Common Weakness Enumeration

CWE-863

Allowed-with-Review

Incorrect Authorization

Abstraction: Class · Status: Incomplete

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

5548 vulnerabilities reference this CWE, most recent first.

GHSA-F7P4-692G-F4W7

Vulnerability from github – Published: 2022-05-13 01:21 – Updated: 2022-05-13 01:21
VLAI
Details

A security feature bypass vulnerability exists when Microsoft browsers improperly handle requests of different origins, aka 'Microsoft Browsers Security Feature Bypass Vulnerability'.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-0762"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-04-09T02:29:00Z",
    "severity": "MODERATE"
  },
  "details": "A security feature bypass vulnerability exists when Microsoft browsers improperly handle requests of different origins, aka \u0027Microsoft Browsers Security Feature Bypass Vulnerability\u0027.",
  "id": "GHSA-f7p4-692g-f4w7",
  "modified": "2022-05-13T01:21:32Z",
  "published": "2022-05-13T01:21:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0762"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0762"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F7WF-M2QG-R9RX

Vulnerability from github – Published: 2025-08-29 18:30 – Updated: 2025-10-22 00:33
VLAI
Details

Incomplete authorization of linked device synchronization messages in WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78 could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target’s device. We assess that this vulnerability, in combination with an OS-level vulnerability on Apple platforms (CVE-2025-43300), may have been exploited in a sophisticated attack against specific targeted users.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-55177"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-29T16:15:36Z",
    "severity": "HIGH"
  },
  "details": "Incomplete authorization of linked device synchronization messages in WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78 could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target\u2019s device. We assess that this vulnerability, in combination with an OS-level vulnerability on Apple platforms (CVE-2025-43300), may have been exploited in a sophisticated attack against specific targeted users.",
  "id": "GHSA-f7wf-m2qg-r9rx",
  "modified": "2025-10-22T00:33:20Z",
  "published": "2025-08-29T18:30:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55177"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55177"
    },
    {
      "type": "WEB",
      "url": "https://www.facebook.com/security/advisories/cve-2025-55177"
    },
    {
      "type": "WEB",
      "url": "https://www.whatsapp.com/security/advisories/2025"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F82V-JWR5-MFFW

Vulnerability from github – Published: 2025-03-21 15:20 – Updated: 2026-03-02 16:59
VLAI
Summary
Authorization Bypass in Next.js Middleware
Details

Impact

It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.

Patches

  • For Next.js 15.x, this issue is fixed in 15.2.3
  • For Next.js 14.x, this issue is fixed in 14.2.25
  • For Next.js 13.x, this issue is fixed in 13.5.9
  • For Next.js 12.x, this issue is fixed in 12.3.5
  • For Next.js 11.x, consult the below workaround.

Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability.

Workaround

If patching to a safe version is infeasible, we recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application.

Credits

  • Allam Rachid (zhero;)
  • Allam Yasser (inzo_)
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "next"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "13.0.0"
            },
            {
              "fixed": "13.5.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "next"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "14.0.0"
            },
            {
              "fixed": "14.2.25"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "next"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "15.0.0"
            },
            {
              "fixed": "15.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "next"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "12.0.0"
            },
            {
              "fixed": "12.3.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-29927"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-21T15:20:12Z",
    "nvd_published_at": "2025-03-21T15:15:42Z",
    "severity": "CRITICAL"
  },
  "details": "# Impact\nIt is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.\n\n# Patches\n* For Next.js 15.x, this issue is fixed in `15.2.3`\n* For Next.js 14.x, this issue is fixed in `14.2.25`\n* For Next.js 13.x, this issue is fixed in 13.5.9\n* For Next.js 12.x, this issue is fixed in 12.3.5\n* For Next.js 11.x, consult the below workaround.\n\n_Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability._\n\n# Workaround\nIf patching to a safe version is infeasible, we recommend that you prevent external user requests which contain the `x-middleware-subrequest` header from reaching your Next.js application.\n\n## Credits\n\n- Allam Rachid (zhero;)\n- Allam Yasser (inzo_)",
  "id": "GHSA-f82v-jwr5-mffw",
  "modified": "2026-03-02T16:59:03Z",
  "published": "2025-03-21T15:20:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-29927"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vercel/next.js/commit/52a078da3884efe6501613c7834a3d02a91676d2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vercel/next.js/commit/5fd3ae8f8542677c6294f32d18022731eab6fe48"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vercel/next.js"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vercel/next.js/releases/tag/v12.3.5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vercel/next.js/releases/tag/v13.5.9"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20250328-0002"
    },
    {
      "type": "WEB",
      "url": "https://vercel.com/changelog/vercel-firewall-proactively-protects-against-vulnerability-with-middleware"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/03/23/3"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/03/23/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Authorization Bypass in Next.js Middleware"
}

GHSA-F834-HXF4-WMXM

Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2022-05-24 19:04
VLAI
Details

