CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5528 vulnerabilities reference this CWE, most recent first.
GHSA-W65P-8M9J-6PM4
Vulnerability from github – Published: 2025-01-09 21:31 – Updated: 2025-01-31 18:31Incorrect Authorization vulnerability in Drupal Freelinking allows Forceful Browsing.This issue affects Freelinking: from 0.0.0 before 4.0.1.
{
"affected": [],
"aliases": [
"CVE-2024-13270"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-09T20:15:35Z",
"severity": "MODERATE"
},
"details": "Incorrect Authorization vulnerability in Drupal Freelinking allows Forceful Browsing.This issue affects Freelinking: from 0.0.0 before 4.0.1.",
"id": "GHSA-w65p-8m9j-6pm4",
"modified": "2025-01-31T18:31:04Z",
"published": "2025-01-09T21:31:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13270"
},
{
"type": "WEB",
"url": "https://www.drupal.org/sa-contrib-2024-034"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W65R-3XH2-3PJ4
Vulnerability from github – Published: 2025-09-16 00:30 – Updated: 2025-11-03 21:34This issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in macOS Tahoe 26. An app may be able to access sensitive user data.
{
"affected": [],
"aliases": [
"CVE-2025-43307"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-15T23:15:33Z",
"severity": "MODERATE"
},
"details": "This issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in macOS Tahoe 26. An app may be able to access sensitive user data.",
"id": "GHSA-w65r-3xh2-3pj4",
"modified": "2025-11-03T21:34:30Z",
"published": "2025-09-16T00:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43307"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/125110"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Sep/53"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W65V-2JVX-6697
Vulnerability from github – Published: 2023-06-02 12:30 – Updated: 2024-04-04 04:28Wade Graphic Design FANTSY has a vulnerability of insufficient authorization check. An unauthenticated remote user can exploit this vulnerability by modifying URL parameters to gain administrator privileges to perform arbitrary system operation or disrupt service.
{
"affected": [],
"aliases": [
"CVE-2023-28698"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-02T11:15:10Z",
"severity": "CRITICAL"
},
"details": "Wade Graphic Design FANTSY has a vulnerability of insufficient authorization check. An unauthenticated remote user can exploit this vulnerability by modifying URL parameters to gain administrator privileges to perform arbitrary system operation or disrupt service.",
"id": "GHSA-w65v-2jvx-6697",
"modified": "2024-04-04T04:28:38Z",
"published": "2023-06-02T12:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28698"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-7101-f88db-1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W66P-78G4-MR7G
Vulnerability from github – Published: 2022-05-17 01:39 – Updated: 2024-09-27 18:07OpenStack Keystone, as used in OpenStack Folsom 2012.2, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization restrictions by creating new tokens through token chaining. NOTE: this issue exists because of a CVE-2012-3426 regression.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "keystone"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2012-5563"
],
"database_specific": {
"cwe_ids": [
"CWE-324",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2023-02-14T00:53:23Z",
"nvd_published_at": "2012-12-18T01:55:00Z",
"severity": "HIGH"
},
"details": "OpenStack Keystone, as used in OpenStack Folsom 2012.2, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization restrictions by creating new tokens through token chaining. NOTE: this issue exists because of a CVE-2012-3426 regression.",
"id": "GHSA-w66p-78g4-mr7g",
"modified": "2024-09-27T18:07:52Z",
"published": "2022-05-17T01:39:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-5563"
},
{
"type": "WEB",
"url": "https://github.com/openstack/keystone/commit/38c7e46a640a94da4da89a39a5a1ea9c081f1eb5"
},
{
"type": "WEB",
"url": "https://github.com/openstack/keystone/commit/f9d4766249a72d8f88d75dcf1575b28dd3496681"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/keystone/+bug/1079216"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/80370"
},
{
"type": "PACKAGE",
"url": "https://github.com/openstack/keystone"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/keystone/PYSEC-2012-20.yaml"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20121201003009/http://secunia.com/advisories/51423"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20140802122732/http://secunia.com/advisories/51436"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20200228144943/http://www.securityfocus.com/bid/56727"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2012-1557.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2012/11/28/5"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2012/11/28/6"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-1641-1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenStack Keystone Insufficient token expiration"
}
GHSA-W67P-2W4G-FGJP
Vulnerability from github – Published: 2022-05-24 17:22 – Updated: 2022-05-24 17:22The /rest/project-templates/1.0/createshared resource in Atlassian Jira Server and Data Center before version 8.5.5, from 8.6.0 before 8.7.2, and from 8.8.0 before 8.8.1 allows remote attackers to enumerate project names via an improper authorization vulnerability.
