Common Weakness Enumeration

CWE-863

Allowed-with-Review

Incorrect Authorization

Abstraction: Class · Status: Incomplete

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

5541 vulnerabilities reference this CWE, most recent first.

GHSA-W65P-8M9J-6PM4

Vulnerability from github – Published: 2025-01-09 21:31 – Updated: 2025-01-31 18:31
VLAI
Details

Incorrect Authorization vulnerability in Drupal Freelinking allows Forceful Browsing.This issue affects Freelinking: from 0.0.0 before 4.0.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-13270"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-09T20:15:35Z",
    "severity": "MODERATE"
  },
  "details": "Incorrect Authorization vulnerability in Drupal Freelinking allows Forceful Browsing.This issue affects Freelinking: from 0.0.0 before 4.0.1.",
  "id": "GHSA-w65p-8m9j-6pm4",
  "modified": "2025-01-31T18:31:04Z",
  "published": "2025-01-09T21:31:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13270"
    },
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-contrib-2024-034"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W65R-3XH2-3PJ4

Vulnerability from github – Published: 2025-09-16 00:30 – Updated: 2025-11-03 21:34
VLAI
Details

This issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in macOS Tahoe 26. An app may be able to access sensitive user data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-43307"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-15T23:15:33Z",
    "severity": "MODERATE"
  },
  "details": "This issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in macOS Tahoe 26. An app may be able to access sensitive user data.",
  "id": "GHSA-w65r-3xh2-3pj4",
  "modified": "2025-11-03T21:34:30Z",
  "published": "2025-09-16T00:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43307"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/125110"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/Sep/53"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W65V-2JVX-6697

Vulnerability from github – Published: 2023-06-02 12:30 – Updated: 2024-04-04 04:28
VLAI
Details

Wade Graphic Design FANTSY has a vulnerability of insufficient authorization check. An unauthenticated remote user can exploit this vulnerability by modifying URL parameters to gain administrator privileges to perform arbitrary system operation or disrupt service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-28698"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-02T11:15:10Z",
    "severity": "CRITICAL"
  },
  "details": "Wade Graphic Design FANTSY has a vulnerability of insufficient authorization check. An unauthenticated remote user can exploit this vulnerability by modifying URL parameters to gain administrator privileges to perform arbitrary system operation or disrupt service.",
  "id": "GHSA-w65v-2jvx-6697",
  "modified": "2024-04-04T04:28:38Z",
  "published": "2023-06-02T12:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28698"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/tw/cp-132-7101-f88db-1.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W66P-78G4-MR7G

Vulnerability from github – Published: 2022-05-17 01:39 – Updated: 2024-09-27 18:07
VLAI
Summary
OpenStack Keystone Insufficient token expiration
Details

OpenStack Keystone, as used in OpenStack Folsom 2012.2, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization restrictions by creating new tokens through token chaining. NOTE: this issue exists because of a CVE-2012-3426 regression.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "keystone"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2012-5563"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-324",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-02-14T00:53:23Z",
    "nvd_published_at": "2012-12-18T01:55:00Z",
    "severity": "HIGH"
  },
  "details": "OpenStack Keystone, as used in OpenStack Folsom 2012.2, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization restrictions by creating new tokens through token chaining.  NOTE: this issue exists because of a CVE-2012-3426 regression.",
  "id": "GHSA-w66p-78g4-mr7g",
  "modified": "2024-09-27T18:07:52Z",
  "published": "2022-05-17T01:39:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-5563"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openstack/keystone/commit/38c7e46a640a94da4da89a39a5a1ea9c081f1eb5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openstack/keystone/commit/f9d4766249a72d8f88d75dcf1575b28dd3496681"
    },
    {
      "type": "WEB",
      "url": "https://bugs.launchpad.net/keystone/+bug/1079216"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/80370"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openstack/keystone"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/keystone/PYSEC-2012-20.yaml"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20121201003009/http://secunia.com/advisories/51423"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20140802122732/http://secunia.com/advisories/51436"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20200228144943/http://www.securityfocus.com/bid/56727"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2012-1557.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2012/11/28/5"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2012/11/28/6"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-1641-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenStack Keystone Insufficient token expiration"
}

