CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5537 vulnerabilities reference this CWE, most recent first.
CVE-2025-31481 (GCVE-0-2025-31481)
Vulnerability from cvelistv5 – Published: 2025-04-03 19:20 – Updated: 2025-04-08 13:14- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://github.com/api-platform/core/security/adv… | x_refsource_CONFIRM |
| https://github.com/api-platform/core/commit/55712… | x_refsource_MISC |
| https://github.com/api-platform/core/commit/60747… | x_refsource_MISC |
| https://github.com/api-platform/core/releases/tag… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| api-platform | core |
Affected:
>= 4.0.0, < 4.0.22
Affected: < 3.4.17 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-31481",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-03T19:39:57.000917Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-03T19:40:10.582Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "core",
"vendor": "api-platform",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.0.22"
},
{
"status": "affected",
"version": "\u003c 3.4.17"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Using the Relay special node type you can bypass the configured security on an operation. This vulnerability is fixed in 4.0.22 and 3.4.17."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-08T13:14:36.379Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/api-platform/core/security/advisories/GHSA-cg3c-245w-728m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/api-platform/core/security/advisories/GHSA-cg3c-245w-728m"
},
{
"name": "https://github.com/api-platform/core/commit/55712452b4f630978537bdb2a07dc958202336bb",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/api-platform/core/commit/55712452b4f630978537bdb2a07dc958202336bb"
},
{
"name": "https://github.com/api-platform/core/commit/60747cc8c2fb855798c923b5537888f8d0969568",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/api-platform/core/commit/60747cc8c2fb855798c923b5537888f8d0969568"
},
{
"name": "https://github.com/api-platform/core/releases/tag/v3.4.17",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/api-platform/core/releases/tag/v3.4.17"
}
],
"source": {
"advisory": "GHSA-cg3c-245w-728m",
"discovery": "UNKNOWN"
},
"title": "GraphQL query operations security can be bypassed"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-31481",
"datePublished": "2025-04-03T19:20:22.916Z",
"dateReserved": "2025-03-28T13:36:51.297Z",
"dateUpdated": "2025-04-08T13:14:36.379Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-31331 (GCVE-0-2025-31331)
Vulnerability from cvelistv5 – Published: 2025-04-08 07:15 – Updated: 2025-04-08 13:15- CWE-863 - Incorrect Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| SAP_SE | SAP NetWeaver |
Affected:
SAP_ABA 700
Affected: 701 Affected: 702 Affected: 731 Affected: 740 Affected: 750 Affected: 751 Affected: 752 Affected: 75C Affected: 75D Affected: 75E Affected: 75F Affected: 75G Affected: 75H Affected: 75I |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-31331",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-08T13:15:47.307694Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-08T13:15:55.752Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP NetWeaver",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "SAP_ABA 700"
},
{
"status": "affected",
"version": "701"
},
{
"status": "affected",
"version": "702"
},
{
"status": "affected",
"version": "731"
},
{
"status": "affected",
"version": "740"
},
{
"status": "affected",
"version": "750"
},
{
"status": "affected",
"version": "751"
},
{
"status": "affected",
"version": "752"
},
{
"status": "affected",
"version": "75C"
},
{
"status": "affected",
"version": "75D"
},
{
"status": "affected",
"version": "75E"
},
{
"status": "affected",
"version": "75F"
},
{
"status": "affected",
"version": "75G"
},
{
"status": "affected",
"version": "75H"
},
{
"status": "affected",
"version": "75I"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSAP NetWeaver allows an attacker to bypass authorization checks, enabling them to view portions of ABAP code that would normally require additional validation. Once logged into the ABAP system, the attacker can run a specific transaction that exposes sensitive system code without proper authorization. This vulnerability compromises the confidentiality.\u003c/p\u003e"
}
],
"value": "SAP NetWeaver allows an attacker to bypass authorization checks, enabling them to view portions of ABAP code that would normally require additional validation. Once logged into the ABAP system, the attacker can run a specific transaction that exposes sensitive system code without proper authorization. This vulnerability compromises the confidentiality."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "eng",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-08T07:15:23.750Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://me.sap.com/notes/3577131"
