Common Weakness Enumeration

CWE-863

Allowed-with-Review

Incorrect Authorization

Abstraction: Class · Status: Incomplete

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

5537 vulnerabilities reference this CWE, most recent first.

GHSA-FVQW-WG8V-HMCW

Vulnerability from github – Published: 2024-06-10 21:30 – Updated: 2026-04-02 21:31
VLAI
Details

This issue was addressed with improved permissions checking. This issue is fixed in macOS Sonoma 14.5, iOS 17.5 and iPadOS 17.5. A malicious app may be able to gain root privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-27848"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-277",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-10T21:15:51Z",
    "severity": "HIGH"
  },
  "details": "This issue was addressed with improved permissions checking. This issue is fixed in macOS Sonoma 14.5, iOS 17.5 and iPadOS 17.5. A malicious app may be able to gain root privileges.",
  "id": "GHSA-fvqw-wg8v-hmcw",
  "modified": "2026-04-02T21:31:46Z",
  "published": "2024-06-10T21:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27848"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120903"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120905"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT214101"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT214106"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214101"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214106"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FW62-7JCP-752G

Vulnerability from github – Published: 2025-11-11 21:30 – Updated: 2025-11-11 21:30
VLAI
Details

Adobe Pass versions 3.7.3 and earlier are affected by an Incorrect Authorization vulnerability. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read and write access. Exploitation of this issue requires user interaction in that a victim must install a malicious SDK.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-61830"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-11T19:15:35Z",
    "severity": "HIGH"
  },
  "details": "Adobe Pass versions 3.7.3 and earlier are affected by an Incorrect Authorization vulnerability. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read and write access. Exploitation of this issue requires user interaction in that a victim must install a malicious SDK.",
  "id": "GHSA-fw62-7jcp-752g",
  "modified": "2025-11-11T21:30:27Z",
  "published": "2025-11-11T21:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61830"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/pass/apsb25-112.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FWCM-GWWR-6JW8

Vulnerability from github – Published: 2022-05-24 17:43 – Updated: 2022-05-24 17:43
VLAI
Details

Zoho ManageEngine Desktop Central before build 10.0.647 allows a single authentication secret from multiple agents to communicate with the server.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-28050"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-03-05T17:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Zoho ManageEngine Desktop Central before build 10.0.647 allows a single authentication secret from multiple agents to communicate with the server.",
  "id": "GHSA-fwcm-gwwr-6jw8",
  "modified": "2022-05-24T17:43:43Z",
  "published": "2022-05-24T17:43:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28050"
    },
    {
      "type": "WEB",
      "url": "https://www.manageengine.com/products/desktop-central/cve-2020-28050.html"
    },
    {
      "type": "WEB",
      "url": "https://www.manageengine.com/products/desktop-central/fixing-multiple-vulnerabilities.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-FWCM-RQVW-J3P7

Vulnerability from github – Published: 2026-05-26 23:41 – Updated: 2026-05-26 23:41
VLAI
Summary
FUXA has an unauthenticated arbitrary tag value disclosure via /api/getTagValue
Details

Summary

An authorization bypass in the /api/getTagValue endpoint allows unauthenticated access to tag values when the referenced script does not exist.

### Details The issue is caused by the combination of these code paths:

  • server/api/apikeys/verify-api-or-token.js:45 sends requests without x-api-key to authJwt.verifyToken(req, res, next).
  • server/api/jwt-helper.js:46-64 creates a signed guest token when no x-access-token is provided: if (!token) { token = getGuestToken(); } and then populates req.userId / req.userGroups from that guest token.
  • server/api/command/index.js:76-105 exposes /api/getTagValue.
  • server/runtime/scripts/index.js:106-111 returns true when the referenced script does not exist: if (!script) { return true; }

As a result, an unauthenticated request reaches /api/getTagValue as guest, and the authorization check is bypassed because isAuthorisedByScriptName() returns true when sourceScriptName is omitted or does not match a real script. The endpoint then returns arbitrary tag values by ID.

