CWE-1220
AllowedInsufficient Granularity of Access Control
Abstraction: Base · Status: Incomplete
The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.
176 vulnerabilities reference this CWE, most recent first.
CVE-2023-32259 (GCVE-0-2023-32259)
Vulnerability from cvelistv5 – Published: 2024-03-19 15:54 – Updated: 2024-08-02 15:10- CWE-1220 - Insufficient Granularity of Access Control
| Vendor | Product | Version | |
|---|---|---|---|
| OpenText™ | Service Management Automation X (SMAX) |
Affected:
2020.05
Affected: 2020.08 Affected: 2020.11 Affected: 2021.02 Affected: 2021.05 Affected: 2021.08 Affected: 2021.11 Affected: 2022.05 Affected: 2022.11 |
|
| OpenText™ | Asset Management X (AMX) |
Affected:
2021.08
Affected: 2021.11 Affected: 2022.05 Affected: 2022.11 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-32259",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-20T15:13:38.310142Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:26:24.433Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:10:23.989Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://portal.microfocus.com/s/article/KM000018803?language=en_US"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Service Management Automation X (SMAX)",
"vendor": "OpenText\u2122",
"versions": [
{
"status": "affected",
"version": "2020.05"
},
{
"status": "affected",
"version": "2020.08"
},
{
"status": "affected",
"version": "2020.11"
},
{
"status": "affected",
"version": "2021.02"
},
{
"status": "affected",
"version": "2021.05"
},
{
"status": "affected",
"version": "2021.08"
},
{
"status": "affected",
"version": "2021.11"
},
{
"status": "affected",
"version": "2022.05"
},
{
"status": "affected",
"version": "2022.11"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Asset Management X (AMX)",
"vendor": "OpenText\u2122",
"versions": [
{
"status": "affected",
"version": "2021.08"
},
{
"status": "affected",
"version": "2021.11"
},
{
"status": "affected",
"version": "2022.05"
},
{
"status": "affected",
"version": "2022.11"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Insufficient Granularity of Access Control vulnerability in OpenText\u2122 Service Management Automation X (SMAX), OpenText\u2122 Asset Management X (AMX) allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Service Management Automation X (SMAX) versions 2020.05, 2020.08, 2020.11, 2021.02, 2021.05, 2021.08, 2021.11, 2022.05, 2022.11; and Asset Management X (AMX) versions 2021.08, 2021.11, 2022.05, 2022.11.\u003c/p\u003e"
}
],
"value": "Insufficient Granularity of Access Control vulnerability in OpenText\u2122 Service Management Automation X (SMAX), OpenText\u2122 Asset Management X (AMX) allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Service Management Automation X (SMAX) versions 2020.05, 2020.08, 2020.11, 2021.02, 2021.05, 2021.08, 2021.11, 2022.05, 2022.11; and Asset Management X (AMX) versions 2021.08, 2021.11, 2022.05, 2022.11.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1220",
"description": "CWE-1220 Insufficient Granularity of Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-19T15:54:11.630Z",
"orgId": "f81092c5-7f14-476d-80dc-24857f90be84",
"shortName": "OpenText"
},
"references": [
{
"url": "https://portal.microfocus.com/s/article/KM000018803?language=en_US"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://portal.microfocus.com/s/article/KM000018803?language=en_US\"\u003ehttps://portal.microfocus.com/s/article/KM000018803?language=en_US\u003c/a\u003e\u003cbr\u003e"
}
],
"value": " https://portal.microfocus.com/s/article/KM000018803?language=en_US \n"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Potential Insufficient Access Control vulnerability has been identified in OpenText\u2122 SMAX/AMX products.",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f81092c5-7f14-476d-80dc-24857f90be84",
"assignerShortName": "OpenText",
"cveId": "CVE-2023-32259",
"datePublished": "2024-03-19T15:54:11.630Z",
"dateReserved": "2023-05-05T14:42:20.152Z",
"dateUpdated": "2024-08-02T15:10:23.989Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-31343 (GCVE-0-2023-31343)
Vulnerability from cvelistv5 – Published: 2025-02-11 22:35 – Updated: 2025-09-23 21:39- CWE-1220 - Insufficient Granularity of Access Control
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-31343",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-12T15:34:57.941103Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T15:35:05.712Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "AMD EPYC\u2122 7003 Processors",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "MilanPI 1.0.0.C"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD EPYC\u2122 9004 Processors",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "GenoaPI 1.0.0.B"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Instinct\u2122 MI300A",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "MI300API 1.0.0.5"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 3000 Series Desktop Processors",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "ComboAM4v2PI 