CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5504 vulnerabilities reference this CWE, most recent first.
GHSA-HW5F-6WVV-XCRH
Vulnerability from github – Published: 2024-06-20 16:11 – Updated: 2024-06-20 19:16Impact
SFTPGo WebAdmin and WebClient support password reset. This feature is disabled in the default configuration. In SFTPGo versions prior to v2.6.1, if the feature is enabled, even users with access restrictions (e.g. expired) can reset their password and log in.
Patches
Fixed in v2.6.1.
Workarounds
The following workarounds are available:
- keep the password reset feature disabled.
- Set a blank email address for users and admins with access restrictions so they cannot receive the email with the reset code and exploit the vulnerability.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/drakkan/sftpgo/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.6.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-37897"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2024-06-20T16:11:48Z",
"nvd_published_at": "2024-06-20T18:15:13Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nSFTPGo WebAdmin and WebClient support password reset. This feature is disabled in the default configuration.\nIn SFTPGo versions prior to v2.6.1, if the feature is enabled, even users with access restrictions (e.g. expired) can reset their password and log in.\n\n### Patches\n\nFixed in v2.6.1.\n\n### Workarounds\n\nThe following workarounds are available:\n\n- keep the password reset feature disabled.\n- Set a blank email address for users and admins with access restrictions so they cannot receive the email with the reset code and exploit the vulnerability.\n\n",
"id": "GHSA-hw5f-6wvv-xcrh",
"modified": "2024-06-20T19:16:28Z",
"published": "2024-06-20T16:11:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/drakkan/sftpgo/security/advisories/GHSA-hw5f-6wvv-xcrh"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37897"
},
{
"type": "WEB",
"url": "https://github.com/drakkan/sftpgo/commit/1f8ac8bfe16100b0484d6c91e1e8361687324423"
},
{
"type": "WEB",
"url": "https://github.com/drakkan/sftpgo/commit/3462bba3f41cbc75486474991b9e3ac1b5f1e583"
},
{
"type": "PACKAGE",
"url": "https://github.com/drakkan/sftpgo"
},
{
"type": "WEB",
"url": "https://github.com/drakkan/sftpgo/releases/tag/v2.6.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "SFTPGo has insufficient access control for password reset"
}
GHSA-HW5P-4JGW-WR5W
Vulnerability from github – Published: 2022-05-24 19:06 – Updated: 2022-05-24 19:06An issue was discovered in the FileImporter extension in MediaWiki through 1.36. For certain relaxed configurations of the $wgFileImporterRequiredRight variable, it might not validate all appropriate user rights, thus allowing a user with insufficient rights to perform operations (specifically file uploads) that they should not be allowed to perform.
{
"affected": [],
"aliases": [
"CVE-2021-36132"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-02T13:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in the FileImporter extension in MediaWiki through 1.36. For certain relaxed configurations of the $wgFileImporterRequiredRight variable, it might not validate all appropriate user rights, thus allowing a user with insufficient rights to perform operations (specifically file uploads) that they should not be allowed to perform.",
"id": "GHSA-hw5p-4jgw-wr5w",
"modified": "2022-05-24T19:06:52Z",
"published": "2022-05-24T19:06:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36132"
},
{
"type": "WEB",
"url": "https://gerrit.wikimedia.org/r/q/I8ff2a67abd2c118a3469e4410eac2a451bfa76c3"
},
{
"type": "WEB",
"url": "https://phabricator.wikimedia.org/T280590"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-HW9R-H9MR-4JFF
Vulnerability from github – Published: 2026-07-02 16:06 – Updated: 2026-07-02 16:06Summary
Some internal command handlers require operator.approvals or operator.admin scopes. In affected releases, a scoped Gateway chat.send request delivered through an inherited external route could be evaluated as an external-channel command while still carrying the lower Gateway client scopes.
This issue affects scoped Gateway clients. It does not apply to shared-secret bearer HTTP compatibility endpoints, which are documented as full operator surfaces under OpenClaw's trust model.
Affected configurations
This affects deployments where a scoped Gateway caller with operator.write can use chat.send with delivery into a session that has an inherited external delivery route.