Multiple vulnerabilities in the authorization process of Cisco ASR 5000 Series Software (StarOS) could allow an authenticated, remote attacker to bypass authorization and execute a subset of CLI commands on an affected device. For more information about these vulnerabilities, see the Details section of this advisory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-1540"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-04T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "Multiple vulnerabilities in the authorization process of Cisco ASR 5000 Series Software (StarOS) could allow an authenticated, remote attacker to bypass authorization and execute a subset of CLI commands on an affected device. For more information about these vulnerabilities, see the Details section of this advisory.",
  "id": "GHSA-f834-hxf4-wmxm",
  "modified": "2022-05-24T19:04:04Z",
  "published": "2022-05-24T19:04:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1540"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asr5k-autho-bypass-mJDF5S7n"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-F842-4GQM-2CPG

Vulnerability from github – Published: 2023-04-28 15:30 – Updated: 2024-04-04 03:43
VLAI
Details

Insecure Permissions vulnerability found in MagicJack A921 USB Phone Jack Rev 3.0 v.1.4 allows a physically proximate attacker to escalate privileges and gain access to sensitive information via the NAND flash memory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-30024"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-28T13:15:13Z",
    "severity": "MODERATE"
  },
  "details": "Insecure Permissions vulnerability found in MagicJack A921 USB Phone Jack Rev 3.0 v.1.4 allows a physically proximate attacker to escalate privileges and gain access to sensitive information via the NAND flash memory.",
  "id": "GHSA-f842-4gqm-2cpg",
  "modified": "2024-04-04T03:43:33Z",
  "published": "2023-04-28T15:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30024"
    },
    {
      "type": "WEB",
      "url": "https://drive.google.com/drive/folders/1cKd8hksThK610GPtBQ3du8DEkwKywlAi?usp=sharing"
    },
    {
      "type": "WEB",
      "url": "https://pastebin.com/raw/irWcawp8"
    },
    {
      "type": "WEB",
      "url": "https://samuraisecurity.co.uk/red-teaming-0x01-click-rce-via-voip-usb"
    },
    {
      "type": "WEB",
      "url": "https://www.magicjack.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F8G9-H6RJ-MQ5J

Vulnerability from github – Published: 2022-05-24 19:01 – Updated: 2022-05-24 19:01
VLAI
Details

kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized data that might represent sensitive information previously operated on by the kernel.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-31829"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-06T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs undesirable speculative loads, leading to disclosure of stack content via side-channel attacks, aka CID-801c6058d14a. The specific concern is not protecting the BPF stack area against speculative loads. Also, the BPF stack can contain uninitialized data that might represent sensitive information previously operated on by the kernel.",
  "id": "GHSA-f8g9-h6rj-mq5j",
  "modified": "2022-05-24T19:01:27Z",
  "published": "2022-05-24T19:01:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31829"
    },
    {
      "type": "WEB",
      "url": "https://github.com/torvalds/linux/commit/801c6058d14a82179a7ee17a4b532cac6fad067f"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00019.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VWCZ6LJLENL2C3URW5ICARTACXPFCFN2"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y4X2G5YAPYJGI3PFEZZNOTRYI33GOCCZ"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZI7OBCJQDNWMKLBP6MZ5NV4EUTDAMX6Q"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2021/05/04/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-F8G9-XX53-MGMC

Vulnerability from github – Published: 2024-01-09 03:30 – Updated: 2024-01-09 03:30
VLAI
Details

SAP S/4HANA Finance for (Advanced Payment Management) - versions SAPSCORE 128, S4CORE 107, does not perform necessary authorization checks. A function import could be triggered allowing the attacker to create in-house bank accounts leading to low impact on the confidentiality of the application.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-21736"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-09T02:15:45Z",
    "severity": "MODERATE"
  },
  "details": "SAP S/4HANA Finance for (Advanced Payment Management) - versions SAPSCORE 128, S4CORE 107, does not perform necessary authorization checks. A function import could be triggered allowing the attacker to create in-house bank accounts leading to low impact on the confidentiality of the application.\n\n",
  "id": "GHSA-f8g9-xx53-mgmc",
  "modified": "2024-01-09T03:30:22Z",
  "published": "2024-01-09T03:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21736"
    },
    {
      "type": "WEB",
      "url": "https://me.sap.com/notes/3260667"
    },
    {
      "type": "WEB",
      "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F8J8-G2F7-722J

Vulnerability from github – Published: 2023-06-27 15:30 – Updated: 2024-04-04 05:11
VLAI
Details

Incorrect access control in the component /index.php?mod=system&op=orgtree of dzzoffice 2.02.1_SC_UTF8 allows unauthenticated attackers to browse departments and usernames.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-30205"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-27T14:15:09Z",
    "severity": "MODERATE"
  },
  "details": "Incorrect access control in the component /index.php?mod=system\u0026op=orgtree of dzzoffice 2.02.1_SC_UTF8 allows unauthenticated attackers to browse departments and usernames.",
  "id": "GHSA-f8j8-g2f7-722j",
  "modified": "2024-04-04T05:11:51Z",
  "published": "2023-06-27T15:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30205"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zyx0814/dzzoffice/issues/184"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F8MR-JV2C-V8MG

Vulnerability from github – Published: 2020-09-09 17:29 – Updated: 2024-11-18 22:41
VLAI
Summary
Invalid root may become trusted root in The Update Framework (TUF)
Details

Impact

The Python TUF reference implementation tuf<0.12 will incorrectly trust a previously downloaded root metadata file which failed verification at download time. This allows an attacker who is able to serve multiple new versions of root metadata (i.e. by a man-in-the-middle attack) culminating in a version which has not been correctly signed to control the trust chain for future updates.