### PoC

Requests to /api/getTagValue without authentication could succeed when the authorization logic evaluated a non-existent sourceScriptName as authorized.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "fuxa-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.3.0"
            },
            {
              "fixed": "1.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.3.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2026-43946"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-26T23:41:45Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n An authorization bypass in the /api/getTagValue endpoint allows unauthenticated access to tag values when the referenced script does not exist.\n\n  ### Details\n  The issue is caused by the combination of these code paths:\n\n  - `server/api/apikeys/verify-api-or-token.js:45` sends requests without `x-api-key` to `authJwt.verifyToken(req, res, next)`.\n  - `server/api/jwt-helper.js:46-64` creates a signed guest token when no `x-access-token` is provided:\n    `if (!token) { token = getGuestToken(); }`\n    and then populates `req.userId` / `req.userGroups` from that guest token.\n  - `server/api/command/index.js:76-105` exposes `/api/getTagValue`.\n  - `server/runtime/scripts/index.js:106-111` returns `true` when the referenced script does not exist:\n    `if (!script) { return true; }`\n\n  As a result, an unauthenticated request reaches `/api/getTagValue` as `guest`, and the authorization check is bypassed because `isAuthorisedByScriptName()` returns `true` when `sourceScriptName` is omitted or does not match a real script. The endpoint then returns arbitrary tag values by ID.\n\n  ### PoC\n\nRequests to /api/getTagValue without authentication could succeed when the authorization logic evaluated a non-existent sourceScriptName as authorized.",
  "id": "GHSA-fwcm-rqvw-j3p7",
  "modified": "2026-05-26T23:41:45Z",
  "published": "2026-05-26T23:41:45Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/frangoteam/FUXA/security/advisories/GHSA-fwcm-rqvw-j3p7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/frangoteam/FUXA/pull/2260"
    },
    {
      "type": "WEB",
      "url": "https://github.com/frangoteam/FUXA/commit/78534da61a91613712b44bb63c8d7da8c5df5ca4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/frangoteam/FUXA"
    },
    {
      "type": "WEB",
      "url": "https://github.com/frangoteam/FUXA/releases/tag/v1.3.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "FUXA has an unauthenticated arbitrary tag value disclosure via /api/getTagValue"
}

GHSA-FWH6-GC6C-W62Q

Vulnerability from github – Published: 2025-11-12 18:31 – Updated: 2025-11-12 18:31
VLAI
Details

Fujitsu iRMC S6 on M5 before 1.37S mishandles Redfish/WebUI access if the length of a username is exactly 16 characters.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-65002"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-12T18:15:36Z",
    "severity": "HIGH"
  },
  "details": "Fujitsu iRMC S6 on M5 before 1.37S mishandles Redfish/WebUI access if the length of a username is exactly 16 characters.",
  "id": "GHSA-fwh6-gc6c-w62q",
  "modified": "2025-11-12T18:31:26Z",
  "published": "2025-11-12T18:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65002"
    },
    {
      "type": "WEB",
      "url": "https://security.ts.fujitsu.com/ProductSecurity/content/FsasTech-PSIRT-FTI-ISS-2025-082610-Security-Notice.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FWJQ-XWFJ-GV75

Vulnerability from github – Published: 2026-04-07 18:11 – Updated: 2026-04-07 18:11
VLAI
Summary
OpenClaw: `session_status` still bypasses configured `tools.sessions.visibility` for unsandboxed invocations
Details

Summary

session_status still bypasses configured tools.sessions.visibility for unsandboxed invocations

Current Maintainer Triage

  • Status: narrow
  • Normalized severity: medium
  • Assessment: Real on shipped v2026.3.22: non-sandboxed session_status skipped the shared visibility guard, but this is a same-agent session-policy bypass with unreleased fix, not a broader host-boundary break.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Latest published npm version: 2026.3.31
  • Vulnerable version range: <=2026.3.28
  • Patched versions: >= 2026.3.31
  • First stable tag containing the fix: v2026.3.31

Fix Commit(s)

  • 4d369a3400dc9b737fbe8daa63f09d909ce7beb8 — 2026-03-30T16:48:12+02:00

Release Process Note

  • The fix is already present in released version 2026.3.31.
  • This draft looks ready for final maintainer disposition or publication, not additional code-fix work.

Thanks @tdjackey for reporting.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2026.3.28"
      },
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.3.31"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-07T18:11:09Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n`session_status` still bypasses configured `tools.sessions.visibility` for unsandboxed invocations\n\n## Current Maintainer Triage\n- Status: narrow\n- Normalized severity: medium\n- Assessment: Real on shipped v2026.3.22: non-sandboxed session_status skipped the shared visibility guard, but this is a same-agent session-policy bypass with unreleased fix, not a broader host-boundary break.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `\u003c=2026.3.28`\n- Patched versions: `\u003e= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `4d369a3400dc9b737fbe8daa63f09d909ce7beb8` \u2014 2026-03-30T16:48:12+02:00\n\n## Release Process Note\n- The fix is already present in released version `2026.3.31`.\n- This draft looks ready for final maintainer disposition or publication, not additional code-fix work.\n\nThanks @tdjackey for reporting.",
  "id": "GHSA-fwjq-xwfj-gv75",
  "modified": "2026-04-07T18:11:09Z",
  "published": "2026-04-07T18:11:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-fwjq-xwfj-gv75"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/4d369a3400dc9b737fbe8daa63f09d909ce7beb8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw: `session_status` still bypasses configured `tools.sessions.visibility` for unsandboxed invocations "
}

GHSA-FWWQ-FJFJ-33CG

Vulnerability from github – Published: 2022-05-24 17:31 – Updated: 2022-05-24 17:31
VLAI
Details

