CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5556 vulnerabilities reference this CWE, most recent first.
GHSA-P5H8-CWCQ-Q5G2
Vulnerability from github – Published: 2022-12-22 21:30 – Updated: 2025-04-15 21:31An attacker could have injected CSS into stylesheets accessible via internal URIs, such as resource:, and in doing so bypass a page's Content Security Policy. This vulnerability affects Firefox ESR < 91.11, Thunderbird < 102, Thunderbird < 91.11, and Firefox < 101.
{
"affected": [],
"aliases": [
"CVE-2022-31744"
],
"database_specific": {
"cwe_ids": [
"CWE-79",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-22T20:15:00Z",
"severity": "MODERATE"
},
"details": "An attacker could have injected CSS into stylesheets accessible via internal URIs, such as resource:, and in doing so bypass a page\u0027s Content Security Policy. This vulnerability affects Firefox ESR \u003c 91.11, Thunderbird \u003c 102, Thunderbird \u003c 91.11, and Firefox \u003c 101.",
"id": "GHSA-p5h8-cwcq-q5g2",
"modified": "2025-04-15T21:31:24Z",
"published": "2022-12-22T21:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31744"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1757604"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-20"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-25"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-26"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P5MG-83XJ-VFQ6
Vulnerability from github – Published: 2025-01-27 18:32 – Updated: 2025-01-27 18:32IBM Sterling File Gateway 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.1 could allow an authenticated user to perform unauthorized actions to another user's data due to improper access controls.
{
"affected": [],
"aliases": [
"CVE-2024-22316"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-27T16:15:30Z",
"severity": "MODERATE"
},
"details": "IBM Sterling File Gateway 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.1 could allow an authenticated user to perform unauthorized actions to another user\u0027s data due to improper access controls.",
"id": "GHSA-p5mg-83xj-vfq6",
"modified": "2025-01-27T18:32:00Z",
"published": "2025-01-27T18:32:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22316"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7176083"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P5Q4-94MG-325P
Vulnerability from github – Published: 2026-06-08 15:32 – Updated: 2026-06-30 03:36A flaw was found in Keycloak. A limited administrator can exploit an improper access control vulnerability in the POST /admin/realms/{realm}/partialImport endpoint. This allows them to bypass Fine-Grained Admin Permissions (FGAP) and escalate their privileges to a full realm administrator by importing users with realm-admin role mappings.
{
"affected": [],
"aliases": [
"CVE-2026-11577"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-08T13:16:32Z",
"severity": "HIGH"
},
"details": "A flaw was found in Keycloak. A limited administrator can exploit an improper access control vulnerability in the POST /admin/realms/{realm}/partialImport endpoint. This allows them to bypass Fine-Grained Admin Permissions (FGAP) and escalate their privileges to a full realm administrator by importing users with realm-admin role mappings.",
"id": "GHSA-p5q4-94mg-325p",
"modified": "2026-06-30T03:36:56Z",
"published": "2026-06-08T15:32:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11577"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/issues/9387"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-11577"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2459993"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-11577.json"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P5VV-WVGC-88QH
Vulnerability from github – Published: 2022-05-24 19:11 – Updated: 2022-05-24 19:11NVIDIA Linux kernel distributions contain a vulnerability in nvmap NVMAP_IOC_WRITE* paths, where improper access controls may lead to code execution, complete denial of service, and seriously compromised integrity of all system components.
{
"affected": [],
"aliases": [
"CVE-2021-1107"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-11T22:15:00Z",
"severity": "HIGH"
},
"details": "NVIDIA Linux kernel distributions contain a vulnerability in nvmap NVMAP_IOC_WRITE* paths, where improper access controls may lead to code execution, complete denial of service, and seriously compromised integrity of all system components.",
"id": "GHSA-p5vv-wvgc-88qh",
"modified": "2022-05-24T19:11:03Z",
"published": "2022-05-24T19:11:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1107"
},
{
"type": "WEB",
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5216"
},
{
"type": "WEB",
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5259"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P5WH-M4GJ-X2MR
Vulnerability from github – Published: 2022-02-25 00:01 – Updated: 2022-03-17 00:05An issue was discovered in USBGuard before 1.1.0. On systems with the usbguard-dbus daemon running, an unprivileged user could make USBGuard allow all USB devices to be connected in the future.