},
{
"url": "https://url.sap/sapsecuritypatchday"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Authorization Bypass vulnerability in SAP NetWeaver",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2025-31331",
"datePublished": "2025-04-08T07:15:23.750Z",
"dateReserved": "2025-03-27T23:02:06.907Z",
"dateUpdated": "2025-04-08T13:15:55.752Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-30741 (GCVE-0-2025-30741)
Vulnerability from cvelistv5 – Published: 2025-03-25 00:00 – Updated: 2025-03-26 14:44- CWE-863 - Incorrect Authorization
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30741",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-26T14:43:56.787673Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-26T14:44:04.018Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pixelfed",
"vendor": "Pixelfed",
"versions": [
{
"lessThan": "0.12.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pixelfed:pixelfed:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.12.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Pixelfed before 0.12.5 allows anyone to follow private accounts and see private posts on other Fediverse servers. This affects users elsewhere in the Fediverse, if they otherwise have any followers from a Pixelfed instance."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-25T20:57:41.881Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://fokus.cool/2025/03/25/pixelfed-vulnerability.html"
},
{
"url": "https://github.com/pixelfed/pixelfed/releases/tag/v0.12.5"
},
{
"url": "https://mastodon.social/@pixelfed/114215925957179498"
},
{
"url": "https://news.ycombinator.com/item?id=43474425"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-30741",
"datePublished": "2025-03-25T00:00:00.000Z",
"dateReserved": "2025-03-25T00:00:00.000Z",
"dateUpdated": "2025-03-26T14:44:04.018Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-30209 (GCVE-0-2025-30209)
Vulnerability from cvelistv5 – Published: 2025-03-31 15:53 – Updated: 2025-03-31 18:19- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://github.com/Enalean/tuleap/security/adviso… | x_refsource_CONFIRM |
| https://github.com/Enalean/tuleap/commit/34af2d5d… | x_refsource_MISC |
| https://tuleap.net/plugins/git/tuleap/tuleap/stab… | x_refsource_MISC |
| https://tuleap.net/plugins/tracker/?aid=42251 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30209",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-31T18:19:28.519330Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T18:19:35.993Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "tuleap",
"vendor": "Enalean",
"versions": [
{
"status": "affected",
"version": "\u003c 16.5.99.1742812323"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tuleap is an Open Source Suite to improve management of software developments and collaboration. An attacker can access release notes content or information via the FRS REST endpoints it should not have access to. This vulnerability is fixed in Tuleap Community Edition 16.5.99.1742812323 and Tuleap Enterprise Edition 16.5-6 and 16.4-10."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T15:53:46.455Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Enalean/tuleap/security/advisories/GHSA-hcp5-pmpm-mgwh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Enalean/tuleap/security/advisories/GHSA-hcp5-pmpm-mgwh"
},
{
"name": "https://github.com/Enalean/tuleap/commit/34af2d5d10b0349967129f53427f495815e5bbcc",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Enalean/tuleap/commit/34af2d5d10b0349967129f53427f495815e5bbcc"
},
{
"name": "https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit\u0026h=34af2d5d10b0349967129f53427f495815e5bbcc",
"tags": [
"x_refsource_MISC"
],
"url": "https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit\u0026h=34af2d5d10b0349967129f53427f495815e5bbcc"
},
{
"name": "https://tuleap.net/plugins/tracker/?aid=42251",
"tags": [
"x_refsource_MISC"
],
"url": "https://tuleap.net/plugins/tracker/?aid=42251"
}
],
"source": {
"advisory": "GHSA-hcp5-pmpm-mgwh",
"discovery": "UNKNOWN"
},
"title": "Tuleap has improper permission handling in the REST endpoints and release notes display of the FRS plugin"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-30209",
"datePublished": "2025-03-31T15:53:46.455Z",
"dateReserved": "2025-03-18T18:15:13.849Z",
"dateUpdated": "2025-03-31T18:19:35.993Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-30179 (GCVE-0-2025-30179)
Vulnerability from cvelistv5 – Published: 2025-03-21 08:24 – Updated: 2025-03-21 17:27- CWE-863 - Incorrect Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost |
Affected:
10.4.0 , ≤ 10.4.2
