Common Weakness Enumeration

CWE-863

Allowed-with-Review

Incorrect Authorization

Abstraction: Class · Status: Incomplete

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

5550 vulnerabilities reference this CWE, most recent first.

GHSA-V2H4-8467-FM2M

Vulnerability from github – Published: 2024-10-15 21:30 – Updated: 2024-10-15 21:30
VLAI
Details

Vulnerability in the Oracle Sourcing product of Oracle E-Business Suite (component: Auctions). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Sourcing. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Sourcing accessible data as well as unauthorized access to critical data or complete access to all Oracle Sourcing accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-21279"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-15T20:15:20Z",
    "severity": "HIGH"
  },
  "details": "Vulnerability in the Oracle Sourcing product of Oracle E-Business Suite (component: Auctions).  Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Sourcing.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Sourcing accessible data as well as  unauthorized access to critical data or complete access to all Oracle Sourcing accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).",
  "id": "GHSA-v2h4-8467-fm2m",
  "modified": "2024-10-15T21:30:39Z",
  "published": "2024-10-15T21:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21279"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuoct2024.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V2M8-9547-V9WG

Vulnerability from github – Published: 2022-05-24 17:36 – Updated: 2022-05-24 17:36
VLAI
Details

In updateIncomingFileConfirmNotification of BluetoothOppNotification.java, there is a possible permissions bypass. This could lead to local escalation of privilege allowing an attacker with physical possession of the device to transfer files to it over Bluetooth, with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-160691486

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-0473"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-12-15T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In updateIncomingFileConfirmNotification of BluetoothOppNotification.java, there is a possible permissions bypass. This could lead to local escalation of privilege allowing an attacker with physical possession of the device to transfer files to it over Bluetooth, with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-160691486",
  "id": "GHSA-v2m8-9547-v9wg",
  "modified": "2022-05-24T17:36:24Z",
  "published": "2022-05-24T17:36:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-0473"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/pixel/2020-12-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-V2V2-F783-358J

Vulnerability from github – Published: 2026-03-31 23:50 – Updated: 2026-04-06 17:34
VLAI
Summary
OpenClaw: Zalo channel downloads media before sender authorization
Details

Summary

The Zalo image path fetched and stored inbound media before the DM/pairing authorization checks ran.

Impact

Unauthorized senders could force network fetches and disk writes in the inbound media store even when the message itself was rejected.

Affected Component

extensions/zalo/src/monitor.ts

Fixed Versions

  • Affected: <= 2026.3.24
  • Patched: >= 2026.3.28
  • Latest stable 2026.3.28 contains the fix.

Fix

Fixed by commit 68ceaf7a5f (zalo: gate image downloads before DM auth).

OpenClaw thanks @AntAISecurityLab for reporting.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2026.3.24"
      },
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.3.28"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33576"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-31T23:50:44Z",
    "nvd_published_at": "2026-03-31T15:16:14Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe Zalo image path fetched and stored inbound media before the DM/pairing authorization checks ran.\n\n## Impact\n\nUnauthorized senders could force network fetches and disk writes in the inbound media store even when the message itself was rejected.\n\n## Affected Component\n\n`extensions/zalo/src/monitor.ts`\n\n## Fixed Versions\n\n- Affected: `\u003c= 2026.3.24`\n- Patched: `\u003e= 2026.3.28`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `68ceaf7a5f` (`zalo: gate image downloads before DM auth`).\n\nOpenClaw thanks @AntAISecurityLab for reporting.",
  "id": "GHSA-v2v2-f783-358j",
  "modified": "2026-04-06T17:34:34Z",
  "published": "2026-03-31T23:50:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-v2v2-f783-358j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33576"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/68ceaf7a5f64a23e78b95eff055e4b497218312a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-unauthorized-media-download-via-zalo-channel"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw: Zalo channel downloads media before sender authorization"
}

GHSA-V2WW-5RH7-2H5V

Vulnerability from github – Published: 2026-06-18 20:33 – Updated: 2026-06-18 20:33
VLAI
Summary
OpenClaw: Linux and macOS exec allowlists skipped configured argument patterns
Details

Summary

OpenClaw's exec allowlist supported optional argPattern entries to restrict the arguments accepted for an allowlisted executable. In affected releases, Linux and macOS gateways skipped argPattern checks and treated a matching executable path as sufficient to satisfy the allowlist.