{
"affected": [],
"aliases": [
"CVE-2019-25058"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-24T15:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in USBGuard before 1.1.0. On systems with the usbguard-dbus daemon running, an unprivileged user could make USBGuard allow all USB devices to be connected in the future.",
"id": "GHSA-p5wh-m4gj-x2mr",
"modified": "2022-03-17T00:05:17Z",
"published": "2022-02-25T00:01:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25058"
},
{
"type": "WEB",
"url": "https://github.com/USBGuard/usbguard/issues/273"
},
{
"type": "WEB",
"url": "https://github.com/USBGuard/usbguard/issues/403"
},
{
"type": "WEB",
"url": "https://github.com/USBGuard/usbguard/pull/531"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00010.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B2ET6DU4IA64M6TMQ4X3SG2L6TRPLDN6"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B3HQVTHHJFQLSWSXA7W3ZHRF72YMPI46"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D4QO5J5YEWVX27QXYOGL3BDRV3KXNRQI"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P63H-VPC2-P933
Vulnerability from github – Published: 2022-07-17 00:00 – Updated: 2022-07-23 00:00An issue was discovered in Inductive Automation Ignition before 7.9.20 and 8.x before 8.1.17. The ScriptInvoke function allows remote attackers to execute arbitrary code by supplying a Python script.
{
"affected": [],
"aliases": [
"CVE-2022-36126"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-16T19:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Inductive Automation Ignition before 7.9.20 and 8.x before 8.1.17. The ScriptInvoke function allows remote attackers to execute arbitrary code by supplying a Python script.",
"id": "GHSA-p63h-vpc2-p933",
"modified": "2022-07-23T00:00:15Z",
"published": "2022-07-17T00:00:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36126"
},
{
"type": "WEB",
"url": "https://github.com/sourceincite/randy"
},
{
"type": "WEB",
"url": "https://srcincite.io/advisories/src-2022-0014"
},
{
"type": "WEB",
"url": "https://support.inductiveautomation.com/hc/en-us/articles/7625759776653"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P69W-MMFV-XRFJ
Vulnerability from github – Published: 2026-05-26 23:40 – Updated: 2026-05-26 23:40Pre-auth RCE in FUXA via Logic Bypass
Summary
A Critical vulnerability chain exists in FUXA (v.1.3.0-2706) that allows an unauthenticated remote attacker to achieve Full Remote Code Execution (RCE) as root. The exploit succeeds even when the platform is configured in its most secure state (Secure Mode Enabled and Node-RED Secure Auth Enabled).
Details The vulnerability is a Path Confusion flaw in the authentication middleware. The server uses a substring match on the full URL (including query parameters) to exclude certain paths from authentication.
Involved Logic:
JavaScript:
const url = req.originalUrl || req.url || req.path;
if (url.includes('/socket.io')) return next();
By appending ?x=/socket.io to any administrative request, the middleware is "tricked" into treating the request as a public WebSocket handshake, bypassing the secureEnabled and nodeRedAuthMode checks entirely.
Proof of Concept
A specially crafted request containing manipulated query parameters could bypass authentication checks on protected /nodered/* endpoints.
In configurations where Node-RED exposed privileged or command-execution capable nodes, this could lead to remote code execution within the container context.
Impact Access Level: Unauthenticated / Remote.
Privilege Level: Access to Node-RED administrative endpoints. Remote code execution may be possible depending on the Node-RED configuration and installed nodes.
CVSS 3.1 Score: High severity.
Description: An attacker can gain total control over the SCADA server, allowing them to intercept industrial data (MQTT/OPC-UA), manipulate PLC tags, or pivot into the internal OT network.
Root Cause & Remediation The root cause is the reliance on req.originalUrl for security-critical routing decisions.
The Fix: The developer must use req.path (which Express pre-parses to remove query strings) or a formal URL parser to ensure that the security check is performed only against the pathname.
