Common Weakness Enumeration

CWE-863

Allowed-with-Review

Incorrect Authorization

Abstraction: Class · Status: Incomplete

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

5518 vulnerabilities reference this CWE, most recent first.

GHSA-WHQR-FGM5-X77Q

Vulnerability from github – Published: 2026-05-28 21:32 – Updated: 2026-07-02 17:44
VLAI
Summary
OpenStack Keystone's federated token rescoping mechanism doesn't propagate the original token's expiry to the newly issued token
Details

An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone federated token rescoping mechanism does not propagate the original token's expiry to the newly issued token. When a federated user rescopes a token via POST /v3/auth/tokens, the handle_scoped_token() function in the mapped authentication plugin returns response data without an expires_at value. The token provider falls back to issuing a token with a fresh default TTL. By rescoping repeatedly before each token expires, a user can maintain access indefinitely, bypassing operator-configured token lifetime policies. This is a variant of CVE-2012-3426. Only deployments using federated identity (SAML2, OpenID Connect) are affected.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "keystone"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "14.0.0"
            },
            {
              "fixed": "27.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "keystone"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "28.0.0"
            },
            {
              "fixed": "28.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "keystone"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "29.0.0"
            },
            {
              "fixed": "29.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44394"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-02T17:44:27Z",
    "nvd_published_at": "2026-05-28T19:16:38Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone federated token rescoping mechanism does not propagate the original token\u0027s expiry to the newly issued token. When a federated user rescopes a token via POST /v3/auth/tokens, the handle_scoped_token() function in the mapped authentication plugin returns response data without an expires_at value. The token provider falls back to issuing a token with a fresh default TTL. By rescoping repeatedly before each token expires, a user can maintain access indefinitely, bypassing operator-configured token lifetime policies. This is a variant of CVE-2012-3426. Only deployments using federated identity (SAML2, OpenID Connect) are affected.",
  "id": "GHSA-whqr-fgm5-x77q",
  "modified": "2026-07-02T17:44:27Z",
  "published": "2026-05-28T21:32:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44394"
    },
    {
      "type": "WEB",
      "url": "https://bugs.launchpad.net/keystone/+bug/2150379"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openstack/keystone"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/keystone/PYSEC-2026-603.yaml"
    },
    {
      "type": "WEB",
      "url": "https://security.openstack.org/ossa/OSSA-2026-015.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenStack Keystone\u0027s federated token rescoping mechanism doesn\u0027t propagate the original token\u0027s expiry to the newly issued token"
}

GHSA-WHVF-PMRC-VGH4

Vulnerability from github – Published: 2023-02-09 18:30 – Updated: 2025-03-24 21:30
VLAI
Details

The AMS module has a vulnerability of lacking permission verification in APIs.Successful exploitation of this vulnerability may affect data confidentiality.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-48302"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-09T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "The AMS module has a vulnerability of lacking permission verification in APIs.Successful exploitation of this vulnerability may affect data confidentiality.",
  "id": "GHSA-whvf-pmrc-vgh4",
  "modified": "2025-03-24T21:30:27Z",
  "published": "2023-02-09T18:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48302"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletin/2023/2"
    },
    {
      "type": "WEB",
      "url": "https://device.harmonyos.com/en/docs/security/update/security-bulletins-202302-0000001454769474"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WHWG-VH4F-PMMF

Vulnerability from github – Published: 2026-07-01 20:23 – Updated: 2026-07-01 20:23
VLAI
Summary
SurrealDB: Edge PERMISSIONS FOR delete bypassed when a connected node is deleted
Details

In SurrealDB, records can be connected as a graph: a RELATE statement creates an edge record between two node records. If either endpoint node is deleted, SurrealDB automatically removes the edge row to keep the graph consistent.

A user with permission to delete a node could also delete the edges connected to that node, even when the edge table's PERMISSIONS FOR delete clause should have stopped them.

The automatic edge removal (Document::purge_edges) ran with permissions disabled (opt.clone().with_perms(false)), so the edge table's PERMISSIONS FOR delete and PERMISSIONS FOR select clauses were never consulted. The removal step could also observe edge state that the edge's SELECT clause should have hidden.

Impact

What an attacker can do:

  • Delete any edge connected to a node they can delete, regardless of the edge table's PERMISSIONS FOR delete clause.
  • Observe edge contents that PERMISSIONS FOR select should have hidden, as a side effect of the same edge-removal step.

What it can't do:

  • Delete nodes on tables they do not hold DELETE on (the edge removal only runs from an authorised node delete).
  • Cross namespace or database isolation boundaries.
  • Escalate to root or operator-level privileges.