Impact
Commands that should have required operator.approvals or operator.admin could run with only operator.write in this routed context. Affected command families included approval resolution and selected administrative commands such as plugin, config, MCP, allowlist, and ACP mutations.
Patched Versions
The first stable patched version is 2026.5.18.
Mitigations
Upgrade to openclaw@2026.5.18 or later. Before upgrading, avoid granting operator.write tokens to clients that can deliver commands into sessions with external routes unless those clients are trusted with admin-like command effects.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.5.18"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-862",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-02T16:06:00Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n\nSome internal command handlers require `operator.approvals` or `operator.admin` scopes. In affected releases, a scoped Gateway `chat.send` request delivered through an inherited external route could be evaluated as an external-channel command while still carrying the lower Gateway client scopes.\n\nThis issue affects scoped Gateway clients. It does not apply to shared-secret bearer HTTP compatibility endpoints, which are documented as full operator surfaces under OpenClaw\u0027s trust model.\n\n### Affected configurations\n\nThis affects deployments where a scoped Gateway caller with `operator.write` can use `chat.send` with delivery into a session that has an inherited external delivery route.\n\n### Impact\n\nCommands that should have required `operator.approvals` or `operator.admin` could run with only `operator.write` in this routed context. Affected command families included approval resolution and selected administrative commands such as plugin, config, MCP, allowlist, and ACP mutations.\n\n### Patched Versions\n\nThe first stable patched version is `2026.5.18`.\n\n### Mitigations\n\nUpgrade to `openclaw@2026.5.18` or later. Before upgrading, avoid granting `operator.write` tokens to clients that can deliver commands into sessions with external routes unless those clients are trusted with admin-like command effects.",
"id": "GHSA-hw9r-h9mr-4jff",
"modified": "2026-07-02T16:06:00Z",
"published": "2026-07-02T16:06:00Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-hw9r-h9mr-4jff"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "OpenClaw: Scoped chat.send route inheritance could bypass admin command scope gates"
}
GHSA-HWC4-VQRX-2XC8
Vulnerability from github – Published: 2022-05-24 17:26 – Updated: 2022-05-24 17:26In JetBrains YouTrack versions before 2020.3.4313, 2020.2.11008, 2020.1.11011, 2019.1.65514, 2019.2.65515, and 2019.3.65516, an attacker can retrieve an issue description without appropriate access.
{
"affected": [],
"aliases": [
"CVE-2020-24618"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-08-27T20:15:00Z",
"severity": "MODERATE"
},
"details": "In JetBrains YouTrack versions before 2020.3.4313, 2020.2.11008, 2020.1.11011, 2019.1.65514, 2019.2.65515, and 2019.3.65516, an attacker can retrieve an issue description without appropriate access.",
"id": "GHSA-hwc4-vqrx-2xc8",
"modified": "2022-05-24T17:26:50Z",
"published": "2022-05-24T17:26:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24618"
},
{
"type": "WEB",
"url": "https://blog.jetbrains.com"
},
{
"type": "WEB",
"url": "https://blog.jetbrains.com/2020/11/16/jetbrains-security-bulletin-q3-2020"
},
{
"type": "WEB",
"url": "https://youtrack.jetbrains.com/issue/JT-59265"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HWF5-6844-RPXJ
Vulnerability from github – Published: 2026-03-31 12:31 – Updated: 2026-03-31 12:31OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plugin that allows unauthorized senders to bypass intended authorization checks. When a team/channel route allowlist is configured with an empty groupAllowFrom parameter, the message handler synthesizes wildcard sender authorization, permitting any sender in the matched team/channel to trigger replies in allowlisted Teams routes.