JavaScript
// Secure approach
const pathname = req.path;
if (pathname.startsWith('/socket.io/')) return next();
This issue affects only setups where Node-RED is enabled.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@frangoteam/fuxa"
},
"ranges": [
{
"events": [
{
"introduced": "1.2.11"
},
{
"fixed": "1.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-43945"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-288",
"CWE-863",
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-26T23:40:42Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "**Pre-auth** RCE in FUXA via Logic Bypass\n\nSummary\n\nA Critical vulnerability chain exists in FUXA (v.1.3.0-2706) that allows an unauthenticated remote attacker to achieve Full Remote Code Execution (RCE) as root. The exploit succeeds even when the platform is configured in its most secure state (Secure Mode Enabled and Node-RED Secure Auth Enabled).\n\nDetails\nThe vulnerability is a Path Confusion flaw in the authentication middleware. The server uses a substring match on the full URL (including query parameters) to exclude certain paths from authentication.\n\nInvolved Logic:\n\nJavaScript:\n```\nconst url = req.originalUrl || req.url || req.path;\nif (url.includes(\u0027/socket.io\u0027)) return next();\nBy appending ?x=/socket.io to any administrative request, the middleware is \"tricked\" into treating the request as a public WebSocket handshake, bypassing the secureEnabled and nodeRedAuthMode checks entirely.\n```\n\nProof of Concept\n\nA specially crafted request containing manipulated query parameters could bypass authentication checks on protected /nodered/* endpoints.\n\nIn configurations where Node-RED exposed privileged or command-execution capable nodes, this could lead to remote code execution within the container context.\n\nImpact\nAccess Level: Unauthenticated / Remote.\n\nPrivilege Level: Access to Node-RED administrative endpoints. \nRemote code execution may be possible depending on the Node-RED configuration and installed nodes.\n\nCVSS 3.1 Score: High severity.\n\nDescription: An attacker can gain total control over the SCADA server, allowing them to intercept industrial data (MQTT/OPC-UA), manipulate PLC tags, or pivot into the internal OT network.\n\nRoot Cause \u0026 Remediation\nThe root cause is the reliance on req.originalUrl for security-critical routing decisions.\n\nThe Fix:\nThe developer must use req.path (which Express pre-parses to remove query strings) or a formal URL parser to ensure that the security check is performed only against the pathname.\n\n```\nJavaScript\n\n// Secure approach\nconst pathname = req.path; \nif (pathname.startsWith(\u0027/socket.io/\u0027)) return next();\n```\n\nThis issue affects only setups where Node-RED is enabled.",
"id": "GHSA-p69w-mmfv-xrfj",
"modified": "2026-05-26T23:40:42Z",
"published": "2026-05-26T23:40:42Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/frangoteam/FUXA/security/advisories/GHSA-p69w-mmfv-xrfj"
},
{
"type": "PACKAGE",
"url": "https://github.com/frangoteam/FUXA"
},
{
"type": "WEB",
"url": "https://github.com/frangoteam/FUXA/releases/tag/v1.3.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "FUXA Vulnerable to Pre-auth RCE via Path Manipulation \u0026 Configuration Injection"
}
GHSA-P6CR-HM6F-97RW
Vulnerability from github – Published: 2022-01-20 00:01 – Updated: 2022-01-29 00:01A traffic classification vulnerability in Juniper Networks Junos OS on the SRX Series Services Gateways may allow an attacker to bypass Juniper Deep Packet Inspection (JDPI) rules and access unauthorized networks or resources, when 'no-syn-check' is enabled on the device. While JDPI correctly classifies out-of-state asymmetric TCP flows as the dynamic-application UNKNOWN, this classification is not provided to the policy module properly and hence traffic continues to use the pre-id-default-policy, which is more permissive, causing the firewall to allow traffic to be forwarded that should have been denied. This issue only occurs when 'set security flow tcp-session no-syn-check' is configured on the device. This issue affects Juniper Networks Junos OS on SRX Series: 18.4 versions prior to 18.4R2-S10, 18.4R3-S10; 19.1 versions prior to 19.1R3-S8; 19.2 versions prior to 19.2R1-S8, 19.2R3-S4; 19.3 versions prior to 19.3R3-S3; 19.4 versions prior to 19.4R3-S5; 20.1 versions prior to 20.1R3-S1; 20.2 versions prior to 20.2R3-S2; 20.3 versions prior to 20.3R3-S1; 20.4 versions prior to 20.4R2-S2, 20.4R3; 21.1 versions prior to 21.1R2-S2, 21.1R3; 21.2 versions prior to 21.2R2. This issue does not affect Juniper Networks Junos OS versions prior to 18.4R1.
