CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5518 vulnerabilities reference this CWE, most recent first.
GHSA-G4J9-PMF2-PRRV
Vulnerability from github – Published: 2023-02-01 15:30 – Updated: 2023-02-08 21:30Last Yard 22.09.8-1 does not enforce HSTS headers
{
"affected": [],
"aliases": [
"CVE-2022-47714"
],
"database_specific": {
"cwe_ids": [
"CWE-319",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-01T14:15:00Z",
"severity": "CRITICAL"
},
"details": "Last Yard 22.09.8-1 does not enforce HSTS headers",
"id": "GHSA-g4j9-pmf2-prrv",
"modified": "2023-02-08T21:30:19Z",
"published": "2023-02-01T15:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47714"
},
{
"type": "WEB",
"url": "https://github.com/l00neyhacker/CVE-2022-47714"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G4M8-6XWJ-MC45
Vulnerability from github – Published: 2024-03-08 03:31 – Updated: 2026-04-02 21:31This issue was addressed with additional entitlement checks. This issue is fixed in visionOS 1.1, iOS 17.4 and iPadOS 17.4, iOS 16.7.6 and iPadOS 16.7.6. An app may be able to spoof system notifications and UI.
{
"affected": [],
"aliases": [
"CVE-2024-23262"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-08T02:15:48Z",
"severity": "LOW"
},
"details": "This issue was addressed with additional entitlement checks. This issue is fixed in visionOS 1.1, iOS 17.4 and iPadOS 17.4, iOS 16.7.6 and iPadOS 16.7.6. An app may be able to spoof system notifications and UI.",
"id": "GHSA-g4m8-6xwj-mc45",
"modified": "2026-04-02T21:31:37Z",
"published": "2024-03-08T03:31:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23262"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120880"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120883"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120893"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT214081"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT214082"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT214087"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT214081"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT214082"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT214087"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Mar/26"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G4V2-QX3Q-4P64
Vulnerability from github – Published: 2026-04-08 00:14 – Updated: 2026-04-15 21:17Impact
The GET /sessions/me endpoint returns _Session fields that the server operator explicitly configured as protected via the protectedFields server option. Any authenticated user can retrieve their own session's protected fields with a single request. The equivalent GET /sessions and GET /sessions/:objectId endpoints correctly strip protected fields.
Patches
The GET /sessions/me handler now re-fetches the session with the caller's auth context after validating the session token, ensuring protectedFields and CLP apply consistently with other session endpoints.
Workarounds
None.
References
- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-g4v2-qx3q-4p64
- Fix Parse Server 9: https://github.com/parse-community/parse-server/pull/10406
- Fix Parse Server 8: https://github.com/parse-community/parse-server/pull/10407
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "parse-server"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.8.0-alpha.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "parse-server"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "8.6.75"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-39381"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-08T00:14:50Z",
"nvd_published_at": "2026-04-07T20:16:32Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nThe `GET /sessions/me` endpoint returns `_Session` fields that the server operator explicitly configured as protected via the `protectedFields` server option. Any authenticated user can retrieve their own session\u0027s protected fields with a single request. The equivalent `GET /sessions` and `GET /sessions/:objectId` endpoints correctly strip protected fields.\n\n### Patches\n\nThe `GET /sessions/me` handler now re-fetches the session with the caller\u0027s auth context after validating the session token, ensuring `protectedFields` and CLP apply consistently with other session endpoints.\n\n### Workarounds\n\nNone.\n\n### References\n\n- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-g4v2-qx3q-4p64\n- Fix Parse Server 9: https://github.com/parse-community/parse-server/pull/10406\n- Fix Parse Server 8: https://github.com/parse-community/parse-server/pull/10407",
"id": "GHSA-g4v2-qx3q-4p64",
"modified": "2026-04-15T21:17:24Z",
"published": "2026-04-08T00:14:50Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-g4v2-qx3q-4p64"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39381"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/pull/10406"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/pull/10407"
},
{
"type": "PACKAGE",
"url": "https://github.com/parse-community/parse-server"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Parse Server\u0027s Endpoint `/sessions/me` bypasses `_Session` `protectedFields`"
}
GHSA-G4W6-VMGF-XQVX
Vulnerability from github – Published: 2026-06-30 18:09 – Updated: 2026-06-30 18:09Summary
@cedar-policy/authorization-for-expressjs is an open-source Express.js middleware that integrates Cedar authorization into Express applications by mapping HTTP requests to Cedar actions and evaluating authorization policies before allowing requests to proceed. An issue exists where, under certain circumstances, the middleware matches incoming requests against Cedar action mappings using req.originalUrl, which includes the query string, while Express routes requests using only the path component.
Impact
The middleware uses req.originalUrl to match incoming requests against Cedar action mappings. In Express, req.originalUrl includes the query string, while route matching uses only the path. This creates a divergence between what Cedar authorizes and what Express executes.
