CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5550 vulnerabilities reference this CWE, most recent first.
GHSA-CXRJ-66C5-9FMH
Vulnerability from github – Published: 2018-10-17 20:05 – Updated: 2024-03-14 21:08Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework:spring-core"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.5.RELEASE"
},
{
"fixed": "5.0.6.RELEASE"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"5.0.5.RELEASE"
]
}
],
"aliases": [
"CVE-2018-1258"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:33:19Z",
"nvd_published_at": "2018-05-11T20:29:00Z",
"severity": "HIGH"
},
"details": "Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted.",
"id": "GHSA-cxrj-66c5-9fmh",
"modified": "2024-03-14T21:08:21Z",
"published": "2018-10-17T20:05:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1258"
},
{
"type": "WEB",
"url": "https://github.com/spring-projects/spring-framework/commit/7b8fa90d96aaf751a3256fa755d5f17e081c20f1"
},
{
"type": "WEB",
"url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2020.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20200807033751/http://www.securitytracker.com/id/1041896"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20200807025819/http://www.securitytracker.com/id/1041888"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20200227032934/http://www.securityfocus.com/bid/104222"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20181018-0002"
},
{
"type": "WEB",
"url": "https://pivotal.io/security/cve-2018-1258"
},
{
"type": "PACKAGE",
"url": "https://github.com/spring-projects/spring-framework"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-cxrj-66c5-9fmh"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2413"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Spring Framework when used in combination with any versions of Spring Security contains an authorization bypass"
}
GHSA-F238-RGGP-82M3
Vulnerability from github – Published: 2025-05-29 22:36 – Updated: 2025-05-30 21:42Summary
A permission verification flaw in Navidrome allows any authenticated regular user to bypass authorization checks and perform administrator-only transcoding configuration operations, including creating, modifying, and deleting transcoding settings.
Details
Navidrome supports transcoding functionality which, although disabled by default, should restrict configuration operations to administrators only. However, the application fails to properly validate whether a user has administrative privileges when handling transcoding configuration requests.
The vulnerability exists in the API endpoints that manage transcoding settings. When a regular user sends requests to these endpoints, the application processes them without verifying if the user has administrative privileges, despite the JWT token clearly indicating the user is not an administrator ("adm":false).
The affected endpoints include:
- POST /api/transcoding (Create transcoding configuration)
- PUT /api/transcoding/:id (Update transcoding configuration)
- DELETE /api/transcoding/:id (Delete transcoding configuration)
- GET /api/transcoding (List transcoding configurations)
PoC
- Set up Navidrome with transcoding enabled
- Log in as a regular user (non-administrator)
- Send the following HTTP request:
POST /api/transcoding HTTP/1.1
Host: 192.168.199.134:4533
Content-Length: 81
x-nd-client-unique-id: e559d130-4295-401e-b65f-be7fdd564e
accept: application/json
x-nd-authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhZG0iOmZhbHNlLCJleHAiOjE3NDY2MzIyNDEsImlhdCI6MTc0NjQ1ODk5NiwiaXNzIjoiTkQiLCJzdWIiOiJ1c2VyMSIsInVpZCI6InV3THJGcWxXNHhnNEt4QjNxMk85eTYifQ.jqv2eESY8QTAHY-oLbBmO0v8IyDXrofvXqQgXSrJ6SM
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
content-type: application/json
Origin: http://192.168.199.134:4533
Referer: http://192.168.199.134:4533/app/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
{"defaultBitRate":192,"name":"trans6","command":"tran6","targetFormat":"tran6"}
- The request will succeed despite the JWT token clearly indicating the user is not an administrator (
"adm":false) - The same operation can be performed with administrator credentials, confirming that no authorization check is being performed
Impact
This vulnerability allows regular users to modify critical system configurations that should be restricted to administrators only. While Navidrome does not recommend enabling transcoding in production environments, when it is enabled, proper authorization checks should still be enforced.
