CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5537 vulnerabilities reference this CWE, most recent first.
GHSA-W5J6-7WPF-G6RW
Vulnerability from github – Published: 2026-01-15 15:31 – Updated: 2026-01-15 15:31A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1). Impact: - Viewers can view all dashboards/folders regardless of permissions - Editors can view/edit/delete all dashboards/folders regardless of permissions - Editors can create dashboards in any folder regardless of permissions - Anonymous users with viewer/editor roles are similarly affected Organization isolation boundaries remain intact. The vulnerability only affects dashboard access and does not grant access to datasources.
{
"affected": [],
"aliases": [
"CVE-2026-0713"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-15T13:16:04Z",
"severity": "HIGH"
},
"details": "A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1). Impact: - Viewers can view all dashboards/folders regardless of permissions - Editors can view/edit/delete all dashboards/folders regardless of permissions - Editors can create dashboards in any folder regardless of permissions - Anonymous users with viewer/editor roles are similarly affected Organization isolation boundaries remain intact. The vulnerability only affects dashboard access and does not grant access to datasources.",
"id": "GHSA-w5j6-7wpf-g6rw",
"modified": "2026-01-15T15:31:16Z",
"published": "2026-01-15T15:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0713"
},
{
"type": "WEB",
"url": "https://sick.com/psirt"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
},
{
"type": "WEB",
"url": "https://www.first.org/cvss/calculator/3.1"
},
{
"type": "WEB",
"url": "https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json"
},
{
"type": "WEB",
"url": "https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf"
},
{
"type": "WEB",
"url": "https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-W5QC-7G9R-478J
Vulnerability from github – Published: 2022-02-19 00:01 – Updated: 2023-08-08 15:31An issue was discovered in Cerebrate through 1.4. An incorrect sharing group ACL allowed an unprivileged user to edit and modify sharing groups.
{
"affected": [],
"aliases": [
"CVE-2022-25318"
],
"database_specific": {
"cwe_ids": [
"CWE-668",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-18T06:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Cerebrate through 1.4. An incorrect sharing group ACL allowed an unprivileged user to edit and modify sharing groups.",
"id": "GHSA-w5qc-7g9r-478j",
"modified": "2023-08-08T15:31:44Z",
"published": "2022-02-19T00:01:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25318"
},
{
"type": "WEB",
"url": "https://github.com/cerebrate-project/cerebrate/commit/15190b930ebada9e8d294db57c96832799d9d93e"
},
{
"type": "WEB",
"url": "https://zigrin.com/advisories/cerebrate-an-incorrect-sharing-group-acl"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W5VH-33WW-R5P2
Vulnerability from github – Published: 2022-05-24 17:09 – Updated: 2022-05-24 17:09The Avast AV parsing engine allows virus-detection bypass via a crafted ZIP archive. This affects versions before 12 definitions 200114-0 of Antivirus Pro, Antivirus Pro Plus, and Antivirus for Linux.
{
"affected": [],
"aliases": [
"CVE-2020-9399"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-02-28T14:15:00Z",
"severity": "MODERATE"
},
"details": "The Avast AV parsing engine allows virus-detection bypass via a crafted ZIP archive. This affects versions before 12 definitions 200114-0 of Antivirus Pro, Antivirus Pro Plus, and Antivirus for Linux.",
"id": "GHSA-w5vh-33ww-r5p2",
"modified": "2022-05-24T17:09:55Z",
"published": "2022-05-24T17:09:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9399"
},
{
"type": "WEB",
"url": "https://blog.zoller.lu/p/tzo-23-2020-avast-generic-archive.html"
},
{
"type": "WEB",
"url": "https://seclists.org/fulldisclosure/2020/Feb/35"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-W5WV-WVRP-V5M5
Vulnerability from github – Published: 2026-01-27 22:15 – Updated: 2026-01-29 03:43Impact
A bug was found with authentication checks on the GetConfig() API endpoint. This allowed unauthenticated users to access this endpoint by specifying an Authorization header with any non-empty Bearer token value, regardless of validity. This vulnerability did allow for exfiltration of configuration data such as endpoints for connected Argo CD clusters. This data could allow an attacker to enumerate cluster URLs and namespaces for use in subsequent attacks.