GHSA-W67P-2W4G-FGJP

Vulnerability from github – Published: 2022-05-24 17:22 – Updated: 2022-05-24 17:22
VLAI
Details

The /rest/project-templates/1.0/createshared resource in Atlassian Jira Server and Data Center before version 8.5.5, from 8.6.0 before 8.7.2, and from 8.8.0 before 8.8.1 allows remote attackers to enumerate project names via an improper authorization vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-4029"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-07-01T02:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The /rest/project-templates/1.0/createshared resource in Atlassian Jira Server and Data Center before version 8.5.5, from 8.6.0 before 8.7.2, and from 8.8.0 before 8.8.1 allows remote attackers to enumerate project names via an improper authorization vulnerability.",
  "id": "GHSA-w67p-2w4g-fgjp",
  "modified": "2022-05-24T17:22:14Z",
  "published": "2022-05-24T17:22:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4029"
    },
    {
      "type": "WEB",
      "url": "https://jira.atlassian.com/browse/JRASERVER-70926"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W68R-5P45-5RQP

Vulnerability from github – Published: 2021-05-06 18:54 – Updated: 2021-05-04 22:46
VLAI
Summary
Improper Input Validation in Laravel
Details

An issue was discovered in Laravel before 6.18.35 and 7.x before 7.24.0. The $guarded property is mishandled in some situations involving requests with JSON column nesting expressions.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "laravel/framework"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.18.35"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "laravel/framework"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0"
            },
            {
              "fixed": "7.24.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-24941"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-04T22:46:50Z",
    "nvd_published_at": "2020-09-04T02:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Laravel before 6.18.35 and 7.x before 7.24.0. The $guarded property is mishandled in some situations involving requests with JSON column nesting expressions.",
  "id": "GHSA-w68r-5p45-5rqp",
  "modified": "2021-05-04T22:46:50Z",
  "published": "2021-05-06T18:54:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24941"
    },
    {
      "type": "WEB",
      "url": "https://github.com/laravel/framework/commit/897d107775737a958dbd0b2f3ea37877c7526371"
    },
    {
      "type": "WEB",
      "url": "https://blog.laravel.com/security-release-laravel-61835-7240"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Input Validation in Laravel"
}

GHSA-W6C7-J32F-RQ8J

Vulnerability from github – Published: 2025-05-13 09:31 – Updated: 2025-07-16 21:02
VLAI
Summary
Apache Superset Allows Ownership Takeover
Details

Improper Authorization vulnerability in Apache Superset allows ownership takeover of dashboards, charts or datasets by authenticated users with read permissions.

This issue affects Apache Superset: through 4.1.1.

Users are recommended to upgrade to version 4.1.2 or above, which fixes the issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "apache-superset"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-27696"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-13T20:23:45Z",
    "nvd_published_at": "2025-05-13T09:15:20Z",
    "severity": "MODERATE"
  },
  "details": "Improper Authorization vulnerability in Apache Superset allows ownership takeover of dashboards, charts or datasets by authenticated users with read permissions.\n\nThis issue affects Apache Superset: through 4.1.1.\n\nUsers are recommended to upgrade to version 4.1.2 or above, which fixes the issue.",
  "id": "GHSA-w6c7-j32f-rq8j",
  "modified": "2025-07-16T21:02:59Z",
  "published": "2025-05-13T09:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27696"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/superset/commit/fc844d3dfdace890b32c00a507a959b81122b425"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/superset"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/k2od03bxnxs6vcp80sr03ywcxl194413"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/05/12/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Apache Superset Allows Ownership Takeover"
}

GHSA-W6F2-8WX4-47R5

Vulnerability from github – Published: 2022-05-24 19:18 – Updated: 2022-06-22 18:13
VLAI
Summary
Incorrect Authorization in MySQL Connector Java
Details

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Connectors accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors. CVSS 3.1 Base Score 5.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H).