This meant an operator could configure an allowlist entry that appeared to permit only a narrow argv shape, but OpenClaw would allow other argv for the same executable without an approval prompt when tools.exec.security was set to allowlist.

This issue is limited to direct enforcement of configured argPattern values. OpenClaw's exec approvals remain best-effort guardrails and do not attempt to semantically model every interpreter, loader, package script, shell feature, or transitive file a command may use.

Affected configurations

This affects OpenClaw gateway deployments that meet all of these conditions:

  • the gateway runs on Linux or macOS
  • exec is configured with tools.exec.security: "allowlist"
  • at least one exec allowlist entry uses argPattern
  • the allowlisted executable accepts security-relevant arguments or flags

Path-only allowlist entries are not additionally affected by this issue, because those entries intentionally allow any arguments for the matched executable. Windows was not affected by this specific bug because the affected code path already applied argPattern checks on Windows.

Impact

If an untrusted or lower-trust sender can influence a tool-enabled agent to call exec, they may be able to run disallowed arguments for an executable that the operator intended to restrict with argPattern. Depending on the executable, those arguments can cause host-side file access, network access, or command execution that should have required an approval prompt.

The practical impact depends on the operator's allowlist and channel exposure. Examples of higher-risk allowlisted executables include tools with interpreter, loader, subprocess, network, or plugin flags such as git, python, node, bash, find, tar, and ssh.

This is not a bypass of all exec approval semantics. It is a bypass of the direct argPattern predicate that the operator configured and that the exec tool description advertised as enforced at runtime.

Patched Versions

The first stable patched version is 2026.5.12.

Mitigations

Upgrade to openclaw@2026.5.12 or later. Before upgrading, operators who use exec allowlist mode should review entries that combine an executable path with argPattern, especially for interpreter-like or subprocess-capable tools.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.5.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-53853"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-693",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-18T20:33:22Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\nOpenClaw\u0027s exec allowlist supported optional `argPattern` entries to restrict the arguments accepted for an allowlisted executable. In affected releases, Linux and macOS gateways skipped `argPattern` checks and treated a matching executable path as sufficient to satisfy the allowlist.\n\nThis meant an operator could configure an allowlist entry that appeared to permit only a narrow argv shape, but OpenClaw would allow other argv for the same executable without an approval prompt when `tools.exec.security` was set to `allowlist`.\n\nThis issue is limited to direct enforcement of configured `argPattern` values. OpenClaw\u0027s exec approvals remain best-effort guardrails and do not attempt to semantically model every interpreter, loader, package script, shell feature, or transitive file a command may use.\n\n### Affected configurations\n\nThis affects OpenClaw gateway deployments that meet all of these conditions:\n\n- the gateway runs on Linux or macOS\n- exec is configured with `tools.exec.security: \"allowlist\"`\n- at least one exec allowlist entry uses `argPattern`\n- the allowlisted executable accepts security-relevant arguments or flags\n\nPath-only allowlist entries are not additionally affected by this issue, because those entries intentionally allow any arguments for the matched executable. Windows was not affected by this specific bug because the affected code path already applied `argPattern` checks on Windows.\n\n### Impact\n\nIf an untrusted or lower-trust sender can influence a tool-enabled agent to call exec, they may be able to run disallowed arguments for an executable that the operator intended to restrict with `argPattern`. Depending on the executable, those arguments can cause host-side file access, network access, or command execution that should have required an approval prompt.\n\nThe practical impact depends on the operator\u0027s allowlist and channel exposure. Examples of higher-risk allowlisted executables include tools with interpreter, loader, subprocess, network, or plugin flags such as `git`, `python`, `node`, `bash`, `find`, `tar`, and `ssh`.\n\nThis is not a bypass of all exec approval semantics. It is a bypass of the direct `argPattern` predicate that the operator configured and that the exec tool description advertised as enforced at runtime.\n\n### Patched Versions\n\nThe first stable patched version is `2026.5.12`.\n\n### Mitigations\n\nUpgrade to `openclaw@2026.5.12` or later. Before upgrading, operators who use exec allowlist mode should review entries that combine an executable path with `argPattern`, especially for interpreter-like or subprocess-capable tools.",
  "id": "GHSA-v2ww-5rh7-2h5v",
  "modified": "2026-06-18T20:33:22Z",
  "published": "2026-06-18T20:33:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-v2ww-5rh7-2h5v"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53853"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-argument-pattern-bypass-in-exec-allowlist-via-linux-and-macos"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenClaw: Linux and macOS exec allowlists skipped configured argument patterns"
}