(semver)
Affected: 10.3.0 , ≤ 10.3.3 (semver) Affected: 9.11.0 , ≤ 9.11.8 (semver) Unaffected: 10.5.0 Unaffected: 10.4.3 Unaffected: 10.3.4 Unaffected: 9.11.9 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30179",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-21T17:27:22.831583Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-21T17:27:31.203Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "10.4.2",
"status": "affected",
"version": "10.4.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.3.3",
"status": "affected",
"version": "10.3.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.11.8",
"status": "affected",
"version": "9.11.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "10.5.0"
},
{
"status": "unaffected",
"version": "10.4.3"
},
{
"status": "unaffected",
"version": "10.3.4"
},
{
"status": "unaffected",
"version": "9.11.9"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "A_osman123"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost versions 10.4.x \u0026lt;= 10.4.2, 10.3.x \u0026lt;= 10.3.3, 9.11.x \u0026lt;= 9.11.8 fail to enforce MFA on certain search APIs, which allows authenticated attackers to bypass MFA protections via user search, channel search, or team search queries.\u003c/p\u003e"
}
],
"value": "Mattermost versions 10.4.x \u003c= 10.4.2, 10.3.x \u003c= 10.3.3, 9.11.x \u003c= 9.11.8 fail to enforce MFA on certain search APIs, which allows authenticated attackers to bypass MFA protections via user search, channel search, or team search queries."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-21T08:24:57.929Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost to versions 10.5.0, 10.4.3, 10.3.4, 9.11.9 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost to versions 10.5.0, 10.4.3, 10.3.4, 9.11.9 or higher."
}
],
"source": {
"advisory": "MMSA-2025-00422",
"defect": [
"https://mattermost.atlassian.net/browse/MM-62501"
],
"discovery": "EXTERNAL"
},
"title": "MFA Enforcement Bypass in Search APIs",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2025-30179",
"datePublished": "2025-03-21T08:24:57.929Z",
"dateReserved": "2025-03-20T08:20:28.171Z",
"dateUpdated": "2025-03-21T17:27:31.203Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-30171 (GCVE-0-2025-30171)
Vulnerability from cvelistv5 – Published: 2025-05-22 17:41 – Updated: 2025-05-22 18:12- CWE-863 - Incorrect Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| ABB | ASPECT-Enterprise |
Affected:
0 , ≤ 3.08.03
(custom)
|
|
| ABB | NEXUS Series |
Affected:
0 , ≤ 3.08.03
(custom)
|
|
| ABB | MATRIX Series |
Affected:
0 , ≤ 3.08.03
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30171",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-22T18:11:55.520599Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-22T18:12:01.186Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"platforms": [
"Linux"
],
"product": "ASPECT-Enterprise",
"vendor": "ABB",
"versions": [
{
"lessThanOrEqual": "3.08.03",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"platforms": [
"Linux"
],
"product": "NEXUS Series",
"vendor": "ABB",
"versions": [
{
"lessThanOrEqual": "3.08.03",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"platforms": [
"Linux"
],
"product": "MATRIX Series",
"vendor": "ABB",
"versions": [
{
"lessThanOrEqual": "3.08.03",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "System File Deletion vulnerabilities in ASPECT provide attackers access to delete system files if session administrator credentials become compromised.\u003cbr\u003e\u003cp\u003eThis issue affects ASPECT-Enterprise: through 3.08.03; NEXUS Series: through 3.08.03; MATRIX Series: through 3.08.03.\u003c/p\u003e"
}
],
"value": "System File Deletion vulnerabilities in ASPECT provide attackers access to delete system files if session administrator credentials become compromised.\nThis issue affects ASPECT-Enterprise: through 3.08.03; NEXUS Series: through 3.08.03; MATRIX Series: through 3.08.03."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "USER",
"Safety": "NEGLIGIBLE",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "CONCENTRATED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H/S:N/AU:N/R:U/V:C",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-22T17:41:18.754Z",
"orgId": "2b718523-d88f-4f37-9bbd-300c20644bf9",
"shortName": "ABB"
},
"references": [
{
"url": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK108471A0021\u0026LanguageCode=en\u0026DocumentPartId=pdf\u0026Action=Launch"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Admin Authorized System File Deletion",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2b718523-d88f-4f37-9bbd-300c20644bf9",
"assignerShortName": "ABB",
"cveId": "CVE-2025-30171",
"datePublished": "2025-05-22T17:41:18.754Z",
"dateReserved": "2025-03-17T13:06:41.480Z",
