CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5545 vulnerabilities reference this CWE, most recent first.
GHSA-VFG3-PQPQ-93M4
Vulnerability from github – Published: 2026-03-26 21:27 – Updated: 2026-04-10 20:20Summary
Tlon cite expansion happened before channel and DM authorization completed, allowing cite work and content handling before the final auth decision.
Affected Packages / Versions
- Package:
openclaw(npm) - Affected: < 2026.3.22
- Fixed: >= 2026.3.22
- Latest released tag checked:
v2026.3.23-2(630f1479c44f78484dfa21bb407cbe6f171dac87) - Latest published npm version checked:
2026.3.23-2
Fix Commit(s)
3cbf932413e41d1836cb91aed1541a28a3122f93ebee4e2210e1f282a982c7ef2ad79d77a572fc87
Release Status
The fix shipped in v2026.3.22 and remains present in v2026.3.23 and v2026.3.23-2.
Code-Level Confirmation
- extensions/tlon/src/monitor/index.ts now defers cite expansion until after authorization and preserves explicit empty-allowlist semantics.
- extensions/tlon/src/monitor/utils.ts and extensions/tlon/src/security.test.ts ship the deferred cite expansion behavior and regressions.
OpenClaw thanks @zpbrent for reporting.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.22"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-35637"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-26T21:27:49Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\nTlon cite expansion happened before channel and DM authorization completed, allowing cite work and content handling before the final auth decision.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: \u003c 2026.3.22\n- Fixed: \u003e= 2026.3.22\n- Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`)\n- Latest published npm version checked: `2026.3.23-2`\n\n## Fix Commit(s)\n- `3cbf932413e41d1836cb91aed1541a28a3122f93`\n- `ebee4e2210e1f282a982c7ef2ad79d77a572fc87`\n\n## Release Status\nThe fix shipped in `v2026.3.22` and remains present in `v2026.3.23` and `v2026.3.23-2`.\n\n## Code-Level Confirmation\n- extensions/tlon/src/monitor/index.ts now defers cite expansion until after authorization and preserves explicit empty-allowlist semantics.\n- extensions/tlon/src/monitor/utils.ts and extensions/tlon/src/security.test.ts ship the deferred cite expansion behavior and regressions.\n\nOpenClaw thanks @zpbrent for reporting.",
"id": "GHSA-vfg3-pqpq-93m4",
"modified": "2026-04-10T20:20:23Z",
"published": "2026-03-26T21:27:49Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vfg3-pqpq-93m4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35637"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/3cbf932413e41d1836cb91aed1541a28a3122f93"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/ebee4e2210e1f282a982c7ef2ad79d77a572fc87"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-premature-cite-expansion-before-authorization-in-channel-and-dm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: Tlon cite expansion happens before channel and DM authorization is complete"
}
GHSA-VFH4-5F9P-V75J
Vulnerability from github – Published: 2025-01-15 21:31 – Updated: 2025-01-16 18:31The issue was addressed with improved memory handling. This issue is fixed in macOS Sonoma 14.5, iOS 16.7.8 and iPadOS 16.7.8, iOS 17.5 and iPadOS 17.5, macOS Monterey 12.7.5, watchOS 10.5, tvOS 17.5, macOS Ventura 13.6.7, visionOS 1.2. An app may be able to execute arbitrary code with kernel privileges.
{
"affected": [],
"aliases": [
"CVE-2024-40771"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-15T20:15:27Z",
"severity": "HIGH"
},
"details": "The issue was addressed with improved memory handling. This issue is fixed in macOS Sonoma 14.5, iOS 16.7.8 and iPadOS 16.7.8, iOS 17.5 and iPadOS 17.5, macOS Monterey 12.7.5, watchOS 10.5, tvOS 17.5, macOS Ventura 13.6.7, visionOS 1.2. An app may be able to execute arbitrary code with kernel privileges.",
"id": "GHSA-vfh4-5f9p-v75j",
"modified": "2025-01-16T18:31:00Z",
"published": "2025-01-15T21:31:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40771"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120898"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120899"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120900"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120901"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120902"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120903"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120905"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120906"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VFMC-6GQF-R52M
Vulnerability from github – Published: 2022-01-25 00:01 – Updated: 2022-07-12 00:00The Protect WP Admin WordPress plugin before 3.6.2 does not check for authorisation in the lib/pwa-deactivate.php file, which could allow unauthenticated users to disable the plugin (and therefore the protection offered) via a crafted request
{
"affected": [],
"aliases": [
"CVE-2021-24906"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-862",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-24T08:15:00Z",
"severity": "HIGH"
},
"details": "The Protect WP Admin WordPress plugin before 3.6.2 does not check for authorisation in the lib/pwa-deactivate.php file, which could allow unauthenticated users to disable the plugin (and therefore the protection offered) via a crafted request",
"id": "GHSA-vfmc-6gqf-r52m",
"modified": "2022-07-12T00:00:54Z",
"published": "2022-01-25T00:01:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24906"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/4204682b-f657-42e1-941c-bee7a245e9fd"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VFPM-R25X-9HG6
Vulnerability from github – Published: 2022-05-13 01:38 – Updated: 2022-05-13 01:38A vulnerability in the restricted shell of the Cisco Identity Services Engine (ISE) that is accessible via SSH could allow an authenticated, local attacker to run arbitrary CLI commands with elevated privileges. The vulnerability is due to incomplete input validation of the user input for CLI commands issued at the restricted shell. An attacker could exploit this vulnerability by authenticating to the targeted device and executing commands that could lead to elevated privileges. An attacker would need valid user credentials to the device to exploit this vulnerability. The vulnerability affects the following Cisco Identity Services Engine (ISE) products running Release 1.4, 2.0, 2.0.1, 2.1.0: ISE, ISE Express, ISE Virtual Appliance. Cisco Bug IDs: CSCve74916.
