CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5549 vulnerabilities reference this CWE, most recent first.
GHSA-2Q9C-QJ72-94FH
Vulnerability from github – Published: 2023-05-08 21:31 – Updated: 2024-04-04 03:52The issue was addressed by removing origin information. This issue is fixed in macOS Ventura 13.3, watchOS 9.4, tvOS 16.4, iOS 15.7.4 and iPadOS 15.7.4, Safari 16.4, iOS 16.4 and iPadOS 16.4. A website may be able to track sensitive user information
{
"affected": [],
"aliases": [
"CVE-2023-27954"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-08T20:15:18Z",
"severity": "MODERATE"
},
"details": "The issue was addressed by removing origin information. This issue is fixed in macOS Ventura 13.3, watchOS 9.4, tvOS 16.4, iOS 15.7.4 and iPadOS 15.7.4, Safari 16.4, iOS 16.4 and iPadOS 16.4. A website may be able to track sensitive user information",
"id": "GHSA-2q9c-qj72-94fh",
"modified": "2024-04-04T03:52:02Z",
"published": "2023-05-08T21:31:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27954"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00011.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202305-32"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213670"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213671"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213673"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213674"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213676"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213678"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2023/May/7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2QCM-CV9R-3V6H
Vulnerability from github – Published: 2022-05-13 01:49 – Updated: 2022-05-13 01:49The 'systemui/settings_network.php' and 'systemui/settings_patching.php' scripts in the Quest KACE System Management Appliance 8.0.318 are accessible only from localhost. This restriction can be bypassed by modifying the 'Host' and 'X_Forwarded_For' HTTP headers in a POST request. An anonymous user can abuse this vulnerability to execute critical functions without authorization.
{
"affected": [],
"aliases": [
"CVE-2018-11142"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-05-31T18:29:00Z",
"severity": "MODERATE"
},
"details": "The \u0027systemui/settings_network.php\u0027 and \u0027systemui/settings_patching.php\u0027 scripts in the Quest KACE System Management Appliance 8.0.318 are accessible only from localhost. This restriction can be bypassed by modifying the \u0027Host\u0027 and \u0027X_Forwarded_For\u0027 HTTP headers in a POST request. An anonymous user can abuse this vulnerability to execute critical functions without authorization.",
"id": "GHSA-2qcm-cv9r-3v6h",
"modified": "2022-05-13T01:49:01Z",
"published": "2022-05-13T01:49:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11142"
},
{
"type": "WEB",
"url": "https://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2QG3-HFR4-W75G
Vulnerability from github – Published: 2022-05-24 19:16 – Updated: 2022-07-13 00:01NETSCOUT Systems nGeniusONE 6.3.0 build 1196 allows Authorization Bypass (to access an endpoint) in FDSQueryService.
{
"affected": [],
"aliases": [
"CVE-2021-35202"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-30T18:15:00Z",
"severity": "MODERATE"
},
"details": "NETSCOUT Systems nGeniusONE 6.3.0 build 1196 allows Authorization Bypass (to access an endpoint) in FDSQueryService.",
"id": "GHSA-2qg3-hfr4-w75g",
"modified": "2022-07-13T00:01:27Z",
"published": "2022-05-24T19:16:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35202"
},
{
"type": "WEB",
"url": "https://www.netscout.com/securityadvisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2QGF-37V8-C4JH
Vulnerability from github – Published: 2023-07-21 21:30 – Updated: 2024-04-04 06:18An access control issue in WebBoss.io CMS v3.7.0 allows attackers to access the Website Backup Tool via a crafted GET request.
{
"affected": [],
"aliases": [
"CVE-2023-36339"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-21T20:15:15Z",
"severity": "HIGH"
},
"details": "An access control issue in WebBoss.io CMS v3.7.0 allows attackers to access the Website Backup Tool via a crafted GET request.",
"id": "GHSA-2qgf-37v8-c4jh",
"modified": "2024-04-04T06:18:42Z",
"published": "2023-07-21T21:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36339"
},
{
"type": "WEB",
"url": "https://webboss.feedbear.com/updates"
},
{
"type": "WEB",
"url": "https://www.realinfosec.net/advisories/WEBBOSS-CMS-IDOR-2023-0xv3jsv.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2QH8-FP5P-2XX2
Vulnerability from github – Published: 2022-05-24 17:44 – Updated: 2022-08-31 00:00Lack of authorisation checks in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly restrict access to the export files, allowing unauthenticated users to exports all events data in CSV or XML format for example.