1.2.0.C"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 5000 Series Desktop Processors",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "ComboAM4v2PI 1.2.0.C"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 5000 Series Desktop Processor with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "ComboAM4v2PI 1.2.0.C"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 7000 Series Desktop Processors",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "ComboAM5 1.1.0.2"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Athlon\u2122 3000 Series Desktop Processors with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "ComboAM4v2PI 1.2.0.C"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 4000 Series Desktop Processor with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "ComboAM4v2PI 1.2.0.C"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 8000 Series Processor with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "ComboAM5 1.1.0.2"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 Threadripper\u2122 PRO 5000WX- Series Desktop Processors",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "ChagallWSPI-sWRX8 1.0.0.7"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Athlon\u2122 3000 Series Mobile Processors with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "\"Pollock-FT5 1.0.0.7\""
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 3000 Series Mobile Processor with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "\"Picasso-FP5 1.0.1.1\""
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 4000 Series Mobile Processors with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "\"RenoirPI-FP6 1.0.0.D\""
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 5000 Series Processors with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "\"Cezanne-FP6 1.0.1.0\""
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 7020 Series Processors with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "\"MendocinoPI-FT6 1.0.0.6\""
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 6000 Series Processor with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "\"Rembrandt-FP7 1.0.0.A\""
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 7035 Series Processor with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "\"Rembrandt-FP7 1.0.0.A\""
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 7040 Series Processors with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "\"PhoenixPI-FP8-FP7 1.1.0.2\""
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 7000 Series Mobile Processors",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "\"DragonRangeFL1PI 1.0.0.3C\""
}
]
},
{
"defaultStatus": "affected",
"product": "AMD EPYC\u2122 Embedded 7003",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "\"EmbMilanPI-SP3 1.0.0.8\""
}
]
},
{
"defaultStatus": "unaffected",
"product": "AMD EPYC\u2122 Embedded 9004",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "EmbGenoaPI-SP5 1.0.0.6"
}
]
},
{
"defaultStatus": "unaffected",
"product": "AMD Ryzen\u2122 Embedded R1000",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "\"EmbeddedPI-FP5 1.2.0.C\""
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 Embedded R2000",
"vendor": "AMD",
"versions": [
{
"status": "affected",
"version": "\"EmbeddedR2KPI-FP5 1.0.0.3\""
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 Embedded 5000",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "\"EmbAM4PI 1.0.0.5\""
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 Embedded 7000",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "EmbeddedAM5PI 1.0.0.1"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 Embedded V2000",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "\"EmbeddedPI-FP6 1.0.0.9\""
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 Embedded V3000",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "\"Embedded-PI FP7r2 1.0.0.9\""
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper input validation in the SMM handler may allow a privileged attacker to overwrite SMRAM, potentially leading to arbitrary code execution.\u003cbr\u003e"
}
],
"value": "Improper input validation in the SMM handler may allow a privileged attacker to overwrite SMRAM, potentially leading to arbitrary code execution."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1220",
"description": "CWE-1220 Insufficient Granularity of Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-23T21:39:19.127Z",
"orgId": "b58fc414-a1e4-4f92-9d70-1add41838648",
"shortName": "AMD"
},
"references": [
{
"url": "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-5004.html"
},
{
"url": "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-4008.html"
},
{
"url": "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3009.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "b58fc414-a1e4-4f92-9d70-1add41838648",
"assignerShortName": "AMD",
"cveId": "CVE-2023-31343",
"datePublished": "2025-02-11T22:35:04.110Z",
"dateReserved": "2023-04-27T15:25:41.426Z",
