CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5504 vulnerabilities reference this CWE, most recent first.
GHSA-GHHM-XRWP-75M9
Vulnerability from github – Published: 2022-01-08 00:34 – Updated: 2022-01-07 22:38bookstack is vulnerable to Improper Access Control
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "ssddanbrown/bookstack"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "21.12.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-4194"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-668",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2022-01-07T22:38:34Z",
"nvd_published_at": "2022-01-06T18:15:00Z",
"severity": "MODERATE"
},
"details": "bookstack is vulnerable to Improper Access Control",
"id": "GHSA-ghhm-xrwp-75m9",
"modified": "2022-01-07T22:38:34Z",
"published": "2022-01-08T00:34:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4194"
},
{
"type": "WEB",
"url": "https://github.com/bookstackapp/bookstack/commit/cb0d674a71449de883713db2fcdccb6e108992ad"
},
{
"type": "PACKAGE",
"url": "https://github.com/bookstackapp/bookstack"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/0bc8b3f7-9057-4eb7-a989-24cd5689f114"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "bookstack is vulnerable to Improper Access Control"
}
GHSA-GHM8-MMX7-XVG2
Vulnerability from github – Published: 2022-03-18 17:53 – Updated: 2022-03-18 17:53Information Exposure vulnerability in context asset handling of Apache Tapestry allows an attacker to download files inside WEB-INF if using a specially-constructed URL. This was caused by an incomplete fix for CVE-2020-13953. This issue affects Apache Tapestry Apache Tapestry 5.4.0 version to Apache Tapestry 5.6.3; Apache Tapestry 5.7.0 version and Apache Tapestry 5.7.1.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tapestry:tapestry-core"
},
"ranges": [
{
"events": [
{
"introduced": "5.4.0"
},
{
"fixed": "5.6.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tapestry:tapestry-core"
},
"ranges": [
{
"events": [
{
"introduced": "5.7.0"
},
{
"fixed": "5.7.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-30638"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-20T22:06:22Z",
"nvd_published_at": "2021-04-27T19:15:00Z",
"severity": "HIGH"
},
"details": "Information Exposure vulnerability in context asset handling of Apache Tapestry allows an attacker to download files inside WEB-INF if using a specially-constructed URL. This was caused by an incomplete fix for CVE-2020-13953. This issue affects Apache Tapestry Apache Tapestry 5.4.0 version to Apache Tapestry 5.6.3; Apache Tapestry 5.7.0 version and Apache Tapestry 5.7.1.",
"id": "GHSA-ghm8-mmx7-xvg2",
"modified": "2022-03-18T17:53:58Z",
"published": "2022-03-18T17:53:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30638"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r37dab61fc7f7088d4311e7f995ef4117d58d86a675f0256caa6991eb%40%3Cusers.tapestry.apache.org%3E"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20210528-0004"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-491"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/04/27/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Information Exposure in Apache Tapestry"
}
GHSA-GHPP-72V8-MPMV
Vulnerability from github – Published: 2022-05-13 01:14 – Updated: 2022-05-13 01:14To provide fine-grained controls over the ability to use Dynamic DNS (DDNS) to update records in a zone, BIND 9 provides a feature called update-policy. Various rules can be configured to limit the types of updates that can be performed by a client, depending on the key used when sending the update request. Unfortunately, some rule types were not initially documented, and when documentation for them was added to the Administrator Reference Manual (ARM) in change #3112, the language that was added to the ARM at that time incorrectly described the behavior of two rule types, krb5-subdomain and ms-subdomain. This incorrect documentation could mislead operators into believing that policies they had configured were more restrictive than they actually were. This affects BIND versions prior to BIND 9.11.5 and BIND 9.12.3.
