Common Weakness Enumeration

CWE-863

Allowed-with-Review

Incorrect Authorization

Abstraction: Class · Status: Incomplete

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

5504 vulnerabilities reference this CWE, most recent first.

GHSA-JP7H-4F3C-9RC7

Vulnerability from github – Published: 2025-10-23 16:01 – Updated: 2025-10-23 16:01
VLAI
Summary
OpenBao AWS Plugin Vulnerable to Cross-Account IAM Role Impersonation in AWS Auth Method
Details

Impact

This is a cross-account impersonation vulnerability in the auth-aws plugin. The vulnerability allows an IAM role from an untrusted AWS account to authenticate by impersonating a role with the same name in a trusted account, leading to unauthorized access.

This impacts all users of the auth-aws plugin who operate in a multi-account AWS environment where IAM role names may not be unique across accounts.

The core of the vulnerability is a flawed caching mechanism that fails to validate the AWS Account ID during authentication. While the use of wildcards in a bound_iam_principal_arn configuration significantly increases the attack surface, wildcards are not a prerequisite for exploitation. The vulnerability can be exploited with specific ARN bindings if a role name collision occurs.

Successful exploitation can lead to unauthorized access to secrets, data exfiltration, and privilege escalation. Given that the only prerequisite is a duplicate role name, the severity is considered high.

Patches

This vulnerability has been patched in version 0.1.1 of the auth-aws plugin. Users are advised to upgrade to version 0.1.1 or later to remediate this vulnerability.

Workarounds

For users who are unable to upgrade to version 0.1.1 immediately, the most effective workaround is to guarantee that IAM role names are unique across all AWS accounts that could potentially interact with your OpenBao environment. This is the most critical mitigation step.

Primary Mitigation: Audit your AWS organizations to identify and rename any duplicate IAM role names. Enforce a naming convention that includes account-specific identifiers to prevent future collisions.

While removing wildcards from your bound_iam_principal_arn configuration is still recommended as a security best practice, it will not mitigate this vulnerability if duplicate role names exist.

Credits

This vulnerability was discovered and reported by Pavlos Karakalidis

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.1.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/openbao/openbao-plugins"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-59048"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-694",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-23T16:01:27Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\nThis is a cross-account impersonation vulnerability in the `auth-aws` plugin. The vulnerability allows an IAM role from an untrusted AWS account to authenticate by impersonating a role with the **same name** in a trusted account, leading to unauthorized access.\n\nThis impacts all users of the `auth-aws` plugin who operate in a multi-account AWS environment where IAM role names may not be unique across accounts.\n\nThe core of the vulnerability is a flawed caching mechanism that fails to validate the AWS Account ID during authentication. While the use of wildcards in a `bound_iam_principal_arn configuration` significantly increases the attack surface, **wildcards are not a prerequisite for exploitation**. The vulnerability can be exploited with specific ARN bindings if a role name collision occurs.\n\nSuccessful exploitation can lead to unauthorized access to secrets, data exfiltration, and privilege escalation. Given that the only prerequisite is a duplicate role name, the severity is considered **high**.\n\n### Patches\nThis vulnerability has been patched in version **0.1.1** of the `auth-aws` plugin.\nUsers are advised to upgrade to version **0.1.1** or later to remediate this vulnerability.\n\n### Workarounds\nFor users who are unable to upgrade to version **0.1.1** immediately, the most effective workaround is to **guarantee that IAM role names are unique across all AWS accounts** that could potentially interact with your OpenBao environment. This is the most critical mitigation step.\n\n**Primary Mitigation**: Audit your AWS organizations to identify and rename any duplicate IAM role names. Enforce a naming convention that includes account-specific identifiers to prevent future collisions.\n\nWhile removing wildcards from your `bound_iam_principal_arn` configuration is still recommended as a security best practice, it **will not** mitigate this vulnerability if duplicate role names exist.\n\n### Credits\nThis vulnerability was discovered and reported by [Pavlos Karakalidis](https://github.com/pkarakal/)",
  "id": "GHSA-jp7h-4f3c-9rc7",
  "modified": "2025-10-23T16:01:27Z",
  "published": "2025-10-23T16:01:27Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openbao/openbao-plugins/security/advisories/GHSA-jp7h-4f3c-9rc7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openbao/openbao-plugins/commit/2a77af36834746ca6d3ac9bd1049154c84b3efae"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openbao/openbao-plugins"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenBao AWS Plugin Vulnerable to Cross-Account IAM Role Impersonation in AWS Auth Method"
}

GHSA-JP94-W382-QGWR

Vulnerability from github – Published: 2024-04-17 00:30 – Updated: 2024-04-17 00:30
VLAI
Details