When an application defines separate actions for overlapping path prefixes with different authorization requirements (for example, GET /users for listing all users with admin-only access, and GET /users/{id} for retrieving a single user with any authenticated user access), an actor can append a query string to bypass the more restrictive policy. Sending GET /users/?x=1 causes the middleware to match against /users/{id} (with id parameter set to ?x=1) and evaluate the less restrictive action, while Express routes the request to the /users list handler. This allows inappropriate access to the more restrictive endpoint.
Impacted versions
<= 0.2.0
Patches
This issue has been addressed in @cedar-policy/authorization-for-expressjs version 0.3. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.
Workarounds
Validate and sanitize incoming request paths before they reach the authorization middleware. Ensure that applications do not rely solely on the middleware for authorization when defining multiple actions on overlapping path prefixes with different permission levels.
References
If you have any questions or comments about this advisory, AWS asks that you contact AWS Security via the vulnerability reporting page or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.2.0"
},
"package": {
"ecosystem": "npm",
"name": "@cedar-policy/authorization-for-expressjs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-49473"
],
"database_specific": {
"cwe_ids": [
"CWE-436",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-30T18:09:13Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n@cedar-policy/authorization-for-expressjs is an open-source Express.js middleware that integrates Cedar authorization into Express applications by mapping HTTP requests to Cedar actions and evaluating authorization policies before allowing requests to proceed. An issue exists where, under certain circumstances, the middleware matches incoming requests against Cedar action mappings using req.originalUrl, which includes the query string, while Express routes requests using only the path component.\n\n### Impact\nThe middleware uses req.originalUrl to match incoming requests against Cedar action mappings. In Express, req.originalUrl includes the query string, while route matching uses only the path. This creates a divergence between what Cedar authorizes and what Express executes.\n\nWhen an application defines separate actions for overlapping path prefixes with different authorization requirements (for example, GET /users for listing all users with admin-only access, and GET /users/{id} for retrieving a single user with any authenticated user access), an actor can append a query string to bypass the more restrictive policy. Sending GET /users/?x=1 causes the middleware to match against /users/{id} (with id parameter set to ?x=1) and evaluate the less restrictive action, while Express routes the request to the /users list handler. This allows inappropriate access to the more restrictive endpoint.\n\n### Impacted versions\n\u003c= 0.2.0\n\n### Patches\nThis issue has been addressed in @cedar-policy/authorization-for-expressjs version 0.3. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.\n\n### Workarounds\nValidate and sanitize incoming request paths before they reach the authorization middleware. Ensure that applications do not rely solely on the middleware for authorization when defining multiple actions on overlapping path prefixes with different permission levels.\n\n### References\nIf you have any questions or comments about this advisory, AWS asks that you contact AWS Security via the vulnerability reporting page or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.",
"id": "GHSA-g4w6-vmgf-xqvx",
"modified": "2026-06-30T18:09:13Z",
"published": "2026-06-30T18:09:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/cedar-policy/authorization-for-expressjs/security/advisories/GHSA-g4w6-vmgf-xqvx"
},
{
"type": "PACKAGE",
"url": "https://github.com/cedar-policy/authorization-for-expressjs"
},
{
"type": "WEB",
"url": "https://github.com/cedar-policy/authorization-for-expressjs/releases/tag/v0.3.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "@cedar-policy/authorization-for-expressjs has an authorization bypass via query string manipulation"
}
GHSA-G52X-WVQ2-4H58
Vulnerability from github – Published: 2026-05-13 00:48 – Updated: 2026-05-13 00:48PowerSYSTEM Center REST API endpoint for devices allows a low privilege authenticated user to access information normally limited by operational permissions.
{
"affected": [],
"aliases": [
"CVE-2026-33570"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-12T22:16:33Z",
"severity": "MODERATE"
},
"details": "PowerSYSTEM Center REST API endpoint for devices allows a low privilege authenticated user to access information normally limited by operational permissions.",
"id": "GHSA-g52x-wvq2-4h58",
"modified": "2026-05-13T00:48:11Z",
"published": "2026-05-13T00:48:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33570"
},
{
"type": "WEB",
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-132-02.json"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-132-02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-G594-FQ98-W6PJ
Vulnerability from github – Published: 2025-06-11 00:30 – Updated: 2025-06-11 00:30The macOS Rocket.Chat application is affected by a vulnerability that allows bypassing Transparency, Consent, and Control (TCC) policies, enabling the exploitation or abuse of permissions specified in its entitlements (e.g., microphone, camera, automation, network client). Since Rocket.Chat was not signed with the Hardened Runtime nor set to enforce Library Validation, it is vulnerable to DYLIB injection attacks, which can lead to unauthorized actions or escalation of permissions. Consequently, an attacker gains capabilities that are not permitted by default under the Sandbox and its application profile.
