CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5548 vulnerabilities reference this CWE, most recent first.
GHSA-33QM-768M-WX8P
Vulnerability from github – Published: 2025-06-29 00:30 – Updated: 2025-06-30 15:30The Debian zuluPolkit/CMakeLists.txt file for zuluCrypt through the zulucrypt_6.2.0-1 package has insecure PolicyKit allow_any/allow_inactive/allow_active settings that allow a local user to escalate their privileges to root.
{
"affected": [],
"aliases": [
"CVE-2025-53391"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-28T22:15:23Z",
"severity": "CRITICAL"
},
"details": "The Debian zuluPolkit/CMakeLists.txt file for zuluCrypt through the zulucrypt_6.2.0-1 package has insecure PolicyKit allow_any/allow_inactive/allow_active settings that allow a local user to escalate their privileges to root.",
"id": "GHSA-33qm-768m-wx8p",
"modified": "2025-06-30T15:30:37Z",
"published": "2025-06-29T00:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53391"
},
{
"type": "WEB",
"url": "https://bugs.debian.org/1108288"
},
{
"type": "WEB",
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108288"
},
{
"type": "WEB",
"url": "https://deb.debian.org/debian/pool/main/z/zulucrypt/zulucrypt_6.2.0-1.dsc"
},
{
"type": "WEB",
"url": "https://salsa.debian.org/debian/zulucrypt/-/blob/9d661c9f384c4d889d3387944e14ac70cfb9684b/debian/patches/fix_zulupolkit_policy.patch"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-33VJ-92QQ-66HC
Vulnerability from github – Published: 2026-06-19 19:35 – Updated: 2026-06-19 19:35Impact
containerd's CRI implementation improperly trusts Container Device Interface (CDI) annotations found within untrusted checkpoint image metadata during container restoration. When restoring a container from a checkpoint, containerd preserves CDI-related annotations from the checkpoint archive rather than relying solely on the pod's create-time specification. This allows a user with pod creation permissions to bypass standard Kubernetes resource allocation and device plugin enforcement, injecting arbitrary CDI edits (such as device nodes and host mounts) into the restored container. Successful exploitation requires that the node has CDI enabled and contains a matching host CDI specification for the requested device; environments where CDI is disabled or lacking sensitive device specifications are not affected.
Patches
This bug has been fixed in the following containerd versions:
- 2.3.2
- 2.2.5
- 2.1.9
Users should update to these versions to resolve the issue. Recreating existing containers restored from untrusted checkpoints may be necessary to remove smuggled configuration.
Workarounds
Users can mitigate this issue by restricting the restoration of containers from untrusted checkpoint images. If Container Device Interface (CDI) capabilities are not utilized on the node, removing or temporarily relocating host CDI specifications from the default directories (/etc/cdi and /var/run/cdi) will eliminate the reachability of this vulnerability.
Credits
The containerd project would like to thank Robert Prast (@robertprast) for responsibly disclosing this issue in accordance with the containerd security policy.
For more information
If you have any questions or comments about this advisory:
- Open an issue in containerd
- Email us at security@containerd.io
To report a security issue in containerd: * Report a new vulnerability * Email us at security@containerd.io
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/containerd/containerd/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.1.0"
},
{
"fixed": "2.1.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/containerd/containerd/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/containerd/containerd/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-53492"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-19T19:35:40Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\n\ncontainerd\u0027s CRI implementation improperly trusts Container Device Interface (CDI) annotations found within untrusted checkpoint image metadata during container restoration. When restoring a container from a checkpoint, containerd preserves CDI-related annotations from the checkpoint archive rather than relying solely on the pod\u0027s create-time specification. This allows a user with pod creation permissions to bypass standard Kubernetes resource allocation and device plugin enforcement, injecting arbitrary CDI edits (such as device nodes and host mounts) into the restored container. Successful exploitation requires that the node has CDI enabled and contains a matching host CDI specification for the requested device; environments where CDI is disabled or lacking sensitive device specifications are not affected.