While investigating the reported vulnerability, we discovered that the detailed client workflow was not fully implemented. Specifically, for step 1.3 the newly downloaded root metadata was not being verified with a threshold of keys specified in the new root metadata file. This missing step of the client workflow has been implemented in PR #1101, which is included in v0.14.0 of tuf.

Patches

A fix, is available in version 0.12 and newer.

Workarounds

No workarounds are known for this issue.

References

  • Pull request resolving the invalid root becoming trusted issue PR 885
  • Pull request implementing self verification of newly downloaded root metadata PR 1101
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tuf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.12.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-15163"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-345",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-09-09T17:27:31Z",
    "nvd_published_at": "2020-09-09T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nThe Python TUF reference implementation `tuf\u003c0.12` will incorrectly trust a previously downloaded root metadata file which failed verification at download time. This allows an attacker who is able to serve multiple new versions of root metadata (i.e. by a man-in-the-middle attack) culminating in a version which has not been correctly signed to control the trust chain for future updates.\n\nWhile investigating the reported vulnerability, we discovered that the detailed client workflow was not fully implemented. Specifically, for step 1.3 the newly downloaded root metadata was not being verified with a threshold of keys specified in the new root metadata file.\nThis missing step of the client workflow has been implemented in [PR #1101](https://github.com/theupdateframework/tuf/pull/1101), which is included in [v0.14.0](https://github.com/theupdateframework/tuf/releases/tag/v0.14.0) of tuf.\n\n### Patches\nA [fix](https://github.com/theupdateframework/tuf/pull/885), is available in version [0.12](https://github.com/theupdateframework/tuf/releases/tag/v0.12.0) and newer.\n\n### Workarounds\nNo workarounds are known for this issue.\n\n### References\n* Pull request resolving the invalid root becoming trusted issue [PR 885](https://github.com/theupdateframework/tuf/pull/885)\n* Pull request implementing self verification of newly downloaded root metadata [PR 1101](https://github.com/theupdateframework/tuf/pull/1101)",
  "id": "GHSA-f8mr-jv2c-v8mg",
  "modified": "2024-11-18T22:41:33Z",
  "published": "2020-09-09T17:29:27Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/theupdateframework/tuf/security/advisories/GHSA-f8mr-jv2c-v8mg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15163"
    },
    {
      "type": "WEB",
      "url": "https://github.com/theupdateframework/tuf/pull/885"
    },
    {
      "type": "WEB",
      "url": "https://github.com/theupdateframework/tuf/commit/3d342e648fbacdf43a13d7ba8886aaaf07334af7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tuf/PYSEC-2020-145.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/theupdateframework/tuf"
    },
    {
      "type": "WEB",
      "url": "https://github.com/theupdateframework/tuf/releases/tag/v0.12.0"
    },
    {
      "type": "WEB",
      "url": "https://pypi.org/project/tuf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Invalid root may become trusted root in The Update Framework (TUF)"
}

GHSA-F8MV-JPHX-3R7G

Vulnerability from github – Published: 2024-06-06 21:30 – Updated: 2024-06-06 21:30
VLAI
Details

An Incorrect Authorization vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, which allows unauthenticated users to delete any dataset. The vulnerability is due to the lack of proper authorization checks in the dataset deletion endpoint. Specifically, the endpoint does not verify if the provided project ID belongs to the current user, thereby allowing any dataset to be deleted without proper authentication. This issue was fixed in version 1.2.8.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-5130"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639",
      "CWE-862",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-06T19:16:04Z",
    "severity": "HIGH"
  },
  "details": "An Incorrect Authorization vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, which allows unauthenticated users to delete any dataset. The vulnerability is due to the lack of proper authorization checks in the dataset deletion endpoint. Specifically, the endpoint does not verify if the provided project ID belongs to the current user, thereby allowing any dataset to be deleted without proper authentication. This issue was fixed in version 1.2.8.",
  "id": "GHSA-f8mv-jphx-3r7g",
  "modified": "2024-06-06T21:30:37Z",
  "published": "2024-06-06T21:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5130"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lunary-ai/lunary/commit/14078c1d2b8766075bf655f187ece24c7a787776"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/e81a9871-308d-4628-9726-af66643a16fe"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

No CAPEC attack patterns related to this CWE.