Common Weakness Enumeration

CWE-863

Allowed-with-Review

Incorrect Authorization

Abstraction: Class · Status: Incomplete

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

5510 vulnerabilities reference this CWE, most recent first.

GHSA-G623-JCGG-MHMM

Vulnerability from github – Published: 2024-03-15 16:33 – Updated: 2025-06-04 00:32
VLAI
Summary
Users with `create` but not `override` privileges can perform local sync
Details

Impact

"Local sync" is an Argo CD feature that allows developers to temporarily override an Application's manifests with locally-defined manifests. Use of the feature should generally be limited to highly-trusted users, since it allows the user to bypass any merge protections in git.

An improper validation bug allows users who have create privileges but not override privileges to sync local manifests on app creation. All other restrictions, including AppProject restrictions are still enforced. The only restriction which is not enforced is that the manifests come from some approved git/Helm/OCI source.

The bug was introduced in 1.2.0-rc1 when the local manifest sync feature was added.

Patches

The bug has been patched in the following versions:

  • 2.10.3
  • 2.9.8
  • 2.8.12

Workarounds

To immediately mitigate the risk of branch protection bypass, remove applications, create RBAC access. The only way to eliminate the issue without removing RBAC access is to upgrade to a patched version.

Branch protection rules and review requirements are a great way to enforce security constraints in a GitOps environment, but they should be just one layer in a multi-layered approach. Make sure your AppProject and RBAC restrictions are as thorough as possible to prevent a review bypass vulnerability from permitting excessive damage.

References

For more information

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-cd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.2.0-rc1"
            },
            {
              "last_affected": "1.8.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-cd/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.9.0"
            },
            {
              "fixed": "2.9.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-cd/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.10.0"
            },
            {
              "fixed": "2.10.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-cd/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0-rc3"
            },
            {
              "fixed": "2.8.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-50726"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-15T16:33:19Z",
    "nvd_published_at": "2024-03-13T21:15:54Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\n\"Local sync\" is an Argo CD feature that allows developers to temporarily override an Application\u0027s manifests with locally-defined manifests. Use of the feature should generally be limited to highly-trusted users, since it allows the user to bypass any merge protections in git.\n\nAn improper validation bug allows users who have `create` privileges but not `override` privileges to sync local manifests on app creation. All other restrictions, including AppProject restrictions are still enforced. The only restriction which is _not_ enforced is that the manifests come from some approved git/Helm/OCI source.\n\nThe bug was introduced in 1.2.0-rc1 when the local manifest sync feature was added.\n\n### Patches\n\nThe bug has been patched in the following versions:\n\n* 2.10.3\n* 2.9.8\n* 2.8.12\n\n### Workarounds\n\nTo immediately mitigate the risk of branch protection bypass, remove `applications, create` RBAC access. The only way to eliminate the issue without removing RBAC access is to upgrade to a patched version.\n\nBranch protection rules and review requirements are a great way to enforce security constraints in a GitOps environment, but they should be just one layer in a multi-layered approach. Make sure your AppProject and RBAC restrictions are as thorough as possible to prevent a review bypass vulnerability from permitting excessive damage.\n\n### References\n\n* [Argo CD RBAC documentation](https://argo-cd.readthedocs.io/en/latest/operator-manual/rbac/)\n\n### For more information\n\n* Open an issue in [the Argo CD issue tracker](https://github.com/argoproj/argo-cd/issues) or [discussions](https://github.com/argoproj/argo-cd/discussions)\n* Join us on [Slack](https://argoproj.github.io/community/join-slack) in channel #argo-cd",
  "id": "GHSA-g623-jcgg-mhmm",
  "modified": "2025-06-04T00:32:10Z",
  "published": "2024-03-15T16:33:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-g623-jcgg-mhmm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50726"
    },
    {
      "type": "WEB",
      "url": "https://github.com/argoproj/argo-cd/commit/3b8f673f06c2d228e01cbc830e5cb57cef008978"
    },
    {
      "type": "WEB",
      "url": "https://argo-cd.readthedocs.io/en/latest/operator-manual/rbac"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/argoproj/argo-cd"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Users with `create` but not `override` privileges can perform local sync"
}

GHSA-G627-R579-RW35

Vulnerability from github – Published: 2024-03-12 21:30 – Updated: 2025-02-13 19:07
VLAI
Summary
Apache Pulsar: Improper Authorization For Topic-Level Policy Management
Details

The vulnerability allows authenticated users with only produce or consume permissions to modify topic-level policies, such as retention, TTL, and offloading settings. These management operations should be restricted to users with the tenant admin role or super user role.

