CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5503 vulnerabilities reference this CWE, most recent first.
GHSA-HVHQ-MCXW-W38R
Vulnerability from github – Published: 2024-09-03 12:30 – Updated: 2024-09-03 21:31This vulnerability exists due to improper access controls on APIs in the Authentication module of Symphony XTS Web Trading and Mobile Trading platforms (version 2.0.0.1_P160). An authenticated remote attacker could exploit this vulnerability by manipulating parameters through HTTP request which could lead to unauthorized account take over belonging to other users.
{
"affected": [],
"aliases": [
"CVE-2024-45586"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-03T10:15:06Z",
"severity": "HIGH"
},
"details": "This vulnerability exists due to improper access controls on APIs in the Authentication module of Symphony XTS Web Trading and Mobile Trading platforms (version 2.0.0.1_P160). An authenticated remote attacker could exploit this vulnerability by manipulating parameters through HTTP request which could lead to unauthorized account take over belonging to other users.",
"id": "GHSA-hvhq-mcxw-w38r",
"modified": "2024-09-03T21:31:12Z",
"published": "2024-09-03T12:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45586"
},
{
"type": "WEB",
"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0281"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-HVM4-MC7M-22W4
Vulnerability from github – Published: 2022-05-24 19:11 – Updated: 2024-10-03 21:25OpenStack Neutron before 16.4.1, 17.x before 17.1.3, and 18.0.0 allows hardware address impersonation when the linuxbridge driver with ebtables-nft is used on a Netfilter-based platform. By sending carefully crafted packets, anyone in control of a server instance connected to the virtual switch can impersonate the hardware addresses of other systems on the network, resulting in denial of service or in some cases possibly interception of traffic intended for other destinations.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "neutron"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "16.4.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "neutron"
},
"ranges": [
{
"events": [
{
"introduced": "17.0.0"
},
{
"fixed": "17.1.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "neutron"
},
"versions": [
"18.0.0"
]
}
],
"aliases": [
"CVE-2021-38598"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2024-02-23T21:31:08Z",
"nvd_published_at": "2021-08-23T05:15:00Z",
"severity": "HIGH"
},
"details": "OpenStack Neutron before 16.4.1, 17.x before 17.1.3, and 18.0.0 allows hardware address impersonation when the linuxbridge driver with ebtables-nft is used on a Netfilter-based platform. By sending carefully crafted packets, anyone in control of a server instance connected to the virtual switch can impersonate the hardware addresses of other systems on the network, resulting in denial of service or in some cases possibly interception of traffic intended for other destinations.",
"id": "GHSA-hvm4-mc7m-22w4",
"modified": "2024-10-03T21:25:51Z",
"published": "2022-05-24T19:11:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38598"
},
{
"type": "WEB",
"url": "https://github.com/openstack/neutron/commit/0a931391d8990f3e654b4bfda24ae4119c609bbf"
},
{
"type": "WEB",
"url": "https://github.com/openstack/neutron/commit/cc0d28a3e2ccfad6fc2ff24d78f009cbe3992575"
},
{
"type": "PACKAGE",
"url": "https://github.com/openstack/neutron"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/neutron/PYSEC-2021-360.yaml"
},
{
"type": "WEB",
"url": "https://launchpad.net/bugs/1938670"
},
{
"type": "WEB",
"url": "https://opendev.org/openstack/neutron/commit/fafa5dacd5057120562184a734e7345e7c0e9639"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenStack Neutron vulnerable to hardware address impersonation"
}
GHSA-HVM9-WC8J-MGRC
Vulnerability from github – Published: 2024-12-18 18:19 – Updated: 2024-12-18 18:19Impact
An issue with the way OTAPI manages client connections results in stale UUIDs remaining on RemoteClient instances after a player disconnects.
Because of this, if the following conditions are met a player may assume the login state of a previously connected player:
1. The server has UUID login enabled
2. An authenticated player disconnects
3. A subsequent player connects with a modified client that does not send the ClientUUID#68 packet during connection
4. The server assigns the same RemoteClient object that belonged to the originally authenticated player to the newly connected player
Patches
TShock 5.2.1 hotfixes this issue. A more robust fix will be made to OTAPI itself.