"dateUpdated": "2025-05-22T18:12:01.186Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-30163 (GCVE-0-2025-30163)
Vulnerability from cvelistv5 – Published: 2025-03-24 18:46 – Updated: 2025-03-24 19:29- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://github.com/cilium/cilium/security/advisor… | x_refsource_CONFIRM |
| https://github.com/cilium/cilium/pull/36657 | x_refsource_MISC |
| https://docs.cilium.io/en/stable/security/policy/… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30163",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-24T19:29:35.777701Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-24T19:29:46.075Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cilium",
"vendor": "cilium",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.16.0, \u003c 1.16.8"
},
{
"status": "affected",
"version": "\u003e= 1.17.0, \u003c 1.17.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Node based network policies (`fromNodes` and `toNodes`) will incorrectly permit traffic to/from non-node endpoints that share the labels specified in `fromNodes` and `toNodes` sections of network policies. Node based network policy is disabled by default in Cilium. This issue affects: Cilium v1.16 between v1.16.0 and v1.16.7 inclusive and v1.17 between v1.17.0 and v1.17.1 inclusive. This issue is fixed in Cilium v1.16.8 and v1.17.2. Users can work around this issue by ensuring that the labels used in `fromNodes` and `toNodes` fields are used exclusively by nodes and not by other endpoints."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.4,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-24T18:46:35.407Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/cilium/cilium/security/advisories/GHSA-c6pf-2v8j-96mc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/cilium/cilium/security/advisories/GHSA-c6pf-2v8j-96mc"
},
{
"name": "https://github.com/cilium/cilium/pull/36657",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cilium/cilium/pull/36657"
},
{
"name": "https://docs.cilium.io/en/stable/security/policy/language/#node-based",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.cilium.io/en/stable/security/policy/language/#node-based"
}
],
"source": {
"advisory": "GHSA-c6pf-2v8j-96mc",
"discovery": "UNKNOWN"
},
"title": "Node based network policies may incorrectly allow workload traffic"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-30163",
"datePublished": "2025-03-24T18:46:35.407Z",
"dateReserved": "2025-03-17T12:41:42.567Z",
"dateUpdated": "2025-03-24T19:29:46.075Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-30162 (GCVE-0-2025-30162)
Vulnerability from cvelistv5 – Published: 2025-03-24 18:44 – Updated: 2025-03-24 19:30- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://github.com/cilium/cilium/security/advisor… | x_refsource_CONFIRM |
| https://github.com/cilium/proxy/pull/1172 | x_refsource_MISC |
| https://docs.cilium.io/en/stable/network/lb-ipam | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30162",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-24T19:30:05.274525Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-24T19:30:18.385Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cilium",
"vendor": "cilium",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.16.0, \u003c 1.16.8"
},
{
"status": "affected",
"version": "\u003e= 1.17.0, \u003c 1.17.2"
},
{
"status": "affected",
"version": "\u003e= 1.15.0, \u003c 1.15.15"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For Cilium users who use Gateway API for Ingress for some services and use LB-IPAM or BGP for LB Service implementation and use network policies to block egress traffic from workloads in a namespace to workloads in other namespaces, egress traffic from workloads covered by such network policies to LoadBalancers configured by `Gateway` resources will incorrectly be allowed. LoadBalancer resources not deployed via a Gateway API configuration are not affected by this issue. This issue affects: Cilium v1.15 between v1.15.0 and v1.15.14 inclusive, v1.16 between v1.16.0 and v1.16.7 inclusive, and v1.17 between v1.17.0 and v1.17.1 inclusive. This issue is fixed in Cilium v1.15.15, v1.16.8, and v1.17.2. A Clusterwide Cilium Network Policy can be used to work around this issue for users who are unable to upgrade."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.2,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-24T18:44:07.927Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/cilium/cilium/security/advisories/GHSA-24qp-4xx8-3jvj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/cilium/cilium/security/advisories/GHSA-24qp-4xx8-3jvj"
},
{
"name": "https://github.com/cilium/proxy/pull/1172",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cilium/proxy/pull/1172"
},