{
"affected": [],
"aliases": [
"CVE-2017-12261"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-11-02T16:29:00Z",
"severity": "HIGH"
},
"details": "A vulnerability in the restricted shell of the Cisco Identity Services Engine (ISE) that is accessible via SSH could allow an authenticated, local attacker to run arbitrary CLI commands with elevated privileges. The vulnerability is due to incomplete input validation of the user input for CLI commands issued at the restricted shell. An attacker could exploit this vulnerability by authenticating to the targeted device and executing commands that could lead to elevated privileges. An attacker would need valid user credentials to the device to exploit this vulnerability. The vulnerability affects the following Cisco Identity Services Engine (ISE) products running Release 1.4, 2.0, 2.0.1, 2.1.0: ISE, ISE Express, ISE Virtual Appliance. Cisco Bug IDs: CSCve74916.",
"id": "GHSA-vfpm-r25x-9hg6",
"modified": "2022-05-13T01:38:00Z",
"published": "2022-05-13T01:38:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12261"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171101-ise"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/101641"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1039717"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VFVF-6GX5-MQV6
Vulnerability from github – Published: 2021-06-24 20:16 – Updated: 2021-06-23 20:38ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. When you make a request to an endpoint that requires the scope foo using an access token granted with that foo scope, introspection will be valid and that token will be cached. The problem comes when a second requests to an endpoint that requires the scope bar is made before the cache has expired. Whether the token is granted or not to the bar scope, introspection will be valid. A patch will be released with v0.38.12-beta.1. Per default, caching is disabled for the oauth2_introspection authenticator. When caching is disabled, this vulnerability does not exist. The cache is checked in func (a *AuthenticatorOAuth2Introspection) Authenticate(...). From tokenFromCache() it seems that it only validates the token expiration date, but ignores whether the token has or not the proper scopes. The vulnerability was introduced in PR #424. During review, we failed to require appropriate test coverage by the submitter which is the primary reason that the vulnerability passed the review process.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.38.11-beta.1"
},
"package": {
"ecosystem": "Go",
"name": "github.com/ory/oathkeeper"
},
"ranges": [
{
"events": [
{
"introduced": "0.38.0-beta.2"
},
{
"fixed": "0.38.12-beta.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-32701"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2021-06-23T20:38:29Z",
"nvd_published_at": "2021-06-22T20:15:00Z",
"severity": "HIGH"
},
"details": "ORY Oathkeeper is an Identity \u0026 Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. When you make a request to an endpoint that requires the scope `foo` using an access token granted with that `foo` scope, introspection will be valid and that token will be cached. The problem comes when a second requests to an endpoint that requires the scope `bar` is made before the cache has expired. Whether the token is granted or not to the `bar` scope, introspection will be valid. A patch will be released with `v0.38.12-beta.1`. Per default, caching is disabled for the `oauth2_introspection` authenticator. When caching is disabled, this vulnerability does not exist. The cache is checked in [`func (a *AuthenticatorOAuth2Introspection) Authenticate(...)`](https://github.com/ory/oathkeeper/blob/6a31df1c3779425e05db1c2a381166b087cb29a4/pipeline/authn/authenticator_oauth2_introspection.go#L152). From [`tokenFromCache()`](https://github.com/ory/oathkeeper/blob/6a31df1c3779425e05db1c2a381166b087cb29a4/pipeline/authn/authenticator_oauth2_introspection.go#L97) it seems that it only validates the token expiration date, but ignores whether the token has or not the proper scopes. The vulnerability was introduced in PR #424. During review, we failed to require appropriate test coverage by the submitter which is the primary reason that the vulnerability passed the review process.",
"id": "GHSA-vfvf-6gx5-mqv6",
"modified": "2021-06-23T20:38:29Z",
"published": "2021-06-24T20:16:02Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ory/oathkeeper/security/advisories/GHSA-qvp4-rpmr-xwrr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32701"
},
{
"type": "WEB",
"url": "https://github.com/ory/oathkeeper/pull/424"
},
{
"type": "WEB",
"url": "https://github.com/ory/oathkeeper/commit/1f9f625c1a49e134ae2299ee95b8cf158feec932"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Incorrect Authorization in ORY Oathkeeper"
}
GHSA-VFW8-MW63-C6HV
Vulnerability from github – Published: 2022-05-24 17:48 – Updated: 2022-05-24 17:48NVIDIA GPU Display Driver for Windows and Linux, all versions, contains a vulnerability in the kernel mode layer (nvlddmkm.sys or nvidia.ko) where improper access control may lead to denial of service, information disclosure, or data corruption.
