CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5497 vulnerabilities reference this CWE, most recent first.
GHSA-XPVF-6QCC-9JQC
Vulnerability from github – Published: 2026-03-16 15:30 – Updated: 2026-03-18 16:09Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to validate team-specific upload_file permissions which allows a guest user to post files in channels where they lack upload_file permission via uploading files in a team where they have permission and reusing the file metadata in a POST request to a different team. Mattermost Advisory ID: MMSA-2025-00553
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.0-20260107144005-c7f6efdfb035"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.3.2-0.20260107144005-c7f6efdfb035"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server"
},
"ranges": [
{
"events": [
{
"introduced": "10.11.0-rc1"
},
{
"fixed": "10.11.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server"
},
"ranges": [
{
"events": [
{
"introduced": "11.2.0-rc1"
},
{
"fixed": "11.2.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server"
},
"ranges": [
{
"events": [
{
"introduced": "11.3.0-rc1"
},
{
"fixed": "11.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-4265"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-18T16:09:03Z",
"nvd_published_at": "2026-03-16T14:20:19Z",
"severity": "MODERATE"
},
"details": "Mattermost versions 11.3.x \u003c= 11.3.0, 11.2.x \u003c= 11.2.2, 10.11.x \u003c= 10.11.10 fail to validate team-specific upload_file permissions which allows a guest user to post files in channels where they lack upload_file permission via uploading files in a team where they have permission and reusing the file metadata in a POST request to a different team. Mattermost Advisory ID: MMSA-2025-00553",
"id": "GHSA-xpvf-6qcc-9jqc",
"modified": "2026-03-18T16:09:03Z",
"published": "2026-03-16T15:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4265"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/mattermost/commit/c7f6efdfb035490f494b3177996ee5f4b278c988"
},
{
"type": "PACKAGE",
"url": "https://github.com/mattermost/mattermost"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Mattermost fails to validate team-specific upload_file permissions"
}
GHSA-XPWJ-7V8Q-MCGJ
Vulnerability from github – Published: 2021-09-23 23:18 – Updated: 2022-08-11 16:54Impact
Modules that are dynamically imported through import() or new Worker might have been able to bypass network and file system permission checks when statically importing other modules. In Deno 1.5.x and 1.6.x only programs dynamically importing (especially transitively) untrusted code are affected. In Deno 1.7.x all programs importing (especially transitively) untrusted code are affected.
In effect an attacker in control of a (possibly remote) module in a programs module graph has been able to, irrespective of permissions: 1. initiate GET requests to arbitrary URLs on the internet (including LAN) and possibly read (parts of) the contents of these resources. 2. check for existence of arbitrary paths on the file system, and possibly read (parts of) the contents of these files.
In Deno 1.5.x (October 27th, 2020) and Deno 1.6.x (December 8th, 2020) the attacker module had to have been granted permissions to load dynamically through the network / fs read permission. Since Deno 1.7.x (January 19th, 2021) this vulnerability was able to be exploited in a fully sandboxed isolate (without any permissions). This vulnerability was not present in releases prior to 1.5.0.
Arbitrary non-GET requests, control over request headers, or file system writes are not possible through this vulnerability. Users of the deno_core, deno_runtime, or other deno_* crates are not affected. This is a Deno CLI only vulnerability.
We are relatively confident this was not abused in the wild, as by default Deno prints out a green "Download" message when remote imports are downloaded, and this would have caused suspicion if it occurred in the middle of a programs execution. This message can be silenced with the --quiet flag.
Patches
The vulnerability has been patched in Deno release 1.10.2. You can upgrade to the latest Deno version by running the deno upgrade command. The release is available through all official download channels.
Workarounds
There is no workaround for this issue.
