CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5556 vulnerabilities reference this CWE, most recent first.
GHSA-3QJC-QH2Q-VHXR
Vulnerability from github – Published: 2023-06-09 21:30 – Updated: 2024-04-04 04:42An issue found in FlightAware v.5.8.0 for Android allows unauthorized apps to cause a persistent denial of service by manipulating the database files.
{
"affected": [],
"aliases": [
"CVE-2023-29759"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-09T20:15:09Z",
"severity": "MODERATE"
},
"details": "An issue found in FlightAware v.5.8.0 for Android allows unauthorized apps to cause a persistent denial of service by manipulating the database files.",
"id": "GHSA-3qjc-qh2q-vhxr",
"modified": "2024-04-04T04:42:51Z",
"published": "2023-06-09T21:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29759"
},
{
"type": "WEB",
"url": "https://github.com/LianKee/SO-CVEs/blob/main/CVEs/CVE-2023-29759/CVE%20detailed.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3QR4-W96F-672V
Vulnerability from github – Published: 2023-06-15 21:30 – Updated: 2025-03-04 18:22Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could leverage this vulnerability to modify a minor functionality of another user's data. Exploitation of this issue does not require user interaction.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"versions": [
"2.4.6"
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"versions": [
"2.4.5"
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"versions": [
"2.4.4"
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.5-p1"
},
{
"fixed": "2.4.5-p3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.4-p1"
},
{
"fixed": "2.4.4-p4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "magento/project-community-edition"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-29296"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-04T18:22:38Z",
"nvd_published_at": "2023-06-15T19:15:11Z",
"severity": "LOW"
},
"details": "Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could leverage this vulnerability to modify a minor functionality of another user\u0027s data. Exploitation of this issue does not require user interaction.",
"id": "GHSA-3qr4-w96f-672v",
"modified": "2025-03-04T18:22:38Z",
"published": "2023-06-15T21:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29296"
},
{
"type": "PACKAGE",
"url": "https://github.com/magento/magento2"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/magento/apsb23-35.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "Magento Open Source allows Incorrect Authorization"
}
GHSA-3QVQ-H337-WPRV
Vulnerability from github – Published: 2025-07-10 09:32 – Updated: 2025-07-10 09:32An issue has been discovered in GitLab EE affecting all versions from 13.3 before 17.11.6, 18.0 before 18.0.4, and 18.1 before 18.1.2 that could have allowed authenticated project owners to bypass group-level forking restrictions by manipulating API requests.
{
"affected": [],
"aliases": [
"CVE-2025-3396"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-10T09:15:29Z",
"severity": "MODERATE"
},
"details": "An issue has been discovered in GitLab EE affecting all versions from 13.3 before 17.11.6, 18.0 before 18.0.4, and 18.1 before 18.1.2 that could have allowed authenticated project owners to bypass group-level forking restrictions by manipulating API requests.",
"id": "GHSA-3qvq-h337-wprv",
"modified": "2025-07-10T09:32:31Z",
"published": "2025-07-10T09:32:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3396"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/3079956"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/534636"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3QX4-GWGH-93VC
Vulnerability from github – Published: 2025-01-16 21:30 – Updated: 2025-02-03 21:31An access control issue in the component form2WlanBasicSetup.cgi of D-Link 816A2_FWv1.10CNB05_R1B011D88210 allows unauthenticated attackers to set the 2.4G and 5G wlan service of the device via a crafted POST request.