{
"affected": [],
"aliases": [
"CVE-2022-22167"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-19T01:15:00Z",
"severity": "CRITICAL"
},
"details": "A traffic classification vulnerability in Juniper Networks Junos OS on the SRX Series Services Gateways may allow an attacker to bypass Juniper Deep Packet Inspection (JDPI) rules and access unauthorized networks or resources, when \u0027no-syn-check\u0027 is enabled on the device. While JDPI correctly classifies out-of-state asymmetric TCP flows as the dynamic-application UNKNOWN, this classification is not provided to the policy module properly and hence traffic continues to use the pre-id-default-policy, which is more permissive, causing the firewall to allow traffic to be forwarded that should have been denied. This issue only occurs when \u0027set security flow tcp-session no-syn-check\u0027 is configured on the device. This issue affects Juniper Networks Junos OS on SRX Series: 18.4 versions prior to 18.4R2-S10, 18.4R3-S10; 19.1 versions prior to 19.1R3-S8; 19.2 versions prior to 19.2R1-S8, 19.2R3-S4; 19.3 versions prior to 19.3R3-S3; 19.4 versions prior to 19.4R3-S5; 20.1 versions prior to 20.1R3-S1; 20.2 versions prior to 20.2R3-S2; 20.3 versions prior to 20.3R3-S1; 20.4 versions prior to 20.4R2-S2, 20.4R3; 21.1 versions prior to 21.1R2-S2, 21.1R3; 21.2 versions prior to 21.2R2. This issue does not affect Juniper Networks Junos OS versions prior to 18.4R1.",
"id": "GHSA-p6cr-hm6f-97rw",
"modified": "2022-01-29T00:01:18Z",
"published": "2022-01-20T00:01:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22167"
},
{
"type": "WEB",
"url": "https://kb.juniper.net/JSA11265"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-P6GJ-JC38-X2M7
Vulnerability from github – Published: 2025-12-01 21:30 – Updated: 2025-12-02 16:53Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to validate user permissions when deleting comments in Boards, which allows an authenticated user with the editor role to delete comments created by other users.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "8.0.0-20251013062617-7977e7e6dae3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost"
},
"ranges": [
{
"events": [
{
"introduced": "10.11.0"
},
{
"last_affected": "10.11.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost"
},
"ranges": [
{
"events": [
{
"introduced": "10.12.0"
},
{
"last_affected": "10.12.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost"
},
"ranges": [
{
"events": [
{
"introduced": "10.5.0"
},
{
"last_affected": "10.5.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0"
},
{
"last_affected": "11.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-12756"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-02T16:53:35Z",
"nvd_published_at": "2025-12-01T20:15:49Z",
"severity": "MODERATE"
},
"details": "Mattermost versions 11.0.x \u003c= 11.0.2, 10.12.x \u003c= 10.12.1, 10.11.x \u003c= 10.11.4, 10.5.x \u003c= 10.5.12 fail to validate user permissions when deleting comments in Boards, which allows an authenticated user with the editor role to delete comments created by other users.",
"id": "GHSA-p6gj-jc38-x2m7",
"modified": "2025-12-02T16:53:35Z",
"published": "2025-12-01T21:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12756"
},
{
"type": "PACKAGE",
"url": "https://github.com/mattermost/mattermost"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Mattermost fails to validate user permissions when deleting comments in Boards"
}
GHSA-P6H9-GX5G-WG64
Vulnerability from github – Published: 2024-06-13 09:31 – Updated: 2024-08-07 17:43Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. An attacker could exploit this vulnerability to gain unauthorized access or perform actions with the privileges of another user. Exploitation of this issue does not require user interaction.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"versions": [
"2.4.7"
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"versions": [
"2.4.6"
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"versions": [
"2.4.5"
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"versions": [
"2.4.4"
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.6-p1"
},
{
"fixed": "2.4.6-p6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.5-p1"
},
{
"fixed": "2.4.5-p8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.4.4-p9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-34106"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2024-08-07T17:43:55Z",
"nvd_published_at": "2024-06-13T09:15:11Z",
"severity": "MODERATE"
},
"details": "Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. An attacker could exploit this vulnerability to gain unauthorized access or perform actions with the privileges of another user. Exploitation of this issue does not require user interaction.",
"id": "GHSA-p6h9-gx5g-wg64",
"modified": "2024-08-07T17:43:55Z",
"published": "2024-06-13T09:31:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34106"
},
{
"type": "WEB",
"url": "https://github.com/magento/magento2/commit/30877fce83b793f71421c47347885cf076e81799"
},
{
"type": "WEB",
"url": "https://github.com/magento/magento2/commit/a3c6d6e5e95e63031e4df26cfcf76feace7549c2"
},
{
"type": "WEB",
"url": "https://github.com/magento/magento2/commit/c5c538810b87449886f4669cb8abbe8e5593c83c"
},
{
"type": "WEB",
"url": "https://github.com/magento/magento2/commit/d10435b11ada4e502dca7539f8fd31d059d3c482"
},
{
"type": "PACKAGE",
"url": "https://github.com/magento/magento2"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/magento/apsb24-40.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Magento Open Source Incorrect Authorization vulnerability"
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.