This issue affects Apache Pulsar versions from 2.7.1 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0.

2.10 Apache Pulsar users should upgrade to at least 2.10.6. 2.11 Apache Pulsar users should upgrade to at least 2.11.4. 3.0 Apache Pulsar users should upgrade to at least 3.0.3. 3.1 Apache Pulsar users should upgrade to at least 3.1.3. 3.2 Apache Pulsar users should upgrade to at least 3.2.1.

Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.pulsar:pulsar-broker"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.2.0"
            },
            {
              "fixed": "3.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.1.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.pulsar:pulsar-broker"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.1.0"
            },
            {
              "fixed": "3.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.0.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.pulsar:pulsar-broker"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.11.3"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.pulsar:pulsar-broker"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.11.0"
            },
            {
              "fixed": "2.11.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.10.5"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.pulsar:pulsar-broker"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.7.1"
            },
            {
              "fixed": "2.10.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-28098"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-13T20:40:35Z",
    "nvd_published_at": "2024-03-12T19:15:48Z",
    "severity": "MODERATE"
  },
  "details": "The vulnerability allows authenticated users with only produce or consume permissions to modify topic-level policies, such as retention, TTL, and offloading settings. These management operations should be restricted to users with the tenant admin role or super user role.\n\nThis issue affects Apache Pulsar versions from 2.7.1 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0. \n\n2.10 Apache Pulsar users should upgrade to at least 2.10.6.\n2.11 Apache Pulsar users should upgrade to at least 2.11.4.\n3.0 Apache Pulsar users should upgrade to at least 3.0.3.\n3.1 Apache Pulsar users should upgrade to at least 3.1.3.\n3.2 Apache Pulsar users should upgrade to at least 3.2.1.\n\nUsers operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.",
  "id": "GHSA-g627-r579-rw35",
  "modified": "2025-02-13T19:07:58Z",
  "published": "2024-03-12T21:30:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28098"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/pulsar"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/3m6923y3wxpdcs9346sjvt8ql9swqc2z"
    },
    {
      "type": "WEB",
      "url": "https://pulsar.apache.org/security/CVE-2024-28098"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2024/03/12/12"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache Pulsar: Improper Authorization For Topic-Level Policy Management"
}

GHSA-G63J-C9M2-FJM9

Vulnerability from github – Published: 2026-07-08 15:32 – Updated: 2026-07-08 15:32
VLAI
Details

Capgo before 12.128.2 contains an authorization bypass vulnerability in the public.manifest INSERT policy that allows read-only org members to insert OTA manifest rows. Attackers with read-only org access can inject malicious manifest entries with arbitrary s3_path values that are served to devices via the unauthenticated /updates endpoint, enabling OTA metadata poisoning and potential malicious asset delivery.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-56220"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-08T14:17:15Z",
    "severity": "HIGH"
  },
  "details": "Capgo before 12.128.2 contains an authorization bypass vulnerability in the public.manifest INSERT policy that allows read-only org members to insert OTA manifest rows. Attackers with read-only org access can inject malicious manifest entries with arbitrary s3_path values that are served to devices via the unauthenticated /updates endpoint, enabling OTA metadata poisoning and potential malicious asset delivery.",
  "id": "GHSA-g63j-c9m2-fjm9",
  "modified": "2026-07-08T15:32:00Z",
  "published": "2026-07-08T15:32:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Cap-go/capgo/security/advisories/GHSA-vmgg-crr8-887p"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56220"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/capgo-unauthorized-manifest-insertion-via-read-only-org-member"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-G699-3X6G-WM3G

Vulnerability from github – Published: 2026-03-17 18:37 – Updated: 2026-03-20 21:21
VLAI
Summary
Egress Policy Bypass via DNS over TCP in Harden-Runner (Community Tier)
Details

Summary

A vulnerability exists in the Community Tier of Harden-Runner that allows bypassing the egress-policy: block network restriction using DNS queries over TCP.

Harden-Runner enforces egress policies on GitHub runners by filtering outbound connections at the network layer. When egress-policy: block is enabled with a restrictive allowed-endpoints list (e.g., only github.com:443), all non-compliant traffic should be denied. However, DNS queries over TCP, commonly used for large responses or fallback from UDP, are not adequately restricted. Tools like dig can explicitly initiate TCP-based DNS queries (+tcp flag) without being blocked.

This vulnerability requires the attacker to already have code execution capabilities within the GitHub Actions workflow.