{
"affected": [],
"aliases": [
"CVE-2021-1076"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-21T23:15:00Z",
"severity": "HIGH"
},
"details": "NVIDIA GPU Display Driver for Windows and Linux, all versions, contains a vulnerability in the kernel mode layer (nvlddmkm.sys or nvidia.ko) where improper access control may lead to denial of service, information disclosure, or data corruption.",
"id": "GHSA-vfw8-mw63-c6hv",
"modified": "2022-05-24T17:48:16Z",
"published": "2022-05-24T17:48:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1076"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00013.html"
},
{
"type": "WEB",
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5172"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202310-02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VG66-2M2C-P54V
Vulnerability from github – Published: 2022-05-24 17:09 – Updated: 2022-05-24 17:09The Software Development Kit of the MiContact Center Business with Site Based Security 8.0 through 9.0.1.0 before KB496276 allows an authenticated user to access sensitive information. A successful exploit could allow unauthorized access to user conversations.
{
"affected": [],
"aliases": [
"CVE-2020-9379"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-02-25T19:15:00Z",
"severity": "MODERATE"
},
"details": "The Software Development Kit of the MiContact Center Business with Site Based Security 8.0 through 9.0.1.0 before KB496276 allows an authenticated user to access sensitive information. A successful exploit could allow unauthorized access to user conversations.",
"id": "GHSA-vg66-2m2c-p54v",
"modified": "2022-05-24T17:09:39Z",
"published": "2022-05-24T17:09:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9379"
},
{
"type": "WEB",
"url": "https://www.mitel.com/support/security-advisories"
},
{
"type": "WEB",
"url": "https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-20-0003"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-VG6X-6PG9-6QWG
Vulnerability from github – Published: 2026-07-16 20:08 – Updated: 2026-07-16 20:08Impact
The fix for CVE-2026-44221 (GHSA-fxc7-fm93-6q77) added an UPDATE_SCHEMA authorization check to a single schema-mutating method (LocalDocumentType.createProperty). The remaining public schema mutators were left unchecked, so an authenticated identity (including a read-only API token) that lacks the UPDATE_SCHEMA permission could still mutate the database schema on its own database:
DROP PROPERTY <type>.<property>ALTER TYPE <name> SUPERTYPE +<other>/-<other>(change the inheritance hierarchy)ALTER TYPE <name> NAME <newName>(rename a type)- type alias and bucket changes
ALTER PROPERTY <type>.<property> ...(MANDATORY, READONLY, NOTNULL, MIN, MAX, REGEXP, DEFAULT, OF, CUSTOM) — theLocalPropertysetters had no check at all
This does not directly disclose or write record data, but it corrupts the meaning of every stored record and breaches the documented permission model, which advertises UPDATE_SCHEMA as the gating right for schema mutation.
Affected component
Engine schema layer: engine/src/main/java/com/arcadedb/schema/LocalDocumentType.java and engine/src/main/java/com/arcadedb/schema/LocalProperty.java, reachable via the SQL DROP PROPERTY, ALTER TYPE, and ALTER PROPERTY statements over the database command/query HTTP endpoints.
Patches
Every public schema-mutating method on LocalDocumentType and LocalProperty now enforces checkPermissionsOnDatabase(UPDATE_SCHEMA) via a shared helper. The check is a no-op in embedded mode and in system contexts with no bound user (schema load at startup, HA replication apply), so internal paths and administrators are unaffected.
Workarounds
Grant write access only to trusted users and API tokens; treat all schema DDL as administrator-only at the application layer until upgraded.
Resources
Incomplete-fix sibling of CVE-2026-44221 / GHSA-fxc7-fm93-6q77.
Credit
Reported by Kai Aizen (SnailSploit).
