Common Weakness Enumeration

CWE-863

Allowed-with-Review

Incorrect Authorization

Abstraction: Class · Status: Incomplete

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

5556 vulnerabilities reference this CWE, most recent first.

GHSA-2H75-RWG4-WVHQ

Vulnerability from github – Published: 2022-05-24 16:56 – Updated: 2024-04-04 01:55
VLAI
Details

On STMicroelectronics STM32L0, STM32L1, STM32L4, STM32F4, STM32F7, and STM32H7 devices, Proprietary Code Read Out Protection (PCROP) (a software IP protection method) can be defeated by observing CPU registers and the effect of code/instruction execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-14236"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-09-12T18:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "On STMicroelectronics STM32L0, STM32L1, STM32L4, STM32F4, STM32F7, and STM32H7 devices, Proprietary Code Read Out Protection (PCROP) (a software IP protection method) can be defeated by observing CPU registers and the effect of code/instruction execution.",
  "id": "GHSA-2h75-rwg4-wvhq",
  "modified": "2024-04-04T01:55:39Z",
  "published": "2022-05-24T16:56:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14236"
    },
    {
      "type": "WEB",
      "url": "https://www.usenix.org/system/files/woot19-paper_schink.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2H84-3CRQ-VGFJ

Vulnerability from github – Published: 2023-07-12 12:31 – Updated: 2024-11-18 16:26
VLAI
Summary
Apache Airflow Incorrect Authorization vulnerability
Details

Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows unauthorized read access to a DAG through the URL. It is recommended to upgrade to a version that is not affected

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "apache-airflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.6.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-35908"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-12T17:30:21Z",
    "nvd_published_at": "2023-07-12T10:15:10Z",
    "severity": "HIGH"
  },
  "details": "Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows unauthorized read access to a DAG through the URL.\u00a0It is recommended to upgrade to a version that is not affected",
  "id": "GHSA-2h84-3crq-vgfj",
  "modified": "2024-11-18T16:26:31Z",
  "published": "2023-07-12T12:31:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35908"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/airflow/pull/32014"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/airflow/commit/ac65b82eeeeaa670e09a83c7da65cbac7e89f8db"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/airflow/commit/c78e16588ee399f6eaf60425eb1ad7fa6d3fe352"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/airflow"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-119.yaml"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/vsflptk5dt30vrfggn96nx87d7zr6yvw"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Apache Airflow Incorrect Authorization vulnerability"
}

GHSA-2H8W-GRHW-CQCR

Vulnerability from github – Published: 2022-10-08 00:00 – Updated: 2022-10-11 19:00
VLAI
Details

An access-control vulnerability in Gradle Enterprise 2022.4 through 2022.3.1 allows remote attackers to prevent backups from occurring, and send emails with arbitrary text content to the configured installation-administrator contact address, via HTTP access to an accidentally exposed internal endpoint. This is fixed in 2022.3.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-41574"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-07T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "An access-control vulnerability in Gradle Enterprise 2022.4 through 2022.3.1 allows remote attackers to prevent backups from occurring, and send emails with arbitrary text content to the configured installation-administrator contact address, via HTTP access to an accidentally exposed internal endpoint. This is fixed in 2022.3.2.",
  "id": "GHSA-2h8w-grhw-cqcr",
  "modified": "2022-10-11T19:00:29Z",
  "published": "2022-10-08T00:00:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41574"
    },
    {
      "type": "WEB",
      "url": "https://security.gradle.com"
    },
    {
      "type": "WEB",
      "url": "https://security.gradle.com/advisory/2022-12"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2HF9-98XV-3H7H

Vulnerability from github – Published: 2021-11-25 00:00 – Updated: 2022-05-04 00:00
VLAI
Details

Improper authorization in handler for custom URL scheme vulnerability in Android App 'Mercari (Merpay) - Marketplace and Mobile Payments App' (Japan version) versions prior to 4.49.1 allows a remote attacker to lead a user to access an arbitrary website and the website launches an arbitrary Activity of the app via the vulnerable App, which may result in Mercari account's access token being obtained.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-20835"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-11-24T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "Improper authorization in handler for custom URL scheme vulnerability in Android App \u0027Mercari (Merpay) - Marketplace and Mobile Payments App\u0027 (Japan version) versions prior to 4.49.1 allows a remote attacker to lead a user to access an arbitrary website and the website launches an arbitrary Activity of the app via the vulnerable App, which may result in Mercari account\u0027s access token being obtained.",
  "id": "GHSA-2hf9-98xv-3h7h",
  "modified": "2022-05-04T00:00:57Z",
  "published": "2021-11-25T00:00:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20835"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN49465877/index.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2HJX-QMR7-GG4R

Vulnerability from github – Published: 2022-02-11 00:00 – Updated: 2022-02-17 00:00
VLAI
Details

