CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5504 vulnerabilities reference this CWE, most recent first.
GHSA-XRQ9-JM7V-G9H7
Vulnerability from github – Published: 2026-04-25 23:49 – Updated: 2026-04-25 23:49Affected Packages / Versions
- Package:
openclaw(npm) - Affected versions:
< 2026.4.20 - Patched version:
2026.4.20
Impact
A paired device session with limited pairing scope could enumerate global pairing state and act on pairing requests that belonged to another device within the same gateway scope ceiling.
This is a same-gateway paired-device authorization bug, not a remote unauthenticated issue. Severity is low.
Fix
Pairing management actions are now limited to the caller device, so non-admin paired-device sessions cannot approve or operate on unrelated pending device requests.
Fix commit:
5a12f30441d5b0b151f550daa2c5c9e8db61e2e6
Release
Fixed in OpenClaw 2026.4.20.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.4.20"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-25T23:49:00Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `\u003c 2026.4.20`\n- Patched version: `2026.4.20`\n\n## Impact\n\nA paired device session with limited pairing scope could enumerate global pairing state and act on pairing requests that belonged to another device within the same gateway scope ceiling.\n\nThis is a same-gateway paired-device authorization bug, not a remote unauthenticated issue. Severity is low.\n\n## Fix\n\nPairing management actions are now limited to the caller device, so non-admin paired-device sessions cannot approve or operate on unrelated pending device requests.\n\nFix commit:\n\n- `5a12f30441d5b0b151f550daa2c5c9e8db61e2e6`\n\n## Release\n\nFixed in OpenClaw `2026.4.20`.",
"id": "GHSA-xrq9-jm7v-g9h7",
"modified": "2026-04-25T23:49:00Z",
"published": "2026-04-25T23:49:00Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xrq9-jm7v-g9h7"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/5a12f30441d5b0b151f550daa2c5c9e8db61e2e6"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: Paired-device pairing actions were not limited to the caller device"
}
GHSA-XRRV-GJCC-H93V
Vulnerability from github – Published: 2022-12-01 15:30 – Updated: 2022-12-05 21:30Symantec Endpoint Protection (Windows) agent, prior to 14.3 RU6/14.3 RU5 Patch 1, may be susceptible to a Security Control Bypass vulnerability, which is a type of issue that can potentially allow a threat actor to circumvent existing security controls. This CVE applies narrowly to the Client User Interface Password protection and Policy Import/Export Password protection, if it has been enabled.
{
"affected": [],
"aliases": [
"CVE-2022-37017"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-01T14:15:00Z",
"severity": "HIGH"
},
"details": "Symantec Endpoint Protection (Windows) agent, prior to 14.3 RU6/14.3 RU5 Patch 1, may be susceptible to a Security Control Bypass vulnerability, which is a type of issue that can potentially allow a threat actor to circumvent existing security controls. This CVE applies narrowly to the Client User Interface Password protection and Policy Import/Export Password protection, if it has been enabled.",
"id": "GHSA-xrrv-gjcc-h93v",
"modified": "2022-12-05T21:30:42Z",
"published": "2022-12-01T15:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37017"
},
{
"type": "WEB",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/21014"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XRVG-VG5W-7CH7
Vulnerability from github – Published: 2022-05-13 01:44 – Updated: 2022-05-13 01:44Memory write mechanism in NCR S1 Dispenser controller before firmware version 0x0156 allows an unauthenticated user to upgrade or downgrade the firmware of the device, including to older versions with known vulnerabilities.
