CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5504 vulnerabilities reference this CWE, most recent first.
GHSA-J346-H5WC-RW2M
Vulnerability from github – Published: 2022-02-09 23:19 – Updated: 2025-11-10 15:24In Apache Solr, the cluster can be partitioned into multiple collections and only a subset of nodes actually host any given collection. However, if a node receives a request for a collection it does not host, it proxies the request to a relevant node and serves the request. Solr bypasses all authorization settings for such requests. This affects all Solr versions prior to 6.6.6 and 7.7 that use the default authorization mechanism of Solr (RuleBasedAuthorizationPlugin).
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.solr:solr-parent"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.solr:solr-parent"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.6.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.solr:solr-core"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.solr:solr-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.6.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-11802"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2021-04-14T18:11:26Z",
"nvd_published_at": "2020-04-01T22:15:00Z",
"severity": "MODERATE"
},
"details": "In Apache Solr, the cluster can be partitioned into multiple collections and only a subset of nodes actually host any given collection. However, if a node receives a request for a collection it does not host, it proxies the request to a relevant node and serves the request. Solr bypasses all authorization settings for such requests. This affects all Solr versions prior to 6.6.6 and 7.7 that use the default authorization mechanism of Solr (RuleBasedAuthorizationPlugin).",
"id": "GHSA-j346-h5wc-rw2m",
"modified": "2025-11-10T15:24:29Z",
"published": "2022-02-09T23:19:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11802"
},
{
"type": "WEB",
"url": "https://github.com/apache/lucene-solr/commit/add003f217806afb4e1604f697cdb0a5a7115895"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/lucene-solr"
},
{
"type": "WEB",
"url": "https://issues.apache.org/jira/browse/SOLR-12514"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2019/04/24/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Incorrect Authorization in Apache Solr"
}
GHSA-J34F-V6R4-25VH
Vulnerability from github – Published: 2022-05-24 19:16 – Updated: 2022-05-24 19:16Missing access control in GitLab version 13.10 and above with Jira Cloud integration enabled allows Jira users without administrative privileges to add and remove Jira Connect Namespaces via the GitLab.com for Jira Cloud application configuration page
{
"affected": [],
"aliases": [
"CVE-2021-22262"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-05T14:15:00Z",
"severity": "MODERATE"
},
"details": "Missing access control in GitLab version 13.10 and above with Jira Cloud integration enabled allows Jira users without administrative privileges to add and remove Jira Connect Namespaces via the GitLab.com for Jira Cloud application configuration page",
"id": "GHSA-j34f-v6r4-25vh",
"modified": "2022-05-24T19:16:34Z",
"published": "2022-05-24T19:16:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22262"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/1147812"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22262.json"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/327062"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J36M-HV43-7W7M
Vulnerability from github – Published: 2022-05-13 01:07 – Updated: 2024-11-26 16:57An authorization-check flaw was discovered in federation configurations of the OpenStack Identity service (keystone). An authenticated federated user could request permissions to a project and unintentionally be granted all related roles including administrative roles.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "keystone"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"last_affected": "9.3.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 10.0.1"
},
"package": {
"ecosystem": "PyPI",
"name": "keystone"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0"
},
{
"fixed": "10.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "keystone"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0"
},
{
"fixed": "11.0.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"11.0.0"
]
}
],
"aliases": [
"CVE-2017-2673"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-14T17:26:51Z",
"nvd_published_at": "2018-07-19T13:29:00Z",
"severity": "HIGH"
},
"details": "An authorization-check flaw was discovered in federation configurations of the OpenStack Identity service (keystone). An authenticated federated user could request permissions to a project and unintentionally be granted all related roles including administrative roles.",
"id": "GHSA-j36m-hv43-7w7m",
"modified": "2024-11-26T16:57:13Z",
"published": "2022-05-13T01:07:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2673"
},
{
"type": "WEB",
"url": "https://github.com/openstack/keystone/commit/05a129e54573b6cbda1ec095f4526f2b9ba90a90"
},
{
"type": "WEB",
"url": "https://github.com/openstack/keystone/commit/2139639eeabc8f6941f4461fc87d609cde3118c2"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:1461"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:1597"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2017-2673"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/keystone/+bug/1677723"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1439586"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2673"
},
{
"type": "PACKAGE",
"url": "https://github.com/openstack/keystone"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/keystone/PYSEC-2018-152.yaml"
},
{
"type": "WEB",
"url": "http://seclists.org/oss-sec/2017/q2/125"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/98032"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenStack Identity service (keystone) Incorrect Authorization"
}
GHSA-J37W-8JCG-6MCP
Vulnerability from github – Published: 2022-04-05 00:00 – Updated: 2022-04-14 00:00After Automation Direct CLICK PLC CPU Modules: C0-1x CPUs with firmware prior to v3.00 is unlocked by an authorized user, the unlocked state does not timeout. If the programming software is interrupted, the PLC remains unlocked. All subsequent programming connections are allowed without authorization. The PLC is only relocked by a power cycle, or when the programming software disconnects correctly.