Additionally, the same bug affected the RefreshResource endpoint. This endpoint does not lead to any information disclosure, but could be used by an unauthenticated attacker to perform a denial-of-service style attack against the Kargo API. RefreshResource sets an annotation on specific Kubernetes resources to trigger reconciliations. If run on a constant loop, this could also slow down legitimate requests to the Kubernetes API server.
This vulnerability was identified by security researchers, and there are no known reports of exploitation in the wild.
Patches
This problem has been patched in the previous 3 versions of Kargo. Based on our information, almost all users are on one of these versions. If for some reason you cannot upgrade from an earlier version, please reach out to us.
Workarounds
There are no workarounds for this issue, so it is highly recommended to upgrade at the earliest possible
Additional details
This issue was caused by fallback logic in token authentication. The majority of Kargo endpoints are backed by Kubernetes objects, and for these endpoints, unrecognized token types are passed to the Kubernetes API for validation. However, the affected endpoints do not use Kubernetes or used an internal client not subject to authentication, so unrecognized tokens had no validation fallback. As a result, any request with a non-empty Bearer token in the Authorization header was incorrectly treated as authorized.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/akuity/kargo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/akuity/kargo"
},
"ranges": [
{
"events": [
{
"introduced": "1.7.0-rc.1"
},
{
"fixed": "1.7.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/akuity/kargo"
},
"ranges": [
{
"events": [
{
"introduced": "1.8.0-rc.1"
},
{
"fixed": "1.8.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-24748"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-27T22:15:28Z",
"nvd_published_at": "2026-01-27T22:15:56Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nA bug was found with authentication checks on the `GetConfig()` API endpoint. This allowed unauthenticated users to access this endpoint by specifying an `Authorization` header with any non-empty `Bearer` token value, regardless of validity. This vulnerability did allow for exfiltration of configuration data such as endpoints for connected Argo CD clusters. This data could allow an attacker to enumerate cluster URLs and namespaces for use in subsequent attacks.\n\nAdditionally, the same bug affected the `RefreshResource` endpoint. This endpoint does not lead to any information disclosure, but could be used by an unauthenticated attacker to perform a denial-of-service style attack against the Kargo API. `RefreshResource` sets an annotation on specific Kubernetes resources to trigger reconciliations. If run on a constant loop, this could also slow down legitimate requests to the Kubernetes API server.\n\nThis vulnerability was identified by security researchers, and there are no known reports of exploitation in the wild.\n\n### Patches\n\nThis problem has been patched in the previous 3 versions of Kargo. Based on our information, almost all users are on one of these versions. If for some reason you cannot upgrade from an earlier version, please reach out to us.\n\n### Workarounds\n\nThere are no workarounds for this issue, so it is highly recommended to upgrade at the earliest possible\n\n### Additional details\n\nThis issue was caused by fallback logic in token authentication. The majority of Kargo endpoints are backed by Kubernetes objects, and for these endpoints, unrecognized token types are passed to the Kubernetes API for validation. However, the affected endpoints do not use Kubernetes or used an internal client not subject to authentication, so unrecognized tokens had no validation fallback. As a result, any request with a non-empty `Bearer` token in the `Authorization` header was incorrectly treated as authorized.",
"id": "GHSA-w5wv-wvrp-v5m5",
"modified": "2026-01-29T03:43:04Z",
"published": "2026-01-27T22:15:28Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/akuity/kargo/security/advisories/GHSA-w5wv-wvrp-v5m5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24748"
},
{
"type": "WEB",
"url": "https://github.com/akuity/kargo/commit/23646eaefb449a6cc2e76a8033e8a57f71369772"
},
{
"type": "WEB",
"url": "https://github.com/akuity/kargo/commit/aa28f81ac15ad871c6eba329fc2f0417a08c39d7"
},
{
"type": "WEB",
"url": "https://github.com/akuity/kargo/commit/b3297ace0d3b9e7f7128858c5c4288d77f072b8c"
},
{
"type": "PACKAGE",
"url": "https://github.com/akuity/kargo"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:L",
"type": "CVSS_V4"
}
],
"summary": "Kargo\u0027s `GetConfig()` and `RefreshResource()` API endpoints allow unauthenticated access"
}
GHSA-W5WW-7CHG-MXCQ
Vulnerability from github – Published: 2026-07-02 17:18 – Updated: 2026-07-02 17:18Summary
Telegram interactive callbacks could skip commands.allowFrom. In affected versions, a Telegram user able to invoke an affected callback could mark the callback as an authorized sender before applying commands.allowFrom.