{
"affected": [],
"aliases": [
"CVE-2021-24146"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-862",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-18T15:15:00Z",
"severity": "HIGH"
},
"details": "Lack of authorisation checks in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly restrict access to the export files, allowing unauthenticated users to exports all events data in CSV or XML format for example.",
"id": "GHSA-2qh8-fp5p-2xx2",
"modified": "2022-08-31T00:00:18Z",
"published": "2022-05-24T17:44:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24146"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/c7b1ebd6-3050-4725-9c87-0ea525f8fecc"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/163345/WordPress-Modern-Events-Calendar-5.16.2-Information-Disclosure.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2QV6-8QCF-2852
Vulnerability from github – Published: 2025-11-07 18:30 – Updated: 2025-11-12 18:31An issue was discovered in rymcu forest thru commit f782e85 (2025-09-04) in function doBefore in file src/main/java/com/rymcu/forest/core/service/security/AuthorshipAspect.java, allowing authorized attackers to delete arbitrary users posts.
{
"affected": [],
"aliases": [
"CVE-2025-63687"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-07T16:15:42Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in rymcu forest thru commit f782e85 (2025-09-04) in function doBefore in file src/main/java/com/rymcu/forest/core/service/security/AuthorshipAspect.java, allowing authorized attackers to delete arbitrary users posts.",
"id": "GHSA-2qv6-8qcf-2852",
"modified": "2025-11-12T18:31:09Z",
"published": "2025-11-07T18:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-63687"
},
{
"type": "WEB",
"url": "https://github.com/rymcu/forest/issues/193"
},
{
"type": "WEB",
"url": "https://gist.github.com/LockeTom/564d5be6b75bb64d120daed96d74ec9c"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2R23-2G6V-2M5F
Vulnerability from github – Published: 2026-05-28 21:32 – Updated: 2026-07-02 17:44An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone RBAC policy enforcer in enforce_call unconditionally merges the raw JSON request body into the policy enforcement dictionary via policy_dict.update(json_input.copy()), overwriting trusted target data that was previously set from database lookups. Because flask.request.get_json is called with force=True, this works regardless of Content-Type or HTTP method. Any authenticated user can inject arbitrary policy target attributes (e.g., user_id, project_id) into the request body to bypass RBAC checks and perform unauthorized operations on resources belonging to other users or projects. This was introduced in commit 5ea59f52 (Rocky/14.0.0).
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "keystone"
},
"ranges": [
{
"events": [
{
"introduced": "14.0.0"
},
{
"fixed": "27.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "keystone"
},
"ranges": [
{
"events": [
{
"introduced": "28.0.0"
},
{
"fixed": "28.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "keystone"
},
"ranges": [
{
"events": [
{
"introduced": "29.0.0"
},
{
"fixed": "29.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-42999"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-02T17:44:03Z",
"nvd_published_at": "2026-05-28T19:16:37Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone RBAC policy enforcer in enforce_call unconditionally merges the raw JSON request body into the policy enforcement dictionary via policy_dict.update(json_input.copy()), overwriting trusted target data that was previously set from database lookups. Because flask.request.get_json is called with force=True, this works regardless of Content-Type or HTTP method. Any authenticated user can inject arbitrary policy target attributes (e.g., user_id, project_id) into the request body to bypass RBAC checks and perform unauthorized operations on resources belonging to other users or projects. This was introduced in commit 5ea59f52 (Rocky/14.0.0).",
"id": "GHSA-2r23-2g6v-2m5f",
"modified": "2026-07-02T17:44:03Z",
"published": "2026-05-28T21:32:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42999"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-42999"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/keystone/+bug/2148398"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482840"
},
{
"type": "PACKAGE",
"url": "https://github.com/openstack/keystone"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/keystone/PYSEC-2026-600.yaml"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42999.json"
},
{
"type": "WEB",
"url": "https://security.openstack.org/ossa/OSSA-2026-015.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "OpenStack Keystone has an Authorization Bypass"
}
GHSA-2R24-5J8R-CF83
Vulnerability from github – Published: 2024-06-03 09:30 – Updated: 2025-05-20 15:30In the Linux kernel, the following vulnerability has been resolved:
tracefs: Reset permissions on remount if permissions are options
There's an inconsistency with the way permissions are handled in tracefs. Because the permissions are generated when accessed, they default to the root inode's permission if they were never set by the user. If the user sets the permissions, then a flag is set and the permissions are saved via the inode (for tracefs files) or an internal attribute field (for eventfs).