Patches

Document::purge_edges now propagates the caller's permission context into the edge removal. Each connected edge DELETE is evaluated against the edge table's PERMISSIONS FOR delete clause, matching a direct DELETE.

Versions 3.1.0 and later are not affected.

Workarounds

  • Restrict node DELETE permission to principals trusted to delete all connected edge records.
  • Use namespace or database isolation as the primary boundary where edge-level PERMISSIONS is load-bearing for multi-tenant separation.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "surrealdb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-49997"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-01T20:23:49Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "In SurrealDB, records can be connected as a graph: a `RELATE` statement creates an edge record between two node records. If either endpoint node is deleted, SurrealDB automatically removes the edge row to keep the graph consistent.\n\nA user with permission to delete a node could also delete the edges connected to that node, even when the edge table\u0027s `PERMISSIONS FOR delete` clause should have stopped them.\n\nThe automatic edge removal (`Document::purge_edges`) ran with permissions disabled (`opt.clone().with_perms(false)`), so the edge table\u0027s `PERMISSIONS FOR delete` and `PERMISSIONS FOR select` clauses were never consulted. The removal step could also observe edge state that the edge\u0027s SELECT clause should have hidden.\n\n### Impact\n\nWhat an attacker **can** do:\n\n- Delete any edge connected to a node they can delete, regardless of the edge table\u0027s `PERMISSIONS FOR delete` clause.\n- Observe edge contents that `PERMISSIONS FOR select` should have hidden, as a side effect of the same edge-removal step.\n\nWhat it **can\u0027t** do:\n\n- Delete nodes on tables they do not hold `DELETE` on (the edge removal only runs from an authorised node delete).\n- Cross namespace or database isolation boundaries.\n- Escalate to root or operator-level privileges.\n\n### Patches\n\n`Document::purge_edges` now propagates the caller\u0027s permission context into the edge removal. Each connected edge `DELETE` is evaluated against the edge table\u0027s `PERMISSIONS FOR delete` clause, matching a direct `DELETE`.\n\nVersions 3.1.0 and later are not affected.\n\n### Workarounds\n\n- Restrict node `DELETE` permission to principals trusted to delete all connected edge records.\n- Use namespace or database isolation as the primary boundary where edge-level `PERMISSIONS` is load-bearing for multi-tenant separation.",
  "id": "GHSA-whwg-vh4f-pmmf",
  "modified": "2026-07-01T20:23:49Z",
  "published": "2026-07-01T20:23:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/surrealdb/surrealdb/security/advisories/GHSA-whwg-vh4f-pmmf"
    },
    {
      "type": "WEB",
      "url": "https://github.com/surrealdb/surrealdb/pull/242"
    },
    {
      "type": "WEB",
      "url": "https://github.com/surrealdb/surrealdb/commit/a80d1784cf75358441978bbd77688855e95f4578"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/surrealdb/surrealdb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "SurrealDB: Edge PERMISSIONS FOR delete bypassed when a connected node is deleted"
}

GHSA-WJ55-88GF-X564

Vulnerability from github – Published: 2026-03-26 21:14 – Updated: 2026-04-15 20:55
VLAI
Summary
OpenClaw may have stale policy enforcement for queued node actions
Details

Summary

Queued node actions were not revalidated against current command policy when later delivered, so stale allowlists or declarations could survive policy tightening.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected: < 2026.3.22
  • Fixed: >= 2026.3.22
  • Latest released tag checked: v2026.3.23-2 (630f1479c44f78484dfa21bb407cbe6f171dac87)
  • Latest published npm version checked: 2026.3.23-2

Fix Commit(s)

  • ec2c6d83b9f5f91d6d9094842e0f19b88e63e3e2

Release Status

The fix shipped in v2026.3.22 and remains present in v2026.3.23 and v2026.3.23-2.

Code-Level Confirmation

  • src/gateway/server-methods/nodes.ts now revalidates queued actions against the current allowlist and declared command set at delivery time.
  • src/gateway/server-methods/nodes.invoke-wake.test.ts includes the shipped stale-queue regression coverage.