{
"affected": [],
"aliases": [
"CVE-2018-5741"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-01-16T20:29:00Z",
"severity": "MODERATE"
},
"details": "To provide fine-grained controls over the ability to use Dynamic DNS (DDNS) to update records in a zone, BIND 9 provides a feature called update-policy. Various rules can be configured to limit the types of updates that can be performed by a client, depending on the key used when sending the update request. Unfortunately, some rule types were not initially documented, and when documentation for them was added to the Administrator Reference Manual (ARM) in change #3112, the language that was added to the ARM at that time incorrectly described the behavior of two rule types, krb5-subdomain and ms-subdomain. This incorrect documentation could mislead operators into believing that policies they had configured were more restrictive than they actually were. This affects BIND versions prior to BIND 9.11.5 and BIND 9.12.3.",
"id": "GHSA-ghpp-72v8-mpmv",
"modified": "2022-05-13T01:14:26Z",
"published": "2022-05-13T01:14:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-5741"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2057"
},
{
"type": "WEB",
"url": "https://kb.isc.org/docs/cve-2018-5741"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201903-13"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20190830-0001"
},
{
"type": "WEB",
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbux03927en_us"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00041.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00044.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/105379"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1041674"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GHPR-6QHR-RPP8
Vulnerability from github – Published: 2025-02-11 18:31 – Updated: 2025-02-28 02:45Adobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Access Control vulnerability that could result in Privilege escalation. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.7-beta1"
},
{
"fixed": "2.4.7-p4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.6-p1"
},
{
"fixed": "2.4.6-p9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.5-p1"
},
{
"fixed": "2.4.5-p11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.4.4-p12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"versions": [
"2.4.7"
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"versions": [
"2.4.6"
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"versions": [
"2.4.5"
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"versions": [
"2.4.4"
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"versions": [
"2.4.8-beta1"
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/project-community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-24436"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2025-02-28T02:45:25Z",
"nvd_published_at": "2025-02-11T18:15:46Z",
"severity": "MODERATE"
},
"details": "Adobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Access Control vulnerability that could result in Privilege escalation. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction.",
"id": "GHSA-ghpr-6qhr-rpp8",
"modified": "2025-02-28T02:45:26Z",
"published": "2025-02-11T18:31:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24436"
},
{
"type": "PACKAGE",
"url": "https://github.com/magento/magento2"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/magento/apsb25-08.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Magento Improper Access Control vulnerability"
}
GHSA-GHRJ-RQCW-5XQP
Vulnerability from github – Published: 2023-12-15 18:30 – Updated: 2023-12-15 18:30An issue has been discovered in GitLab EE affecting all versions starting from 8.17 before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. It was possible for auditor users to fork and submit merge requests to private projects they're not a member of.
{
"affected": [],
"aliases": [
"CVE-2023-3511"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-15T16:15:43Z",
"severity": "LOW"
},
"details": "An issue has been discovered in GitLab EE affecting all versions starting from 8.17 before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. It was possible for auditor users to fork and submit merge requests to private projects they\u0027re not a member of.",
"id": "GHSA-ghrj-rqcw-5xqp",
"modified": "2023-12-15T18:30:28Z",
"published": "2023-12-15T18:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3511"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/2046752"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/416961"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GHRW-X6CV-MR95
Vulnerability from github – Published: 2023-09-27 15:30 – Updated: 2023-09-27 15:30Sensitive information disclosure and manipulation due to improper authorization. The following products are affected: Acronis Cyber Protect 15 (Linux, Windows) before build 35979.
{
"affected": [],
"aliases": [
"CVE-2023-44154"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-639",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-27T15:19:37Z",
"severity": "LOW"
},
"details": "Sensitive information disclosure and manipulation due to improper authorization. The following products are affected: Acronis Cyber Protect 15 (Linux, Windows) before build 35979.",
"id": "GHSA-ghrw-x6cv-mr95",
"modified": "2023-09-27T15:30:39Z",
"published": "2023-09-27T15:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44154"
},
{
"type": "WEB",
"url": "https://security-advisory.acronis.com/advisories/SEC-2436"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GHVX-5V39-7HV5
Vulnerability from github – Published: 2023-10-20 06:30 – Updated: 2025-05-02 21:30VMware Aria Operations for Logs contains an authentication bypass vulnerability. An unauthenticated, malicious actor can inject files into the operating system of an impacted appliance which can result in remote code execution.