Vulnerability in the Oracle Hospitality Simphony product of Oracle Food and Beverage Applications (component: Simphony Enterprise Server). Supported versions that are affected are 19.1.0-19.5.4. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Hospitality Simphony. While the vulnerability is in Oracle Hospitality Simphony, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Hospitality Simphony. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-21010"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-16T22:15:15Z",
    "severity": "CRITICAL"
  },
  "details": "Vulnerability in the Oracle Hospitality Simphony product of Oracle Food and Beverage Applications (component: Simphony Enterprise Server).  Supported versions that are affected are 19.1.0-19.5.4. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Hospitality Simphony.  While the vulnerability is in Oracle Hospitality Simphony, attacks may significantly impact additional products (scope change).  Successful attacks of this vulnerability can result in takeover of Oracle Hospitality Simphony. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).",
  "id": "GHSA-jp94-w382-qgwr",
  "modified": "2024-04-17T00:30:54Z",
  "published": "2024-04-17T00:30:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21010"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuapr2024.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JPF7-FXP6-98PF

Vulnerability from github – Published: 2022-05-24 19:21 – Updated: 2022-05-24 19:21
VLAI
Details

Dell EMC Networker versions prior to 19.5 contain an Improper Authorization vulnerability. Any local malicious user with networker user privileges may exploit this vulnerability to upload malicious file to unauthorized locations and execute it.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-36311"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-11-23T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "Dell EMC Networker versions prior to 19.5 contain an Improper Authorization vulnerability. Any local malicious user with networker user privileges may exploit this vulnerability to upload malicious file to unauthorized locations and execute it.",
  "id": "GHSA-jpf7-fxp6-98pf",
  "modified": "2022-05-24T19:21:13Z",
  "published": "2022-05-24T19:21:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36311"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/000192419"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JPF9-QWFV-JPP5

Vulnerability from github – Published: 2022-08-17 00:00 – Updated: 2022-08-18 00:00
VLAI
Details

Sequi PortBloque S has an improper authorization vulnerability, which may allow a low-privileged user to perform administrative functions using specifically crafted requests.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-2661"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-16T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "Sequi PortBloque S has an improper authorization vulnerability, which may allow a low-privileged user to perform administrative functions using specifically crafted requests.",
  "id": "GHSA-jpf9-qwfv-jpp5",
  "modified": "2022-08-18T00:00:17Z",
  "published": "2022-08-17T00:00:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2661"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-228-07"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JPQF-F2V3-PX9W

Vulnerability from github – Published: 2022-05-24 19:20 – Updated: 2022-10-06 18:52
VLAI
Details

A certain template role in SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, contains transport authorizations, which exceed expected display only permissions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-40504"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-11-10T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A certain template role in SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, contains transport authorizations, which exceed expected display only permissions.",
  "id": "GHSA-jpqf-f2v3-px9w",
  "modified": "2022-10-06T18:52:11Z",
  "published": "2022-05-24T19:20:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40504"
    },
    {
      "type": "WEB",
      "url": "https://launchpad.support.sap.com/#/notes/3105728"
    },
    {
      "type": "WEB",
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JQ88-5P5W-X8C3

Vulnerability from github – Published: 2022-05-24 16:56 – Updated: 2024-04-04 02:00
VLAI
Details

OpenID Connect Issuer in LemonLDAP::NG 2.x through 2.0.5 may allow an attacker to bypass access control rules via a crafted OpenID Connect authorization request. To be vulnerable, there must exist an OIDC Relaying party within the LemonLDAP configuration with weaker access control rules than the target RP, and no filtering on redirection URIs.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-15941"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-09-25T20:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "OpenID Connect Issuer in LemonLDAP::NG 2.x through 2.0.5 may allow an attacker to bypass access control rules via a crafted OpenID Connect authorization request. To be vulnerable, there must exist an OIDC Relaying party within the LemonLDAP configuration with weaker access control rules than the target RP, and no filtering on redirection URIs.",
  "id": "GHSA-jq88-5p5w-x8c3",
  "modified": "2024-04-04T02:00:11Z",
  "published": "2022-05-24T16:56:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-15941"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1881"
    },
    {
      "type": "WEB",
      "url": "https://projects.ow2.org/view/lemonldap-ng/lemonldap-ng-2-0-6-is-out"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/bugtraq/2019/Sep/46"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2019/dsa-4533"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JQ8V-8C7P-26P2

Vulnerability from github – Published: 2022-05-24 17:37 – Updated: 2022-05-24 17:37
VLAI
Details