{
"affected": [],
"aliases": [
"CVE-2017-17668"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-03-20T14:29:00Z",
"severity": "HIGH"
},
"details": "Memory write mechanism in NCR S1 Dispenser controller before firmware version 0x0156 allows an unauthenticated user to upgrade or downgrade the firmware of the device, including to older versions with known vulnerabilities.",
"id": "GHSA-xrvg-vg5w-7ch7",
"modified": "2022-05-13T01:44:27Z",
"published": "2022-05-13T01:44:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-17668"
},
{
"type": "WEB",
"url": "https://www.ncr.com/sites/default/files/ncr_security_alert_-_2018-04_v3.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XV24-HXH9-2HH9
Vulnerability from github – Published: 2026-05-29 00:38 – Updated: 2026-07-02 18:50In OpenStack Neutron before 28.0.1, the tagging controller enforces plural policy action names on single-tag write operations while the defined policy rules use singular names. The mismatched names evaluate as allowed under the default policy, permitting a project reader to create and update tags on same-project resources. Deployments running Neutron 26.0.0 or later are affected.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "neutron"
},
"ranges": [
{
"events": [
{
"introduced": "28.0.0"
},
{
"fixed": "28.0.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "neutron"
},
"ranges": [
{
"events": [
{
"introduced": "27.0.0"
},
{
"fixed": "27.0.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "neutron"
},
"ranges": [
{
"events": [
{
"introduced": "26.0.0"
},
{
"fixed": "26.0.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-49299"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-02T18:50:58Z",
"nvd_published_at": "2026-05-28T22:17:02Z",
"severity": "MODERATE"
},
"details": "In OpenStack Neutron before 28.0.1, the tagging controller enforces plural policy action names on single-tag write operations while the defined policy rules use singular names. The mismatched names evaluate as allowed under the default policy, permitting a project reader to create and update tags on same-project resources. Deployments running Neutron 26.0.0 or later are affected.",
"id": "GHSA-xv24-hxh9-2hh9",
"modified": "2026-07-02T18:50:58Z",
"published": "2026-05-29T00:38:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49299"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/bugs/2150132"
},
{
"type": "PACKAGE",
"url": "https://github.com/openstack/neutron"
},
{
"type": "WEB",
"url": "https://review.opendev.org/c/openstack/neutron/+/989099"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2026/05/28/8"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/06/02/7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenStack Neutron has an Incorrect Authorization issue"
}
GHSA-XV46-HHWP-VF34
Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-05-24 17:34A vulnerability in the internal Kubernetes agent api in GitLab CE/EE version 13.3 and above allows unauthorized access to private projects. Affected versions are: >=13.4, <13.4.5,>=13.3, <13.3.9,>=13.5, <13.5.2.
{
"affected": [],
"aliases": [
"CVE-2020-13358"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-17T01:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the internal Kubernetes agent api in GitLab CE/EE version 13.3 and above allows unauthorized access to private projects. Affected versions are: \u003e=13.4, \u003c13.4.5,\u003e=13.3, \u003c13.3.9,\u003e=13.5, \u003c13.5.2.",
"id": "GHSA-xv46-hhwp-vf34",
"modified": "2022-05-24T17:34:24Z",
"published": "2022-05-24T17:34:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13358"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13358.json"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/241674"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-XV59-3GPF-C92H
Vulnerability from github – Published: 2022-05-24 16:50 – Updated: 2024-04-04 01:14There is a Factory Reset Protection (FRP) bypass vulnerability on several smartphones. The system does not sufficiently verify the permission, an attacker could do a certain operation on certain step of setup wizard. Successful exploit could allow the attacker bypass the FRP protection. Affected products: Mate 20 X, versions earlier than Ever-AL00B 9.0.0.200(C00E200R2P1); Mate 20, versions earlier than Hima-AL00B/Hima-TL00B 9.0.0.200(C00E200R2P1); Honor Magic 2, versions earlier than Tony-AL00B/Tony-TL00B 9.0.0.182(C00E180R2P2).
{
"affected": [],
"aliases": [
"CVE-2019-5220"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-10T18:15:00Z",
"severity": "MODERATE"
},
"details": "There is a Factory Reset Protection (FRP) bypass vulnerability on several smartphones. The system does not sufficiently verify the permission, an attacker could do a certain operation on certain step of setup wizard. Successful exploit could allow the attacker bypass the FRP protection. Affected products: Mate 20 X, versions earlier than Ever-AL00B 9.0.0.200(C00E200R2P1); Mate 20, versions earlier than Hima-AL00B/Hima-TL00B 9.0.0.200(C00E200R2P1); Honor Magic 2, versions earlier than Tony-AL00B/Tony-TL00B 9.0.0.182(C00E180R2P2).",
"id": "GHSA-xv59-3gpf-c92h",
"modified": "2024-04-04T01:14:39Z",
"published": "2022-05-24T16:50:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5220"
},
{
"type": "WEB",
"url": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20190626-01-frp-en"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XV7J-WG82-2R7G
Vulnerability from github – Published: 2024-06-26 06:30 – Updated: 2024-10-29 00:31The Bookster WordPress plugin through 1.1.0 allows adding sensitive parameters when validating appointments allowing attackers to manipulate the data sent when booking an appointment (the request body) to change its status from pending to approved.
{
"affected": [],
"aliases": [
"CVE-2024-5071"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-26T06:15:16Z",
"severity": "MODERATE"
},
"details": "The Bookster WordPress plugin through 1.1.0 allows adding sensitive parameters when validating appointments allowing attackers to manipulate the data sent when booking an appointment (the request body) to change its status from pending to approved.",
"id": "GHSA-xv7j-wg82-2r7g",
"modified": "2024-10-29T00:31:14Z",
"published": "2024-06-26T06:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5071"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/07b293cf-5174-45de-8606-a782a96a35b3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XV97-C62V-4587
Vulnerability from github – Published: 2022-08-02 18:00 – Updated: 2022-08-11 22:13Impact
next-auth users who are using the EmailProvider either in versions before 4.10.3 or 3.29.10 are affected.