GHSA-V326-937J-3P86

Vulnerability from github – Published: 2023-07-17 18:31 – Updated: 2024-04-04 06:11
VLAI
Details

Mattermost WelcomeBot plugin fails to to validate the membership status when inviting or adding users to channels allowing guest accounts to be added or invited to channels by default.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-3613"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-17T16:15:11Z",
    "severity": "LOW"
  },
  "details": "Mattermost WelcomeBot plugin fails to to validate the membership status when inviting or adding users to channels allowing\u00a0guest accounts to be added or invited to channels by default. \n\n",
  "id": "GHSA-v326-937j-3p86",
  "modified": "2024-04-04T06:11:04Z",
  "published": "2023-07-17T18:31:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3613"
    },
    {
      "type": "WEB",
      "url": "https://mattermost.com/security-updates"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V3C2-39FM-JQ4H

Vulnerability from github – Published: 2026-04-24 00:31 – Updated: 2026-05-06 23:04
VLAI
Summary
Duplicate Advisory: OpenClaw: Gateway `operator.write` can reach admin-only persisted `verboseLevel` via `chat.send` `/verbose`
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-5h2w-qmfp-ggp6. This link is maintained to preserve external references.

Original Description

OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the chat.send endpoint that allows write-scoped gateway callers to persist admin-only verboseLevel session overrides. Attackers can exploit the /verbose parameter to bypass access controls and expose sensitive reasoning or tool output intended to be restricted to administrators.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.3.28"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-06T23:04:42Z",
    "nvd_published_at": "2026-04-23T22:16:40Z",
    "severity": "MODERATE"
  },
  "details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-5h2w-qmfp-ggp6. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the chat.send endpoint that allows write-scoped gateway callers to persist admin-only verboseLevel session overrides. Attackers can exploit the /verbose parameter to bypass access controls and expose sensitive reasoning or tool output intended to be restricted to administrators.",
  "id": "GHSA-v3c2-39fm-jq4h",
  "modified": "2026-05-06T23:04:42Z",
  "published": "2026-04-24T00:31:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-5h2w-qmfp-ggp6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41344"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-chat-send-verbose-parameter"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Duplicate Advisory: OpenClaw: Gateway `operator.write` can reach admin-only persisted `verboseLevel` via `chat.send` `/verbose`",
  "withdrawn": "2026-05-06T23:04:42Z"
}

GHSA-V3CC-QM43-9JHP

Vulnerability from github – Published: 2022-01-20 00:02 – Updated: 2022-01-29 00:01
VLAI
Details

A traffic classification vulnerability in Juniper Networks Junos OS on the SRX Series Services Gateways may allow an attacker to bypass Juniper Deep Packet Inspection (JDPI) rules and access unauthorized networks or resources, when 'no-syn-check' is enabled on the device. JDPI incorrectly classifies out-of-state asymmetric TCP flows as the dynamic-application INCONCLUSIVE instead of UNKNOWN, which is more permissive, causing the firewall to allow traffic to be forwarded that should have been denied. This issue only occurs when 'set security flow tcp-session no-syn-check' is configured on the device. This issue affects Juniper Networks Junos OS on SRX Series: 18.4 versions prior to 18.4R2-S9, 18.4R3-S9; 19.1 versions prior to 19.1R2-S3, 19.1R3-S6; 19.2 versions prior to 19.2R1-S7, 19.2R3-S3; 19.3 versions prior to 19.3R2-S6, 19.3R3-S2; 19.4 versions prior to 19.4R2-S5, 19.4R3-S3; 20.1 versions prior to 20.1R2-S2, 20.1R3; 20.2 versions prior to 20.2R3-S1; 20.3 versions prior to 20.3R3; 20.4 versions prior to 20.4R2-S1, 20.4R3; 21.1 versions prior to 21.1R1-S1, 21.1R2. This issue does not affect Juniper Networks Junos OS versions prior to 18.4R1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-22157"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-19T01:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A traffic classification vulnerability in Juniper Networks Junos OS on the SRX Series Services Gateways may allow an attacker to bypass Juniper Deep Packet Inspection (JDPI) rules and access unauthorized networks or resources, when \u0027no-syn-check\u0027 is enabled on the device. JDPI incorrectly classifies out-of-state asymmetric TCP flows as the dynamic-application INCONCLUSIVE instead of UNKNOWN, which is more permissive, causing the firewall to allow traffic to be forwarded that should have been denied. This issue only occurs when \u0027set security flow tcp-session no-syn-check\u0027 is configured on the device. This issue affects Juniper Networks Junos OS on SRX Series: 18.4 versions prior to 18.4R2-S9, 18.4R3-S9; 19.1 versions prior to 19.1R2-S3, 19.1R3-S6; 19.2 versions prior to 19.2R1-S7, 19.2R3-S3; 19.3 versions prior to 19.3R2-S6, 19.3R3-S2; 19.4 versions prior to 19.4R2-S5, 19.4R3-S3; 20.1 versions prior to 20.1R2-S2, 20.1R3; 20.2 versions prior to 20.2R3-S1; 20.3 versions prior to 20.3R3; 20.4 versions prior to 20.4R2-S1, 20.4R3; 21.1 versions prior to 21.1R1-S1, 21.1R2. This issue does not affect Juniper Networks Junos OS versions prior to 18.4R1.",
  "id": "GHSA-v3cc-qm43-9jhp",
  "modified": "2022-01-29T00:01:21Z",
  "published": "2022-01-20T00:02:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22157"
    },
    {
      "type": "WEB",
      "url": "https://kb.juniper.net/JSA11265"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-V3CW-79RQ-FHPQ

