Common Weakness Enumeration

CWE-863

Allowed-with-Review

Incorrect Authorization

Abstraction: Class · Status: Incomplete

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

5494 vulnerabilities reference this CWE, most recent first.

GHSA-XVHX-JWJW-G589

Vulnerability from github – Published: 2024-10-28 21:30 – Updated: 2026-04-02 21:31
VLAI
Details

A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Ventura 13.7.1, macOS Sonoma 14.7.1. An app may be able to modify protected parts of the file system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-44196"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-28T21:15:05Z",
    "severity": "HIGH"
  },
  "details": "A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Ventura 13.7.1, macOS Sonoma 14.7.1. An app may be able to modify protected parts of the file system.",
  "id": "GHSA-xvhx-jwjw-g589",
  "modified": "2026-04-02T21:31:58Z",
  "published": "2024-10-28T21:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44196"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/121564"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/121568"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/121570"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Oct/11"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Oct/12"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Oct/13"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XVP8-7H22-QMFG

Vulnerability from github – Published: 2024-12-20 15:30 – Updated: 2024-12-20 15:30
VLAI
Details

In JetBrains TeamCity before 2024.12 build credentials allowed unauthorized viewing of projects

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-56350"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-20T15:15:08Z",
    "severity": "MODERATE"
  },
  "details": "In JetBrains TeamCity before 2024.12 build credentials allowed unauthorized viewing of projects",
  "id": "GHSA-xvp8-7h22-qmfg",
  "modified": "2024-12-20T15:30:48Z",
  "published": "2024-12-20T15:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56350"
    },
    {
      "type": "WEB",
      "url": "https://www.jetbrains.com/privacy-security/issues-fixed"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XVV8-2HXW-MGHP

Vulnerability from github – Published: 2025-12-28 09:30 – Updated: 2025-12-28 09:30
VLAI
Details

A weakness has been identified in JeecgBoot up to 3.9.0. Affected by this vulnerability is the function getPositionUserList of the file /sys/position/getPositionUserList. This manipulation of the argument positionId causes improper authorization. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-15126"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-28T08:15:45Z",
    "severity": "LOW"
  },
  "details": "A weakness has been identified in JeecgBoot up to 3.9.0. Affected by this vulnerability is the function getPositionUserList of the file /sys/position/getPositionUserList. This manipulation of the argument positionId causes improper authorization. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-xvv8-2hxw-mghp",
  "modified": "2025-12-28T09:30:27Z",
  "published": "2025-12-28T09:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15126"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Hwwg/cve/issues/39"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.338504"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.338504"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.711782"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-XW7V-QRHC-JJG2

Vulnerability from github – Published: 2022-04-01 00:00 – Updated: 2022-04-18 22:21
VLAI
Summary
Access Control vulnerability in Dolibarr
Details

An Access Control vulnerability exists in Dolibarr ERP/CRM 13.0.2, fixed version is 14.0.1, in the forgot-password function becuase the application allows email addresses as usernames, which can cause a Denial of Service.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "dolibarr/dolibarr"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-37517"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-04-01T19:38:58Z",
    "nvd_published_at": "2022-03-31T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "An Access Control vulnerability exists in Dolibarr ERP/CRM 13.0.2, fixed version is 14.0.1, in the forgot-password function becuase the application allows email addresses as usernames, which can cause a Denial of Service.",
  "id": "GHSA-xw7v-qrhc-jjg2",
  "modified": "2022-04-18T22:21:50Z",
  "published": "2022-04-01T00:00:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37517"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Dolibarr/dolibarr/commit/b57eb8284e830e30eefb26e3c5ede076ea24037c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Dolibarr/dolibarr"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Dolibarr/dolibarr/releases/tag/14.0.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Access Control vulnerability in Dolibarr"
}

GHSA-XWJR-6FJ7-FC6H

Vulnerability from github – Published: 2020-11-23 19:48 – Updated: 2021-11-19 13:46
VLAI
Summary
Local File Inclusion by unauthenticated users
Details

Impact

An attacker can exploit this vulnerability to read local files on an October CMS server. The vulnerability is exploitable by unauthenticated users via a specially crafted request.

Patches

Issue has been patched in Build 469 (v1.0.469) and v1.1.0.

Workarounds

Apply https://github.com/octobercms/library/commit/80aab47f044a2660aa352450f55137598f362aa4 to your installation manually if unable to upgrade to Build 469.