Workarounds
Implement a RemoteClient reset event handler in a plugin like so:
public override void Initialize()
{
On.Terraria.RemoteClient.Reset += RemoteClient_Reset;
}
private static void RemoteClient_Reset(On.Terraria.RemoteClient.orig_Reset orig, RemoteClient client)
{
client.ClientUUID = null;
orig(client);
}
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "TShock"
},
"ranges": [
{
"events": [
{
"introduced": "4.3.21"
},
{
"fixed": "5.2.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-305",
"CWE-613",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2024-12-18T18:19:12Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\nAn issue with the way OTAPI manages client connections results in stale UUIDs remaining on `RemoteClient` instances after a player disconnects.\n\nBecause of this, if the following conditions are met a player may assume the login state of a previously connected player:\n1. The server has UUID login enabled\n2. An authenticated player disconnects\n3. A subsequent player connects with a modified client that does not send the `ClientUUID#68` packet during connection\n4. The server assigns the same `RemoteClient` object that belonged to the originally authenticated player to the newly connected player\n\n\n### Patches\nTShock 5.2.1 hotfixes this issue. A more robust fix will be made to OTAPI itself.\n\n### Workarounds\nImplement a RemoteClient reset event handler in a plugin like so:\n```csharp\npublic override void Initialize()\n{\n On.Terraria.RemoteClient.Reset += RemoteClient_Reset;\n}\n\nprivate static void RemoteClient_Reset(On.Terraria.RemoteClient.orig_Reset orig, RemoteClient client)\n{\n\tclient.ClientUUID = null;\n orig(client);\n}\n```\n\n",
"id": "GHSA-hvm9-wc8j-mgrc",
"modified": "2024-12-18T18:19:12Z",
"published": "2024-12-18T18:19:12Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Pryaxis/TShock/security/advisories/GHSA-hvm9-wc8j-mgrc"
},
{
"type": "WEB",
"url": "https://github.com/Pryaxis/TShock/commit/5075997264b48e27960e3446a948ecb0ea0f5a03"
},
{
"type": "PACKAGE",
"url": "https://github.com/Pryaxis/TShock"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:H/SA:H",
"type": "CVSS_V4"
}
],
"summary": "TShock Security Escalation Exploit"
}
GHSA-HVMP-W9JW-P62G
Vulnerability from github – Published: 2024-10-15 21:30 – Updated: 2024-10-15 21:30Vulnerability in the Oracle Work in Process product of Oracle E-Business Suite (component: Messages). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Work in Process. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Work in Process accessible data as well as unauthorized access to critical data or complete access to all Oracle Work in Process accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
{
"affected": [],
"aliases": [
"CVE-2024-21276"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-15T20:15:19Z",
"severity": "HIGH"
},
"details": "Vulnerability in the Oracle Work in Process product of Oracle E-Business Suite (component: Messages). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Work in Process. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Work in Process accessible data as well as unauthorized access to critical data or complete access to all Oracle Work in Process accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).",
"id": "GHSA-hvmp-w9jw-p62g",
"modified": "2024-10-15T21:30:39Z",
"published": "2024-10-15T21:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21276"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2024.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HVPC-5783-4997
Vulnerability from github – Published: 2023-04-25 21:30 – Updated: 2023-04-25 21:30Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier allows authenticated attackers to subscribe to receive future notifications and comments related to arbitrary business records in the system, via crafted RPC requests.
{
"affected": [],
"aliases": [
"CVE-2021-44465"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-25T19:15:09Z",
"severity": "MODERATE"
},
"details": "Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier allows authenticated attackers to subscribe to receive future notifications and comments related to arbitrary business records in the system, via crafted RPC requests.",
"id": "GHSA-hvpc-5783-4997",
"modified": "2023-04-25T21:30:28Z",
"published": "2023-04-25T21:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44465"
},
{
"type": "WEB",
"url": "https://github.com/odoo/odoo/issues/107692"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HVRG-R7JP-HJ5P
Vulnerability from github – Published: 2026-01-07 12:31 – Updated: 2026-04-08 18:34The Awesome Hotel Booking plugin for WordPress is vulnerable to unauthorized modification of data due to incorrect authorization in the room-single.php shortcode handler in all versions up to, and including, 1.0. This is due to the plugin relying solely on nonce verification without capability checks. This makes it possible for unauthenticated attackers to modify arbitrary booking records by obtaining a nonce from the public booking form.
{
"affected": [],
"aliases": [
"CVE-2025-14352"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-07T12:16:54Z",
"severity": "MODERATE"
},
"details": "The Awesome Hotel Booking plugin for WordPress is vulnerable to unauthorized modification of data due to incorrect authorization in the room-single.php shortcode handler in all versions up to, and including, 1.0. This is due to the plugin relying solely on nonce verification without capability checks. This makes it possible for unauthenticated attackers to modify arbitrary booking records by obtaining a nonce from the public booking form.",
"id": "GHSA-hvrg-r7jp-hj5p",
"modified": "2026-04-08T18:34:02Z",
"published": "2026-01-07T12:31:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14352"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/awesome-hotel-booking/tags/1.0/admin/admin-shortcodes/inc/room-single.php#L67"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/awesome-hotel-booking/trunk/admin/admin-shortcodes/inc/room-single.php#L67"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3436372%40awesome-hotel-booking\u0026new=3436372%40awesome-hotel-booking"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4fe0a08e-eee2-4d48-bb38-dd58bff79118?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HVVR-3HP7-3WJ6
Vulnerability from github – Published: 2022-05-13 01:21 – Updated: 2022-05-13 01:21An elevation of privilege vulnerability exists when Microsoft Edge does not properly enforce cross-domain policies, which could allow an attacker to access information from one domain and inject it into another domain.In a web-based attack scenario, an attacker could host a website that is used to attempt to exploit the vulnerability, aka 'Microsoft Edge Elevation of Privilege Vulnerability'.