The security impact includes: 1. Privilege Escalation: Regular users can perform administrator-only actions 2. System Configuration Tampering: Unauthorized users can modify transcoding settings, potentially affecting system performance or functionality 3. Potential Command Injection: Since transcoding settings include command parameters, this could potentially lead to command injection if not properly sanitized
In the threat model where administrators are trusted but regular users are not, this vulnerability represents a significant security risk when transcoding is enabled.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.55.2"
},
"package": {
"ecosystem": "Go",
"name": "github.com/navidrome/navidrome"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.56.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-48948"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2025-05-29T22:36:49Z",
"nvd_published_at": "2025-05-30T20:15:43Z",
"severity": "HIGH"
},
"details": "### Summary\nA permission verification flaw in Navidrome allows any authenticated regular user to bypass authorization checks and perform administrator-only transcoding configuration operations, including creating, modifying, and deleting transcoding settings.\n\n### Details\nNavidrome supports transcoding functionality which, although disabled by default, should restrict configuration operations to administrators only. However, the application fails to properly validate whether a user has administrative privileges when handling transcoding configuration requests.\n\nThe vulnerability exists in the API endpoints that manage transcoding settings. When a regular user sends requests to these endpoints, the application processes them without verifying if the user has administrative privileges, despite the JWT token clearly indicating the user is not an administrator (`\"adm\":false`).\n\nThe affected endpoints include:\n- `POST /api/transcoding` (Create transcoding configuration)\n- `PUT /api/transcoding/:id` (Update transcoding configuration)\n- `DELETE /api/transcoding/:id` (Delete transcoding configuration)\n- `GET /api/transcoding` (List transcoding configurations)\n\n### PoC\n1. Set up Navidrome with transcoding enabled\n2. Log in as a regular user (non-administrator)\n3. Send the following HTTP request:\n\n```\nPOST /api/transcoding HTTP/1.1\nHost: 192.168.199.134:4533\nContent-Length: 81\nx-nd-client-unique-id: e559d130-4295-401e-b65f-be7fdd564e\naccept: application/json\nx-nd-authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhZG0iOmZhbHNlLCJleHAiOjE3NDY2MzIyNDEsImlhdCI6MTc0NjQ1ODk5NiwiaXNzIjoiTkQiLCJzdWIiOiJ1c2VyMSIsInVpZCI6InV3THJGcWxXNHhnNEt4QjNxMk85eTYifQ.jqv2eESY8QTAHY-oLbBmO0v8IyDXrofvXqQgXSrJ6SM\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36\ncontent-type: application/json\nOrigin: http://192.168.199.134:4533\nReferer: http://192.168.199.134:4533/app/\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9\n\n{\"defaultBitRate\":192,\"name\":\"trans6\",\"command\":\"tran6\",\"targetFormat\":\"tran6\"}\n```\n\n4. The request will succeed despite the JWT token clearly indicating the user is not an administrator (`\"adm\":false`)\n5. The same operation can be performed with administrator credentials, confirming that no authorization check is being performed\n\n### Impact\nThis vulnerability allows regular users to modify critical system configurations that should be restricted to administrators only. While Navidrome does not recommend enabling transcoding in production environments, when it is enabled, proper authorization checks should still be enforced.\n\nThe security impact includes:\n1. **Privilege Escalation**: Regular users can perform administrator-only actions\n2. **System Configuration Tampering**: Unauthorized users can modify transcoding settings, potentially affecting system performance or functionality\n3. **Potential Command Injection**: Since transcoding settings include command parameters, this could potentially lead to command injection if not properly sanitized\n\nIn the threat model where administrators are trusted but regular users are not, this vulnerability represents a significant security risk when transcoding is enabled.",
"id": "GHSA-f238-rggp-82m3",
"modified": "2025-05-30T21:42:28Z",
"published": "2025-05-29T22:36:49Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/navidrome/navidrome/security/advisories/GHSA-f238-rggp-82m3"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48948"
},
{
"type": "WEB",
"url": "https://github.com/navidrome/navidrome/pull/4096"
},
{
"type": "WEB",
"url": "https://github.com/navidrome/navidrome/commit/e5438552c63fecb6284e1b179dddae91ede869c8"
},
{
"type": "PACKAGE",
"url": "https://github.com/navidrome/navidrome"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Navidrome Transcoding Permission Bypass Vulnerability Report"
}
GHSA-F263-C949-W85G
Vulnerability from github – Published: 2021-09-28 16:16 – Updated: 2021-09-28 16:17PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized. An attacker is able to obtain the authorization code using a malicious app on the client-side and use it to gain authorization to the protected resource. This affects the package com.google.oauth-client:google-oauth-client before 1.31.0.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.google.oauth-client:google-oauth-client"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.31.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-7692"
],
"database_specific": {
"cwe_ids": [
"CWE-862",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2021-09-28T16:16:34Z",
"nvd_published_at": "2020-07-09T14:15:00Z",
"severity": "HIGH"
},