{
"affected": [],
"aliases": [
"CVE-2021-32986"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-04T20:15:00Z",
"severity": "CRITICAL"
},
"details": "After Automation Direct CLICK PLC CPU Modules: C0-1x CPUs with firmware prior to v3.00 is unlocked by an authorized user, the unlocked state does not timeout. If the programming software is interrupted, the PLC remains unlocked. All subsequent programming connections are allowed without authorization. The PLC is only relocked by a power cycle, or when the programming software disconnects correctly.",
"id": "GHSA-j37w-8jcg-6mcp",
"modified": "2022-04-14T00:00:44Z",
"published": "2022-04-05T00:00:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32986"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-166-02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J3HM-2GX9-6X67
Vulnerability from github – Published: 2022-05-13 01:33 – Updated: 2022-05-13 01:33RSA Identity Lifecycle and Governance versions 7.0.1, 7.0.2 and 7.1.0 contains an authorization bypass vulnerability within the workflow architect component (ACM). A remote authenticated malicious user with non-admin privileges could potentially bypass the Java Security Policies. Once bypassed, a malicious user could potentially run arbitrary system commands at the OS level with application owner privileges on the affected system.
{
"affected": [],
"aliases": [
"CVE-2018-1245"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-07-13T17:29:00Z",
"severity": "HIGH"
},
"details": "RSA Identity Lifecycle and Governance versions 7.0.1, 7.0.2 and 7.1.0 contains an authorization bypass vulnerability within the workflow architect component (ACM). A remote authenticated malicious user with non-admin privileges could potentially bypass the Java Security Policies. Once bypassed, a malicious user could potentially run arbitrary system commands at the OS level with application owner privileges on the affected system.",
"id": "GHSA-j3hm-2gx9-6x67",
"modified": "2022-05-13T01:33:26Z",
"published": "2022-05-13T01:33:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1245"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2018/Jul/46"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1041287"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J3JP-5CVM-4WVF
Vulnerability from github – Published: 2023-09-13 18:31 – Updated: 2024-01-25 18:30A vulnerability in the classic access control list (ACL) compression feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass the protection that is offered by a configured ACL on an affected device.
This vulnerability is due to incorrect destination address range encoding in the compression module of an ACL that is applied to an interface of an affected device. An attacker could exploit this vulnerability by sending traffic through the affected device that should be denied by the configured ACL. A successful exploit could allow the attacker to bypass configured ACL protections on the affected device, allowing the attacker to access trusted networks that the device might be protecting.
There are workarounds that address this vulnerability.
This advisory is part of the September 2023 release of the Cisco IOS XR Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: September 2023 Semiannual Cisco IOS XR Software Security Advisory Bundled Publication .
{
"affected": [],
"aliases": [
"CVE-2023-20190"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-13T17:15:09Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the classic access control list (ACL) compression feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass the protection that is offered by a configured ACL on an affected device.\n\n This vulnerability is due to incorrect destination address range encoding in the compression module of an ACL that is applied to an interface of an affected device. An attacker could exploit this vulnerability by sending traffic through the affected device that should be denied by the configured ACL. A successful exploit could allow the attacker to bypass configured ACL protections on the affected device, allowing the attacker to access trusted networks that the device might be protecting.\n\n There are workarounds that address this vulnerability.\n\n \n\n \n This advisory is part of the September 2023 release of the Cisco IOS XR Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: September 2023 Semiannual Cisco IOS XR Software Security Advisory Bundled Publication .",
"id": "GHSA-j3jp-5cvm-4wvf",
"modified": "2024-01-25T18:30:43Z",
"published": "2023-09-13T18:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20190"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-comp3acl-vGmp6BQ3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J3JW-5W88-CQXR
Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-20 12:32In lunary-ai/lunary v1.5.0, improper privilege management in the models.ts file allows users with viewer roles to modify models owned by others. The PATCH endpoint for models does not have appropriate privilege checks, enabling low-privilege users to update models they should not have access to modify. This vulnerability could lead to unauthorized changes in critical resources, affecting the integrity and reliability of the system.
{
"affected": [],
"aliases": [
"CVE-2024-10273"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-20T10:15:15Z",
"severity": "MODERATE"
},
"details": "In lunary-ai/lunary v1.5.0, improper privilege management in the models.ts file allows users with viewer roles to modify models owned by others. The PATCH endpoint for models does not have appropriate privilege checks, enabling low-privilege users to update models they should not have access to modify. This vulnerability could lead to unauthorized changes in critical resources, affecting the integrity and reliability of the system.",
"id": "GHSA-j3jw-5w88-cqxr",
"modified": "2025-03-20T12:32:39Z",
"published": "2025-03-20T12:32:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10273"
},
{
"type": "WEB",
"url": "https://github.com/lunary-ai/lunary/commit/8ba1b8ba2c2c30b1cec30eb5777c1fda670cbbfc"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/883d9fe2-5730-41e1-a5c2-59972489876e"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J3M6-GVM8-MHVW
Vulnerability from github – Published: 2024-01-23 20:09 – Updated: 2024-01-29 14:21Impact
Users who don't have edit or delete permissions for records exposed in a ModelAdmin can still edit or delete records using the CSV import form, provided they have create permissions.