\n\n### Patches\n\nThis bug has been fixed in the following containerd versions:\n\n* 2.3.2\n* 2.2.5\n* 2.1.9\n\nUsers should update to these versions to resolve the issue. Recreating existing containers restored from untrusted checkpoints may be necessary to remove smuggled configuration.\n\n### Workarounds\n\nUsers can mitigate this issue by restricting the restoration of containers from untrusted checkpoint images. If Container Device Interface (CDI) capabilities are not utilized on the node, removing or temporarily relocating host CDI specifications from the default directories (`/etc/cdi` and `/var/run/cdi`) will eliminate the reachability of this vulnerability.\n\n### Credits\n\nThe containerd project would like to thank Robert Prast (@robertprast) for responsibly disclosing this issue in accordance with the [containerd security policy](https://github.com/containerd/project/blob/main/SECURITY.md).\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [containerd](https://github.com/containerd/containerd/issues/new/choose)\n* Email us at [security@containerd.io](mailto:security@containerd.io)\n\nTo report a security issue in containerd:\n* [Report a new vulnerability](https://github.com/containerd/containerd/security/advisories/new)\n* Email us at [security@containerd.io](mailto:security@containerd.io)",
"id": "GHSA-33vj-92qq-66hc",
"modified": "2026-06-19T19:35:40Z",
"published": "2026-06-19T19:35:40Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/containerd/containerd/security/advisories/GHSA-33vj-92qq-66hc"
},
{
"type": "PACKAGE",
"url": "https://github.com/containerd/containerd"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N",
"type": "CVSS_V4"
}
],
"summary": "containerd CRI checkpoint restore CDI annotation smuggling"
}
GHSA-33WF-4CRM-2322
Vulnerability from github – Published: 2022-02-16 00:01 – Updated: 2022-02-24 12:12Improper Access Control in Packagist librenms/librenms prior to 22.2.0.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "librenms/librenms"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "22.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-0580"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2022-02-16T22:51:15Z",
"nvd_published_at": "2022-02-14T23:15:00Z",
"severity": "HIGH"
},
"details": "Improper Access Control in Packagist librenms/librenms prior to 22.2.0.",
"id": "GHSA-33wf-4crm-2322",
"modified": "2022-02-24T12:12:44Z",
"published": "2022-02-16T00:01:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0580"
},
{
"type": "WEB",
"url": "https://github.com/librenms/librenms/commit/95970af78e4c899744a715766d744deef8c505f7"
},
{
"type": "PACKAGE",
"url": "https://github.com/librenms/librenms"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/2494106c-7703-4558-bb1f-1eae59d264e3"
},
{
"type": "WEB",
"url": "https://notes.netbytesec.com/2022/02/multiple-vulnerabilities-in-librenms.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Improper Access Control in librenms"
}
GHSA-33XH-XCH9-P6HJ
Vulnerability from github – Published: 2021-11-23 18:17 – Updated: 2021-11-22 18:36In Apache Ozone versions prior to 1.2.0, Container related Datanode requests of Ozone Datanode were not properly authorized and can be called by any client.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.ozone:ozone-main"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-39233"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2021-11-22T18:36:47Z",
"nvd_published_at": "2021-11-19T10:15:00Z",
"severity": "CRITICAL"
},
"details": "In Apache Ozone versions prior to 1.2.0, Container related Datanode requests of Ozone Datanode were not properly authorized and can be called by any client.",
"id": "GHSA-33xh-xch9-p6hj",
"modified": "2021-11-22T18:36:47Z",
"published": "2021-11-23T18:17:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39233"
},
{
"type": "WEB",
"url": "https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C394a9a73-44dd-b5db-84d8-607c3226eb00%40apache.org%3E"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/11/19/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Incorrect Authorization in Apache Ozone"
}
GHSA-342H-3RMJ-QWV4
Vulnerability from github – Published: 2023-03-09 00:30 – Updated: 2023-03-14 21:30An issue has been discovered in GitLab DAST analyzer affecting all versions starting from 2.0 before 3.0.55, which sends custom request headers with every request on the authentication page.