For more information
If you have any questions or comments about this advisory: * Open an issue on the issue tracker * Discuss on Discord
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.10.1"
},
"package": {
"ecosystem": "crates.io",
"name": "deno"
},
"ranges": [
{
"events": [
{
"introduced": "1.5.0"
},
{
"fixed": "1.10.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-32619"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2021-09-23T21:13:15Z",
"nvd_published_at": "2021-05-28T21:15:00Z",
"severity": "CRITICAL"
},
"details": "### Impact\n\nModules that are dynamically imported through `import()` or `new Worker` might have been able to bypass network and file system permission checks when statically importing other modules. In Deno 1.5.x and 1.6.x only programs dynamically importing (especially transitively) untrusted code are affected. In Deno 1.7.x all programs importing (especially transitively) untrusted code are affected.\n\nIn effect an attacker in control of a (possibly remote) module in a programs module graph has been able to, **irrespective of permissions**:\n1. initiate GET requests to arbitrary URLs on the internet (including LAN) and possibly read (parts of) the contents of these resources.\n2. check for existence of arbitrary paths on the file system, and possibly read (parts of) the contents of these files.\n\nIn Deno 1.5.x (October 27th, 2020) and Deno 1.6.x (December 8th, 2020) the attacker module had to have been granted permissions to load dynamically through the network / fs read permission. Since Deno 1.7.x (January 19th, 2021) this vulnerability was able to be exploited in a fully sandboxed isolate (without any permissions). This vulnerability was not present in releases prior to 1.5.0.\n\nArbitrary non-GET requests, control over request headers, or file system writes are not possible through this vulnerability. Users of the `deno_core`, `deno_runtime`, or other `deno_*` crates are not affected. This is a Deno CLI only vulnerability.\n\nWe are relatively confident this was not abused in the wild, as by default Deno prints out a green \"Download\" message when remote imports are downloaded, and this would have caused suspicion if it occurred in the middle of a programs execution. This message can be silenced with the `--quiet` flag. \n\n### Patches\n\nThe vulnerability has been patched in Deno release 1.10.2. You can upgrade to the latest Deno version by running the `deno upgrade` command. The release is available through all official download channels. \n\n### Workarounds\n\nThere is no workaround for this issue.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue on [the issue tracker](https://github.com/denoland/deno)\n* Discuss on [Discord](https://discord.gg/deno)\n",
"id": "GHSA-xpwj-7v8q-mcgj",
"modified": "2022-08-11T16:54:03Z",
"published": "2021-09-23T23:18:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/denoland/deno/security/advisories/GHSA-xpwj-7v8q-mcgj"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32619"
},
{
"type": "PACKAGE",
"url": "https://github.com/denoland/deno"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Deno\u0027s static imports inside dynamically imported modules do not adhere to permission checks"
}
GHSA-XQ42-24VV-4RXR
Vulnerability from github – Published: 2023-10-30 18:30 – Updated: 2023-11-07 03:30In Sim, there is a possible way to evade mobile preference restrictions due to a permission bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{
"affected": [],
"aliases": [
"CVE-2023-21390"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-30T18:15:09Z",
"severity": "HIGH"
},
"details": "In Sim, there is a possible way to evade mobile preference restrictions due to a permission bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.",
"id": "GHSA-xq42-24vv-4rxr",
"modified": "2023-11-07T03:30:26Z",
"published": "2023-10-30T18:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21390"
},
{
"type": "WEB",
"url": "https://source.android.com/docs/security/bulletin/android-14"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XQ44-WCJX-G3W9
Vulnerability from github – Published: 2024-11-19 00:32 – Updated: 2025-10-22 00:33Vulnerability in the Oracle Agile PLM Framework product of Oracle Supply Chain (component: Software Development Kit, Process Extension). The supported version that is affected is 9.3.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Agile PLM Framework. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Agile PLM Framework accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
{
"affected": [],
"aliases": [
"CVE-2024-21287"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-18T22:15:05Z",
"severity": "HIGH"
},
"details": "Vulnerability in the Oracle Agile PLM Framework product of Oracle Supply Chain (component: Software Development Kit, Process Extension). The supported version that is affected is 9.3.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Agile PLM Framework. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Agile PLM Framework accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).",
"id": "GHSA-xq44-wcjx-g3w9",
"modified": "2025-10-22T00:33:11Z",
"published": "2024-11-19T00:32:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21287"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-21287"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/alert-cve-2024-21287.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XQ89-553H-3J4M
Vulnerability from github – Published: 2022-05-24 19:16 – Updated: 2022-07-13 00:01In all versions of GitLab CE/EE since version 8.0, access tokens created as part of admin's impersonation of a user are not cleared at the end of impersonation which may lead to unnecessary sensitive info disclosure.
