Common Weakness Enumeration

CWE-863

Allowed-with-Review

Incorrect Authorization

Abstraction: Class · Status: Incomplete

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

5556 vulnerabilities reference this CWE, most recent first.

GHSA-2G6X-RFGR-7F5J

Vulnerability from github – Published: 2022-05-13 01:52 – Updated: 2022-05-13 01:52
VLAI
Details

NetApp 7-Mode Transition Tool allows users with valid credentials to access functions and information which may have been intended to be restricted to administrators or privileged users. 7MTT versions below 2.0 do not enforce user authorization rules on file information and status that it has previously collected. The released version of 7MTT has been updated to maintain and verify authorization rules for file information, status and utilities.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-5489"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-08-03T13:29:00Z",
    "severity": "MODERATE"
  },
  "details": "NetApp 7-Mode Transition Tool allows users with valid credentials to access functions and information which may have been intended to be restricted to administrators or privileged users. 7MTT versions below 2.0 do not enforce user authorization rules on file information and status that it has previously collected. The released version of 7MTT has been updated to maintain and verify authorization rules for file information, status and utilities.",
  "id": "GHSA-2g6x-rfgr-7f5j",
  "modified": "2022-05-13T01:52:48Z",
  "published": "2022-05-13T01:52:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-5489"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20150323-0001"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2G78-X942-H8VJ

Vulnerability from github – Published: 2022-05-24 19:11 – Updated: 2022-07-13 00:01
VLAI
Details

Certain Arm products before 2021-08-23 do not properly consider the effect of exceptions on a VLLDM instruction. A Non-secure handler may have read or write access to part of a Secure context. This affects Arm Cortex-M33 r0p0 through r1p0, Arm Cortex-M35P r0, Arm Cortex-M55 r0p0 through r1p0, and Arm China STAR-MC1 (in the STAR SE configuration).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-35465"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-23T13:15:00Z",
    "severity": "LOW"
  },
  "details": "Certain Arm products before 2021-08-23 do not properly consider the effect of exceptions on a VLLDM instruction. A Non-secure handler may have read or write access to part of a Secure context. This affects Arm Cortex-M33 r0p0 through r1p0, Arm Cortex-M35P r0, Arm Cortex-M55 r0p0 through r1p0, and Arm China STAR-MC1 (in the STAR SE configuration).",
  "id": "GHSA-2g78-x942-h8vj",
  "modified": "2022-07-13T00:01:28Z",
  "published": "2022-05-24T19:11:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35465"
    },
    {
      "type": "WEB",
      "url": "https://developer.arm.com/support/arm-security-updates"
    },
    {
      "type": "WEB",
      "url": "https://developer.arm.com/support/arm-security-updates/vlldm-instruction-security-vulnerability"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2G94-9XCH-XC29

Vulnerability from github – Published: 2023-07-31 15:30 – Updated: 2024-03-21 03:35
VLAI
Details

** UNSUPPORTED WHEN ASSIGNED ** Authentication Bypass vulnerability in D-Link DIR-645 firmware version 1.03 allows remote attackers to gain escalated privileges via function phpcgi_main in cgibin. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-36089"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-31T14:15:10Z",
    "severity": "CRITICAL"
  },
  "details": "** UNSUPPORTED WHEN ASSIGNED ** Authentication Bypass vulnerability in D-Link DIR-645 firmware version 1.03 allows remote attackers to gain escalated privileges via function phpcgi_main in cgibin. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.",
  "id": "GHSA-2g94-9xch-xc29",
  "modified": "2024-03-21T03:35:36Z",
  "published": "2023-07-31T15:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36089"
    },
    {
      "type": "WEB",
      "url": "https://www.dlink.com/en/security-bulletin"
    },
    {
      "type": "WEB",
      "url": "https://www.dlink.com/en/support"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2GCQ-QRR4-WC8F

Vulnerability from github – Published: 2022-05-24 17:27 – Updated: 2022-05-24 17:27
VLAI
Details

SAP Marketing (Servlet), version-130,140,150, allows an authenticated attacker to invoke certain functions that are restricted. Limited knowledge of payload is required for an attacker to exploit the vulnerability and perform tasks related to contact and interaction data which impacts Confidentiality and Integrity of data in the application.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-6320"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-09-09T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "SAP Marketing (Servlet), version-130,140,150, allows an authenticated attacker to invoke certain functions that are restricted. Limited knowledge of payload is required for an attacker to exploit the vulnerability and perform tasks related to contact and interaction data which impacts Confidentiality and Integrity of data in the application.",
  "id": "GHSA-2gcq-qrr4-wc8f",
  "modified": "2022-05-24T17:27:44Z",
  "published": "2022-05-24T17:27:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6320"
    },
    {
      "type": "WEB",
      "url": "https://launchpad.support.sap.com/#/notes/2961991"
    },
    {
      "type": "WEB",
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=557449700"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-2GJQ-2933-HPJG