References

Reported by ka1n4t

For more information

If you have any questions or comments about this advisory: * Email us at hello@octobercms.com

Threat assessment:

Screen Shot 2020-10-10 at 1 05 19 PM

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "october/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.421"
            },
            {
              "fixed": "1.0.469"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-15246"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-11-23T19:23:14Z",
    "nvd_published_at": "2020-11-23T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nAn attacker can exploit this vulnerability to read local files on an October CMS server. The vulnerability is exploitable by unauthenticated users via a specially crafted request.\n\n### Patches\nIssue has been patched in Build 469 (v1.0.469) and v1.1.0.\n\n### Workarounds\nApply https://github.com/octobercms/library/commit/80aab47f044a2660aa352450f55137598f362aa4 to your installation manually if unable to upgrade to Build 469.\n\n### References\nReported by [ka1n4t](https://github.com/ka1n4t)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at [hello@octobercms.com](mailto:hello@octobercms.com)\n\n### Threat assessment:\n\u003cimg width=\"1105\" alt=\"Screen Shot 2020-10-10 at 1 05 19 PM\" src=\"https://user-images.githubusercontent.com/7253840/95663086-4ffc4780-0af9-11eb-9bb6-fd40cf11c033.png\"\u003e",
  "id": "GHSA-xwjr-6fj7-fc6h",
  "modified": "2021-11-19T13:46:03Z",
  "published": "2020-11-23T19:48:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/octobercms/october/security/advisories/GHSA-xwjr-6fj7-fc6h"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15246"
    },
    {
      "type": "WEB",
      "url": "https://github.com/octobercms/library/commit/80aab47f044a2660aa352450f55137598f362aa4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/octobercms/october"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Local File Inclusion by unauthenticated users"
}

GHSA-XWR9-QPH4-CPWG

Vulnerability from github – Published: 2025-08-14 15:30 – Updated: 2025-08-14 15:30
VLAI
Details

A security issue exists within the 5032 16pt Digital Configurable module’s web server. The web server’s session number increments at an interval that correlates to the last two consecutive sign in session interval, making it predictable.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-7773"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-14T14:15:35Z",
    "severity": "HIGH"
  },
  "details": "A security issue exists within the 5032 16pt Digital Configurable module\u2019s web server. The web server\u2019s session number increments at an interval that correlates to the last two consecutive sign in session interval, making it predictable.",
  "id": "GHSA-xwr9-qph4-cpwg",
  "modified": "2025-08-14T15:30:45Z",
  "published": "2025-08-14T15:30:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7773"
    },
    {
      "type": "WEB",
      "url": "https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1733.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-XWW8-GQVH-92X9

Vulnerability from github – Published: 2026-07-02 15:40 – Updated: 2026-07-02 15:40
VLAI
Summary
OpenClaw: Exec approval display truncation could hide the command being approved
Details

Summary

OpenClaw exec approvals could show a shortened command in the approval UI while keeping the full original command for execution. For very long commands, an approver could see and approve a benign-looking prefix while a hidden suffix remained part of the command that would run after approval.

This issue affects the approval display and binding for oversized exec commands. It does not make exec available to unauthenticated users, and it does not change OpenClaw's local-first trust model.

Affected configurations

This affects deployments where exec approval is enabled and an authenticated caller can create a pending host exec request with a command long enough to be truncated in the approval view.

Impact

An approver could make a decision from incomplete command text. If the hidden suffix contained additional shell operations, those operations could run after the approval was resolved.

The practical impact depends on who can request exec approvals and who is allowed to approve them. The issue is an approval integrity problem: the approval surface did not faithfully represent the command that would execute.

Patched Versions

The first stable patched version is 2026.5.18.

Mitigations

Upgrade to openclaw@2026.5.18 or later. Before upgrading, avoid approving unusually long exec commands and keep approval capability limited to trusted operators.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.5.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-02T15:40:36Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\nOpenClaw exec approvals could show a shortened command in the approval UI while keeping the full original command for execution. For very long commands, an approver could see and approve a benign-looking prefix while a hidden suffix remained part of the command that would run after approval.\n\nThis issue affects the approval display and binding for oversized exec commands. It does not make exec available to unauthenticated users, and it does not change OpenClaw\u0027s local-first trust model.\n\n### Affected configurations\n\nThis affects deployments where exec approval is enabled and an authenticated caller can create a pending host exec request with a command long enough to be truncated in the approval view.\n\n### Impact\n\nAn approver could make a decision from incomplete command text. If the hidden suffix contained additional shell operations, those operations could run after the approval was resolved.\n\nThe practical impact depends on who can request exec approvals and who is allowed to approve them. The issue is an approval integrity problem: the approval surface did not faithfully represent the command that would execute.\n\n### Patched Versions\n\nThe first stable patched version is `2026.5.18`.\n\n### Mitigations\n\nUpgrade to `openclaw@2026.5.18` or later. Before upgrading, avoid approving unusually long exec commands and keep approval capability limited to trusted operators.",
  "id": "GHSA-xww8-gqvh-92x9",
  "modified": "2026-07-02T15:40:37Z",
  "published": "2026-07-02T15:40:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xww8-gqvh-92x9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenClaw: Exec approval display truncation could hide the command being approved"
}