"dateUpdated": "2025-09-23T21:39:19.127Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-31342 (GCVE-0-2023-31342)
Vulnerability from cvelistv5 – Published: 2025-02-11 22:24 – Updated: 2026-02-26 19:08- CWE-1220 - Insufficient Granularity of Access Control
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-31342",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-24T03:55:33.409726Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T19:08:51.034Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "AMD EPYC\u2122 7003 Processors",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "MilanPI 1.0.0.C"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD EPYC\u2122 9004 Processors",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "GenoaPI 1.0.0.B"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Instinct\u2122 MI300A",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "MI300API 1.0.0.5"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 3000 Series Desktop Processors",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "ComboAM4v2PI 1.2.0.C"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 5000 Series Desktop Processors",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "ComboAM4v2PI 1.2.0.C"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 5000 Series Desktop Processor with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "ComboAM4v2PI 1.2.0.C"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 7000 Series Desktop Processors",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "ComboAM5 1.1.0.2"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Athlon\u2122 3000 Series Desktop Processors with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "ComboAM4v2PI 1.2.0.C"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 4000 Series Desktop Processor with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "ComboAM4v2PI 1.2.0.C"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 8000 Series Processor with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "ComboAM5 1.1.0.2"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 Threadripper\u2122 PRO 5000WX- Series Desktop Processors",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "ChagallWSPI-sWRX8 1.0.0.7"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Athlon\u2122 3000 Series Mobile Processors with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "Pollock-FT5 1.0.0.7"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 3000 Series Mobile Processor with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "Picasso-FP5 1.0.1.1"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 4000 Series Mobile Processors with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "RenoirPI-FP6 1.0.0.D"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 5000 Series Processors with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "Cezanne-FP6 1.0.1.0"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 7020 Series Processors with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "MendocinoPI-FT6 1.0.0.6"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 6000 Series Processor with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "Rembrandt-FP7 1.0.0.A"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 7035 Series Processor with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "Rembrandt-FP7 1.0.0.A"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 7040 Series Processors with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "PhoenixPI-FP8-FP7 1.1.0.2"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 7000 Series Mobile Processors",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "DragonRangeFL1PI 1.0.0.3C"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD EPYC\u2122 Embedded 7003",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "EmbMilanPI-SP3 1.0.0.8"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD EPYC\u2122 Embedded 9004",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "EmbGenoaPI-SP5 1.0.0.6"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 Embedded R1000",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "EmbeddedPI-FP5 1.2.0.C"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 Embedded R2000",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "EmbeddedR2KPI-FP5 1.0.0.3"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 Embedded 5000",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "EmbAM4PI 1.0.0.5"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 Embedded 7000",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "EmbeddedAM5PI 1.0.0.1"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 Embedded V2000",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "EmbeddedPI-FP6 1.0.0.9"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD Ryzen\u2122 Embedded V3000",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "Embedded-PI FP7r2 1.0.0.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper input validation in the SMM handler may allow a privileged attacker to overwrite SMRAM, potentially leading to arbitrary code execution."