If an attacker could forge a request that sent a comma-separated list of emails (eg.: attacker@attacker.com,victim@victim.com) to the sign-in endpoint, NextAuth.js would send emails to both the attacker and the victim's e-mail addresses. The attacker could then login as a newly created user with the email being attacker@attacker.com,victim@victim.com. This means that basic authorization like email.endsWith("@victim.com") in the signIn callback would fail to communicate a threat to the developer and would let the attacker bypass authorization, even with an @attacker.com address.
Patches
We patched this vulnerability in v4.10.3 and v3.29.10 by normalizing the email value that is sent to the sign-in endpoint before accessing it anywhere else. We also added a normalizeIdentifier callback on the EmailProvider configuration, where you can further tweak your requirements for what your system considers a valid e-mail address. (E.g.: strict RFC2821 compliance)
To upgrade, run one of the following:
npm i next-auth@latest
yarn add next-auth@latest
pnpm add next-auth@latest
(This will update to the latest v4 version, but you can change latest to 3 if you want to stay on v3. This is not recommended. v3 is unmaintained.)
Workarounds
If for some reason you cannot upgrade, you can normalize the incoming request like the following, using Advanced Initialization:
// pages/api/auth/[...nextauth].ts
function normalize(identifier) {
// Get the first two elements only,
// separated by `@` from user input.
let [local, domain] = identifier.toLowerCase().trim().split("@")
// The part before "@" can contain a ","
// but we remove it on the domain part
domain = domain.split(",")[0]
return `${local}@${domain}`
}
export default async function handler(req, res) {
if (req.body.email) req.body.email = normalize(req.body.email)
return await NextAuth(req, res, {/* your options */ })
}
References
- EmailProvider: https://next-auth.js.org/providers/email
- Normalize the email address: https://next-auth.js.org/providers/email#normalizing-the-email-address
- Email syntax: https://en.wikipedia.org/wiki/Email_address#Local-part
signIncallback: https://next-auth.js.org/configuration/callbacks#sign-in-callback- Advanced Initialization: https://next-auth.js.org/configuration/initialization#advanced-initialization
nodemaileraddress: https://nodemailer.com/message/addresses
For more information
If you have any concerns, we request responsible disclosure, outlined here: https://next-auth.js.org/security#reporting-a-vulnerability
Timeline
The issue was reported 26th of July, a response was sent out in less than 1 hour and after identifying the issue a patch was published within 5 working days.
Acknowledgments
We would like to thank Socket for disclosing this vulnerability in a responsible manner and following up until it got published.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "next-auth"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.10.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "next-auth"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.29.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-35924"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2022-08-02T18:00:33Z",
"nvd_published_at": "2022-08-02T18:15:00Z",
"severity": "CRITICAL"
},
"details": "### Impact\n`next-auth` users who are using the `EmailProvider` either in versions before `4.10.3` or `3.29.10` are affected.\n\nIf an attacker could forge a request that sent a comma-separated list of emails (eg.: `attacker@attacker.com,victim@victim.com`) to the sign-in endpoint, NextAuth.js would send emails to both the attacker and the victim\u0027s e-mail addresses. The attacker could then login as a newly created user with the email being `attacker@attacker.com,victim@victim.com`. This means that basic authorization like `email.endsWith(\"@victim.com\")` in the `signIn` callback would fail to communicate a threat to the developer and would let the attacker bypass authorization, even with an `@attacker.com` address.\n\n### Patches\nWe patched this vulnerability in `v4.10.3` and `v3.29.10` by normalizing the email value that is sent to the sign-in endpoint before accessing it anywhere else. We also added a `normalizeIdentifier` callback on the `EmailProvider` configuration, where you can further tweak your requirements for what your system considers a valid e-mail address. (E.g.: strict RFC2821 compliance)\n\nTo upgrade, run one of the following:\n```sh\nnpm i next-auth@latest\n```\n```sh\nyarn add next-auth@latest\n```\n```sh\npnpm add next-auth@latest\n```\n\n(This will update to the latest v4 version, but you can change `latest` to `3` if you want to stay on v3. This is not recommended. v3 is unmaintained.)