{
"affected": [],
"aliases": [
"CVE-2022-4315"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-08T23:15:00Z",
"severity": "MODERATE"
},
"details": "An issue has been discovered in GitLab DAST analyzer affecting all versions starting from 2.0 before 3.0.55, which sends custom request headers with every request on the authentication page.",
"id": "GHSA-342h-3rmj-qwv4",
"modified": "2023-03-14T21:30:20Z",
"published": "2023-03-09T00:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4315"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/1767525"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-4315.json"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/384995"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-343H-H5V5-82RQ
Vulnerability from github – Published: 2022-09-27 00:00 – Updated: 2025-05-21 18:32Inappropriate implementation in iframe Sandbox in Google Chrome prior to 105.0.5195.52 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2022-3057"
],
"database_specific": {
"cwe_ids": [
"CWE-352",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-26T16:15:00Z",
"severity": "MODERATE"
},
"details": "Inappropriate implementation in iframe Sandbox in Google Chrome prior to 105.0.5195.52 allowed a remote attacker to leak cross-origin data via a crafted HTML page.",
"id": "GHSA-343h-h5v5-82rq",
"modified": "2025-05-21T18:32:59Z",
"published": "2022-09-27T00:00:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3057"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop_30.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1336904"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4NMJURTG5RO3TGD7ZMIQ6Z4ZZ3SAVYE"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T4NMJURTG5RO3TGD7ZMIQ6Z4ZZ3SAVYE"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202209-23"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-344V-JR69-X57C
Vulnerability from github – Published: 2022-05-24 19:02 – Updated: 2022-05-24 19:02In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, low level users, such as subscribers, could use the import_from_debug AJAX action to install any plugin from the WordPress repository.
{
"affected": [],
"aliases": [
"CVE-2021-24279"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-14T12:15:00Z",
"severity": "MODERATE"
},
"details": "In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, low level users, such as subscribers, could use the import_from_debug AJAX action to install any plugin from the WordPress repository.",
"id": "GHSA-344v-jr69-x57c",
"modified": "2022-05-24T19:02:29Z",
"published": "2022-05-24T19:02:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24279"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/75f7690d-7f6b-48a8-a9d1-95578a657920"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-3492-V7J6-2XGV
Vulnerability from github – Published: 2024-06-27 00:31 – Updated: 2024-06-27 00:31An issue was discovered in GitLab CE/EE affecting all versions starting from 16.1 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows non-project member to promote key results to objectives.
{
"affected": [],
"aliases": [
"CVE-2024-4011"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-27T00:15:11Z",
"severity": "LOW"
},
"details": "An issue was discovered in GitLab CE/EE affecting all versions starting from 16.1 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows non-project member to promote key results to objectives.",
"id": "GHSA-3492-v7j6-2xgv",
"modified": "2024-06-27T00:31:04Z",
"published": "2024-06-27T00:31:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4011"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/2456186"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/457235"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-34G7-PG9J-PXGP
Vulnerability from github – Published: 2025-04-25 15:31 – Updated: 2025-04-25 17:28A flaw was discovered in Moodle. Additional checks were required to ensure that users can only access cohort data they are authorized to retrieve.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.18"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "4.3.0-beta"
},
{
"fixed": "4.3.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "4.4.0-beta"
},
{
"fixed": "4.4.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "4.5.0-beta"
},
{
"fixed": "4.5.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-3647"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-25T17:28:41Z",
"nvd_published_at": "2025-04-25T15:15:38Z",
"severity": "MODERATE"
},
"details": "A flaw was discovered in Moodle. Additional checks were required to ensure that users can only access cohort data they are authorized to retrieve.",
"id": "GHSA-34g7-pg9j-pxgp",
"modified": "2025-04-25T17:28:42Z",
"published": "2025-04-25T15:31:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3647"
},
{
"type": "WEB",
"url": "https://github.com/moodle/moodle/commit/bd6ec0ac84cf0f73ab35e7e244e1f9b06929083a"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-3647"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2359762"
},
{
"type": "PACKAGE",
"url": "https://github.com/moodle/moodle"
},
{
"type": "WEB",
"url": "https://moodle.org/mod/forum/discuss.php?d=467607"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Moodle allows IDOR when accessing the cohorts report"
}
GHSA-34J4-424F-XR64
Vulnerability from github – Published: 2025-12-25 06:30 – Updated: 2025-12-25 06:30Pexip Infinity 38.0 and 38.1 before 39.0 has insufficient access control in the RTMP implementation, allowing an attacker to disconnect RTMP streams traversing a Proxy Node.
{
"affected": [],
"aliases": [
"CVE-2025-66378"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-25T05:16:09Z",
"severity": "MODERATE"
},
"details": "Pexip Infinity 38.0 and 38.1 before 39.0 has insufficient access control in the RTMP implementation, allowing an attacker to disconnect RTMP streams traversing a Proxy Node.",
"id": "GHSA-34j4-424f-xr64",
"modified": "2025-12-25T06:30:26Z",
"published": "2025-12-25T06:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66378"
},
{
"type": "WEB",
"url": "https://docs.pexip.com/admin/security_bulletins.htm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.