But if a remount happens that specify the permissions, all the files that were not changed by the user gets updated, but the ones that were are not. If the user were to remount the file system with a given permission, then all files and directories within that file system should be updated.
This can cause security issues if a file's permission was updated but the admin forgot about it. They could incorrectly think that remounting with permissions set would update all files, but miss some.
For example:
# cd /sys/kernel/tracing # chgrp 1002 current_tracer # ls -l [..] -rw-r----- 1 root root 0 May 1 21:25 buffer_size_kb -rw-r----- 1 root root 0 May 1 21:25 buffer_subbuf_size_kb -r--r----- 1 root root 0 May 1 21:25 buffer_total_size_kb -rw-r----- 1 root lkp 0 May 1 21:25 current_tracer -rw-r----- 1 root root 0 May 1 21:25 dynamic_events -r--r----- 1 root root 0 May 1 21:25 dyn_ftrace_total_info -r--r----- 1 root root 0 May 1 21:25 enabled_functions
Where current_tracer now has group "lkp".
# mount -o remount,gid=1001 . # ls -l -rw-r----- 1 root tracing 0 May 1 21:25 buffer_size_kb -rw-r----- 1 root tracing 0 May 1 21:25 buffer_subbuf_size_kb -r--r----- 1 root tracing 0 May 1 21:25 buffer_total_size_kb -rw-r----- 1 root lkp 0 May 1 21:25 current_tracer -rw-r----- 1 root tracing 0 May 1 21:25 dynamic_events -r--r----- 1 root tracing 0 May 1 21:25 dyn_ftrace_total_info -r--r----- 1 root tracing 0 May 1 21:25 enabled_functions
Everything changed but the "current_tracer".
Add a new link list that keeps track of all the tracefs_inodes which has the permission flags that tell if the file/dir should use the root inode's permission or not. Then on remount, clear all the flags so that the default behavior of using the root inode's permission is done for all files and directories.
{
"affected": [],
"aliases": [
"CVE-2024-36963"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-03T08:15:09Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracefs: Reset permissions on remount if permissions are options\n\nThere\u0027s an inconsistency with the way permissions are handled in tracefs.\nBecause the permissions are generated when accessed, they default to the\nroot inode\u0027s permission if they were never set by the user. If the user\nsets the permissions, then a flag is set and the permissions are saved via\nthe inode (for tracefs files) or an internal attribute field (for\neventfs).\n\nBut if a remount happens that specify the permissions, all the files that\nwere not changed by the user gets updated, but the ones that were are not.\nIf the user were to remount the file system with a given permission, then\nall files and directories within that file system should be updated.\n\nThis can cause security issues if a file\u0027s permission was updated but the\nadmin forgot about it. They could incorrectly think that remounting with\npermissions set would update all files, but miss some.\n\nFor example:\n\n # cd /sys/kernel/tracing\n # chgrp 1002 current_tracer\n # ls -l\n[..]\n -rw-r----- 1 root root 0 May 1 21:25 buffer_size_kb\n -rw-r----- 1 root root 0 May 1 21:25 buffer_subbuf_size_kb\n -r--r----- 1 root root 0 May 1 21:25 buffer_total_size_kb\n -rw-r----- 1 root lkp 0 May 1 21:25 current_tracer\n -rw-r----- 1 root root 0 May 1 21:25 dynamic_events\n -r--r----- 1 root root 0 May 1 21:25 dyn_ftrace_total_info\n -r--r----- 1 root root 0 May 1 21:25 enabled_functions\n\nWhere current_tracer now has group \"lkp\".\n\n # mount -o remount,gid=1001 .\n # ls -l\n -rw-r----- 1 root tracing 0 May 1 21:25 buffer_size_kb\n -rw-r----- 1 root tracing 0 May 1 21:25 buffer_subbuf_size_kb\n -r--r----- 1 root tracing 0 May 1 21:25 buffer_total_size_kb\n -rw-r----- 1 root lkp 0 May 1 21:25 current_tracer\n -rw-r----- 1 root tracing 0 May 1 21:25 dynamic_events\n -r--r----- 1 root tracing 0 May 1 21:25 dyn_ftrace_total_info\n -r--r----- 1 root tracing 0 May 1 21:25 enabled_functions\n\nEverything changed but the \"current_tracer\".\n\nAdd a new link list that keeps track of all the tracefs_inodes which has\nthe permission flags that tell if the file/dir should use the root inode\u0027s\npermission or not. Then on remount, clear all the flags so that the\ndefault behavior of using the root inode\u0027s permission is done for all\nfiles and directories.",
"id": "GHSA-2r24-5j8r-cf83",
"modified": "2025-05-20T15:30:36Z",