}
],
"value": "Improper input validation in the SMM handler may allow a privileged attacker to overwrite SMRAM, potentially leading to arbitrary code execution."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1220",
"description": "CWE-1220 Insufficient Granularity of Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-23T21:23:17.849Z",
"orgId": "b58fc414-a1e4-4f92-9d70-1add41838648",
"shortName": "AMD"
},
"references": [
{
"url": "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-5004.html"
},
{
"url": "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-4008.html"
},
{
"url": "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3009.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "b58fc414-a1e4-4f92-9d70-1add41838648",
"assignerShortName": "AMD",
"cveId": "CVE-2023-31342",
"datePublished": "2025-02-11T22:24:02.153Z",
"dateReserved": "2023-04-27T15:25:41.425Z",
"dateUpdated": "2026-02-26T19:08:51.034Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-27591 (GCVE-0-2023-27591)
Vulnerability from cvelistv5 – Published: 2023-03-17 19:04 – Updated: 2025-02-25 14:53| URL | Tags |
|---|---|
| https://github.com/miniflux/v2/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/miniflux/v2/pull/1745 | x_refsource_MISC |
| https://github.com/miniflux/v2/releases/tag/2.0.43 | x_refsource_MISC |
| https://miniflux.app/docs/configuration.html#metr… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T12:16:35.891Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/miniflux/v2/security/advisories/GHSA-3qjf-qh38-x73v",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/miniflux/v2/security/advisories/GHSA-3qjf-qh38-x73v"
},
{
"name": "https://github.com/miniflux/v2/pull/1745",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/miniflux/v2/pull/1745"
},
{
"name": "https://github.com/miniflux/v2/releases/tag/2.0.43",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/miniflux/v2/releases/tag/2.0.43"
},
{
"name": "https://miniflux.app/docs/configuration.html#metrics-collector",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://miniflux.app/docs/configuration.html#metrics-collector"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-27591",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-25T14:30:31.150918Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-25T14:53:48.603Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "v2",
"vendor": "miniflux",
"versions": [
{
"status": "affected",
"version": "\u003c 2.0.43"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Miniflux is a feed reader. Prior to version 2.0.43, an unauthenticated user can retrieve Prometheus metrics from a publicly reachable Miniflux instance where the `METRICS_COLLECTOR` configuration option is enabled and `METRICS_ALLOWED_NETWORKS` is set to `127.0.0.1/8` (the default). A patch is available in Miniflux 2.0.43. As a workaround, set `METRICS_COLLECTOR` to `false` (default) or run Miniflux behind a trusted reverse-proxy."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1220",
"description": "CWE-1220: Insufficient Granularity of Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-17T19:04:03.702Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/miniflux/v2/security/advisories/GHSA-3qjf-qh38-x73v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/miniflux/v2/security/advisories/GHSA-3qjf-qh38-x73v"
},
{
"name": "https://github.com/miniflux/v2/pull/1745",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/miniflux/v2/pull/1745"
},
{
"name": "https://github.com/miniflux/v2/releases/tag/2.0.43",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/miniflux/v2/releases/tag/2.0.43"
},
{
"name": "https://miniflux.app/docs/configuration.html#metrics-collector",
"tags": [
"x_refsource_MISC"
],
"url": "https://miniflux.app/docs/configuration.html#metrics-collector"
}
],
"source": {
"advisory": "GHSA-3qjf-qh38-x73v",
"discovery": "UNKNOWN"
},
"title": "Unauthenticated Miniflux user can bypass allowed networks check to obtain Prometheus metrics"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-27591",
"datePublished": "2023-03-17T19:04:03.702Z",
"dateReserved": "2023-03-04T01:03:53.635Z",
"dateUpdated": "2025-02-25T14:53:48.603Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-6725 (GCVE-0-2023-6725)
Vulnerability from cvelistv5 – Published: 2024-03-15 12:38 – Updated: 2026-02-25 18:20- CWE-1220 - Insufficient Granularity of Access Control
| URL | Tags |
|---|---|
| https://access.redhat.com/errata/RHSA-2024:2736 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2024:2770 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/security/cve/CVE-2023-6725 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2249273 | issue-trackingx_refsource_REDHAT |
| Vendor | Product | Version | |