An authorization logic error in the External Status Check API in GitLab EE affecting all versions starting from 14.1 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allowed a user to update the status of the check via an API call

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-39943"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-09T23:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An authorization logic error in the External Status Check API in GitLab EE affecting all versions starting from 14.1 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allowed a user to update the status of the check via an API call",
  "id": "GHSA-2hjx-qmr7-gg4r",
  "modified": "2022-02-17T00:00:47Z",
  "published": "2022-02-11T00:00:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39943"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/1375393"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39943.json"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/343604"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-2HM8-RQRM-XFJQ

Vulnerability from github – Published: 2026-03-03 21:36 – Updated: 2026-03-03 21:36
VLAI
Summary
OpenClaw's owner-only gateway tool access checks were incomplete in specific authenticated DM flows
Details

Summary

In authenticated non-owner DM sessions, a narrow tool-invocation path could reach broader-than-intended owner-only gateway actions.

Impact

This requires an authenticated non-owner sender in a DM session and a specific tool invocation path. No unauthenticated access is involved, and this does not provide direct code execution by itself.

Root Cause

  • Some gateway call paths were still using broader default scopes instead of method-level least-privilege scopes.
  • Owner-only enforcement depended on tool-name checks and was not consistently metadata-driven across all call paths.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected: <= 2026.2.17 (latest published npm version as of February 19, 2026)
  • Patched: 2026.2.19

Remediation

  • Refactored gateway method scope mapping to a data-driven table and added guard tests to ensure all exposed core gateway methods stay classified.
  • Centralized owner-only enforcement in tool policy wrappers and tool metadata.
  • Marked owner-only tools explicitly (cron, gateway, whatsapp_login) and removed duplicated per-tool owner checks.
  • Refactored gateway call path internals into smaller helpers while preserving behavior and coverage.

Fix Commit(s)

  • a40c10d3e24568b1e2947c104484be74bf66b8d2
  • 2777d8ad91ef1e8a7c6f5b4b18f8507be7d02914
  • 3d7ad1cfca4daaa84cd553e843e0e08fa6201349

OpenClaw thanks @Adam55A-code for reporting.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.2.19"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-03T21:36:33Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nIn authenticated non-owner DM sessions, a narrow tool-invocation path could reach broader-than-intended owner-only gateway actions.\n\n## Impact\n\nThis requires an authenticated non-owner sender in a DM session and a specific tool invocation path. No unauthenticated access is involved, and this does not provide direct code execution by itself.\n\n## Root Cause\n\n- Some gateway call paths were still using broader default scopes instead of method-level least-privilege scopes.\n- Owner-only enforcement depended on tool-name checks and was not consistently metadata-driven across all call paths.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected: `\u003c= 2026.2.17` (latest published npm version as of February 19, 2026)\n- Patched: `2026.2.19`\n\n## Remediation\n\n- Refactored gateway method scope mapping to a data-driven table and added guard tests to ensure all exposed core gateway methods stay classified.\n- Centralized owner-only enforcement in tool policy wrappers and tool metadata.\n- Marked owner-only tools explicitly (`cron`, `gateway`, `whatsapp_login`) and removed duplicated per-tool owner checks.\n- Refactored gateway call path internals into smaller helpers while preserving behavior and coverage.\n\n## Fix Commit(s)\n\n- `a40c10d3e24568b1e2947c104484be74bf66b8d2`\n- `2777d8ad91ef1e8a7c6f5b4b18f8507be7d02914`\n- `3d7ad1cfca4daaa84cd553e843e0e08fa6201349`\n\nOpenClaw thanks @Adam55A-code for reporting.",
  "id": "GHSA-2hm8-rqrm-xfjq",
  "modified": "2026-03-03T21:36:33Z",
  "published": "2026-03-03T21:36:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2hm8-rqrm-xfjq"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/2777d8ad91ef1e8a7c6f5b4b18f8507be7d02914"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/3d7ad1cfca4daaa84cd553e843e0e08fa6201349"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/a40c10d3e24568b1e2947c104484be74bf66b8d2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw\u0027s owner-only gateway tool access checks were incomplete in specific authenticated DM flows"
}

GHSA-2HMH-WH7Q-6WPR

Vulnerability from github – Published: 2025-01-21 21:30 – Updated: 2025-01-21 21:30
VLAI
Details