{
"affected": [],
"aliases": [
"CVE-2020-4029"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-07-01T02:15:00Z",
"severity": "MODERATE"
},
"details": "The /rest/project-templates/1.0/createshared resource in Atlassian Jira Server and Data Center before version 8.5.5, from 8.6.0 before 8.7.2, and from 8.8.0 before 8.8.1 allows remote attackers to enumerate project names via an improper authorization vulnerability.",
"id": "GHSA-w67p-2w4g-fgjp",
"modified": "2022-05-24T17:22:14Z",
"published": "2022-05-24T17:22:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4029"
},
{
"type": "WEB",
"url": "https://jira.atlassian.com/browse/JRASERVER-70926"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W68R-5P45-5RQP
Vulnerability from github – Published: 2021-05-06 18:54 – Updated: 2021-05-04 22:46An issue was discovered in Laravel before 6.18.35 and 7.x before 7.24.0. The $guarded property is mishandled in some situations involving requests with JSON column nesting expressions.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "laravel/framework"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.18.35"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "laravel/framework"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.24.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-24941"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-04T22:46:50Z",
"nvd_published_at": "2020-09-04T02:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Laravel before 6.18.35 and 7.x before 7.24.0. The $guarded property is mishandled in some situations involving requests with JSON column nesting expressions.",
"id": "GHSA-w68r-5p45-5rqp",
"modified": "2021-05-04T22:46:50Z",
"published": "2021-05-06T18:54:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24941"
},
{
"type": "WEB",
"url": "https://github.com/laravel/framework/commit/897d107775737a958dbd0b2f3ea37877c7526371"
},
{
"type": "WEB",
"url": "https://blog.laravel.com/security-release-laravel-61835-7240"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Improper Input Validation in Laravel"
}
GHSA-W6C7-J32F-RQ8J
Vulnerability from github – Published: 2025-05-13 09:31 – Updated: 2025-07-16 21:02Improper Authorization vulnerability in Apache Superset allows ownership takeover of dashboards, charts or datasets by authenticated users with read permissions.
This issue affects Apache Superset: through 4.1.1.
Users are recommended to upgrade to version 4.1.2 or above, which fixes the issue.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "apache-superset"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-27696"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2025-05-13T20:23:45Z",
"nvd_published_at": "2025-05-13T09:15:20Z",
"severity": "MODERATE"
},
"details": "Improper Authorization vulnerability in Apache Superset allows ownership takeover of dashboards, charts or datasets by authenticated users with read permissions.\n\nThis issue affects Apache Superset: through 4.1.1.\n\nUsers are recommended to upgrade to version 4.1.2 or above, which fixes the issue.",
"id": "GHSA-w6c7-j32f-rq8j",
"modified": "2025-07-16T21:02:59Z",
"published": "2025-05-13T09:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27696"
},
{
"type": "WEB",
"url": "https://github.com/apache/superset/commit/fc844d3dfdace890b32c00a507a959b81122b425"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/superset"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/k2od03bxnxs6vcp80sr03ywcxl194413"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/05/12/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Apache Superset Allows Ownership Takeover"
}
GHSA-W6F2-8WX4-47R5
Vulnerability from github – Published: 2022-05-24 19:18 – Updated: 2022-06-22 18:13Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Connectors accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors. CVSS 3.1 Base Score 5.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H).