{
"name": "https://docs.cilium.io/en/stable/network/lb-ipam",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.cilium.io/en/stable/network/lb-ipam"
}
],
"source": {
"advisory": "GHSA-24qp-4xx8-3jvj",
"discovery": "UNKNOWN"
},
"title": "East-west traffic not subject to egress policy enforcement for requests via Gateway API load balancers"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-30162",
"datePublished": "2025-03-24T18:44:07.927Z",
"dateReserved": "2025-03-17T12:41:42.567Z",
"dateUpdated": "2025-03-24T19:30:18.385Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-30155 (GCVE-0-2025-30155)
Vulnerability from cvelistv5 – Published: 2025-03-31 15:58 – Updated: 2025-03-31 18:18- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://github.com/Enalean/tuleap/security/adviso… | x_refsource_CONFIRM |
| https://github.com/Enalean/tuleap/commit/0921df3a… | x_refsource_MISC |
| https://tuleap.net/plugins/git/tuleap/tuleap/stab… | x_refsource_MISC |
| https://tuleap.net/plugins/tracker/?aid=42237 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30155",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-31T18:18:05.404015Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T18:18:13.265Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "tuleap",
"vendor": "Enalean",
"versions": [
{
"status": "affected",
"version": "\u003c 16.5.99.1742392651"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tuleap is an Open Source Suite to improve management of software developments and collaboration. Tuleap does not enforce read permissions on parent trackers in the REST API. This vulnerability is fixed in Tuleap Community Edition 16.5.99.1742392651 and Tuleap Enterprise Edition 16.5-5 and 16.4-8."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T15:58:30.058Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Enalean/tuleap/security/advisories/GHSA-6hr4-h6px-7ppg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Enalean/tuleap/security/advisories/GHSA-6hr4-h6px-7ppg"
},
{
"name": "https://github.com/Enalean/tuleap/commit/0921df3a1c1aa20fc359b373f001a77c43b1b726",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Enalean/tuleap/commit/0921df3a1c1aa20fc359b373f001a77c43b1b726"
},
{
"name": "https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit\u0026h=0921df3a1c1aa20fc359b373f001a77c43b1b726",
"tags": [
"x_refsource_MISC"
],
"url": "https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit\u0026h=0921df3a1c1aa20fc359b373f001a77c43b1b726"
},
{
"name": "https://tuleap.net/plugins/tracker/?aid=42237",
"tags": [
"x_refsource_MISC"
],
"url": "https://tuleap.net/plugins/tracker/?aid=42237"
}
],
"source": {
"advisory": "GHSA-6hr4-h6px-7ppg",
"discovery": "UNKNOWN"
},
"title": "Tuleap does not enforce read permissions on parent trackers in the REST API"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-30155",
"datePublished": "2025-03-31T15:58:30.058Z",
"dateReserved": "2025-03-17T12:41:42.566Z",
"dateUpdated": "2025-03-31T18:18:13.265Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-30074 (GCVE-0-2025-30074)
Vulnerability from cvelistv5 – Published: 2025-03-16 00:00 – Updated: 2025-03-17 16:03- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://kb.parallels.com/en/130944 |
| Vendor | Product | Version | |
|---|---|---|---|
| Parallels | Parallels Desktop |
Affected:
19.3.1 , < 19.4.2
(semver)
Affected: 20.0.0 , < 20.2.2 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30074",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-17T16:03:24.386795Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-17T16:03:47.139Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Parallels Desktop",
"vendor": "Parallels",
"versions": [
{
"lessThan": "19.4.2",
"status": "affected",
"version": "19.3.1",
"versionType": "semver"
},
{
"lessThan": "20.2.2",
"status": "affected",
"version": "20.0.0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:parallels:parallels_desktop:*:*:*:*:*:*:*:*",
"versionEndExcluding": "19.4.2",
"versionStartIncluding": "19.3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:parallels:parallels_desktop:*:*:*:*:*:*:*:*",
"versionEndExcluding": "20.2.2",
"versionStartIncluding": "20.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Alludo Parallels Desktop before 19.4.2 and 20.x before 20.2.2 for macOS on Intel platforms allows privilege escalation to root via the VM creation routine."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-16T02:19:41.913Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://kb.parallels.com/en/130944"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-30074",
"datePublished": "2025-03-16T00:00:00.000Z",
"dateReserved": "2025-03-16T00:00:00.000Z",
"dateUpdated": "2025-03-17T16:03:47.139Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.