Vulnerability from github – Published: 2025-03-13 06:30 – Updated: 2025-03-13 06:30
VLAI
Details

An issue was discovered in GitLab EE affecting all versions from 16.5 prior to 17.7.7, 17.8 prior to 17.8.5, and 17.9 prior to 17.9.2 which allowed a user with a custom permission to approve pending membership requests beyond the maximum number of allowed users.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-7296"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-13T06:15:35Z",
    "severity": "LOW"
  },
  "details": "An issue was discovered in GitLab EE affecting all versions from 16.5 prior to 17.7.7, 17.8 prior to 17.8.5, and 17.9 prior to 17.9.2  which allowed a user with a custom permission to approve pending membership requests beyond the maximum number of allowed users.",
  "id": "GHSA-2gjq-2933-hpjg",
  "modified": "2025-03-13T06:30:35Z",
  "published": "2025-03-13T06:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7296"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/2602274"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/475056"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2GP6-V2J8-WM92

Vulnerability from github – Published: 2023-04-11 18:30 – Updated: 2024-04-04 03:24
VLAI
Details

A incorrect authorization in Fortinet FortiClient (Windows) 7.0.0 - 7.0.7, 6.4.0 - 6.4.9, 6.2.0 - 6.2.9 and 6.0.0 - 6.0.10 allows an attacker to execute unauthorized code or commands via sending a crafted request to a specific named pipe.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-40682"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-11T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "A incorrect authorization in Fortinet FortiClient (Windows) 7.0.0 - 7.0.7, 6.4.0 - 6.4.9, 6.2.0 - 6.2.9 and 6.0.0 - 6.0.10 allows an attacker to execute unauthorized code or commands via sending a crafted request to a specific named pipe.",
  "id": "GHSA-2gp6-v2j8-wm92",
  "modified": "2024-04-04T03:24:23Z",
  "published": "2023-04-11T18:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40682"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.com/psirt/FG-IR-22-336"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2GR2-XJJ5-Q4FF

Vulnerability from github – Published: 2022-05-24 17:42 – Updated: 2022-05-24 17:42
VLAI
Details

Dell EMC Avamar Server, versions 19.3 and 19.4 contain an Improper Authorization vulnerability in the web UI. A remote low privileged attacker could potentially exploit this vulnerability, to gain unauthorized read or modification access to other users' backup data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-21511"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-02-15T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "Dell EMC Avamar Server, versions 19.3 and 19.4 contain an Improper Authorization vulnerability in the web UI. A remote low privileged attacker could potentially exploit this vulnerability, to gain unauthorized read or modification access to other users\u0027 backup data.",
  "id": "GHSA-2gr2-xjj5-q4ff",
  "modified": "2022-05-24T17:42:15Z",
  "published": "2022-05-24T17:42:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21511"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000182926/dsa-2021-033-dell-emc-avamar-server-improper-authorization-vulnerability"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2GVW-W6FJ-7M3C

Vulnerability from github – Published: 2024-04-15 20:20 – Updated: 2024-04-15 21:37
VLAI
Summary
Argo CD's API server does not enforce project sourceNamespaces
Details

Impact

I can convince the UI to let me do things with an invalid Application. 1. Admin gives me p, michael, applications, *, demo/*, allow, where demo can just deploy to the demo namespace 2. Admin gives me AppProject dev which reconciles from ns dev-apps 3. Admin gives me p, michael, applications, sync, dev/*, allow, i.e. no updating via the UI allowed, gitops-only 4. I create an Application called pwn in dev-apps with project dev and sync the app with sources from git 5. I change the Application’s project to demo via kubectl or gitops (whichever mechanism my admins have given me, because it should be safe) 6. I use the UI to edit the resource which should only be mutable via gitops

Patches

A patch for this vulnerability has been released in the following Argo CD versions:

v2.10.7 v2.9.12 v2.8.16

For more information

If you have any questions or comments about this advisory:

Open an issue in the Argo CD issue tracker or discussions Join us on Slack in channel #argo-cd

Credits

This vulnerability was found & reported by @crenshaw-dev (Michael Crenshaw)

The Argo team would like to thank these contributors for their responsible disclosure and constructive communications during the resolve of this issue