"details": "PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized. An attacker is able to obtain the authorization code using a malicious app on the client-side and use it to gain authorization to the protected resource. This affects the package com.google.oauth-client:google-oauth-client before 1.31.0.",
"id": "GHSA-f263-c949-w85g",
"modified": "2021-09-28T16:17:25Z",
"published": "2021-09-28T16:16:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7692"
},
{
"type": "WEB",
"url": "https://github.com/googleapis/google-oauth-java-client/issues/469"
},
{
"type": "WEB",
"url": "https://github.com/googleapis/google-oauth-java-client/commit/13433cd7dd06267fc261f0b1d4764f8e3432c824"
},
{
"type": "PACKAGE",
"url": "https://github.com/googleapis/google-oauth-java-client"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r3db6ac73e0558d64f0b664f2fa4ef0a865e57c5de20f8321d3b48678@%3Ccommits.druid.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/reae8909b264d1103f321b9ce1623c10c1ddc77dba9790247f2c0c90f@%3Ccommits.druid.apache.org%3E"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEOAUTHCLIENT-575276"
},
{
"type": "WEB",
"url": "https://tools.ietf.org/html/rfc7636%23section-1"
},
{
"type": "WEB",
"url": "https://tools.ietf.org/html/rfc8252%23section-8.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Improper Authorization in Google OAuth Client"
}
GHSA-F275-5H5C-5WG5
Vulnerability from github – Published: 2026-03-31 15:31 – Updated: 2026-04-06 22:39Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-hc5h-pmr3-3497. This link is maintained to preserve external references.
Original Description
OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the /pair approve command path that fails to forward caller scopes into the core approval check. A caller with pairing privileges but without admin privileges can approve pending device requests asking for broader scopes including admin access by exploiting the missing scope validation in extensions/device-pair/index.ts and src/infra/device-pairing.ts.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.28"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-06T22:39:00Z",
"nvd_published_at": "2026-03-31T15:16:14Z",
"severity": "HIGH"
},
"details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-hc5h-pmr3-3497. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the /pair approve command path that fails to forward caller scopes into the core approval check. A caller with pairing privileges but without admin privileges can approve pending device requests asking for broader scopes including admin access by exploiting the missing scope validation in extensions/device-pair/index.ts and src/infra/device-pairing.ts.",
"id": "GHSA-f275-5h5c-5wg5",
"modified": "2026-04-06T22:39:00Z",
"published": "2026-03-31T15:31:56Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-hc5h-pmr3-3497"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33579"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/e403decb6e20091b5402780a7ccd2085f98aa3cd"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-missing-caller-scope-validation-in-device-pair-approval"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
],
"summary": "Duplicate Advisory: OpenClaw: /pair approve command path omitted caller scope subsetting and reopened device pairing escalation",
"withdrawn": "2026-04-06T22:39:00Z"
}
GHSA-F28H-HCXC-R39X
Vulnerability from github – Published: 2022-05-24 19:14 – Updated: 2022-05-24 19:14UReport 2.2.9 allows attackers to execute arbitrary code due to a lack of access control to the designer page.
{
"affected": [],
"aliases": [
"CVE-2020-21124"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-15T17:15:00Z",
"severity": "CRITICAL"
},
"details": "UReport 2.2.9 allows attackers to execute arbitrary code due to a lack of access control to the designer page.",
"id": "GHSA-f28h-hcxc-r39x",
"modified": "2022-05-24T19:14:38Z",
"published": "2022-05-24T19:14:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-21124"
},
{
"type": "WEB",
"url": "https://github.com/youseries/ureport/issues/484"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-F28V-QHMR-FHCX
Vulnerability from github – Published: 2025-07-15 21:31 – Updated: 2025-07-15 21:31Vulnerability in the Oracle Mobile Field Service product of Oracle E-Business Suite (component: Multiplatform Sync Errors). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Mobile Field Service. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Mobile Field Service accessible data as well as unauthorized access to critical data or complete access to all Oracle Mobile Field Service accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
{
"affected": [],
"aliases": [
"CVE-2025-30744"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-15T20:15:28Z",
"severity": "HIGH"
},
"details": "Vulnerability in the Oracle Mobile Field Service product of Oracle E-Business Suite (component: Multiplatform Sync Errors). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Mobile Field Service. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Mobile Field Service accessible data as well as unauthorized access to critical data or complete access to all Oracle Mobile Field Service accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).",
"id": "GHSA-f28v-qhmr-fhcx",
"modified": "2025-07-15T21:31:39Z",
"published": "2025-07-15T21:31:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30744"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujul2025.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F2FJ-CJ3G-RJ2X
Vulnerability from github – Published: 2021-11-18 00:00 – Updated: 2022-06-29 00:00Improper access control in the software installer for the Intel(R) Serial IO driver for Intel(R) NUC 11 Gen before version 30.100.2104.1 may allow an authenticated user to potentially enable escalation of privilege via local access.