|---|---|---|---|
| Red Hat | Red Hat OpenStack Platform 17.1 for RHEL 8 |
Unaffected:
0:14.3.1-17.1.20231103003762.el8ost , < *
(rpm)
cpe:/a:redhat:openstack:17.1::el8 |
|
| Red Hat | Red Hat OpenStack Platform 17.1 for RHEL 8 |
Unaffected:
0:3.3.1-17.1.20231101233754.el8ost , < *
(rpm)
cpe:/a:redhat:openstack:17.1::el8 |
|
| Red Hat | Red Hat OpenStack Platform 17.1 for RHEL 9 |
Unaffected:
0:14.3.1-17.1.20231103010840.el9ost , < *
(rpm)
cpe:/a:redhat:openstack:17.1::el9 |
|
| Red Hat | Red Hat OpenStack Platform 17.1 for RHEL 9 |
Unaffected:
0:3.3.1-17.1.20231101230831.el9ost , < *
(rpm)
cpe:/a:redhat:openstack:17.1::el9 |
|
| Red Hat | Red Hat OpenStack Platform 16.1 |
cpe:/a:redhat:openstack:16.1 |
|
| Red Hat | Red Hat OpenStack Platform 16.2 |
cpe:/a:redhat:openstack:16.2 |
|
| Red Hat | Red Hat OpenStack Platform 17.1 |
cpe:/a:redhat:openstack:17.1 |
|
| Red Hat | Red Hat OpenStack Platform 18.0 |
cpe:/a:redhat:openstack:18.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:35:14.912Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "RHSA-2024:2736",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:2736"
},
{
"name": "RHSA-2024:2770",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:2770"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/CVE-2023-6725"
},
{
"name": "RHBZ#2249273",
"tags": [
"issue-tracking",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2249273"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-6725",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-15T16:37:30.842696Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-12T20:40:29.242Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openstack:17.1::el8"
],
"defaultStatus": "affected",
"packageName": "openstack-tripleo-heat-templates",
"product": "Red Hat OpenStack Platform 17.1 for RHEL 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:14.3.1-17.1.20231103003762.el8ost",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openstack:17.1::el8"
],
"defaultStatus": "affected",
"packageName": "tripleo-ansible",
"product": "Red Hat OpenStack Platform 17.1 for RHEL 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:3.3.1-17.1.20231101233754.el8ost",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openstack:17.1::el9"
],
"defaultStatus": "affected",
"packageName": "openstack-tripleo-heat-templates",
"product": "Red Hat OpenStack Platform 17.1 for RHEL 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:14.3.1-17.1.20231103010840.el9ost",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openstack:17.1::el9"
],
"defaultStatus": "affected",
"packageName": "tripleo-ansible",
"product": "Red Hat OpenStack Platform 17.1 for RHEL 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:3.3.1-17.1.20231101230831.el9ost",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openstack:16.1"
],
"defaultStatus": "unaffected",
"packageName": "openstack-designate",
"product": "Red Hat OpenStack Platform 16.1",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openstack:16.2"
],
"defaultStatus": "unaffected",
"packageName": "openstack-designate",
"product": "Red Hat OpenStack Platform 16.2",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openstack:17.1"
],
"defaultStatus": "affected",
"packageName": "openstack-designate",
"product": "Red Hat OpenStack Platform 17.1",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openstack:18.0"
],
"defaultStatus": "unaffected",
"packageName": "openstack-designate",
"product": "Red Hat OpenStack Platform 18.0",
"vendor": "Red Hat"
}
],
"credits": [
{
"lang": "en",
"value": "This issue was discovered by Michael Johnson (Red Hat)."
}
],
"datePublic": "2024-03-15T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "An access-control flaw was found in the OpenStack Designate component where private configuration information including access keys to BIND were improperly made world readable. A malicious attacker with access to any container could exploit this flaw to access sensitive information."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Moderate"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1220",
"description": "Insufficient Granularity of Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T18:20:14.710Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2024:2736",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:2736"
},
{
"name": "RHSA-2024:2770",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:2770"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2023-6725"
},
{
"name": "RHBZ#2249273",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2249273"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-11-11T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-03-15T00:00:00.000Z",
"value": "Made public."