{
"affected": [],
"aliases": [
"CVE-2023-34051"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-20T05:15:07Z",
"severity": "CRITICAL"
},
"details": "VMware Aria Operations for Logs contains an authentication bypass vulnerability.\u00a0An unauthenticated, malicious actor can inject files into the operating system of an impacted appliance which can result in remote code execution.",
"id": "GHSA-ghvx-5v39-7hv5",
"modified": "2025-05-02T21:30:41Z",
"published": "2023-10-20T06:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34051"
},
{
"type": "WEB",
"url": "https://www.vmware.com/security/advisories/VMSA-2023-0021.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GJ39-FCFM-V6W8
Vulnerability from github – Published: 2023-05-12 00:30 – Updated: 2024-04-04 04:02An improper authorization vulnerability exists in Rocket.Chat <6.0 that could allow a hacker to manipulate the rid parameter and change the updateMessage method that only checks whether the user is allowed to edit message in the target room.
{
"affected": [],
"aliases": [
"CVE-2023-28325"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-287",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-11T22:15:09Z",
"severity": "MODERATE"
},
"details": "An improper authorization vulnerability exists in Rocket.Chat \u003c6.0 that could allow a hacker to manipulate the rid parameter and change the updateMessage method that only checks whether the user is allowed to edit message in the target room.",
"id": "GHSA-gj39-fcfm-v6w8",
"modified": "2024-04-04T04:02:58Z",
"published": "2023-05-12T00:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28325"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/1406479"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GJ3Q-P8CM-26RM
Vulnerability from github – Published: 2022-05-24 17:10 – Updated: 2023-01-14 05:19Sandbox protection in Script Security Plugin 1.70 and earlier can be circumvented through:
- Crafted constructor calls and bodies (due to an incomplete fix of SECURITY-582)
- Crafted method calls on objects that implement GroovyInterceptable
This allows attackers able to specify and run sandboxed scripts to execute arbitrary code in the context of the Jenkins controller JVM.
Script Security Plugin 1.71 has additional restrictions and sanity checks to ensure that super constructors cannot be constructed without being intercepted by the sandbox. In addition, it also intercepts method calls on objects that implement GroovyInterceptable as calls to GroovyObject#invokeMethod(String, Object), which is on the list of dangerous signatures and should not be approved for use in the sandbox.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:script-security"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.7.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-2134"
],
"database_specific": {
"cwe_ids": [
"CWE-693",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-14T05:19:37Z",
"nvd_published_at": "2020-03-09T16:15:00Z",
"severity": "HIGH"
},
"details": "Sandbox protection in Script Security Plugin 1.70 and earlier can be circumvented through:\n- Crafted constructor calls and bodies (due to an incomplete fix of [SECURITY-582](https://www.jenkins.io/security/advisory/2017-08-07/#super-constructor-calls))\n- Crafted method calls on objects that implement `GroovyInterceptable`\n\nThis allows attackers able to specify and run sandboxed scripts to execute arbitrary code in the context of the Jenkins controller JVM.\n\nScript Security Plugin 1.71 has additional restrictions and sanity checks to ensure that super constructors cannot be constructed without being intercepted by the sandbox. In addition, it also intercepts method calls on objects that implement `GroovyInterceptable` as calls to `GroovyObject#invokeMethod(String, Object)`, which is on the list of dangerous signatures and should not be approved for use in the sandbox.",
"id": "GHSA-gj3q-p8cm-26rm",
"modified": "2023-01-14T05:19:37Z",
"published": "2022-05-24T17:10:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2134"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/script-security-plugin/commit/5b1969e0bdf5cde04a165b847144756b28495788"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/script-security-plugin"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2020-03-09/#SECURITY-1754"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/03/09/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Sandbox bypass vulnerability in Script Security Plugin"
}
GHSA-GJ4F-PC42-QXG8
Vulnerability from github – Published: 2025-06-03 06:31 – Updated: 2025-10-22 00:33Memory corruption due to unauthorized command execution in GPU micronode while executing specific sequence of commands.
{
"affected": [],
"aliases": [
"CVE-2025-21480"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-03T06:15:26Z",
"severity": "HIGH"
},
"details": "Memory corruption due to unauthorized command execution in GPU micronode while executing specific sequence of commands.",
"id": "GHSA-gj4f-pc42-qxg8",
"modified": "2025-10-22T00:33:19Z",
"published": "2025-06-03T06:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21480"
},
{
"type": "WEB",
"url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2025-bulletin.html"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-21480"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.