The Enterprise Tier of Harden-Runner is not affected by this vulnerability.

Impact

When Harden-Runner is configured with egress-policy: block and a restrictive allowed-endpoints list, an attacker with existing code execution capabilities within a GitHub Actions workflow can bypass the egress block policy by initiating DNS queries over TCP to external resolvers. This allows outbound network communication that evades the configured network restrictions.

This vulnerability affects only the Community Tier. It requires the attacker to already have code execution capabilities within the GitHub Actions workflow.

Remediation

For Community Tier Users

Upgrade to Harden-Runner v2.16.0 or later.

For Enterprise Tier Users

No action required. Enterprise tier customers are not affected by this vulnerability.

Credit

We would like to thank Devansh Batham for responsibly disclosing this vulnerability through our security reporting process.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.15.1"
      },
      "package": {
        "ecosystem": "GitHub Actions",
        "name": "step-security/harden-runner"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.16.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32946"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-693",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-17T18:37:46Z",
    "nvd_published_at": "2026-03-20T04:16:50Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nA vulnerability exists in the Community Tier of Harden-Runner that allows bypassing the `egress-policy: block` network restriction using DNS queries over TCP.\n\nHarden-Runner enforces egress policies on GitHub runners by filtering outbound connections at the network layer. When `egress-policy: block` is enabled with a restrictive allowed-endpoints list (e.g., only `github.com:443`), all non-compliant traffic should be denied. However, DNS queries over TCP, commonly used for large responses or fallback from UDP, are not adequately restricted. Tools like `dig` can explicitly initiate TCP-based DNS queries (`+tcp` flag) without being blocked. \n\nThis vulnerability requires the attacker to already have code execution capabilities within the GitHub Actions workflow.\n\nThe Enterprise Tier of Harden-Runner is **not affected** by this vulnerability.\n\n## Impact\n\nWhen Harden-Runner is configured with `egress-policy: block` and a restrictive `allowed-endpoints` list, an attacker with existing code execution capabilities within a GitHub Actions workflow can bypass the egress block policy by initiating DNS queries over TCP to external resolvers. This allows outbound network communication that evades the configured network restrictions.\n\nThis vulnerability affects only the Community Tier. It requires the attacker to already have code execution capabilities within the GitHub Actions workflow.\n\n## Remediation\n\n### For Community Tier Users\n\nUpgrade to Harden-Runner v2.16.0 or later. \n\n### For Enterprise Tier Users\n\nNo action required. Enterprise tier customers are not affected by this vulnerability.\n\n## Credit \n\nWe would like to thank [Devansh Batham](https://github.com/devanshbatham) for responsibly disclosing this vulnerability through our security reporting process.",
  "id": "GHSA-g699-3x6g-wm3g",
  "modified": "2026-03-20T21:21:27Z",
  "published": "2026-03-17T18:37:46Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/step-security/harden-runner/security/advisories/GHSA-g699-3x6g-wm3g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32946"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/step-security/harden-runner"
    },
    {
      "type": "WEB",
      "url": "https://github.com/step-security/harden-runner/releases/tag/v2.16.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Egress Policy Bypass via DNS over TCP in Harden-Runner (Community Tier)"
}

GHSA-G6G4-XJV3-4FXG

Vulnerability from github – Published: 2022-05-13 01:45 – Updated: 2025-04-20 03:38
VLAI
Details

VMware Workstation Pro/Player contains an insecure library loading vulnerability via ALSA sound driver configuration files. Successful exploitation of this issue may allow unprivileged host users to escalate their privileges to root in a Linux host machine.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-4915"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-05-22T14:29:00Z",
    "severity": "HIGH"
  },
  "details": "VMware Workstation Pro/Player contains an insecure library loading vulnerability via ALSA sound driver configuration files. Successful exploitation of this issue may allow unprivileged host users to escalate their privileges to root in a Linux host machine.",
  "id": "GHSA-g6g4-xjv3-4fxg",
  "modified": "2025-04-20T03:38:03Z",
  "published": "2022-05-13T01:45:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-4915"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/42045"
    },
    {
      "type": "WEB",
      "url": "https://www.vmware.com/security/advisories/VMSA-2017-0009.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/98566"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1038525"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G6HF-3766-F3GV

Vulnerability from github – Published: 2025-05-21 18:33 – Updated: 2025-05-21 18:33
VLAI
Details

A vulnerability in an API subsystem of Cisco Secure Network Analytics Manager and Cisco Secure Network Analytics Virtual Manager could allow an authenticated, remote attacker with low privileges to generate fraudulent findings that are used to generate alarms and alerts on an affected product.