}
],
"title": "Tripleo-ansible: bind keys are world readable",
"x_generator": {
"engine": "cvelib 1.8.0"
},
"x_redhatCweChain": "CWE-1220: Insufficient Granularity of Access Control"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2023-6725",
"datePublished": "2024-03-15T12:38:23.158Z",
"dateReserved": "2023-12-12T09:57:13.700Z",
"dateUpdated": "2026-02-25T18:20:14.710Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-4456 (GCVE-0-2023-4456)
Vulnerability from cvelistv5 – Published: 2023-08-21 15:19 – Updated: 2025-11-20 18:27- CWE-1220 - Insufficient Granularity of Access Control
| URL | Tags |
|---|---|
| https://access.redhat.com/errata/RHSA-2023:4933 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2023:5095 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2023:5096 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/security/cve/CVE-2023-4456 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2233087 | issue-trackingx_refsource_REDHAT |
| Vendor | Product | Version | |
|---|---|---|---|
| Red Hat | RHOL-5.5-RHEL-8 |
Unaffected:
v0.1.0-327 , < *
(rpm)
cpe:/a:redhat:logging:5.5::el8 |
|
| Red Hat | RHOL-5.6-RHEL-8 |
Unaffected:
v0.1.0-326 , < *
(rpm)
cpe:/a:redhat:logging:5.6::el8 |
|
| Red Hat | RHOL-5.7-RHEL-8 |
Unaffected:
v0.1.0-325 , < *
(rpm)
cpe:/a:redhat:logging:5.7::el8 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-4456",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-26T20:04:56.956783Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:27:25.132Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:31:05.461Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "RHSA-2023:4933",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2023:4933"
},
{
"name": "RHSA-2023:5095",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2023:5095"
},
{
"name": "RHSA-2023:5096",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2023:5096"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/CVE-2023-4456"
},
{
"name": "RHBZ#2233087",
"tags": [
"issue-tracking",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2233087"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:logging:5.5::el8"
],
"defaultStatus": "affected",
"packageName": "openshift-logging/lokistack-gateway-rhel8",
"product": "RHOL-5.5-RHEL-8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "v0.1.0-327",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:logging:5.6::el8"
],
"defaultStatus": "affected",
"packageName": "openshift-logging/lokistack-gateway-rhel8",
"product": "RHOL-5.6-RHEL-8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "v0.1.0-326",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:logging:5.7::el8"
],
"defaultStatus": "affected",
"packageName": "openshift-logging/lokistack-gateway-rhel8",
"product": "RHOL-5.7-RHEL-8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "v0.1.0-325",
"versionType": "rpm"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issue was discovered by Robert Jacob (Red Hat)."
}
],
"datePublic": "2023-08-21T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in openshift-logging LokiStack. The key used for caching is just the token, which is too broad. This issue allows a user with a token valid for one action to execute other actions as long as the authorization allowing the original action is still cached."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Moderate"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1220",
"description": "Insufficient Granularity of Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-20T18:27:42.202Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2023:4933",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2023:4933"
},
{
"name": "RHSA-2023:5095",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2023:5095"
},
{
"name": "RHSA-2023:5096",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2023:5096"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2023-4456"
},
{
"name": "RHBZ#2233087",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2233087"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-08-21T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2023-08-21T00:00:00.000Z",
"value": "Made public."