IBM Automation Workstream Services 19.0.3, 20.0.1, 20.0.2, IBM Business Automation Workflow 18.0, 19.0, and 20.0 and IBM Business Process Manager 8.6 could allow an authenticated user to obtain sensitive information or cuase a denial of service due to iimproper authorization checking. IBM X-Force ID: 189445.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-4794"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-12-21T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM Automation Workstream Services 19.0.3, 20.0.1, 20.0.2, IBM Business Automation Workflow 18.0, 19.0, and 20.0 and IBM Business Process Manager 8.6 could allow an authenticated user to obtain sensitive information or cuase a denial of service due to iimproper authorization checking. IBM X-Force ID: 189445.",
  "id": "GHSA-jq8v-8c7p-26p2",
  "modified": "2022-05-24T17:37:11Z",
  "published": "2022-05-24T17:37:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4794"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/189445"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6359463"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-JQ92-QVF9-X3JX

Vulnerability from github – Published: 2022-03-31 00:00 – Updated: 2022-04-06 00:01
VLAI
Details

In Settings, there is a possible way to read Bluetooth device names without proper permissions due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-172838801

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-39751"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-30T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In Settings, there is a possible way to read Bluetooth device names without proper permissions due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-172838801",
  "id": "GHSA-jq92-qvf9-x3jx",
  "modified": "2022-04-06T00:01:54Z",
  "published": "2022-03-31T00:00:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39751"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/android-12l"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JQ9F-GM9W-RWM9

Vulnerability from github – Published: 2026-02-05 21:46 – Updated: 2026-02-06 19:07
VLAI
Summary
OpenFGA Improper Policy Enforcement
Details

Impact

OpenFGA v1.8.5 to v1.11.2 ( openfga-0.2.22 <= Helm chart <= openfga-0.2.51, v.1.8.5 <= docker <= v.1.11.2) are vulnerable to improper policy enforcement when certain Check calls are executed.

Affected Users

Users are affected by this vulnerability if all of the following preconditions are met: - OpenFGA v1.8.5 to v1.11.2 is being used - The model has a relation directly assignable by a type bound public access and assignable by type bound non-public access - A tuple is assigned for the relation that is a type bound public access - A tuple is assigned for the same object with the same relation that is not type bound public access - A tuple is assigned for a different object that has an object ID lexicographically larger with the same user and relation which is not type bound public access

Fix

Upgrade to v1.11.3. This upgrade is backwards compatible.

Workaround

None

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.11.2"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/openfga/openfga"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.8.5"
            },
            {
              "fixed": "1.11.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-24851"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-05T21:46:41Z",
    "nvd_published_at": "2026-02-06T18:15:58Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nOpenFGA v1.8.5 to v1.11.2 ( openfga-0.2.22 \u003c= Helm chart \u003c= openfga-0.2.51, v.1.8.5 \u003c= docker \u003c= v.1.11.2) are vulnerable to improper policy enforcement when certain Check calls are executed.\n\n\n### Affected Users\nUsers are affected by this vulnerability if all of the following preconditions are met:\n- OpenFGA v1.8.5 to v1.11.2 is being used\n- The model has a relation directly assignable by a [type bound public access](https://openfga.dev/docs/concepts#what-is-type-bound-public-access) and assignable by type bound non-public access\n- A tuple is assigned for the relation that is a type bound public access\n- A tuple is assigned for the same object with the same relation that is not type bound public access\n- A tuple is assigned for a different object that has an object ID lexicographically larger with the same user and relation which is not type bound public access\n\n\n### Fix\nUpgrade to v1.11.3. This upgrade is backwards compatible.\n\n### Workaround\nNone",
  "id": "GHSA-jq9f-gm9w-rwm9",
  "modified": "2026-02-06T19:07:06Z",
  "published": "2026-02-05T21:46:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openfga/openfga/security/advisories/GHSA-jq9f-gm9w-rwm9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24851"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openfga/openfga/commit/1bb5eddf4a3d2fc718aab7914b8f9a1200d2f7ee"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openfga/openfga"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openfga/openfga/releases/tag/v1.11.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenFGA Improper Policy Enforcement"
}

GHSA-JQF5-5C3V-WJ97

Vulnerability from github – Published: 2022-05-24 17:28 – Updated: 2022-05-24 17:28
VLAI
Details

A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. Due to improper verification of permissions, an unauthorized user can access a private repository within a public project.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-13303"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-09-15T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. Due to improper verification of permissions, an unauthorized user can access a private repository within a public project.",
  "id": "GHSA-jqf5-5c3v-wj97",
  "modified": "2022-05-24T17:28:16Z",
  "published": "2022-05-24T17:28:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13303"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/962231"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13303.json"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/238887"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

No CAPEC attack patterns related to this CWE.