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 8.0.26"
},
"package": {
"ecosystem": "Maven",
"name": "mysql:mysql-connector-java"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.27"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-2471"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-22T18:13:52Z",
"nvd_published_at": "2021-10-20T11:16:00Z",
"severity": "MODERATE"
},
"details": "Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Connectors accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors. CVSS 3.1 Base Score 5.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H).",
"id": "GHSA-w6f2-8wx4-47r5",
"modified": "2022-06-22T18:13:52Z",
"published": "2022-05-24T19:18:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-2471"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Incorrect Authorization in MySQL Connector Java"
}
GHSA-W6F7-PJ3M-833J
Vulnerability from github – Published: 2026-07-06 21:30 – Updated: 2026-07-08 12:30Improper enforcement of a mandatory multi-factor authentication policy in Devolutions Server 2026.2.9.0 allows an attacker with valid user credentials to bypass the MFA Required policy and authenticate without completing multi-factor authentication. The problem occurs when DVLS encounters an invalid default MFA value.
{
"affected": [],
"aliases": [
"CVE-2026-14536"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-06T20:16:29Z",
"severity": "HIGH"
},
"details": "Improper enforcement of a mandatory multi-factor authentication policy in Devolutions Server 2026.2.9.0 allows an attacker with valid user credentials to bypass the MFA Required policy and authenticate without completing multi-factor authentication. The problem occurs when DVLS encounters an invalid default MFA value.",
"id": "GHSA-w6f7-pj3m-833j",
"modified": "2026-07-08T12:30:24Z",
"published": "2026-07-06T21:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14536"
},
{
"type": "WEB",
"url": "https://devolutions.net/security/advisories/DEVO-2026-0023"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W6FV-6GCC-X825
Vulnerability from github – Published: 2025-03-17 14:46 – Updated: 2025-03-19 15:00Impact
Zincati ships a polkit rule which allows the zincati system user to use the following actions:
- org.projectatomic.rpmostree1.deploy: used to deploy updates to the system
- org.projectatomic.rpmostree1.finalize-deployment: used to reboot the system into the deployed update
Since Zincati v0.0.24, this polkit rule contains a logic error which broadens access of those polkit actions to any unprivileged user rather than just the zincati system user.
In practice, this means that any unprivileged user with access to the system D-Bus socket is able to deploy older Fedora CoreOS versions (which may have other known vulnerabilities). Note that rpm-ostree enforces that the selected version must be from the same branch the system is currently on so this cannot directly be used to deploy an attacker-controlled update payload.
This primarily impacts users running untrusted workloads with access to the system D-Bus socket. Note that in general, untrusted workloads should not be given this access, whether containerized or not. By default, containers do not have access to the system D-Bus socket.
Patches
The logic error is fixed in Zincati v0.0.30. The fix is included in the following FCOS releases:
- On the stable stream: 41.20250302.3.2
- On the testing stream: 41.20250315.2.0
- On the next stream: 42.20250316.1.0
Workarounds
A workaround is to add the following polkit rule:
polkit.addRule(function(action, subject) {
if (action.id == "org.projectatomic.rpmostree1.deploy" ||
action.id == "org.projectatomic.rpmostree1.finalize-deployment" ||
action.id == "org.projectatomic.rpmostree1.cleanup") {
if (subject.user != "zincati") {
return polkit.Result.NO;
}
}
});
to e.g. /etc/polkit-1/rules.d/00-zincati-fix.rules (it must sort earlier than zincati.rules lexicographically).
Note that this rule will deny all non-root users other than zincati from using those actions. If you've added polkit rules to allow e.g. the core user or other users, you will need to adjust the policy (or make sure the ordering is appropriate).