Thi vulnerability is due to insufficient authorization enforcement on a specific API. An attacker could exploit this vulnerability by authenticating as a low-privileged user and performing API calls with crafted input. A successful exploit could allow the attacker to obfuscate legitimate findings in analytics reports or create false indications with alarms and alerts on an affected device.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-20257"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-21T17:15:57Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in an API subsystem of Cisco Secure Network Analytics Manager and Cisco Secure Network Analytics Virtual Manager could allow an authenticated, remote attacker with low privileges to generate fraudulent findings that are used to generate alarms and alerts on an affected product.\n\nThi vulnerability is due to insufficient authorization enforcement on a specific API. An attacker could exploit this vulnerability by authenticating as a low-privileged user and performing API calls with crafted input. A successful exploit could allow the attacker to obfuscate legitimate findings in analytics reports or create false indications with alarms and alerts on an affected device.",
  "id": "GHSA-g6hf-3766-f3gv",
  "modified": "2025-05-21T18:33:31Z",
  "published": "2025-05-21T18:33:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20257"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sna-apiacv-4B6X5ysw"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G6PJ-GC3G-PF4Q

Vulnerability from github – Published: 2022-05-24 17:45 – Updated: 2025-10-22 00:32
VLAI
Details

An improper access control vulnerability in sec_log file prior to SMR MAR-2021 Release 1 exposes sensitive kernel information to userspace.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-25369"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-03-26T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An improper access control vulnerability in sec_log file prior to SMR MAR-2021 Release 1 exposes sensitive kernel information to userspace.",
  "id": "GHSA-g6pj-gc3g-pf4q",
  "modified": "2025-10-22T00:32:05Z",
  "published": "2022-05-24T17:45:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25369"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com/securityUpdate.smsb"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-25369"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G6W6-R76C-28J7

Vulnerability from github – Published: 2022-02-08 17:23 – Updated: 2023-08-08 20:44
VLAI
Summary
Incorrect Authorization in NATS nats-server
Details

(This advisory is canonically https://advisories.nats.io/CVE/CVE-2022-24450.txt)

Problem Description

NATS nats-server through 2022-02-04 has Incorrect Access Control, with unchecked ability for clients to authorize into any account, because of a coding error in a long-extant experimental feature.

A client crafting the initial protocol-level handshake could, with valid credentials for any account, specify a target account and switch into it immediately. This includes any other tenant, and includes the System account which controls nats-server core operations.

For deployments not using multi-tenancy through NATS Accounts, there is still a vulnerability: normal users are able to choose to be in the System account.

An experimental feature to provide dynamically provisioned sandbox accounts was designed to allow a server administrator to turn on an option to allow clients to dynamically request a brand new account inline at connection time. This feature went nowhere, but lived on in the code and was used by a number of tests; support was never added to any client libraries or to the documentation.

A bug in handling the feature meant that if someone did in fact have valid account credentials, then they could specify any other existing account and they would be assigned into that account.

Release 2.7.2 of nats-server removes the feature. Because of the lack of client support and absence from protocol documentation, we feel this is safe operationally as well as the safest fix for the code.

Affected versions

NATS Server

  • All 2.x versions up to and including 2.7.1.
  • Fixed with nats-io/nats-server: 2.7.2
  • NATS Server 1.x did not have accounts.
  • Docker image: nats https://hub.docker.com/_/nats

NATS Streaming Server

  • All versions embedding affected NATS Server:
  • Affected: v0.15.0 up to and including v0.24.0
  • Fixed with nats-io/nats-streaming-server: 0.24.1
  • Docker image: nats-streaming https://hub.docker.com/_/nats-streaming

Impact

Existing users could act in any account, including the System account.

Workaround

None.