Vulnerability from github – Published: 2025-04-21 15:31 – Updated: 2025-04-21 15:31
VLAI
Details

Incorrect Authorization vulnerability in the OpenText Content Server REST API on Windows, Linux allows users without the appropriate permissions to remove external collaborators.This issue affects Content Server: 20.2-24.4.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-12862"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-21T15:15:57Z",
    "severity": "MODERATE"
  },
  "details": "Incorrect Authorization vulnerability in the OpenText Content Server REST API on Windows, Linux allows users without the appropriate permissions to remove external collaborators.This issue affects Content Server: 20.2-24.4.",
  "id": "GHSA-v3cw-79rq-fhpq",
  "modified": "2025-04-21T15:31:24Z",
  "published": "2025-04-21T15:31:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12862"
    },
    {
      "type": "WEB",
      "url": "https://support.opentext.com/csm?id=ot_kb_unauthenticated\u0026sysparm_article=KB0839115"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-V3GF-Q256-843H

Vulnerability from github – Published: 2022-05-24 17:30 – Updated: 2023-12-31 21:30
VLAI
Details

An elevation of privilege vulnerability exists in the way Azure Functions validate access keys.An unauthenticated attacker who successfully exploited this vulnerability could invoke an HTTP Function without proper authorization.This security update addresses the vulnerability by correctly validating access keys used to access HTTP Functions., aka 'Azure Functions Elevation of Privilege Vulnerability'.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-16904"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-10-16T23:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "An elevation of privilege vulnerability exists in the way Azure Functions validate access keys.An unauthenticated attacker who successfully exploited this vulnerability could invoke an HTTP Function without proper authorization.This security update addresses the vulnerability by correctly validating access keys used to access HTTP Functions., aka \u0027Azure Functions Elevation of Privilege Vulnerability\u0027.",
  "id": "GHSA-v3gf-q256-843h",
  "modified": "2023-12-31T21:30:22Z",
  "published": "2022-05-24T17:30:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-16904"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16904"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V436-Q368-HVGG

Vulnerability from github – Published: 2023-01-12 23:39 – Updated: 2023-01-23 18:47
VLAI
Summary
Keycloak has lack of validation of access token on client registrations endpoint
Details

When a service account with the create-client or manage-clients role can use the client-registration endpoints to create/manage clients with an access token.

If the access token is leaked, there is an option to revoke the specific token. However, the check is not performed in client-registration endpoints.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 20.0.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.keycloak:keycloak-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "20.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-0091"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-12T23:39:39Z",
    "nvd_published_at": "2023-01-13T06:15:00Z",
    "severity": "MODERATE"
  },
  "details": "When a service account with the create-client or manage-clients role can use the client-registration endpoints to create/manage clients with an access token.\n\nIf the access token is leaked, there is an option to revoke the specific token. However, the check is not performed in client-registration endpoints.",
  "id": "GHSA-v436-q368-hvgg",
  "modified": "2023-01-23T18:47:54Z",
  "published": "2023-01-12T23:39:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-v436-q368-hvgg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0091"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2023-0091"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/keycloak/keycloak"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Keycloak has lack of validation of access token on client registrations endpoint"
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

No CAPEC attack patterns related to this CWE.