{
"affected": [],
"aliases": [
"CVE-2024-57676"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-16T19:15:28Z",
"severity": "MODERATE"
},
"details": "An access control issue in the component form2WlanBasicSetup.cgi of D-Link 816A2_FWv1.10CNB05_R1B011D88210 allows unauthenticated attackers to set the 2.4G and 5G wlan service of the device via a crafted POST request.",
"id": "GHSA-3qx4-gwgh-93vc",
"modified": "2025-02-03T21:31:49Z",
"published": "2025-01-16T21:30:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57676"
},
{
"type": "WEB",
"url": "https://github.com/abcdefg-png/IoT-vulnerable/blob/main/Unauthorized_Vulnerability/D-Link/DIR-816/form2WlanBasicSetup.md"
},
{
"type": "WEB",
"url": "https://www.dlink.com/en/security-bulletin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3QXR-H63Q-M7X3
Vulnerability from github – Published: 2022-05-13 01:01 – Updated: 2022-05-13 01:01An exploitable improper authorization vulnerability exists in miner_start API of cpp-ethereum's JSON-RPC (commit 4e1015743b95821849d001618a7ce82c7c073768). A JSON request can cause an access to the restricted functionality resulting in authorization bypass. An attacker can send JSON to trigger this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2017-12117"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-01-19T22:29:00Z",
"severity": "HIGH"
},
"details": "An exploitable improper authorization vulnerability exists in miner_start API of cpp-ethereum\u0027s JSON-RPC (commit 4e1015743b95821849d001618a7ce82c7c073768). A JSON request can cause an access to the restricted functionality resulting in authorization bypass. An attacker can send JSON to trigger this vulnerability.",
"id": "GHSA-3qxr-h63q-m7x3",
"modified": "2022-05-13T01:01:37Z",
"published": "2022-05-13T01:01:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12117"
},
{
"type": "WEB",
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0469"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/102475"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3R2P-7J7F-FC8Q
Vulnerability from github – Published: 2025-01-08 21:32 – Updated: 2025-01-31 18:31A vulnerability in the firewall component of HPE Aruba Networking CX 10000 Series Switches exists. It could allow an unauthenticated adjacent attacker to conduct a packet forwarding attack against the ICMP and UDP protocol. For this attack to be successful an attacker requires a switch configuration that allows packets routing (at layer 3). Configurations that do not allow network traffic routing are not impacted. Successful exploitation could allow an attacker to bypass security policies, potentially leading to unauthorized data exposure.
{
"affected": [],
"aliases": [
"CVE-2024-54010"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-08T21:15:12Z",
"severity": "LOW"
},
"details": "A vulnerability in the firewall component of HPE Aruba Networking CX 10000 Series Switches exists. It could allow an unauthenticated adjacent attacker to conduct a packet forwarding attack against the ICMP and UDP protocol. For this attack to be successful an attacker requires a switch configuration that allows packets routing (at layer 3). Configurations that do not allow network traffic routing are not impacted. Successful exploitation could allow an attacker to bypass security policies, potentially leading to unauthorized data exposure.",
"id": "GHSA-3r2p-7j7f-fc8q",
"modified": "2025-01-31T18:31:04Z",
"published": "2025-01-08T21:32:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54010"
},
{
"type": "WEB",
"url": "https://csaf.arubanetworks.com/2024/hpe_aruba_networking_-_hpesbnw04772.txt"
},
{
"type": "WEB",
"url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04772en_us\u0026docLocale=en_US"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3R49-G977-5JHX
Vulnerability from github – Published: 2023-05-08 21:31 – Updated: 2024-04-04 03:51A logic issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.3, macOS Monterey 12.6.4. An app may be able to modify protected parts of the file system
{
"affected": [],
"aliases": [
"CVE-2023-23538"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-08T20:15:16Z",
"severity": "MODERATE"
},
"details": "A logic issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.3, macOS Monterey 12.6.4. An app may be able to modify protected parts of the file system",
"id": "GHSA-3r49-g977-5jhx",
"modified": "2024-04-04T03:51:33Z",
"published": "2023-05-08T21:31:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23538"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213670"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213677"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3R4H-X82W-7JGC
Vulnerability from github – Published: 2022-05-24 19:10 – Updated: 2022-07-13 00:01Docker Desktop before 3.6.0 suffers from incorrect access control. If a low-privileged account is able to access the server running the Windows containers, it can lead to a full container compromise in both process isolation and Hyper-V isolation modes. This security issue leads an attacker with low privilege to read, write and possibly even execute code inside the containers.
{
"affected": [],
"aliases": [
"CVE-2021-37841"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-12T14:15:00Z",
"severity": "HIGH"
},
"details": "Docker Desktop before 3.6.0 suffers from incorrect access control. If a low-privileged account is able to access the server running the Windows containers, it can lead to a full container compromise in both process isolation and Hyper-V isolation modes. This security issue leads an attacker with low privilege to read, write and possibly even execute code inside the containers.",
"id": "GHSA-3r4h-x82w-7jgc",
"modified": "2022-07-13T00:01:34Z",
"published": "2022-05-24T19:10:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37841"
},
{
"type": "WEB",
"url": "https://docs.docker.com/docker-for-windows/release-notes"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3R6V-762W-V9RW
Vulnerability from github – Published: 2025-01-30 18:32 – Updated: 2025-01-31 00:30The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.3, macOS Ventura 13.7.3, macOS Sonoma 14.7.3. A local attacker may be able to elevate their privileges.