Vulnerability in the Oracle Agile PLM Framework product of Oracle Supply Chain (component: Agile Integration Services). The supported version that is affected is 9.3.6. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Agile PLM Framework. While the vulnerability is in Oracle Agile PLM Framework, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Agile PLM Framework. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-21556"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-21T21:15:22Z",
    "severity": "CRITICAL"
  },
  "details": "Vulnerability in the Oracle Agile PLM Framework product of Oracle Supply Chain (component: Agile Integration Services).   The supported version that is affected is 9.3.6. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Agile PLM Framework.  While the vulnerability is in Oracle Agile PLM Framework, attacks may significantly impact additional products (scope change).  Successful attacks of this vulnerability can result in takeover of Oracle Agile PLM Framework. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).",
  "id": "GHSA-2hmh-wh7q-6wpr",
  "modified": "2025-01-21T21:30:56Z",
  "published": "2025-01-21T21:30:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21556"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujan2025.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2HQG-M6WM-QJM5

Vulnerability from github – Published: 2024-07-24 18:31 – Updated: 2024-09-03 21:31
VLAI
Details

AdTran SRG 834-5 HDC17600021F1 devices (with SmartOS 11.1.1.1 and fixed in Version 12.1.3.1) have SSH enabled by default, accessible both over the LAN and the Internet. During a window of time when the device is being set up, it uses a default username and password combination of admin/admin with root-level privileges. An attacker can exploit this window to gain unauthorized root access by either modifying the existing admin account or creating a new account with equivalent privileges. This vulnerability allows attackers to execute arbitrary commands.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-31970"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-24T16:15:06Z",
    "severity": "HIGH"
  },
  "details": "AdTran SRG 834-5 HDC17600021F1 devices (with SmartOS 11.1.1.1 and fixed in Version 12.1.3.1) have SSH enabled by default, accessible both over the LAN and the Internet. During a window of time when the device is being set up, it uses a default username and password combination of admin/admin with root-level privileges. An attacker can exploit this window to gain unauthorized root access by either modifying the existing admin account or creating a new account with equivalent privileges. This vulnerability allows attackers to execute arbitrary commands.",
  "id": "GHSA-2hqg-m6wm-qjm5",
  "modified": "2024-09-03T21:31:11Z",
  "published": "2024-07-24T18:31:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31970"
    },
    {
      "type": "WEB",
      "url": "https://github.com/actuator/cve/blob/main/AdTran/CVE-2024-31970"
    },
    {
      "type": "WEB",
      "url": "https://github.com/actuator/cve/blob/main/AdTran/SRG-834-5"
    },
    {
      "type": "WEB",
      "url": "https://supportcommunity.adtran.com/t5/Security-Advisories/ADTSA-2024001-Multiple-vulnerabilities-in-Service-Delivery-Gateway-products/ta-p/39332"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2HR5-CVWP-JR5W

Vulnerability from github – Published: 2024-12-20 18:31 – Updated: 2024-12-20 21:37
VLAI
Summary
Oqtane Framework Insecure Direct Object Reference vulnerability
Details

An IDOR (Insecure Direct Object Reference) vulnerability exists in Oqtane Framework 6.0.0, allowing a logged-in user to access inbox messages of other users by manipulating the notification ID in the request URL. By changing the notification ID, an attacker can view sensitive mail details belonging to other users.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Oqtane.Framework"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "6.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Oqtane.Client"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "6.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Oqtane.Server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "6.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Oqtane.Shared"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "6.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-55186"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-20T19:40:59Z",
    "nvd_published_at": "2024-12-20T16:15:23Z",
    "severity": "LOW"
  },
  "details": "An IDOR (Insecure Direct Object Reference) vulnerability exists in Oqtane Framework 6.0.0, allowing a logged-in user to access inbox messages of other users by manipulating the notification ID in the request URL. By changing the notification ID, an attacker can view sensitive mail details belonging to other users.",
  "id": "GHSA-2hr5-cvwp-jr5w",
  "modified": "2024-12-20T21:37:23Z",
  "published": "2024-12-20T18:31:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55186"
    },
    {
      "type": "WEB",
      "url": "https://github.com/oqtane/oqtane.framework/pull/4876/files"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/SmitShah1518/00de9ecc46c1a8e2b189185c9d92afb0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/oqtane/oqtane.framework"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Oqtane Framework Insecure Direct Object Reference vulnerability"
}

GHSA-2HWP-94GX-J73F

Vulnerability from github – Published: 2025-02-14 09:31 – Updated: 2025-02-14 09:31
VLAI
Details

app/Model/Attribute.php in MISP before 2.4.198 ignores an ACL during a GUI attribute search.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-57969"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-14T07:15:32Z",
    "severity": "MODERATE"
  },
  "details": "app/Model/Attribute.php in MISP before 2.4.198 ignores an ACL during a GUI attribute search.",
  "id": "GHSA-2hwp-94gx-j73f",
  "modified": "2025-02-14T09:31:22Z",
  "published": "2025-02-14T09:31:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57969"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MISP/MISP/commit/4f27f83a775aba4d3cca9255f69c3c9998b7df7f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MISP/MISP/compare/v2.4.197...v2.4.198"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

No CAPEC attack patterns related to this CWE.