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-cd/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.0"
            },
            {
              "fixed": "2.8.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-cd/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.9.0"
            },
            {
              "fixed": "2.9.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-cd/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.10.0"
            },
            {
              "fixed": "2.10.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-31990"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-15T20:20:50Z",
    "nvd_published_at": "2024-04-15T20:15:11Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nI can convince the UI to let me do things with an invalid Application.\n1. Admin gives me `p, michael, applications, *, demo/*, allow`, where `demo` can just deploy to the `demo` namespace\n2. Admin gives me AppProject `dev` which reconciles from ns `dev-apps`\n3. Admin gives me `p, michael, applications, sync, dev/*, allow`, i.e. no updating via the UI allowed, gitops-only\n4. I create an Application called `pwn` in `dev-apps` with project dev and sync the app with sources from git\n5. I change the Application\u2019s project to demo via kubectl or gitops (whichever mechanism my admins have given me, because it should be safe)\n6. I use the UI to edit the resource which should only be mutable via gitops\n\n### Patches\nA patch for this vulnerability has been released in the following Argo CD versions:\n\nv2.10.7 \nv2.9.12 \nv2.8.16\n\n### For more information\nIf you have any questions or comments about this advisory:\n\nOpen an issue in [the Argo CD issue tracker](https://github.com/argoproj/argo-cd/issues) or [discussions](https://github.com/argoproj/argo-cd/discussions)\nJoin us on [Slack](https://argoproj.github.io/community/join-slack) in channel #argo-cd\n\n### Credits\nThis vulnerability was found \u0026 reported by @crenshaw-dev (Michael Crenshaw)\n\nThe Argo team would like to thank these contributors for their responsible disclosure and constructive communications during the resolve of this issue\n",
  "id": "GHSA-2gvw-w6fj-7m3c",
  "modified": "2024-04-15T21:37:22Z",
  "published": "2024-04-15T20:20:50Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2gvw-w6fj-7m3c"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31990"
    },
    {
      "type": "WEB",
      "url": "https://github.com/argoproj/argo-cd/commit/c514105af739eebedb9dbe89d8a6dd8dfc30bb2c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/argoproj/argo-cd/commit/c5a252c4cc260e240e2074794aedb861d07e9ca5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/argoproj/argo-cd/commit/e0ff56d89fbd7d066e9c862b30337f6520f13f17"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/argoproj/argo-cd"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Argo CD\u0027s API server does not enforce project sourceNamespaces"
}

GHSA-2GWC-3C7P-CJFQ

Vulnerability from github – Published: 2023-06-02 15:30 – Updated: 2024-04-04 04:29
VLAI
Details

Incorrect Authorization vulnerability in Mobatime web application allows Privilege Escalation, Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Mobatime web application: through 06.7.22.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-3033"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-02T13:15:10Z",
    "severity": "HIGH"
  },
  "details": "Incorrect Authorization vulnerability in Mobatime web application allows Privilege Escalation, Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Mobatime web application: through 06.7.22.\n\n",
  "id": "GHSA-2gwc-3c7p-cjfq",
  "modified": "2024-04-04T04:29:01Z",
  "published": "2023-06-02T15:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3033"
    },
    {
      "type": "WEB",
      "url": "https://borelenzo.github.io/stuff/2023/06/01/cve-2023-3033.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2H2X-8HH2-MFQ8

Vulnerability from github – Published: 2024-07-11 21:31 – Updated: 2024-10-30 18:50
VLAI
Summary
NATS Server and Streaming Server fails to enforce negative user permissions, may allow denied subjects
Details

NATS.io NATS Server before 2.8.2 and Streaming Server before 0.24.6 could allow a remote attacker to bypass security restrictions, caused by the failure to enforce negative user permissions in one scenario. By using a queue subscription on the wildcard, an attacker could exploit this vulnerability to allow denied subjects.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/nats-io/nats-server/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.8.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/nats-io/nats-streaming-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.24.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-29946"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-12T14:01:30Z",
    "nvd_published_at": "2024-07-11T21:15:10Z",
    "severity": "HIGH"
  },
  "details": "NATS.io NATS Server before 2.8.2 and Streaming Server before 0.24.6 could allow a remote attacker to bypass security restrictions, caused by the failure to enforce negative user permissions in one scenario. By using a queue subscription on the wildcard, an attacker could exploit this vulnerability to allow denied subjects.",
  "id": "GHSA-2h2x-8hh2-mfq8",
  "modified": "2024-10-30T18:50:03Z",
  "published": "2024-07-11T21:31:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29946"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-2h2x-8hh2-mfq8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nats-io/advisories/blob/main/CVE/CVE-2022-29946.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "NATS Server and Streaming Server fails to enforce negative user permissions, may allow denied subjects"
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

No CAPEC attack patterns related to this CWE.