{
"affected": [],
"aliases": [
"CVE-2024-8270"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-11T00:15:23Z",
"severity": "MODERATE"
},
"details": "The macOS Rocket.Chat application is affected by a vulnerability that allows bypassing Transparency, Consent, and Control (TCC) policies, enabling the exploitation or abuse of permissions specified in its entitlements (e.g., microphone, camera, automation, network client). Since Rocket.Chat was not signed with the Hardened Runtime nor set to enforce Library Validation, it is vulnerable to DYLIB injection attacks, which can lead to unauthorized actions or escalation of permissions. Consequently, an attacker gains capabilities that are not permitted by default under the Sandbox and its application profile.",
"id": "GHSA-g594-fq98-w6pj",
"modified": "2025-06-11T00:30:48Z",
"published": "2025-06-11T00:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8270"
},
{
"type": "WEB",
"url": "https://pentraze.com"
},
{
"type": "WEB",
"url": "https://pentraze.com/vulnerability-reports"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G5CG-8X5W-7JPM
Vulnerability from github – Published: 2026-04-02 20:59 – Updated: 2026-04-21 00:01Summary
Heartbeat context inheritance bypasses sandbox via senderIsOwner escalation
Current Maintainer Triage
- Status: open
- Normalized severity: Critical
Affected Packages / Versions
- Package:
openclaw(npm) - Latest published npm version:
2026.3.31 - Vulnerable version range:
<=2026.3.28 - Patched versions:
>= 2026.3.31 - First stable tag containing the fix:
v2026.3.31
Fix Commit(s)
a30214a624946fc5c85c9558a27c1580172374fd— 2026-03-31T09:06:51+09:00
OpenClaw thanks @AntAISecurityLab for reporting.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.3.28"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.31"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-41329"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-02T20:59:29Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "## Summary\nHeartbeat context inheritance bypasses sandbox via senderIsOwner escalation\n\n## Current Maintainer Triage\n- Status: open\n- Normalized severity: Critical\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `\u003c=2026.3.28`\n- Patched versions: `\u003e= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `a30214a624946fc5c85c9558a27c1580172374fd` \u2014 2026-03-31T09:06:51+09:00\n\nOpenClaw thanks @AntAISecurityLab for reporting.",
"id": "GHSA-g5cg-8x5w-7jpm",
"modified": "2026-04-21T00:01:01Z",
"published": "2026-04-02T20:59:29Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g5cg-8x5w-7jpm"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/a30214a624946fc5c85c9558a27c1580172374fd"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: Heartbeat context inheritance bypasses sandbox via senderIsOwner escalation"
}
GHSA-G5FP-9V3P-VV34
Vulnerability from github – Published: 2025-01-21 21:30 – Updated: 2025-01-21 21:30Vulnerability in the Oracle Agile PLM Framework product of Oracle Supply Chain (component: Install). The supported version that is affected is 9.3.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Agile PLM Framework. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Agile PLM Framework accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
{
"affected": [],
"aliases": [
"CVE-2025-21565"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-21T21:15:23Z",
"severity": "HIGH"
},
"details": "Vulnerability in the Oracle Agile PLM Framework product of Oracle Supply Chain (component: Install). The supported version that is affected is 9.3.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Agile PLM Framework. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Agile PLM Framework accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).",
"id": "GHSA-g5fp-9v3p-vv34",
"modified": "2025-01-21T21:30:56Z",
"published": "2025-01-21T21:30:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21565"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2025.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G5HJ-6P24-45C3
Vulnerability from github – Published: 2025-01-09 21:31 – Updated: 2025-01-16 21:30Canlineapp Online 1.1 is vulnerable to Broken Access Control and allows users with the Auditor role to create an audit template as a result of improper authorization checks. This feature is designated for supervisor role, but auditors have been able to successfully create audit templates from their account.
{
"affected": [],
"aliases": [
"CVE-2024-56114"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-09T20:15:39Z",
"severity": "MODERATE"
},
"details": "Canlineapp Online 1.1 is vulnerable to Broken Access Control and allows users with the Auditor role to create an audit template as a result of improper authorization checks. This feature is designated for supervisor role, but auditors have been able to successfully create audit templates from their account.",
"id": "GHSA-g5hj-6p24-45c3",
"modified": "2025-01-16T21:30:55Z",
"published": "2025-01-09T21:31:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56114"
},
{
"type": "WEB",
"url": "https://github.com/Henkel-CyberVM/CVEs/tree/main/CVE-2024-56114"
},
{
"type": "WEB",
"url": "https://www.e-connectsolutions.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G5JC-27J7-J57C
Vulnerability from github – Published: 2022-08-09 00:00 – Updated: 2022-08-13 00:00Zammad 5.2.0 suffers from Incorrect Access Control. Zammad did not correctly perform authorization on certain attachment endpoints. This could be abused by an unauthenticated attacker to gain access to attachments, such as emails or attached files.
{
"affected": [],
"aliases": [
"CVE-2022-35487"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-08T14:15:00Z",
"severity": "HIGH"
},
"details": "Zammad 5.2.0 suffers from Incorrect Access Control. Zammad did not correctly perform authorization on certain attachment endpoints. This could be abused by an unauthenticated attacker to gain access to attachments, such as emails or attached files.",
"id": "GHSA-g5jc-27j7-j57c",
"modified": "2022-08-13T00:00:53Z",
"published": "2022-08-09T00:00:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35487"
},
{
"type": "WEB",
"url": "https://zammad.com/de/advisories/zaa-2022-08"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.