GHSA-XX38-QPXM-6J8X

Vulnerability from github – Published: 2022-05-05 02:49 – Updated: 2022-05-05 02:49
VLAI
Details

IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.47, 7.0 before 7.0.0.29, 8.0 before 8.0.0.6, and 8.5 before 8.5.0.2 on Linux, Solaris, and HP-UX, when a Local OS registry is used, does not properly validate user accounts, which allows remote attackers to bypass intended access restrictions via unspecified vectors.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2013-0543"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2013-04-24T10:28:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.47, 7.0 before 7.0.0.29, 8.0 before 8.0.0.6, and 8.5 before 8.5.0.2 on Linux, Solaris, and HP-UX, when a Local OS registry is used, does not properly validate user accounts, which allows remote attackers to bypass intended access restrictions via unspecified vectors.",
  "id": "GHSA-xx38-qpxm-6j8x",
  "modified": "2022-05-05T02:49:15Z",
  "published": "2022-05-05T02:49:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0543"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/82759"
    },
    {
      "type": "WEB",
      "url": "http://www-01.ibm.com/support/docview.wss?\u0026uid=swg21632423"
    },
    {
      "type": "WEB",
      "url": "http://www-01.ibm.com/support/docview.wss?uid=swg1PM75582"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-XX75-RCGC-PC97

Vulnerability from github – Published: 2022-04-08 00:00 – Updated: 2022-04-15 00:00
VLAI
Details

aEnrich a+HRD has inadequate privilege restrictions, an unauthenticated remote attacker can use the API function to upload and execute malicious scripts to control the system or disrupt service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-26676"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-07T19:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "aEnrich a+HRD has inadequate privilege restrictions, an unauthenticated remote attacker can use the API function to upload and execute malicious scripts to control the system or disrupt service.",
  "id": "GHSA-xx75-rcgc-pc97",
  "modified": "2022-04-15T00:00:59Z",
  "published": "2022-04-08T00:00:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26676"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/tw/cp-132-5970-2f405-1.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XX9W-464F-7H6F

Vulnerability from github – Published: 2022-09-16 20:27 – Updated: 2024-11-19 16:25
VLAI
Summary
Harbor fails to validate the user permissions when updating a robot account
Details

Impact

Harbor fails to validate the user permissions when updating a robot account that belongs to a project that the authenticated user doesn’t have access to. API call:

PUT /robots/{robot_id}

By sending a request that attempts to update a robot account, and specifying a robot account id and robot account name that belongs to a different project that the user doesn’t have access to, it was possible to revoke the robot account permissions.

Patches

This and similar issues are fixed in Harbor v2.5.2 and later. Please upgrade as soon as possible.

Workarounds

There are no workarounds available.

For more information

If you have any questions or comments about this advisory: * Open an issue in the Harbor GitHub repository

Credits

Thanks to Gal Goldstein and Daniel Abeles from Oxeye Security for reporting this issue.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.10.12"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/goharbor/harbor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.10.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.4.2"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/goharbor/harbor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.5.1"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/goharbor/harbor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.5.0"
            },
            {
              "fixed": "2.5.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-31667"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-16T20:27:13Z",
    "nvd_published_at": "2024-11-14T12:15:16Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nHarbor fails to validate the user permissions when updating a robot account that\nbelongs to a project that the authenticated user doesn\u2019t have access to. API call:\n\nPUT /robots/{robot_id}\n\nBy sending a request that attempts to update a robot account, and specifying a robot\naccount id and robot account name that belongs to a different project that the user\ndoesn\u2019t have access to, it was possible to revoke the robot account permissions.\n\n### Patches\nThis and similar issues are fixed in Harbor v2.5.2 and later. Please upgrade as soon as possible.\n\n### Workarounds\nThere are no workarounds available.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [the Harbor GitHub repository](https://github.com/goharbor/harbor)\n\n### Credits\nThanks to [Gal Goldstein](https://www.linkedin.com/in/gal-goldshtein/) and [Daniel Abeles](https://www.linkedin.com/in/daniel-abeles/) from [Oxeye Security](https://www.oxeye.io/) for reporting this issue.\n",
  "id": "GHSA-xx9w-464f-7h6f",
  "modified": "2024-11-19T16:25:22Z",
  "published": "2022-09-16T20:27:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/goharbor/harbor/security/advisories/GHSA-xx9w-464f-7h6f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31667"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/goharbor/harbor"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": " Harbor fails to validate the user permissions when updating a robot account"
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

No CAPEC attack patterns related to this CWE.