Solution

Upgrade the NATS server.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/nats-io/nats-server/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.7.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/nats-io/nats-streaming-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.15.0"
            },
            {
              "fixed": "0.24.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-24450"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-02-08T17:23:16Z",
    "nvd_published_at": "2022-02-08T02:15:00Z",
    "severity": "HIGH"
  },
  "details": "(This advisory is canonically \u003chttps://advisories.nats.io/CVE/CVE-2022-24450.txt\u003e)\n\n## Problem Description\n\nNATS nats-server through 2022-02-04 has Incorrect Access Control, with unchecked ability for clients to authorize into any account, because of a coding error in a long-extant experimental feature.\n\nA client crafting the initial protocol-level handshake could, with valid credentials for any account, specify a target account and switch into it immediately.  This includes any other tenant, and includes the System account which controls nats-server core operations.\n\nFor deployments not using multi-tenancy through NATS Accounts, there is still a vulnerability: normal users are able to choose to be in the System account.\n\nAn experimental feature to provide dynamically provisioned sandbox accounts was designed to allow a server administrator to turn on an option to allow clients to dynamically request a brand new account inline at connection time.  This feature went nowhere, but lived on in the code and was used by a number of tests; support was never added to any client libraries or to the documentation.\n\nA bug in handling the feature meant that if someone did in fact have valid account credentials, then they could specify any other existing account and they would be assigned into that account.\n\nRelease 2.7.2 of nats-server removes the feature.\nBecause of the lack of client support and absence from protocol documentation, we feel this is safe operationally as well as the safest fix for the code.\n\n\n## Affected versions\n\n#### NATS Server\n * All 2.x versions up to and including 2.7.1.\n * Fixed with nats-io/nats-server: 2.7.2\n * NATS Server 1.x did not have accounts.\n * Docker image:  nats \u003chttps://hub.docker.com/_/nats\u003e\n\n#### NATS Streaming Server\n * All versions embedding affected NATS Server:\n   + Affected: v0.15.0 up to and including v0.24.0\n   + Fixed with nats-io/nats-streaming-server: 0.24.1\n * Docker image:  nats-streaming \u003chttps://hub.docker.com/_/nats-streaming\u003e\n\n\n## Impact\n\nExisting users could act in any account, including the System account.\n\n## Workaround\n\nNone.\n\n## Solution\n\nUpgrade the NATS server.",
  "id": "GHSA-g6w6-r76c-28j7",
  "modified": "2023-08-08T20:44:45Z",
  "published": "2022-02-08T17:23:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-g6w6-r76c-28j7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24450"
    },
    {
      "type": "WEB",
      "url": "https://advisories.nats.io/CVE/CVE-2022-24450.txt"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nats-io/nats-server"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nats-io/nats-server/releases/tag/v2.7.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Incorrect Authorization in NATS nats-server"
}

GHSA-G73J-H828-GG82

Vulnerability from github – Published: 2022-05-24 17:29 – Updated: 2022-05-24 17:29
VLAI
Details

bhyve, as used in FreeBSD through 12.1 and illumos (e.g., OmniOS CE through r151034 and OpenIndiana through Hipster 2020.04), does not properly restrict VMCS and VMCB read/write operations, as demonstrated by a root user in a container on an Intel system, who can gain privileges by modifying VMCS_HOST_RIP.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-24718"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-09-25T04:23:00Z",
    "severity": "HIGH"
  },
  "details": "bhyve, as used in FreeBSD through 12.1 and illumos (e.g., OmniOS CE through r151034 and OpenIndiana through Hipster 2020.04), does not properly restrict VMCS and VMCB read/write operations, as demonstrated by a root user in a container on an Intel system, who can gain privileges by modifying VMCS_HOST_RIP.",
  "id": "GHSA-g73j-h828-gg82",
  "modified": "2022-05-24T17:29:35Z",
  "published": "2022-05-24T17:29:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24718"
    },
    {
      "type": "WEB",
      "url": "https://github.com/illumos/illumos-gate/blob/84971882a96ac0fecd538b02208054a872ff8af3/usr/src/uts/i86pc/io/vmm/intel/vmcs.c#L246-L249"
    },
    {
      "type": "WEB",
      "url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:28.bhyve_vmcs.asc"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20201016-0002"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-G73P-MJXC-VHHV

Vulnerability from github – Published: 2022-05-24 17:22 – Updated: 2022-05-24 17:22
VLAI
Details

TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) contains an improper access control vulnerability, which may which may allow a remote attacker tobypass access restriction and stop the network functions of the products or execute a malicious program via a specially crafted packet.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-5598"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-07-07T09:15:00Z",
    "severity": "MODERATE"
  },
  "details": "TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) contains an improper access control vulnerability, which may which may allow a remote attacker tobypass access restriction and stop the network functions of the products or execute a malicious program via a specially crafted packet.",
  "id": "GHSA-g73p-mjxc-vhhv",
  "modified": "2022-05-24T17:22:34Z",
  "published": "2022-05-24T17:22:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5598"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/vu/JVNVU95413676/index.html"
    },
    {
      "type": "WEB",
      "url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-005_en.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

No CAPEC attack patterns related to this CWE.