Verifone MX900 series Pinpad Payment Terminals with OS 30251000 have a race condition for RBAC bypass.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-14711"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-10-23T05:15:00Z",
    "severity": "HIGH"
  },
  "details": "Verifone MX900 series Pinpad Payment Terminals with OS 30251000 have a race condition for RBAC bypass.",
  "id": "GHSA-fwwq-fjfj-33cg",
  "modified": "2022-05-24T17:31:54Z",
  "published": "2022-05-24T17:31:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14711"
    },
    {
      "type": "WEB",
      "url": "https://www.ptsecurity.com/ww-en/analytics/threatscape/pt-2020-20"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-FX79-9VH5-XX87

Vulnerability from github – Published: 2024-12-26 12:30 – Updated: 2024-12-26 12:30
VLAI
Details

Some Honor products are affected by incorrect privilege assignment vulnerability, successful exploitation could cause device service exceptions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-47157"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-26T12:15:07Z",
    "severity": "LOW"
  },
  "details": "Some Honor products are affected by incorrect privilege assignment vulnerability, successful exploitation could cause device service exceptions.",
  "id": "GHSA-fx79-9vh5-xx87",
  "modified": "2024-12-26T12:30:45Z",
  "published": "2024-12-26T12:30:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47157"
    },
    {
      "type": "WEB",
      "url": "https://www.honor.com/global/security/cve-2024-47157"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FX8Q-7873-HXRQ

Vulnerability from github – Published: 2026-02-08 09:30 – Updated: 2026-02-08 09:30
VLAI
Details

A security flaw has been discovered in WuKongOpenSource WukongCRM up to 11.3.3. This affects an unknown part of the file gateway/src/main/java/com/kakarote/gateway/service/impl/PermissionServiceImpl.java of the component URL Handler. Performing a manipulation results in improper authorization. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-2141"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-08T08:15:52Z",
    "severity": "MODERATE"
  },
  "details": "A security flaw has been discovered in WuKongOpenSource WukongCRM up to 11.3.3. This affects an unknown part of the file gateway/src/main/java/com/kakarote/gateway/service/impl/PermissionServiceImpl.java of the component URL Handler. Performing a manipulation results in improper authorization. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-fx8q-7873-hxrq",
  "modified": "2026-02-08T09:30:15Z",
  "published": "2026-02-08T09:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2141"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SourByte05/SourByte-Lab/issues/8"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.344776"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.344776"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.747264"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-FXC7-FM93-6Q77

Vulnerability from github – Published: 2026-05-05 22:22 – Updated: 2026-05-13 16:28
VLAI
Summary
ArcadeDB vulnerable to cross-database authorization bypass and unsecured newly-created databases
Details

Impact

Authenticated users and API tokens scoped to a specific database could read, write, and mutate schema on any other database on the same server. Two distinct defects contributed: (1) ServerSecurityUser.getDatabaseUser() returned a DB user with an uninitialized fileAccessMap, which requestAccessOnFile treated as allow-all; (2) ArcadeDBServer.createDatabase() omitted factory.setSecurity(...) so any database created via POST /api/v1/server {"command":"create database X"} had its entire record-level authorization system silently disabled. In combination, record-level and database-level authorization could be bypassed by any authenticated principal.

Patches

Upgrade to version 26.4.2

Resources

https://github.com/ArcadeData/arcadedb/commit/04110c06315da55604ac107f71fe7182f3a3deb8

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.arcadedb:arcadedb-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "26.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44221"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-05T22:22:22Z",
    "nvd_published_at": "2026-05-12T20:16:43Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\nAuthenticated users and API tokens scoped to a specific database could read, write, and mutate schema on any other database on the same server. Two distinct defects contributed: (1) ServerSecurityUser.getDatabaseUser() returned a DB user with an uninitialized fileAccessMap, which requestAccessOnFile treated as allow-all; (2) ArcadeDBServer.createDatabase() omitted factory.setSecurity(...) so any database created via POST /api/v1/server {\"command\":\"create database X\"} had its entire record-level authorization system silently disabled. In combination, record-level and database-level authorization could be bypassed by any authenticated principal.\n\n### Patches\nUpgrade to version 26.4.2\n\n### Resources\n\nhttps://github.com/ArcadeData/arcadedb/commit/04110c06315da55604ac107f71fe7182f3a3deb8",
  "id": "GHSA-fxc7-fm93-6q77",
  "modified": "2026-05-13T16:28:38Z",
  "published": "2026-05-05T22:22:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ArcadeData/arcadedb/security/advisories/GHSA-fxc7-fm93-6q77"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44221"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ArcadeData/arcadedb/commit/04110c06315da55604ac107f71fe7182f3a3deb8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ArcadeData/arcadedb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ArcadeDB vulnerable to cross-database authorization bypass and unsecured newly-created databases"
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

No CAPEC attack patterns related to this CWE.