Common Weakness Enumeration

CWE-863

Allowed-with-Review

Incorrect Authorization

Abstraction: Class · Status: Incomplete

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

5491 vulnerabilities reference this CWE, most recent first.

GHSA-H8RM-272H-GC9P

Vulnerability from github – Published: 2023-10-18 00:31 – Updated: 2025-11-04 00:30
VLAI
Details

Vulnerability in Oracle Java SE (component: CORBA). Supported versions that are affected are Oracle Java SE: 8u381 and 8u381-perf. Easily exploitable vulnerability allows unauthenticated attacker with network access via CORBA to compromise Oracle Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-22067"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-17T22:15:12Z",
    "severity": "MODERATE"
  },
  "details": "Vulnerability in Oracle Java SE (component: CORBA).  Supported versions that are affected are Oracle Java SE: 8u381 and  8u381-perf. Easily exploitable vulnerability allows unauthenticated attacker with network access via CORBA to compromise Oracle Java SE.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.1 Base Score 5.3 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).",
  "id": "GHSA-h8rm-272h-gc9p",
  "modified": "2025-11-04T00:30:40Z",
  "published": "2023-10-18T00:31:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22067"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20231027-0006"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20241108-0002"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2023/dsa-5537"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuoct2023.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H8VQ-8GPG-MHCG

Vulnerability from github – Published: 2026-06-30 18:43 – Updated: 2026-06-30 18:43
VLAI
Summary
Twig: Sandbox property allowlist bypass via the `column` filter under `SourcePolicyInterface`
Details

Description

This is a residual bypass of CVE-2026-46635 / GHSA-vcc8-phrv-43wj that only affects sandboxing enabled through SourcePolicyInterface (and not the regular global sandbox mode).

CoreExtension::column() receives the active sandbox state via the needs_is_sandboxed channel as a boolean $isSandboxed, but then routes the per-element property reads through SandboxExtension::checkPropertyAllowed() without forwarding the current Source. SandboxExtension::checkPropertyAllowed() re-evaluates isSandboxed($source) internally; with $source = null the SourcePolicyInterface-driven decision is lost, the method short-circuits to "not sandboxed", and the property allowlist is never consulted.

A template author whose sandbox is gated by a SourcePolicyInterface and who has column on their allowedFilters list can therefore read any public or magic property of any object reachable in the render context, regardless of SecurityPolicy::$allowedProperties. Direct attribute access to the same property is blocked, and the same payload is also blocked under global sandbox mode, which makes this a clear policy enforcement gap rather than a configuration issue.

Resolution

CoreExtension::column() no longer goes through the SandboxExtension wrapper for the property check. It calls the security policy directly: the per-source decision is already captured by the $isSandboxed boolean computed at the call site, so the property allowlist is enforced consistently for both global and source-policy sandboxing.

Credits

Twig would like to thank Vincent55 Yang for reporting the issue and Fabien Potencier for providing the fix.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.26.0"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "twig/twig"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.27.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-48808"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-693",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-30T18:43:45Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Description\n\nThis is a residual bypass of CVE-2026-46635 / GHSA-vcc8-phrv-43wj that only affects sandboxing enabled through `SourcePolicyInterface` (and not the regular global sandbox mode).\n\n`CoreExtension::column()` receives the active sandbox state via the `needs_is_sandboxed` channel as a boolean `$isSandboxed`, but then routes the per-element property reads through `SandboxExtension::checkPropertyAllowed()` without forwarding the current `Source`. `SandboxExtension::checkPropertyAllowed()` re-evaluates `isSandboxed($source)` internally; with `$source = null` the `SourcePolicyInterface`-driven decision is lost, the method short-circuits to \"not sandboxed\", and the property allowlist is never consulted.\n\nA template author whose sandbox is gated by a `SourcePolicyInterface` and who has `column` on their `allowedFilters` list can therefore read any public or magic property of any object reachable in the render context, regardless of `SecurityPolicy::$allowedProperties`. Direct attribute access to the same property is blocked, and the same payload is also blocked under global sandbox mode, which makes this a clear policy enforcement gap rather than a configuration issue.\n\n### Resolution\n\n`CoreExtension::column()` no longer goes through the `SandboxExtension` wrapper for the property check. It calls the security policy directly: the per-source decision is already captured by the `$isSandboxed` boolean computed at the call site, so the property allowlist is enforced consistently for both global and source-policy sandboxing.\n\n### Credits\n\nTwig would like to thank Vincent55 Yang for reporting the issue and Fabien Potencier for providing the fix.",
  "id": "GHSA-h8vq-8gpg-mhcg",
  "modified": "2026-06-30T18:43:45Z",
  "published": "2026-06-30T18:43:45Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/twigphp/Twig/security/advisories/GHSA-h8vq-8gpg-mhcg"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2026-48808.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/twigphp/Twig"
    },
    {
      "type": "WEB",
      "url": "https://github.com/twigphp/Twig/releases/tag/v3.27.0"
    },
    {
      "type": "WEB",
      "url": "https://symfony.com/blog/cve-2026-48808-sandbox-property-allowlist-bypass-via-the-column-filter-under-sourcepolicyinterface"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Twig: Sandbox property allowlist bypass via the `column` filter under `SourcePolicyInterface`"
}