OpenClaw thanks @zpbrent for reporting.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.3.22"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-35648"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-367",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-26T21:14:24Z",
    "nvd_published_at": "2026-04-10T17:17:05Z",
    "severity": "LOW"
  },
  "details": "## Summary\nQueued node actions were not revalidated against current command policy when later delivered, so stale allowlists or declarations could survive policy tightening.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: \u003c 2026.3.22\n- Fixed: \u003e= 2026.3.22\n- Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`)\n- Latest published npm version checked: `2026.3.23-2`\n\n## Fix Commit(s)\n- `ec2c6d83b9f5f91d6d9094842e0f19b88e63e3e2`\n\n## Release Status\nThe fix shipped in `v2026.3.22` and remains present in `v2026.3.23` and `v2026.3.23-2`.\n\n## Code-Level Confirmation\n- src/gateway/server-methods/nodes.ts now revalidates queued actions against the current allowlist and declared command set at delivery time.\n- src/gateway/server-methods/nodes.invoke-wake.test.ts includes the shipped stale-queue regression coverage.\n\nOpenClaw thanks @zpbrent for reporting.",
  "id": "GHSA-wj55-88gf-x564",
  "modified": "2026-04-15T20:55:23Z",
  "published": "2026-03-26T21:14:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-wj55-88gf-x564"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35648"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/ec2c6d83b9f5f91d6d9094842e0f19b88e63e3e2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-policy-bypass-via-unvalidated-queued-node-actions"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw may have stale policy enforcement for queued node actions"
}

GHSA-WJPH-8W5R-9GHM

Vulnerability from github – Published: 2022-05-24 17:11 – Updated: 2022-05-24 17:11
VLAI
Details

cPanel before 84.0.20 mishandles enforcement of demo checks in the Market UAPI namespace (SEC-542).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-10117"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-03-17T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "cPanel before 84.0.20 mishandles enforcement of demo checks in the Market UAPI namespace (SEC-542).",
  "id": "GHSA-wjph-8w5r-9ghm",
  "modified": "2022-05-24T17:11:43Z",
  "published": "2022-05-24T17:11:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10117"
    },
    {
      "type": "WEB",
      "url": "https://documentation.cpanel.net/display/CL/84+Change+Log"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-WJX2-7G7G-VJ3G

Vulnerability from github – Published: 2023-09-15 00:30 – Updated: 2024-04-04 07:41
VLAI
Details

Weak access control in Wing FTP Server (Admin Web Client) allows for privilege escalation.This issue affects Wing FTP Server: <= 7.2.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-37881"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-12T09:15:08Z",
    "severity": "HIGH"
  },
  "details": "Weak access control in Wing FTP Server (Admin Web Client) allows for privilege escalation.This issue affects Wing FTP Server: \u003c= 7.2.0.\n\n",
  "id": "GHSA-wjx2-7g7g-vj3g",
  "modified": "2024-04-04T07:41:30Z",
  "published": "2023-09-15T00:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37881"
    },
    {
      "type": "WEB",
      "url": "https://www.wftpserver.com/serverhistory.htm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WM68-VVJF-2RC3

Vulnerability from github – Published: 2023-01-24 00:30 – Updated: 2025-01-01 03:31
VLAI
Details

Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-21719"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-24T00:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability.",
  "id": "GHSA-wm68-vvjf-2rc3",
  "modified": "2025-01-01T03:31:34Z",
  "published": "2023-01-24T00:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21719"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21719"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-21719"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202305-10"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WM8R-W8PF-2V6W

Vulnerability from github – Published: 2026-03-02 22:14 – Updated: 2026-03-20 21:36
VLAI
Summary
OpenClaw has Signal group allowlist authorization bypass via DM pairing-store leakage
Details

Summary

In OpenClaw 2026.2.25, Signal group authorization under groupPolicy=allowlist could accept sender identities sourced from DM pairing-store approvals. This allowed DM pairing approvals to leak into group allowlist evaluation.

Impact

This is an authorization-boundary weakness between DM pairing and group allowlist controls. A sender approved for DM pairing could pass group checks without explicit group allowlisting.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Latest published version affected: 2026.2.25
  • Vulnerable range: <= 2026.2.25
  • Patched version (planned next release): >= 2026.2.26

Fix

OpenClaw now keeps DM pairing-store entries DM-only and enforces explicit group allowlist boundaries in shared DM/group policy resolution used by Signal and other channels.

Fix Commit(s)

  • 8bdda7a651c21e98faccdbbd73081e79cffe8be0
  • 64de4b6d6ae81e269ceb4ca16f53cda99ced967a

Release Process Note

patched_versions is pre-set to the planned next release (2026.2.26). After npm publish of that version, this advisory is ready to publish without further content edits.