The likelyhood of a user having create permissions but not having edit or delete permissions is low, but it is possible.
Note that this doesn't affect any ModelAdmin which has had the import form disabled via the showImportForm public property, nor does it impact the SecurityAdmin section.
Action may be required
If you have a custom implementation of BulkLoader, you should update your implementation to respect permissions when the return value of getCheckPermissions() is true.
If you are using any BulkLoader in your own project logic, or maintain a module which uses it, you should consider passing true to setCheckPermissions() if the data is provided by users.
Base CVSS: 4.3 Reported by: Guy Sartorelli from Silverstripe
References
- https://www.silverstripe.org/download/security-releases/CVE-2023-49783
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "silverstripe/admin"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "1.13.19"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "silverstripe/admin"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.1.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-49783"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2024-01-23T20:09:52Z",
"nvd_published_at": "2024-01-23T14:15:37Z",
"severity": "MODERATE"
},
"details": "### Impact\nUsers who don\u0027t have edit or delete permissions for records exposed in a `ModelAdmin` can still edit or delete records using the CSV import form, provided they have create permissions.\n\nThe likelyhood of a user having create permissions but _not_ having edit or delete permissions is low, but it _is_ possible.\n\nNote that this doesn\u0027t affect any `ModelAdmin` which has had the import form disabled via the [`showImportForm` public property](https://api.silverstripe.org/4/SilverStripe/Admin/ModelAdmin.html#property_showImportForm), nor does it impact the `SecurityAdmin` section.\n\n#### Action may be required\n\nIf you have a custom implementation of [`BulkLoader`](https://api.silverstripe.org/4/SilverStripe/Dev/BulkLoader.html), you should update your implementation to respect permissions when the return value of [`getCheckPermissions()`](https://api.silverstripe.org/4/SilverStripe/Dev/BulkLoader.html#method_getCheckPermissions) is true.\n\nIf you are using any `BulkLoader` in your own project logic, or maintain a module which uses it, you should consider passing `true` to [`setCheckPermissions()`](https://api.silverstripe.org/4/SilverStripe/Dev/BulkLoader.html#method_setCheckPermissions) if the data is provided by users.\n\n**Base CVSS:** [4.3](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:F/RL:O/RC:C\u0026version=3.1)\n**Reported by:** Guy Sartorelli from Silverstripe\n\n### References\n- https://www.silverstripe.org/download/security-releases/CVE-2023-49783\n",
"id": "GHSA-j3m6-gvm8-mhvw",
"modified": "2024-01-29T14:21:39Z",
"published": "2024-01-23T20:09:52Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/silverstripe/silverstripe-admin/security/advisories/GHSA-j3m6-gvm8-mhvw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49783"
},
{
"type": "WEB",
"url": "https://github.com/silverstripe-security/security-issues/issues/177"
},
{
"type": "WEB",
"url": "https://github.com/silverstripeltd/product-issues/issues/832"
},
{
"type": "WEB",
"url": "https://github.com/silverstripe/silverstripe-admin/commit/9693130a0a637cdf512277cf5f07e83250b191db"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/admin/CVE-2023-49783.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/silverstripe/silverstripe-admin"
},
{
"type": "WEB",
"url": "https://www.silverstripe.org/download/security-releases/CVE-2023-49783"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "No permission checks for editing/deleting records with CSV import form"
}
GHSA-J3P8-MM22-V647
Vulnerability from github – Published: 2022-05-24 17:38 – Updated: 2024-10-08 18:32Windows Bluetooth Security Feature Bypass Vulnerability This CVE ID is unique from CVE-2021-1683, CVE-2021-1684.
{
"affected": [],
"aliases": [
"CVE-2021-1638"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-01-12T20:15:00Z",
"severity": "MODERATE"
},
"details": "Windows Bluetooth Security Feature Bypass Vulnerability This CVE ID is unique from CVE-2021-1683, CVE-2021-1684.",
"id": "GHSA-j3p8-mm22-v647",
"modified": "2024-10-08T18:32:55Z",
"published": "2022-05-24T17:38:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1638"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1638"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1638"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J3R5-QJ7P-8499
Vulnerability from github – Published: 2022-02-11 00:00 – Updated: 2022-07-13 00:01There is a security protection bypass vulnerability with the modem.Successful exploitation of this vulnerability may cause memory protection failure.
{
"affected": [],
"aliases": [
"CVE-2021-37109"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-09T23:15:00Z",
"severity": "HIGH"
},
"details": "There is a security protection bypass vulnerability with the modem.Successful exploitation of this vulnerability may cause memory protection failure.",
"id": "GHSA-j3r5-qj7p-8499",
"modified": "2022-07-13T00:01:33Z",
"published": "2022-02-11T00:00:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37109"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2022/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.