GHSA-H8WC-8HMG-PCC9

Vulnerability from github – Published: 2026-06-11 12:32 – Updated: 2026-06-11 12:32
VLAI
Details

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.0 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user to access confidential issue details due to incorrect authorization checks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-3553"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-11T12:16:31Z",
    "severity": "LOW"
  },
  "details": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.0 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user to access confidential issue details due to incorrect authorization checks.",
  "id": "GHSA-h8wc-8hmg-pcc9",
  "modified": "2026-06-11T12:32:45Z",
  "published": "2026-06-11T12:32:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3553"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/3578216"
    },
    {
      "type": "WEB",
      "url": "https://about.gitlab.com/releases/2026/06/10/patch-release-gitlab-19-0-2-released"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/592295"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H8WH-F7GW-FWPR

Vulnerability from github – Published: 2023-09-29 12:30 – Updated: 2023-10-03 21:25
VLAI
Summary
Mattermost Incorrect Authorization vulnerability
Details

Mattermost fails to properly check permissions when retrieving a post allowing for a System Role with the permission to manage channels to read the posts of a DM conversation.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost/server/v8"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.1.0"
            },
            {
              "fixed": "8.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "8.1.0"
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost/server/v8"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost-server/v6"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.8.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-5193"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-09-29T20:37:29Z",
    "nvd_published_at": "2023-09-29T10:15:10Z",
    "severity": "LOW"
  },
  "details": "Mattermost fails to properly check permissions when retrieving a post allowing for\u00a0a System Role with the permission to manage channels to read the posts of a DM conversation.\n\n",
  "id": "GHSA-h8wh-f7gw-fwpr",
  "modified": "2023-10-03T21:25:26Z",
  "published": "2023-09-29T12:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5193"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mattermost/mattermost"
    },
    {
      "type": "WEB",
      "url": "https://mattermost.com/security-updates"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Mattermost Incorrect Authorization vulnerability"
}

GHSA-H94G-97QR-74VM

Vulnerability from github – Published: 2023-12-05 00:31 – Updated: 2024-08-01 15:31
VLAI
Details

A client side rate limit issue discovered in Connectize AC21000 G6 641.139.1.1256 allows attackers to gain escalated privileges via brute force style attacks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-24051"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-04T23:15:23Z",
    "severity": "CRITICAL"
  },
  "details": "A client side rate limit issue discovered in Connectize AC21000 G6 641.139.1.1256 allows attackers to gain escalated privileges via brute force style attacks.",
  "id": "GHSA-h94g-97qr-74vm",
  "modified": "2024-08-01T15:31:25Z",
  "published": "2023-12-05T00:31:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24051"
    },
    {
      "type": "WEB",
      "url": "https://research.nccgroup.com/2023/10/19/technical-advisory-multiple-vulnerabilities-in-connectize-g6-ac2100-dual-band-gigabit-wifi-router-cve-2023-24046-cve-2023-24047-cve-2023-24048-cve-2023-24049-cve-2023-24050-cve-2023-24051-cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H963-MPC3-J9G4

Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2022-05-24 19:12
VLAI
Details

Due to improper handling of OAuth client IDs, new subscriptions generated OAuth tokens on an incorrect OAuth client application. This vulnerability is present in GitLab CE/EE since version 14.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-22236"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-25T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "Due to improper handling of OAuth client IDs, new subscriptions generated OAuth tokens on an incorrect OAuth client application. This vulnerability is present in GitLab CE/EE since version 14.1.",
  "id": "GHSA-h963-mpc3-j9g4",
  "modified": "2022-05-24T19:12:11Z",
  "published": "2022-05-24T19:12:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22236"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22236.json"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/334925"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-H97F-5258-5593