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 8.0.26"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "mysql:mysql-connector-java"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.0.27"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-2471"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-22T18:13:52Z",
    "nvd_published_at": "2021-10-20T11:16:00Z",
    "severity": "MODERATE"
  },
  "details": "Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Connectors accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors. CVSS 3.1 Base Score 5.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H).",
  "id": "GHSA-w6f2-8wx4-47r5",
  "modified": "2022-06-22T18:13:52Z",
  "published": "2022-05-24T19:18:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-2471"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Incorrect Authorization in MySQL Connector Java"
}

GHSA-W6F7-PJ3M-833J

Vulnerability from github – Published: 2026-07-06 21:30 – Updated: 2026-07-08 12:30
VLAI
Details

Improper enforcement of a mandatory multi-factor authentication policy in Devolutions Server 2026.2.9.0 allows an attacker with valid user credentials to bypass the MFA Required policy and authenticate without completing multi-factor authentication. The problem occurs when DVLS encounters an invalid default MFA value.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-14536"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-06T20:16:29Z",
    "severity": "HIGH"
  },
  "details": "Improper enforcement of a mandatory multi-factor authentication policy in Devolutions Server 2026.2.9.0 allows an attacker with valid user credentials to bypass the MFA Required policy and authenticate without completing multi-factor authentication. The problem occurs when DVLS encounters an invalid default MFA value.",
  "id": "GHSA-w6f7-pj3m-833j",
  "modified": "2026-07-08T12:30:24Z",
  "published": "2026-07-06T21:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14536"
    },
    {
      "type": "WEB",
      "url": "https://devolutions.net/security/advisories/DEVO-2026-0023"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W6FV-6GCC-X825

Vulnerability from github – Published: 2025-03-17 14:46 – Updated: 2025-03-19 15:00
VLAI
Summary
Zincati allows unprivileged access to rpm-ostree D-Bus `Deploy()` and `FinalizeDeployment()` methods
Details

Impact

Zincati ships a polkit rule which allows the zincati system user to use the following actions: - org.projectatomic.rpmostree1.deploy: used to deploy updates to the system - org.projectatomic.rpmostree1.finalize-deployment: used to reboot the system into the deployed update

Since Zincati v0.0.24, this polkit rule contains a logic error which broadens access of those polkit actions to any unprivileged user rather than just the zincati system user.

In practice, this means that any unprivileged user with access to the system D-Bus socket is able to deploy older Fedora CoreOS versions (which may have other known vulnerabilities). Note that rpm-ostree enforces that the selected version must be from the same branch the system is currently on so this cannot directly be used to deploy an attacker-controlled update payload.

This primarily impacts users running untrusted workloads with access to the system D-Bus socket. Note that in general, untrusted workloads should not be given this access, whether containerized or not. By default, containers do not have access to the system D-Bus socket.

Patches

The logic error is fixed in Zincati v0.0.30. The fix is included in the following FCOS releases: - On the stable stream: 41.20250302.3.2 - On the testing stream: 41.20250315.2.0 - On the next stream: 42.20250316.1.0

Workarounds

A workaround is to add the following polkit rule:

polkit.addRule(function(action, subject) {
    if (action.id == "org.projectatomic.rpmostree1.deploy" ||
        action.id == "org.projectatomic.rpmostree1.finalize-deployment" ||
        action.id == "org.projectatomic.rpmostree1.cleanup") {
        if (subject.user != "zincati") {
                return polkit.Result.NO;
        }
    }
});

to e.g. /etc/polkit-1/rules.d/00-zincati-fix.rules (it must sort earlier than zincati.rules lexicographically).