References
This issue was introduced by this commit, and is fixed in v0.0.30.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.0.29"
},
"package": {
"ecosystem": "crates.io",
"name": "zincati"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.24"
},
{
"fixed": "0.0.30"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-27512"
],
"database_specific": {
"cwe_ids": [
"CWE-783",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-17T14:46:56Z",
"nvd_published_at": "2025-03-17T15:15:44Z",
"severity": "LOW"
},
"details": "### Impact\n\nZincati ships a polkit rule which allows the `zincati` system user to use the following actions:\n- `org.projectatomic.rpmostree1.deploy`: used to deploy updates to the system\n- `org.projectatomic.rpmostree1.finalize-deployment`: used to reboot the system into the deployed update\n\nSince Zincati [v0.0.24](https://github.com/coreos/zincati/releases/tag/v0.0.24), this polkit rule contains a logic error which broadens access of those polkit actions to any unprivileged user rather than just the `zincati` system user.\n\nIn practice, this means that any unprivileged user with access to the system D-Bus socket is able to deploy older Fedora CoreOS versions (which may have other known vulnerabilities). Note that rpm-ostree enforces that the selected version must be from the same branch the system is currently on so this cannot directly be used to deploy an attacker-controlled update payload.\n\nThis primarily impacts users running untrusted workloads with access to the system D-Bus socket. Note that in general, untrusted workloads should not be given this access, whether containerized or not. By default, containers do not have access to the system D-Bus socket.\n\n### Patches\n\nThe logic error is fixed in Zincati v0.0.30. The fix is included in the following FCOS releases:\n- On the `stable` stream: 41.20250302.3.2\n- On the `testing` stream: 41.20250315.2.0\n- On the `next` stream: 42.20250316.1.0\n\n### Workarounds\n\nA workaround is to add the following polkit rule:\n\n```javascript\npolkit.addRule(function(action, subject) {\n if (action.id == \"org.projectatomic.rpmostree1.deploy\" ||\n action.id == \"org.projectatomic.rpmostree1.finalize-deployment\" ||\n action.id == \"org.projectatomic.rpmostree1.cleanup\") {\n if (subject.user != \"zincati\") {\n return polkit.Result.NO;\n }\n }\n});\n```\n\nto e.g. `/etc/polkit-1/rules.d/00-zincati-fix.rules` (it must sort earlier than `zincati.rules` lexicographically).\n\nNote that this rule will deny all non-root users other than `zincati` from using those actions. If you\u0027ve added polkit rules to allow e.g. the `core` user or other users, you will need to adjust the policy (or make sure the ordering is appropriate).\n\n### References\n\nThis issue was introduced by [this commit](https://github.com/coreos/zincati/commit/28a43aa2c1edda091ba659677d73c13e6e3ea99d), and is fixed in [v0.0.30](https://github.com/coreos/zincati/releases/tag/v0.0.30).",
"id": "GHSA-w6fv-6gcc-x825",
"modified": "2025-03-19T15:00:20Z",
"published": "2025-03-17T14:46:56Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/coreos/zincati/security/advisories/GHSA-w6fv-6gcc-x825"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27512"
},
{
"type": "WEB",
"url": "https://github.com/coreos/zincati/commit/01d8e89f799e6ba21bdf7dc668abce23bd0d8f78"
},
{
"type": "WEB",
"url": "https://github.com/coreos/zincati/commit/28a43aa2c1edda091ba659677d73c13e6e3ea99d"
},
{
"type": "PACKAGE",
"url": "https://github.com/coreos/zincati"
},
{
"type": "WEB",
"url": "https://github.com/coreos/zincati/releases/tag/v0.0.24"
},
{
"type": "WEB",
"url": "https://github.com/coreos/zincati/releases/tag/v0.0.30"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "Zincati allows unprivileged access to rpm-ostree D-Bus `Deploy()` and `FinalizeDeployment()` methods"
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.