This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed.
Impact
When the affected feature is enabled and reachable, this could trigger command behavior outside the configured Telegram sender allowlist. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path.
Patched Versions
The first stable patched version is 2026.5.6.
Mitigations
restrict Telegram command callbacks to trusted chats until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.5.5"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.5.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-02T17:18:51Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n\nTelegram interactive callbacks could skip commands.allowFrom. In affected versions, a Telegram user able to invoke an affected callback could mark the callback as an authorized sender before applying `commands.allowFrom`.\n\nThis advisory is scoped to the named feature and configuration. It does not change OpenClaw\u0027s trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed.\n\n### Impact\n\nWhen the affected feature is enabled and reachable, this could trigger command behavior outside the configured Telegram sender allowlist. Practical impact depends on the operator\u0027s configuration and whether lower-trust input can reach that path.\n\n### Patched Versions\n\nThe first stable patched version is `2026.5.6`.\n\n### Mitigations\n\nrestrict Telegram command callbacks to trusted chats until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
"id": "GHSA-w5ww-7chg-mxcq",
"modified": "2026-07-02T17:18:51Z",
"published": "2026-07-02T17:18:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w5ww-7chg-mxcq"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: Telegram interactive callbacks could skip commands.allowFrom"
}
GHSA-W5XM-MX47-V7C8
Vulnerability from github – Published: 2024-06-08 21:30 – Updated: 2024-11-18 19:40Withdrawn: This advisory was incorrectly linked the the npm package lunary. The advisory is valid, but not for that packlage.
In lunary-ai/lunary version v1.2.13, an incorrect authorization vulnerability exists that allows unauthorized users to access and manipulate projects within an organization they should not have access to. Specifically, the vulnerability is located in the checkProjectAccess method within the authorization middleware, which fails to adequately verify if a user has the correct permissions to access a specific project. Instead, it only checks if the user is part of the organization owning the project, overlooking the necessary check against the account_project table for explicit project access rights. This flaw enables attackers to gain complete control over all resources within a project, including the ability to create, update, read, and delete any resource, compromising the privacy and security of sensitive information.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "lunary"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.26"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-4146"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2024-06-10T15:33:08Z",
"nvd_published_at": "2024-06-08T20:15:52Z",
"severity": "CRITICAL"
},
"details": "Withdrawn: This advisory was incorrectly linked the the npm package `lunary`. The advisory is valid, but not for that packlage.\n\nIn lunary-ai/lunary version v1.2.13, an incorrect authorization vulnerability exists that allows unauthorized users to access and manipulate projects within an organization they should not have access to. Specifically, the vulnerability is located in the `checkProjectAccess` method within the authorization middleware, which fails to adequately verify if a user has the correct permissions to access a specific project. Instead, it only checks if the user is part of the organization owning the project, overlooking the necessary check against the `account_project` table for explicit project access rights. This flaw enables attackers to gain complete control over all resources within a project, including the ability to create, update, read, and delete any resource, compromising the privacy and security of sensitive information.",
"id": "GHSA-w5xm-mx47-v7c8",
"modified": "2024-11-18T19:40:39Z",
"published": "2024-06-08T21:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4146"
},
{
"type": "WEB",
"url": "https://github.com/lunary-ai/lunary/commit/c43b6c62035f32ca455f66d5fd22ba661648cde7"
},
{
"type": "PACKAGE",
"url": "https://github.com/lunary-ai/lunary"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/a749e696-b398-4260-b2d0-b0054b9fffa7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "lunary-ai/lunary allows users unauthorized access to projects",
"withdrawn": "2024-11-18T19:40:39Z"
}
GHSA-W65P-8M9J-6PM4
Vulnerability from github – Published: 2025-01-09 21:31 – Updated: 2025-01-31 18:31Incorrect Authorization vulnerability in Drupal Freelinking allows Forceful Browsing.This issue affects Freelinking: from 0.0.0 before 4.0.1.