Note that this rule will deny all non-root users other than zincati from using those actions. If you've added polkit rules to allow e.g. the core user or other users, you will need to adjust the policy (or make sure the ordering is appropriate).

References

This issue was introduced by this commit, and is fixed in v0.0.30.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.0.29"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "zincati"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.24"
            },
            {
              "fixed": "0.0.30"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-27512"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-783",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-17T14:46:56Z",
    "nvd_published_at": "2025-03-17T15:15:44Z",
    "severity": "LOW"
  },
  "details": "### Impact\n\nZincati ships a polkit rule which allows the `zincati` system user to use the following actions:\n- `org.projectatomic.rpmostree1.deploy`: used to deploy updates to the system\n- `org.projectatomic.rpmostree1.finalize-deployment`: used to reboot the system into the deployed update\n\nSince Zincati [v0.0.24](https://github.com/coreos/zincati/releases/tag/v0.0.24), this polkit rule contains a logic error which broadens access of those polkit actions to any unprivileged user rather than just the `zincati` system user.\n\nIn practice, this means that any unprivileged user with access to the system D-Bus socket is able to deploy older Fedora CoreOS versions (which may have other known vulnerabilities). Note that rpm-ostree enforces that the selected version must be from the same branch the system is currently on so this cannot directly be used to deploy an attacker-controlled update payload.\n\nThis primarily impacts users running untrusted workloads with access to the system D-Bus socket. Note that in general, untrusted workloads should not be given this access, whether containerized or not. By default, containers do not have access to the system D-Bus socket.\n\n### Patches\n\nThe logic error is fixed in Zincati v0.0.30. The fix is included in the following FCOS releases:\n- On the `stable` stream: 41.20250302.3.2\n- On the `testing` stream: 41.20250315.2.0\n- On the `next` stream: 42.20250316.1.0\n\n### Workarounds\n\nA workaround is to add the following polkit rule:\n\n```javascript\npolkit.addRule(function(action, subject) {\n    if (action.id == \"org.projectatomic.rpmostree1.deploy\" ||\n        action.id == \"org.projectatomic.rpmostree1.finalize-deployment\" ||\n        action.id == \"org.projectatomic.rpmostree1.cleanup\") {\n        if (subject.user != \"zincati\") {\n                return polkit.Result.NO;\n        }\n    }\n});\n```\n\nto e.g. `/etc/polkit-1/rules.d/00-zincati-fix.rules` (it must sort earlier than `zincati.rules` lexicographically).\n\nNote that this rule will deny all non-root users other than `zincati` from using those actions. If you\u0027ve added polkit rules to allow e.g. the `core` user or other users, you will need to adjust the policy (or make sure the ordering is appropriate).\n\n### References\n\nThis issue was introduced by [this commit](https://github.com/coreos/zincati/commit/28a43aa2c1edda091ba659677d73c13e6e3ea99d), and is fixed in [v0.0.30](https://github.com/coreos/zincati/releases/tag/v0.0.30).",
  "id": "GHSA-w6fv-6gcc-x825",
  "modified": "2025-03-19T15:00:20Z",
  "published": "2025-03-17T14:46:56Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/coreos/zincati/security/advisories/GHSA-w6fv-6gcc-x825"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27512"
    },
    {
      "type": "WEB",
      "url": "https://github.com/coreos/zincati/commit/01d8e89f799e6ba21bdf7dc668abce23bd0d8f78"
    },
    {
      "type": "WEB",
      "url": "https://github.com/coreos/zincati/commit/28a43aa2c1edda091ba659677d73c13e6e3ea99d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/coreos/zincati"
    },
    {
      "type": "WEB",
      "url": "https://github.com/coreos/zincati/releases/tag/v0.0.24"
    },
    {
      "type": "WEB",
      "url": "https://github.com/coreos/zincati/releases/tag/v0.0.30"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Zincati allows unprivileged access to rpm-ostree D-Bus `Deploy()` and `FinalizeDeployment()` methods"
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

No CAPEC attack patterns related to this CWE.