52c10ba"
},
{
"type": "WEB",
"url": "https://fluidattacks.com/advisories/neton"
},
{
"type": "PACKAGE",
"url": "https://github.com/nestjs/nest"
},
{
"type": "WEB",
"url": "https://github.com/nestjs/nest/releases/tag/v11.1.14"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Nest has a Fastify URL Encoding Middleware Bypass "
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.