"published": "2024-06-03T09:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36963"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/414fb08628143203d29ccd0264b5a83fb9523c03"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5f91fc82794d4a6e41cdcd02d00baa377d94ca78"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/baa23a8d4360d981a49913841a726edede5cdd54"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2R2V-Q399-QQ93
Vulnerability from github – Published: 2021-11-10 19:45 – Updated: 2021-11-10 19:44Applications using Spring Cloud Gateway are vulnerable to specifically crafted requests that could make an extra request on downstream services. Users of affected versions should apply the following mitigation: 3.0.x users should upgrade to 3.0.5+, 2.2.x users should upgrade to 2.2.10.RELEASE or newer.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework.cloud:spring-cloud-gateway"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.0.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.2.10.RELEASE"
},
"package": {
"ecosystem": "Maven",
"name": "org.springframework.cloud:spring-cloud-gateway"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.10.RELEASE0.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-22051"
],
"database_specific": {
"cwe_ids": [
"CWE-352",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2021-11-09T21:08:14Z",
"nvd_published_at": "2021-11-08T14:15:00Z",
"severity": "MODERATE"
},
"details": "Applications using Spring Cloud Gateway are vulnerable to specifically crafted requests that could make an extra request on downstream services. Users of affected versions should apply the following mitigation: 3.0.x users should upgrade to 3.0.5+, 2.2.x users should upgrade to 2.2.10.RELEASE or newer.",
"id": "GHSA-2r2v-q399-qq93",
"modified": "2021-11-10T19:44:31Z",
"published": "2021-11-10T19:45:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22051"
},
{
"type": "WEB",
"url": "https://tanzu.vmware.com/security/cve-2021-22051"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Request injection in Spring Cloud Gateway"
}
GHSA-2R3Q-HH42-H52V
Vulnerability from github – Published: 2022-05-24 17:47 – Updated: 2022-05-24 17:47The Windows Installation component of TIBCO Software Inc.'s TIBCO Messaging - Eclipse Mosquitto Distribution - Bridge - Community Edition and TIBCO Messaging - Eclipse Mosquitto Distribution - Bridge - Enterprise Edition contains a vulnerability that theoretically allows a low privileged attacker with local access on some versions of the Windows operating system to insert malicious software. The affected component can be abused to execute the malicious software inserted by the attacker with the elevated privileges of the component. This vulnerability results from a lack of access restrictions on certain files and/or folders in the installation. Affected releases are TIBCO Software Inc.'s TIBCO Messaging - Eclipse Mosquitto Distribution - Bridge - Community Edition: versions 1.3.0 and below and TIBCO Messaging - Eclipse Mosquitto Distribution - Bridge - Enterprise Edition: versions 1.3.0 and below.
{
"affected": [],
"aliases": [
"CVE-2021-28826"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-14T17:15:00Z",
"severity": "HIGH"
},
"details": "The Windows Installation component of TIBCO Software Inc.\u0027s TIBCO Messaging - Eclipse Mosquitto Distribution - Bridge - Community Edition and TIBCO Messaging - Eclipse Mosquitto Distribution - Bridge - Enterprise Edition contains a vulnerability that theoretically allows a low privileged attacker with local access on some versions of the Windows operating system to insert malicious software. The affected component can be abused to execute the malicious software inserted by the attacker with the elevated privileges of the component. This vulnerability results from a lack of access restrictions on certain files and/or folders in the installation. Affected releases are TIBCO Software Inc.\u0027s TIBCO Messaging - Eclipse Mosquitto Distribution - Bridge - Community Edition: versions 1.3.0 and below and TIBCO Messaging - Eclipse Mosquitto Distribution - Bridge - Enterprise Edition: versions 1.3.0 and below.",
"id": "GHSA-2r3q-hh42-h52v",
"modified": "2022-05-24T17:47:38Z",
"published": "2022-05-24T17:47:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28826"
},
{
"type": "WEB",
"url": "https://www.tibco.com/support/advisories/2021/04/tibco-security-advisory-april-14-2021-tibco-messaging-2021-28826"
},
{
"type": "WEB",
"url": "http://www.tibco.com/services/support/advisories"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.