{
"affected": [],
"aliases": [
"CVE-2025-24099"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-30T17:15:18Z",
"severity": "MODERATE"
},
"details": "The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.3, macOS Ventura 13.7.3, macOS Sonoma 14.7.3. A local attacker may be able to elevate their privileges.",
"id": "GHSA-3r6v-762w-v9rw",
"modified": "2025-01-31T00:30:44Z",
"published": "2025-01-30T18:32:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24099"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122068"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122069"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122070"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3R8V-2XMJ-5C39
Vulnerability from github – Published: 2026-06-30 18:16 – Updated: 2026-06-30 18:16Summary
A Fission Function spec carries three reference types — Secret, ConfigMap, and Package. The first two were namespace-validated by the admission webhook; PackageRef.Namespace was not.
Details
A tenant with functions.fission.io/create in their own namespace could set spec.package.packageref.namespace to any other namespace. When the function is invoked, the fetcher sidecar reads the victim Package using the
fission-fetcher service account's namespace-wide get packages permission and writes its contents to /userfunc/deployarchive inside the attacker's pool pod, exposing the victim's source code and any embedded credentials.
The fission-fetcher SA holds get packages in every configured function namespace (granted by charts/fission-all/templates/_function-access-role.tpl), so the namespace check was the only barrier between the attacker and any
in-cluster Fission Package.
Impact
A function author in one namespace could read the deployment archive — and therefore the source code and embedded secrets — of any Package in any other namespace.
Fix
Fixed in #3389 and released in v1.24.0.
The admission webhook (pkg/webhook/function.go::Validate) rejects Function.spec.package.packageref.namespace != metadata.namespace. An empty namespace remains accepted (controllers default it to the function's namespace). This
shipped together with the EnvironmentRef cross-namespace check (GHSA-cvw6-gfvv-953q).
Behavioural change
Functions that explicitly set spec.package.packageref.namespace to a different namespace are now rejected at admission.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.23.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/fission/fission"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.24.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-49823"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-30T18:16:33Z",
"nvd_published_at": "2026-06-10T18:17:10Z",
"severity": "HIGH"
},
"details": "### Summary\n\nA Fission Function spec carries three reference types \u2014 Secret, ConfigMap, and Package. The first two were namespace-validated by the admission webhook; `PackageRef.Namespace` was not.\n\n### Details\n\nA tenant with `functions.fission.io/create` in their own namespace could set `spec.package.packageref.namespace` to any other namespace. When the function is invoked, the fetcher sidecar reads the victim Package using the\n`fission-fetcher` service account\u0027s namespace-wide `get packages` permission and writes its contents to `/userfunc/deployarchive` inside the attacker\u0027s pool pod, exposing the victim\u0027s source code and any embedded credentials.\n\nThe `fission-fetcher` SA holds `get packages` in every configured function namespace (granted by `charts/fission-all/templates/_function-access-role.tpl`), so the namespace check was the only barrier between the attacker and any\nin-cluster Fission Package.\n\n### Impact\n\nA function author in one namespace could read the deployment archive \u2014 and therefore the source code and embedded secrets \u2014 of any Package in any other namespace.\n\n### Fix\n\nFixed in [#3389](https://github.com/fission/fission/pull/3389) and released in [v1.24.0](https://github.com/fission/fission/releases/tag/v1.24.0).\n\nThe admission webhook (`pkg/webhook/function.go::Validate`) rejects `Function.spec.package.packageref.namespace != metadata.namespace`. An empty namespace remains accepted (controllers default it to the function\u0027s namespace). This\nshipped together with the EnvironmentRef cross-namespace check (GHSA-cvw6-gfvv-953q).\n\n### Behavioural change\n\nFunctions that explicitly set `spec.package.packageref.namespace` to a different namespace are now rejected at admission.",
"id": "GHSA-3r8v-2xmj-5c39",
"modified": "2026-06-30T18:16:33Z",
"published": "2026-06-30T18:16:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/fission/fission/security/advisories/GHSA-3r8v-2xmj-5c39"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49823"
},
{
"type": "WEB",
"url": "https://github.com/fission/fission/pull/3389"
},
{
"type": "WEB",
"url": "https://github.com/fission/fission/commit/80e7ba55228e1ef426f51353e25d2682ec61de34"
},
{
"type": "PACKAGE",
"url": "https://github.com/fission/fission"
},
{
"type": "WEB",
"url": "https://github.com/fission/fission/releases/tag/v1.24.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Fission: Cross-namespace Package read via unvalidated PackageRef in Function admission webhook"
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.