{
"affected": [],
"aliases": [
"CVE-2024-13270"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-09T20:15:35Z",
"severity": "MODERATE"
},
"details": "Incorrect Authorization vulnerability in Drupal Freelinking allows Forceful Browsing.This issue affects Freelinking: from 0.0.0 before 4.0.1.",
"id": "GHSA-w65p-8m9j-6pm4",
"modified": "2025-01-31T18:31:04Z",
"published": "2025-01-09T21:31:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13270"
},
{
"type": "WEB",
"url": "https://www.drupal.org/sa-contrib-2024-034"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W65R-3XH2-3PJ4
Vulnerability from github – Published: 2025-09-16 00:30 – Updated: 2025-11-03 21:34This issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in macOS Tahoe 26. An app may be able to access sensitive user data.
{
"affected": [],
"aliases": [
"CVE-2025-43307"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-15T23:15:33Z",
"severity": "MODERATE"
},
"details": "This issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in macOS Tahoe 26. An app may be able to access sensitive user data.",
"id": "GHSA-w65r-3xh2-3pj4",
"modified": "2025-11-03T21:34:30Z",
"published": "2025-09-16T00:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43307"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/125110"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Sep/53"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W65V-2JVX-6697
Vulnerability from github – Published: 2023-06-02 12:30 – Updated: 2024-04-04 04:28Wade Graphic Design FANTSY has a vulnerability of insufficient authorization check. An unauthenticated remote user can exploit this vulnerability by modifying URL parameters to gain administrator privileges to perform arbitrary system operation or disrupt service.
{
"affected": [],
"aliases": [
"CVE-2023-28698"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-02T11:15:10Z",
"severity": "CRITICAL"
},
"details": "Wade Graphic Design FANTSY has a vulnerability of insufficient authorization check. An unauthenticated remote user can exploit this vulnerability by modifying URL parameters to gain administrator privileges to perform arbitrary system operation or disrupt service.",
"id": "GHSA-w65v-2jvx-6697",
"modified": "2024-04-04T04:28:38Z",
"published": "2023-06-02T12:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28698"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-7101-f88db-1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W66P-78G4-MR7G
Vulnerability from github – Published: 2022-05-17 01:39 – Updated: 2024-09-27 18:07OpenStack Keystone, as used in OpenStack Folsom 2012.2, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization restrictions by creating new tokens through token chaining. NOTE: this issue exists because of a CVE-2012-3426 regression.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "keystone"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2012-5563"
],
"database_specific": {
"cwe_ids": [
"CWE-324",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2023-02-14T00:53:23Z",
"nvd_published_at": "2012-12-18T01:55:00Z",
"severity": "HIGH"
},
"details": "OpenStack Keystone, as used in OpenStack Folsom 2012.2, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization restrictions by creating new tokens through token chaining. NOTE: this issue exists because of a CVE-2012-3426 regression.",
"id": "GHSA-w66p-78g4-mr7g",
"modified": "2024-09-27T18:07:52Z",
"published": "2022-05-17T01:39:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-5563"
},
{
"type": "WEB",
"url": "https://github.com/openstack/keystone/commit/38c7e46a640a94da4da89a39a5a1ea9c081f1eb5"
},
{
"type": "WEB",
"url": "https://github.com/openstack/keystone/commit/f9d4766249a72d8f88d75dcf1575b28dd3496681"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/keystone/+bug/1079216"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/80370"
},
{
"type": "PACKAGE",
"url": "https://github.com/openstack/keystone"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/keystone/PYSEC-2012-20.yaml"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20121201003009/http://secunia.com/advisories/51423"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20140802122732/http://secunia.com/advisories/51436"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20200228144943/http://www.securityfocus.com/bid/56727"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2012-1557.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2012/11/28/5"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2012/11/28/6"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-1641-1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenStack Keystone Insufficient token expiration"
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.