}
],
"title": "Openshift-logging: lokistack authorisation is cached too broadly",
"x_redhatCweChain": "CWE-1220: Insufficient Granularity of Access Control"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2023-4456",
"datePublished": "2023-08-21T15:19:22.208Z",
"dateReserved": "2023-08-21T11:46:25.407Z",
"dateUpdated": "2025-11-20T18:27:42.202Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-3227 (GCVE-0-2023-3227)
Vulnerability from cvelistv5 – Published: 2023-06-14 00:00 – Updated: 2025-01-02 20:49- CWE-1220 - Insufficient Granularity of Access Control
| Vendor | Product | Version | |
|---|---|---|---|
| fossbilling | fossbilling/fossbilling |
Affected:
unspecified , < 0.5.0
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:48:08.500Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/97ecf4b8-7eeb-4e39-917c-2660262ff9ba"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/fossbilling/fossbilling/commit/b65a75fcf70feaf547d414672f78d7cbe8a98e7e"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-3227",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-02T20:49:07.930888Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-02T20:49:14.941Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fossbilling/fossbilling",
"vendor": "fossbilling",
"versions": [
{
"lessThan": "0.5.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Insufficient Granularity of Access Control in GitHub repository fossbilling/fossbilling prior to 0.5.0."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1220",
"description": "CWE-1220 Insufficient Granularity of Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-14T00:00:00.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/97ecf4b8-7eeb-4e39-917c-2660262ff9ba"
},
{
"url": "https://github.com/fossbilling/fossbilling/commit/b65a75fcf70feaf547d414672f78d7cbe8a98e7e"
}
],
"source": {
"advisory": "97ecf4b8-7eeb-4e39-917c-2660262ff9ba",
"discovery": "EXTERNAL"
},
"title": "Insufficient Granularity of Access Control in fossbilling/fossbilling"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-3227",
"datePublished": "2023-06-14T00:00:00.000Z",
"dateReserved": "2023-06-14T00:00:00.000Z",
"dateUpdated": "2025-01-02T20:49:14.941Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-0205 (GCVE-0-2023-0205)
Vulnerability from cvelistv5 – Published: 2023-04-22 02:26 – Updated: 2025-02-04 19:31| Vendor | Product | Version | |
|---|---|---|---|
| NVIDIA | NVIDIA ConnectX Firmware |
Affected:
All versions prior to 35.1012
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:02:44.064Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5459"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-0205",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-04T19:31:10.617707Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-04T19:31:29.111Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "NVIDIA ConnectX Firmware",
"vendor": "NVIDIA",
"versions": [
{
"status": "affected",
"version": "All versions prior to 35.1012"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": true,
"type": "text/html",
"value": "NVIDIA ConnectX-5, ConnectX-6, and ConnectX6-DX contain a vulnerability in the NIC firmware, where an unprivileged user can exploit insufficient granularity of access control, which may lead to denial of service."
}
],
"value": "NVIDIA ConnectX-5, ConnectX-6, and ConnectX6-DX contain a vulnerability in the NIC firmware, where an unprivileged user can exploit insufficient granularity of access control, which may lead to denial of service."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Denial of service"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1220",
"description": "CWE-1220",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-22T02:26:35.234Z",
"orgId": "9576f279-3576-44b5-a4af-b9a8644b2de6",
"shortName": "nvidia"
},
"references": [
{
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5459"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9576f279-3576-44b5-a4af-b9a8644b2de6",
"assignerShortName": "nvidia",
"cveId": "CVE-2023-0205",
"datePublished": "2023-04-22T02:26:35.234Z",
"dateReserved": "2023-01-11T05:48:54.895Z",
"dateUpdated": "2025-02-04T19:31:29.111Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-0203 (GCVE-0-2023-0203)
Vulnerability from cvelistv5 – Published: 2023-04-22 02:24 – Updated: 2025-02-04 19:04| Vendor | Product | Version | |
|---|---|---|---|
| NVIDIA | NVIDIA ConnectX Firmware |
Affected:
All versions prior to 35.1012
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:02:43.913Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5459"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-0203",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-04T19:04:39.753638Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-04T19:04:46.466Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "NVIDIA ConnectX Firmware",
"vendor": "NVIDIA",
"versions": [
{
"status": "affected",
"version": "All versions prior to 35.1012"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": true,
"type": "text/html",
"value": "NVIDIA ConnectX-5, ConnectX-6, and ConnectX6-DX contain a vulnerability in the NIC firmware, where an unprivileged user can exploit insufficient granularity of access control, which may lead to denial of service."