Vulnerability from github – Published: 2021-09-01 18:32 – Updated: 2023-09-05 23:13
VLAI
Summary
Incorrect Authorization in serverless-offline
Details

Serverless Offline 8.0.0 returns a 403 HTTP status code for a route that has a trailing / character, which might cause a developer to implement incorrect access control, because the actual behavior within the Amazon AWS environment is a 200 HTTP status code (i.e., possibly greater than expected permissions).

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "serverless-offline"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "8.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-38384"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-30T20:31:00Z",
    "nvd_published_at": "2021-08-10T18:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Serverless Offline 8.0.0 returns a 403 HTTP status code for a route that has a trailing `/` character, which might cause a developer to implement incorrect access control, because the actual behavior within the Amazon AWS environment is a 200 HTTP status code (i.e., possibly greater than expected permissions).",
  "id": "GHSA-h97f-5258-5593",
  "modified": "2023-09-05T23:13:23Z",
  "published": "2021-09-01T18:32:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38384"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dherault/serverless-offline/issues/1259"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dherault/serverless-offline"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Incorrect Authorization in serverless-offline"
}

GHSA-H97W-PM3W-MWMC

Vulnerability from github – Published: 2026-04-18 09:30 – Updated: 2026-04-22 17:25
VLAI
Summary
Apache Airflow allows users with asset materialize permissions to trigger DAGs outside of their permissions
Details

UI / API User with asset materialize permission could trigger dags they had no access to. Users are advised to migrate to Airflow version 3.2.0 that fixes the issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "apache-airflow-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32228"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-22T17:25:30Z",
    "nvd_published_at": "2026-04-18T07:16:10Z",
    "severity": "HIGH"
  },
  "details": "UI / API User with asset materialize permission could trigger dags they had no access to. Users are advised to migrate to Airflow version 3.2.0 that fixes the issue.",
  "id": "GHSA-h97w-pm3w-mwmc",
  "modified": "2026-04-22T17:25:30Z",
  "published": "2026-04-18T09:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32228"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/airflow/pull/63338"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/airflow"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/s7c75txgt4qf2rofcn43szfwgcrzy0nj"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/04/17/8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache Airflow allows users with asset materialize permissions to trigger DAGs outside of their permissions"
}

GHSA-H9FC-695X-FC5X

Vulnerability from github – Published: 2023-07-17 18:31 – Updated: 2024-04-04 06:10
VLAI
Details

Mattermost fails to delete card attachments in Boards, allowing an attacker to access deleted attachments.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-3590"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-17T16:15:10Z",
    "severity": "HIGH"
  },
  "details": "Mattermost\u00a0fails to delete card attachments in Boards, allowing an attacker to access deleted attachments.\n\n",
  "id": "GHSA-h9fc-695x-fc5x",
  "modified": "2024-04-04T06:10:54Z",
  "published": "2023-07-17T18:31:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3590"
    },
    {
      "type": "WEB",
      "url": "https://mattermost.com/security-updates"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H9FM-VG9Q-642C

Vulnerability from github – Published: 2022-12-28 00:30 – Updated: 2023-01-05 06:30
VLAI
Details

https://www.hillstonenet.com.cn/ Hillstone Firewall SG-6000 <= 5.0.4.0 is vulnerable to Incorrect Access Control. There is a permission bypass vulnerability in the Hillstone WEB application firewall. An attacker can enter the background of the firewall with super administrator privileges through a configuration error in report.m.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-45778"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-27T22:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "https://www.hillstonenet.com.cn/ Hillstone Firewall SG-6000 \u003c= 5.0.4.0 is vulnerable to Incorrect Access Control. There is a permission bypass vulnerability in the Hillstone WEB application firewall. An attacker can enter the background of the firewall with super administrator privileges through a configuration error in report.m.",
  "id": "GHSA-h9fm-vg9q-642c",
  "modified": "2023-01-05T06:30:23Z",
  "published": "2022-12-28T00:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45778"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/yinfei6/6ffff06db3f7d4c24de2f784c0db10df"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

No CAPEC attack patterns related to this CWE.