\n\n### Workarounds\nIf for some reason you cannot upgrade, you can normalize the incoming request like the following, using Advanced Initialization:\n```ts\n// pages/api/auth/[...nextauth].ts\n\nfunction normalize(identifier) {\n // Get the first two elements only,\n // separated by `@` from user input.\n let [local, domain] = identifier.toLowerCase().trim().split(\"@\")\n // The part before \"@\" can contain a \",\"\n // but we remove it on the domain part\n domain = domain.split(\",\")[0]\n return `${local}@${domain}`\n}\n\nexport default async function handler(req, res) {\n if (req.body.email) req.body.email = normalize(req.body.email)\n return await NextAuth(req, res, {/* your options */ })\n}\n```\n\n### References\n- EmailProvider: https://next-auth.js.org/providers/email\n- Normalize the email address: https://next-auth.js.org/providers/email#normalizing-the-email-address\n- Email syntax: https://en.wikipedia.org/wiki/Email_address#Local-part\n- `signIn` callback: https://next-auth.js.org/configuration/callbacks#sign-in-callback\n- Advanced Initialization: https://next-auth.js.org/configuration/initialization#advanced-initialization\n- `nodemailer` address: https://nodemailer.com/message/addresses\n\n### For more information\n\nIf you have any concerns, we request responsible disclosure, outlined here: https://next-auth.js.org/security#reporting-a-vulnerability\n\n### Timeline\n\nThe issue was reported 26th of July, a response was sent out in less than 1 hour and after identifying the issue a patch was published within 5 working days.\n\n### Acknowledgments\n\nWe would like to thank [Socket](https://socket.dev) for disclosing this vulnerability in a responsible manner and following up until it got published.",
"id": "GHSA-xv97-c62v-4587",
"modified": "2022-08-11T22:13:10Z",
"published": "2022-08-02T18:00:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-xv97-c62v-4587"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35924"
},
{
"type": "WEB",
"url": "https://github.com/nextauthjs/next-auth/commit/afb1fcdae3cc30445038ef588e491d139b916003"
},
{
"type": "WEB",
"url": "https://en.wikipedia.org/wiki/Email_address#Local-part"
},
{
"type": "PACKAGE",
"url": "https://github.com/nextauthjs/next-auth"
},
{
"type": "WEB",
"url": "https://next-auth.js.org/configuration/callbacks#sign-in-callback"
},
{
"type": "WEB",
"url": "https://next-auth.js.org/configuration/initialization#advanced-initialization"
},
{
"type": "WEB",
"url": "https://next-auth.js.org/providers/email"
},
{
"type": "WEB",
"url": "https://next-auth.js.org/providers/email#normalizing-the-e-mail-address"
},
{
"type": "WEB",
"url": "https://next-auth.js.org/providers/email#normalizing-the-email-address"
},
{
"type": "WEB",
"url": "https://nodemailer.com/message/addresses"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "NextAuth.js before 4.10.3 and 3.29.10 sending verification requests (magic link) to unwanted emails"
}
GHSA-XVC2-6386-99X8
Vulnerability from github – Published: 2023-11-20 21:31 – Updated: 2023-11-27 18:31The myStickymenu WordPress plugin before 2.6.5 does not adequately authorize some ajax calls, allowing any logged-in user to perform the actions.
{
"affected": [],
"aliases": [
"CVE-2023-5509"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-20T19:15:09Z",
"severity": "MODERATE"
},
"details": "The myStickymenu WordPress plugin before 2.6.5 does not adequately authorize some ajax calls, allowing any logged-in user to perform the actions.",
"id": "GHSA-xvc2-6386-99x8",
"modified": "2023-11-27T18:31:12Z",
"published": "2023-11-20T21:31:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5509"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/3b33c262-e7f0-4310-b26d-4727d7c25c9d"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-XVHP-XJ53-P6H7
Vulnerability from github – Published: 2024-06-06 18:30 – Updated: 2024-06-06 18:30An improper access control vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, where an admin can update any organization user to the organization owner. This vulnerability allows the elevated user to delete projects within the organization. The issue is resolved in version 1.2.7.
{
"affected": [],
"aliases": [
"CVE-2024-3504"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-06T18:15:17Z",
"severity": "HIGH"
},
"details": "An improper access control vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, where an admin can update any organization user to the organization owner. This vulnerability allows the elevated user to delete projects within the organization. The issue is resolved in version 1.2.7.",
"id": "GHSA-xvhp-xj53-p6h7",
"modified": "2024-06-06T18:30:58Z",
"published": "2024-06-06T18:30:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3504"
},
{
"type": "WEB",
"url": "https://github.com/lunary-ai/lunary/commit/f7507f0949f6634f725ebb8da37c44f76542901f"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/97958fe4-be21-4b63-966f-8337c72c8e28"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.