}
],
"value": "NVIDIA ConnectX-5, ConnectX-6, and ConnectX6-DX contain a vulnerability in the NIC firmware, where an unprivileged user can exploit insufficient granularity of access control, which may lead to denial of service."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Denial of service"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1220",
"description": "CWE-1220",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-22T02:24:15.822Z",
"orgId": "9576f279-3576-44b5-a4af-b9a8644b2de6",
"shortName": "nvidia"
},
"references": [
{
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5459"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9576f279-3576-44b5-a4af-b9a8644b2de6",
"assignerShortName": "nvidia",
"cveId": "CVE-2023-0203",
"datePublished": "2023-04-22T02:24:15.822Z",
"dateReserved": "2023-01-11T05:48:53.613Z",
"dateUpdated": "2025-02-04T19:04:46.466Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-36110 (GCVE-0-2022-36110)
Vulnerability from cvelistv5 – Published: 2022-09-09 19:15 – Updated: 2025-04-23 17:12| URL | Tags |
|---|---|
| https://github.com/gravitl/netmaker/security/advi… | x_refsource_CONFIRM |
| https://github.com/gravitl/netmaker/releases/tag/… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:52:00.453Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/gravitl/netmaker/security/advisories/GHSA-ggf6-638m-vqmg"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gravitl/netmaker/releases/tag/v0.15.1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-36110",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:49:24.565249Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T17:12:19.594Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "netmaker",
"vendor": "gravitl",
"versions": [
{
"status": "affected",
"version": "\u003c 0.15.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Netmaker makes networks with WireGuard. Prior to version 0.15.1, Improper Authorization functions lead to non-privileged users running privileged API calls. If someone adds users to the Netmaker platform who do not have admin privileges, they can use their auth tokens to run admin-level functions via the API. This problem has been patched in v0.15.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1220",
"description": "CWE-1220: Insufficient Granularity of Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-09T19:15:12.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gravitl/netmaker/security/advisories/GHSA-ggf6-638m-vqmg"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gravitl/netmaker/releases/tag/v0.15.1"
}
],
"source": {
"advisory": "GHSA-ggf6-638m-vqmg",
"discovery": "UNKNOWN"
},
"title": "Netmaker vulnerable to Insufficient Granularity of Access Control",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-36110",
"STATE": "PUBLIC",
"TITLE": "Netmaker vulnerable to Insufficient Granularity of Access Control"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "netmaker",
"version": {
"version_data": [
{
"version_value": "\u003c 0.15.1"
}
]
}
}
]
},
"vendor_name": "gravitl"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Netmaker makes networks with WireGuard. Prior to version 0.15.1, Improper Authorization functions lead to non-privileged users running privileged API calls. If someone adds users to the Netmaker platform who do not have admin privileges, they can use their auth tokens to run admin-level functions via the API. This problem has been patched in v0.15.1."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-1220: Insufficient Granularity of Access Control"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-285: Improper Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/gravitl/netmaker/security/advisories/GHSA-ggf6-638m-vqmg",
"refsource": "CONFIRM",
"url": "https://github.com/gravitl/netmaker/security/advisories/GHSA-ggf6-638m-vqmg"
},
{
"name": "https://github.com/gravitl/netmaker/releases/tag/v0.15.1",
"refsource": "MISC",
"url": "https://github.com/gravitl/netmaker/releases/tag/v0.15.1"
}
]
},
"source": {
"advisory": "GHSA-ggf6-638m-vqmg",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-36110",
"datePublished": "2022-09-09T19:15:12.000Z",
"dateReserved": "2022-07-15T00:00:00.000Z",
"dateUpdated": "2025-04-23T17:12:19.594Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
- Access-control-policy protections must be reviewed for design inconsistency and common weaknesses.
- Access-control-policy definition and programming flow must be tested in pre-silicon, post-silicon testing.
CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.
CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels
An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.