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.arcadedb:arcadedb-engine"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "26.6.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-54076"
],
"database_specific": {
"cwe_ids": [
"CWE-862",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-16T20:08:24Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\n\nThe fix for CVE-2026-44221 (GHSA-fxc7-fm93-6q77) added an `UPDATE_SCHEMA` authorization check to a single schema-mutating method (`LocalDocumentType.createProperty`). The remaining public schema mutators were left unchecked, so an authenticated identity (including a **read-only API token**) that lacks the `UPDATE_SCHEMA` permission could still mutate the database schema on its own database:\n\n- `DROP PROPERTY \u003ctype\u003e.\u003cproperty\u003e`\n- `ALTER TYPE \u003cname\u003e SUPERTYPE +\u003cother\u003e` / `-\u003cother\u003e` (change the inheritance hierarchy)\n- `ALTER TYPE \u003cname\u003e NAME \u003cnewName\u003e` (rename a type)\n- type alias and bucket changes\n- `ALTER PROPERTY \u003ctype\u003e.\u003cproperty\u003e ...` (MANDATORY, READONLY, NOTNULL, MIN, MAX, REGEXP, DEFAULT, OF, CUSTOM) \u2014 the `LocalProperty` setters had no check at all\n\nThis does not directly disclose or write record data, but it corrupts the meaning of every stored record and breaches the documented permission model, which advertises `UPDATE_SCHEMA` as the gating right for schema mutation.\n\n### Affected component\n\nEngine schema layer: `engine/src/main/java/com/arcadedb/schema/LocalDocumentType.java` and `engine/src/main/java/com/arcadedb/schema/LocalProperty.java`, reachable via the SQL `DROP PROPERTY`, `ALTER TYPE`, and `ALTER PROPERTY` statements over the database command/query HTTP endpoints.\n\n### Patches\n\nEvery public schema-mutating method on `LocalDocumentType` and `LocalProperty` now enforces `checkPermissionsOnDatabase(UPDATE_SCHEMA)` via a shared helper. The check is a no-op in embedded mode and in system contexts with no bound user (schema load at startup, HA replication apply), so internal paths and administrators are unaffected.\n\n### Workarounds\n\nGrant write access only to trusted users and API tokens; treat all schema DDL as administrator-only at the application layer until upgraded.\n\n### Resources\n\nIncomplete-fix sibling of CVE-2026-44221 / GHSA-fxc7-fm93-6q77.\n\n### Credit\n\nReported by Kai Aizen (SnailSploit).",
"id": "GHSA-vg6x-6pg9-6qwg",
"modified": "2026-07-16T20:08:24Z",
"published": "2026-07-16T20:08:24Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ArcadeData/arcadedb/security/advisories/GHSA-vg6x-6pg9-6qwg"
},
{
"type": "PACKAGE",
"url": "https://github.com/ArcadeData/arcadedb"
},
{
"type": "WEB",
"url": "https://github.com/ArcadeData/arcadedb/releases/tag/26.6.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "ArcadeDB: Read-only users can mutate database schema (incomplete fix of CVE-2026-44221)"
}
GHSA-VG73-HFWM-24QF
Vulnerability from github – Published: 2022-05-12 00:01 – Updated: 2022-06-02 00:00Insufficient checks in System Management Unit (SMU) FeatureConfig may result in reenabling features potentially resulting in denial of resources and/or denial of service.
{
"affected": [],
"aliases": [
"CVE-2021-26376"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-11T17:15:00Z",
"severity": "MODERATE"
},
"details": "Insufficient checks in System Management Unit (SMU) FeatureConfig may result in reenabling features potentially resulting in denial of resources and/or denial of service.",
"id": "GHSA-vg73-hfwm-24qf",
"modified": "2022-06-02T00:00:30Z",
"published": "2022-05-12T00:01:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26376"
},
{
"type": "WEB",
"url": "https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1027"
},
{
"type": "WEB",
"url": "https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1028"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VG7P-2967-P5P3
Vulnerability from github – Published: 2022-05-24 17:41 – Updated: 2022-05-24 17:41An issue was discovered on FiberHome HG6245D devices through RP2613. It is possible to bypass authentication by sending the decoded value of the GgpoZWxwCmxpc3QKd2hvCg== string to the telnet server.
{
"affected": [],
"aliases": [
"CVE-2021-27177"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-10T19:15:00Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered on FiberHome HG6245D devices through RP2613. It is possible to bypass authentication by sending the decoded value of the GgpoZWxwCmxpc3QKd2hvCg== string to the telnet server.",
"id": "GHSA-vg7p-2967-p5p3",
"modified": "2022-05-24T17:41:52Z",
"published": "2022-05-24T17:41:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27177"
},
{
"type": "WEB",
"url": "https://pierrekim.github.io/blog/2021-01-12-fiberhome-ont-0day-vulnerabilities.html#telnet-cli-auth-bypass"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.