{
"affected": [],
"aliases": [
"CVE-2026-34509"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-31T12:16:30Z",
"severity": "LOW"
},
"details": "OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plugin that allows unauthorized senders to bypass intended authorization checks. When a team/channel route allowlist is configured with an empty groupAllowFrom parameter, the message handler synthesizes wildcard sender authorization, permitting any sender in the matched team/channel to trigger replies in allowlisted Teams routes.",
"id": "GHSA-hwf5-6844-rpxj",
"modified": "2026-03-31T12:31:36Z",
"published": "2026-03-31T12:31:36Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g7cr-9h7q-4qxq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34509"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/88aee9161e0e6d32e810a25711e32a808a1777b2"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-sender-allowlist-bypass-in-microsoft-teams-plugin-via-route-allowlist-configuration-2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-HWF5-78M6-5M4P
Vulnerability from github – Published: 2022-08-27 00:00 – Updated: 2022-09-02 00:01An issue was discovered in Blue Prism Enterprise 6.0 through 7.01. In a misconfigured environment that exposes the Blue Prism Application server, it is possible for an authenticated user to reverse engineer the Blue Prism software and circumvent access controls for the UpdateOfflineHelpData administrative function. Abusing this function will allow any Blue Prism user to change the offline help URL to one of their choice, opening the possibility of spoofing the help page or executing a local file.
{
"affected": [],
"aliases": [
"CVE-2022-36121"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-26T00:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Blue Prism Enterprise 6.0 through 7.01. In a misconfigured environment that exposes the Blue Prism Application server, it is possible for an authenticated user to reverse engineer the Blue Prism software and circumvent access controls for the UpdateOfflineHelpData administrative function. Abusing this function will allow any Blue Prism user to change the offline help URL to one of their choice, opening the possibility of spoofing the help page or executing a local file.",
"id": "GHSA-hwf5-78m6-5m4p",
"modified": "2022-09-02T00:01:08Z",
"published": "2022-08-27T00:00:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36121"
},
{
"type": "WEB",
"url": "https://blueprism.com"
},
{
"type": "WEB",
"url": "https://community.blueprism.com/discussion/security-vulnerability-notification-ssc-blue-prism-enterprise"
},
{
"type": "WEB",
"url": "https://portal.blueprism.com/security-vulnerabilities-august-2022"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HWPQ-RRPF-PGCQ
Vulnerability from github – Published: 2026-03-02 23:33 – Updated: 2026-03-30 13:44Summary
system.run approvals in OpenClaw used rendered command text as the approval identity while trimming argv token whitespace. Runtime execution still used raw argv. A crafted trailing-space executable token could therefore execute a different binary than what the approver saw.
Affected Packages / Versions
- Package:
openclaw(npm) - Affected versions:
<= 2026.2.24 - Patched versions:
>= 2026.2.25
Impact
This is an approval-integrity bypass that can lead to unexpected command execution under the OpenClaw runtime user when an attacker can influence command argv and reuse/obtain a matching approval context.
Trust Model Note
OpenClaw does not treat adversarial multi-user sharing of one gateway host/config as a supported security boundary. This finding is still valid in supported deployments because it breaks the operator approval boundary itself (approved display command vs executed argv).
Fix Commit(s)
03e689fc89bbecbcd02876a95957ef1ad9caa176
Release Process Note
patched_versions is pre-set to the release (2026.2.25). Advisory published with npm release 2026.2.25.
OpenClaw thanks @tdjackey for reporting.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.2.24"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.2.25"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-32065"
],
"database_specific": {
"cwe_ids": [
"CWE-436",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-02T23:33:08Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\n`system.run` approvals in OpenClaw used rendered command text as the approval identity while trimming argv token whitespace. Runtime execution still used raw argv. A crafted trailing-space executable token could therefore execute a different binary than what the approver saw.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected versions: `\u003c= 2026.2.24`\n- Patched versions: `\u003e= 2026.2.25`\n\n### Impact\nThis is an approval-integrity bypass that can lead to unexpected command execution under the OpenClaw runtime user when an attacker can influence `command` argv and reuse/obtain a matching approval context.\n\n### Trust Model Note\nOpenClaw does not treat adversarial multi-user sharing of one gateway host/config as a supported security boundary. This finding is still valid in supported deployments because it breaks the operator approval boundary itself (approved display command vs executed argv).\n\n### Fix Commit(s)\n- `03e689fc89bbecbcd02876a95957ef1ad9caa176`\n\n### Release Process Note\n`patched_versions` is pre-set to the release (`2026.2.25`). Advisory published with npm release `2026.2.25`.\n\nOpenClaw thanks @tdjackey for reporting.",
"id": "GHSA-hwpq-rrpf-pgcq",
"modified": "2026-03-30T13:44:16Z",
"published": "2026-03-02T23:33:08Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-hwpq-rrpf-pgcq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32065"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/03e689fc89bbecbcd02876a95957ef1ad9caa176"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-approval-identity-mismatch-in-system-run-command-execution"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: system.run approval identity mismatch could execute a different binary than displayed"
}
GHSA-HWV9-7VF2-6394
Vulnerability from github – Published: 2024-01-09 03:30 – Updated: 2024-01-09 03:30SAP LT Replication Server - version S4CORE 103, S4CORE 104, S4CORE 105, S4CORE 106, S4CORE 107, S4CORE 108, does not perform necessary authorization checks. This could allow an attacker with high privileges to perform unintended actions, resulting in escalation of privileges, which has High impact on confidentiality, integrity and availability of the system.