{
"affected": [],
"aliases": [
"CVE-2019-0678"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-04-09T00:29:00Z",
"severity": "MODERATE"
},
"details": "An elevation of privilege vulnerability exists when Microsoft Edge does not properly enforce cross-domain policies, which could allow an attacker to access information from one domain and inject it into another domain.In a web-based attack scenario, an attacker could host a website that is used to attempt to exploit the vulnerability, aka \u0027Microsoft Edge Elevation of Privilege Vulnerability\u0027.",
"id": "GHSA-hvvr-3hp7-3wj6",
"modified": "2022-05-13T01:21:29Z",
"published": "2022-05-13T01:21:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0678"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0678"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HVW5-4G4Q-2H8P
Vulnerability from github – Published: 2025-02-10 21:31 – Updated: 2026-04-02 21:32An authorization issue was addressed with improved state management. This issue is fixed in iPadOS 17.7.5, iOS 18.3.1 and iPadOS 18.3.1. A physical attack may disable USB Restricted Mode on a locked device. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.
{
"affected": [],
"aliases": [
"CVE-2025-24200"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-10T19:15:40Z",
"severity": "HIGH"
},
"details": "An authorization issue was addressed with improved state management. This issue is fixed in iPadOS 17.7.5, iOS 18.3.1 and iPadOS 18.3.1. A physical attack may disable USB Restricted Mode on a locked device. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.",
"id": "GHSA-hvw5-4g4q-2h8p",
"modified": "2026-04-02T21:32:11Z",
"published": "2025-02-10T21:31:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24200"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122173"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122174"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122345"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122346"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-24200"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Apr/7"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Feb/7"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Feb/8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HW3H-GC2R-WHP8
Vulnerability from github – Published: 2024-01-16 18:31 – Updated: 2025-06-11 18:35The WooCommerce WordPress plugin before 6.2.1 does not have proper authorisation check when deleting reviews, which could allow any authenticated users, such as subscriber to delete arbitrary comment
{
"affected": [],
"aliases": [
"CVE-2022-0775"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-16T16:15:09Z",
"severity": "MODERATE"
},
"details": "The WooCommerce WordPress plugin before 6.2.1 does not have proper authorisation check when deleting reviews, which could allow any authenticated users, such as subscriber to delete arbitrary comment",
"id": "GHSA-hw3h-gc2r-whp8",
"modified": "2025-06-11T18:35:37Z",
"published": "2024-01-16T18:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0775"
},
{
"type": "WEB",
"url": "https://developer.woocommerce.com/2022/02/22/woocommerce-6-2-1-security-fix"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/2683324"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/b76dbf37-a0a2-48cf-bd85-3ebbc2f394dd"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HW5F-6WVV-XCRH
Vulnerability from github – Published: 2024-06-20 16:11 – Updated: 2024-06-20 19:16Impact
SFTPGo WebAdmin and WebClient support password reset. This feature is disabled in the default configuration. In SFTPGo versions prior to v2.6.1, if the feature is enabled, even users with access restrictions (e.g. expired) can reset their password and log in.
Patches
Fixed in v2.6.1.
Workarounds
The following workarounds are available:
- keep the password reset feature disabled.
- Set a blank email address for users and admins with access restrictions so they cannot receive the email with the reset code and exploit the vulnerability.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/drakkan/sftpgo/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.6.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-37897"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2024-06-20T16:11:48Z",
"nvd_published_at": "2024-06-20T18:15:13Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nSFTPGo WebAdmin and WebClient support password reset. This feature is disabled in the default configuration.\nIn SFTPGo versions prior to v2.6.1, if the feature is enabled, even users with access restrictions (e.g. expired) can reset their password and log in.\n\n### Patches\n\nFixed in v2.6.1.\n\n### Workarounds\n\nThe following workarounds are available:\n\n- keep the password reset feature disabled.\n- Set a blank email address for users and admins with access restrictions so they cannot receive the email with the reset code and exploit the vulnerability.\n\n",
"id": "GHSA-hw5f-6wvv-xcrh",
"modified": "2024-06-20T19:16:28Z",
"published": "2024-06-20T16:11:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/drakkan/sftpgo/security/advisories/GHSA-hw5f-6wvv-xcrh"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37897"
},
{
"type": "WEB",
"url": "https://github.com/drakkan/sftpgo/commit/1f8ac8bfe16100b0484d6c91e1e8361687324423"
},
{
"type": "WEB",
"url": "https://github.com/drakkan/sftpgo/commit/3462bba3f41cbc75486474991b9e3ac1b5f1e583"
},
{
"type": "PACKAGE",
"url": "https://github.com/drakkan/sftpgo"
},
{
"type": "WEB",
"url": "https://github.com/drakkan/sftpgo/releases/tag/v2.6.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "SFTPGo has insufficient access control for password reset"
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.