{
"affected": [],
"aliases": [
"CVE-2021-33118"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-17T20:15:00Z",
"severity": "HIGH"
},
"details": "Improper access control in the software installer for the Intel(R) Serial IO driver for Intel(R) NUC 11 Gen before version 30.100.2104.1 may allow an authenticated user to potentially enable escalation of privilege via local access.",
"id": "GHSA-f2fj-cj3g-rj2x",
"modified": "2022-06-29T00:00:52Z",
"published": "2021-11-18T00:00:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33118"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00560.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F2G3-3C6Q-4478
Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2025-02-10 20:39Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect authorization vulnerability. A user can still access resources provisioned under their old role after an administrator removes the role or disables the user's account.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.4.0"
},
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.4.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/project-community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-24401"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2023-07-13T21:51:10Z",
"nvd_published_at": "2020-11-09T01:15:00Z",
"severity": "MODERATE"
},
"details": "Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect authorization vulnerability. A user can still access resources provisioned under their old role after an administrator removes the role or disables the user\u0027s account.",
"id": "GHSA-f2g3-3c6q-4478",
"modified": "2025-02-10T20:39:13Z",
"published": "2022-05-24T17:33:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24401"
},
{
"type": "PACKAGE",
"url": "https://github.com/magento/magento2"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/magento/apsb20-59.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Magento 2 Community Edition Incorrect Authorization"
}
GHSA-F2HR-7WR3-RHJ7
Vulnerability from github – Published: 2022-05-14 00:01 – Updated: 2022-05-24 00:00The Property module has a vulnerability in permission control.This vulnerability can be exploited to obtain the unique device identifier.
{
"affected": [],
"aliases": [
"CVE-2021-46785"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-13T15:15:00Z",
"severity": "MODERATE"
},
"details": "The Property module has a vulnerability in permission control.This vulnerability can be exploited to obtain the unique device identifier.",
"id": "GHSA-f2hr-7wr3-rhj7",
"modified": "2022-05-24T00:00:29Z",
"published": "2022-05-14T00:01:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46785"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2022/5"
},
{
"type": "WEB",
"url": "https://device.harmonyos.com/en/docs/security/update/security-bulletins-phones-202205-0000001245813162"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F2J6-WRHH-V25M
Vulnerability from github – Published: 2018-10-10 16:10 – Updated: 2024-10-09 20:55Paramiko version 2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8, 1.18.5, 1.17.6 contains a Incorrect Access Control vulnerability in SSH server that can result in RCE. This attack appear to be exploitable via network connectivity.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "paramiko"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "paramiko"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "paramiko"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "paramiko"
},
"ranges": [
{
"events": [
{
"introduced": "2.1.0"
},
{
"fixed": "2.1.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "paramiko"
},
"ranges": [
{
"events": [
{
"introduced": "1.5.1"
},
{
"fixed": "2.0.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-1000805"
],
"database_specific": {
"cwe_ids": [
"CWE-732",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:33:26Z",
"nvd_published_at": "2018-10-08T15:29:00Z",
"severity": "HIGH"
},
"details": "Paramiko version 2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8, 1.18.5, 1.17.6 contains a Incorrect Access Control vulnerability in SSH server that can result in RCE. This attack appear to be exploitable via network connectivity.",
"id": "GHSA-f2j6-wrhh-v25m",
"modified": "2024-10-09T20:55:50Z",
"published": "2018-10-10T16:10:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000805"
},
{
"type": "WEB",
"url": "https://github.com/paramiko/paramiko/issues/1283"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHBA-2018:3497"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:3347"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:3406"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:3505"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-f2j6-wrhh-v25m"
},
{
"type": "PACKAGE",
"url": "https://github.com/paramiko/paramiko"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/paramiko/PYSEC-2018-69.yaml"
},
{
"type": "WEB",
"url": "https://herolab.usd.de/wp-content/uploads/sites/4/usd20180023.txt"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/10/msg00018.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00025.html"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3796-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3796-2"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3796-3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Paramiko Authentication Bypass vulnerability"
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.