{
"affected": [],
"aliases": [
"CVE-2024-21735"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-09T01:15:39Z",
"severity": "HIGH"
},
"details": "SAP LT Replication Server - version S4CORE 103, S4CORE 104, S4CORE 105, S4CORE 106, S4CORE 107, S4CORE 108, does not perform necessary authorization checks. This could allow an attacker with high privileges to perform unintended actions, resulting in escalation of privileges, which has High impact on confidentiality, integrity and availability of the system.\n\n",
"id": "GHSA-hwv9-7vf2-6394",
"modified": "2024-01-09T03:30:22Z",
"published": "2024-01-09T03:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21735"
},
{
"type": "WEB",
"url": "https://me.sap.com/notes/3407617"
},
{
"type": "WEB",
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HWVJ-32C7-GF4P
Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2022-05-24 19:04Insufficient policy enforcement in content security policy in Google Chrome prior to 91.0.4472.77 allowed a remote attacker to bypass content security policy via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2021-30539"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-07T20:15:00Z",
"severity": "MODERATE"
},
"details": "Insufficient policy enforcement in content security policy in Google Chrome prior to 91.0.4472.77 allowed a remote attacker to bypass content security policy via a crafted HTML page.",
"id": "GHSA-hwvj-32c7-gf4p",
"modified": "2022-05-24T19:04:10Z",
"published": "2022-05-24T19:04:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30539"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2021/05/stable-channel-update-for-desktop_25.html"
},
{
"type": "WEB",
"url": "https://crbug.com/971231"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ETMZL6IHCTCTREEL434BQ4THQ7EOHJ43"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PAT6EOXVQFE6JFMFQF4IKAOUQSHMHL54"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202107-06"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-HWVV-438R-MHVJ
Vulnerability from github – Published: 2021-03-18 19:23 – Updated: 2022-04-22 16:50A document disclosure flaw was found in Elasticsearch versions after 7.6.0 and before 7.11.0 when Document or Field Level Security is used. Get requests do not properly apply security permissions when executing a query against a recently updated document. This affects documents that have been updated and not yet refreshed in the index. This could result in the search disclosing the existence of documents and fields the attacker should not be able to view.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.elasticsearch:elasticsearch"
},
"ranges": [
{
"events": [
{
"introduced": "7.6.0"
},
{
"fixed": "7.11.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-22134"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2021-03-12T21:17:57Z",
"nvd_published_at": "2021-03-08T21:15:00Z",
"severity": "MODERATE"
},
"details": "A document disclosure flaw was found in Elasticsearch versions after 7.6.0 and before 7.11.0 when Document or Field Level Security is used. Get requests do not properly apply security permissions when executing a query against a recently updated document. This affects documents that have been updated and not yet refreshed in the index. This could result in the search disclosing the existence of documents and fields the attacker should not be able to view.",
"id": "GHSA-hwvv-438r-mhvj",
"modified": "2022-04-22T16:50:19Z",
"published": "2021-03-18T19:23:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22134"
},
{
"type": "WEB",
"url": "https://discuss.elastic.co/t/elastic-stack-7-11-0-security-update/265835"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20210430-0006"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Exposure of Sensitive Information to an Unauthorized Actor"
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.