Thanks @tdjackey for reporting.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.2.26"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-31991"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-02T22:14:56Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Summary\nIn OpenClaw `2026.2.25`, Signal group authorization under `groupPolicy=allowlist` could accept sender identities sourced from DM pairing-store approvals. This allowed DM pairing approvals to leak into group allowlist evaluation.\n\n### Impact\nThis is an authorization-boundary weakness between DM pairing and group allowlist controls. A sender approved for DM pairing could pass group checks without explicit group allowlisting.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published version affected: `2026.2.25`\n- Vulnerable range: `\u003c= 2026.2.25`\n- Patched version (planned next release): `\u003e= 2026.2.26`\n\n### Fix\nOpenClaw now keeps DM pairing-store entries DM-only and enforces explicit group allowlist boundaries in shared DM/group policy resolution used by Signal and other channels.\n\n### Fix Commit(s)\n- `8bdda7a651c21e98faccdbbd73081e79cffe8be0`\n- `64de4b6d6ae81e269ceb4ca16f53cda99ced967a`\n\n### Release Process Note\n`patched_versions` is pre-set to the planned next release (`2026.2.26`). After npm publish of that version, this advisory is ready to publish without further content edits.\n\nThanks @tdjackey for reporting.",
  "id": "GHSA-wm8r-w8pf-2v6w",
  "modified": "2026-03-20T21:36:10Z",
  "published": "2026-03-02T22:14:56Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-wm8r-w8pf-2v6w"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31991"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/64de4b6d6ae81e269ceb4ca16f53cda99ced967a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/8bdda7a651c21e98faccdbbd73081e79cffe8be0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-dm-pairing-store-leakage-in-signal-group-allowlist"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenClaw has Signal group allowlist authorization bypass via DM pairing-store leakage"
}

GHSA-WMR8-25FF-GGPJ

Vulnerability from github – Published: 2022-05-13 01:01 – Updated: 2022-06-28 23:28
VLAI
Summary
Incorrect Authorization in Jenkins
Details

A Improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in SlaveComputer.java that allows attackers with Overall/Read permission to initiate agent launches, and abort in-progress agent launches.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.main:jenkins-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.121.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.main:jenkins-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.122"
            },
            {
              "fixed": "2.132"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-1999004"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-28T23:28:29Z",
    "nvd_published_at": "2018-07-23T19:29:00Z",
    "severity": "MODERATE"
  },
  "details": "A Improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in SlaveComputer.java that allows attackers with Overall/Read permission to initiate agent launches, and abort in-progress agent launches.",
  "id": "GHSA-wmr8-25ff-ggpj",
  "modified": "2022-06-28T23:28:29Z",
  "published": "2022-05-13T01:01:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1999004"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/jenkins/commit/40250f08aca7f3f8816f21870ee23463a52ef2f2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/jenkins"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2018-07-18/#SECURITY-892"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Incorrect Authorization in Jenkins"
}

GHSA-WMX7-X4JP-9JGG

Vulnerability from github – Published: 2023-03-07 20:04 – Updated: 2023-03-07 20:04
VLAI
Summary
OpenSearch has issue with fine-grained access control of indices backing data streams
Details

Impact

There is an issue with the implementation of fine-grained access control rules (document-level security, field-level security and field masking) where they are not correctly applied to the indices that back data streams potentially leading to incorrect access authorization. This issue can only be triggered by authenticated users authorized to read those data streams which are backed by the impacted indexes. Additionally, existing privileged users cannot access random indexes within these clusters; they can only access indexes to which they have already been granted permission.

Patches

OpenSearch 1.3.7 and 2.4.0 contain a fix for this issue.

Workarounds

There is no recommended work around.

For more information

If you have any questions or comments about this advisory, please contact AWS/Amazon Security via our issue reporting page (https://aws.amazon.com/security/vulnerability-reporting/) or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.opensearch.plugin:opensearch-security"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.opensearch.plugin:opensearch-security"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-41918"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-612",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-07T20:04:42Z",
    "nvd_published_at": "2022-11-15T23:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nThere is an issue with the implementation of fine-grained access control rules (document-level security, field-level security and field masking) where they are not correctly applied to the indices that back data streams potentially leading to incorrect access authorization. This issue can only be triggered by authenticated users authorized to read those data streams which are backed by the impacted indexes. Additionally, existing privileged users cannot access random indexes within these clusters; they can only access indexes to which they have already been granted permission.\n\n### Patches\nOpenSearch 1.3.7 and 2.4.0 contain a fix for this issue.\n\n### Workarounds\nThere is no recommended work around.\n\n### For more information\nIf you have any questions or comments about this advisory, please contact AWS/Amazon Security via our issue reporting page (https://aws.amazon.com/security/vulnerability-reporting/) or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.\n",
  "id": "GHSA-wmx7-x4jp-9jgg",
  "modified": "2023-03-07T20:04:42Z",
  "published": "2023-03-07T20:04:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/opensearch-project/security/security/advisories/GHSA-wmx7-x4jp-9jgg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41918"
    },
    {
      "type": "WEB",
      "url": "https://github.com/opensearch-project/security/commit/f7cc569c9d3fa5d5432c76c854eed280d45ce6f4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/opensearch-project/security"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenSearch has issue with fine-grained access control of indices backing data streams"
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

No CAPEC attack patterns related to this CWE.