{
"affected": [],
"aliases": [
"CVE-2021-39891"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-05T14:15:00Z",
"severity": "MODERATE"
},
"details": "In all versions of GitLab CE/EE since version 8.0, access tokens created as part of admin\u0027s impersonation of a user are not cleared at the end of impersonation which may lead to unnecessary sensitive info disclosure.",
"id": "GHSA-xq89-553h-3j4m",
"modified": "2022-07-13T00:01:38Z",
"published": "2022-05-24T19:16:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39891"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39891.json"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/335137"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XQ8M-7C5P-C2R6
Vulnerability from github – Published: 2026-04-21 15:21 – Updated: 2026-04-21 15:21Description
In affected versions of the Next.js SDK, simultaneous requests that trigger a nonce retry may cause the proxy cache fetcher to perform improper lookups for the token request results.
Which Projects are Affected?
Users are affected if they meet all of the following preconditions: - Applications using the auth0/nextjs-auth0 SDK, versions 4.12.0 to 4.17.0, and - Applications using the proxy handler /me/ and /my-org/ with DPoP enabled.
Affected product and versions
Auth0/nextjs-auth0 v4.12.0 to 4.17.0
Resolution
Upgrade Auth0/nextjs-auth0 version to v4.18.0 or greater
Acknowledgements
Okta would like to thank Reynaldo Immanuel for their discovery and responsible disclosure.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.17.0"
},
"package": {
"ecosystem": "npm",
"name": "@auth0/nextjs-auth0"
},
"ranges": [
{
"events": [
{
"introduced": "4.12.0"
},
{
"fixed": "4.18.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-40155"
],
"database_specific": {
"cwe_ids": [
"CWE-362",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-21T15:21:46Z",
"nvd_published_at": "2026-04-17T21:16:33Z",
"severity": "MODERATE"
},
"details": "### Description\nIn affected versions of the Next.js SDK, simultaneous requests that trigger a nonce retry may cause the proxy cache fetcher to perform improper lookups for the token request results.\n\n### Which Projects are Affected?\nUsers are affected if they meet all of the following preconditions:\n- Applications using the auth0/nextjs-auth0 SDK, versions 4.12.0 to 4.17.0, and\n- Applications using the proxy handler /me/* and /my-org/* with DPoP enabled.\n\n\n### Affected product and versions\nAuth0/nextjs-auth0 v4.12.0 to 4.17.0\n\n### Resolution\nUpgrade Auth0/nextjs-auth0 version to v4.18.0 or greater\n\n### Acknowledgements\nOkta would like to thank Reynaldo Immanuel for their discovery and responsible disclosure.",
"id": "GHSA-xq8m-7c5p-c2r6",
"modified": "2026-04-21T15:21:46Z",
"published": "2026-04-21T15:21:46Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-xq8m-7c5p-c2r6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40155"
},
{
"type": "WEB",
"url": "https://github.com/auth0/nextjs-auth0/commit/98c36dc306970c2230ea1a32efef431d29b99978"
},
{
"type": "PACKAGE",
"url": "https://github.com/auth0/nextjs-auth0"
},
{
"type": "WEB",
"url": "https://github.com/auth0/nextjs-auth0/releases/tag/v4.18.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Auth0 Next.js SDK has Improper Proxy Cache Lookup"
}
GHSA-XQHM-WM3P-7WV9
Vulnerability from github – Published: 2024-08-13 12:30 – Updated: 2024-08-13 12:30Incorrect Authorization vulnerability in WPWeb Docket (WooCommerce Collections / Wishlist / Watchlist) allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Docket (WooCommerce Collections / Wishlist / Watchlist): from n/a before 1.7.0.
{
"affected": [],
"aliases": [
"CVE-2024-43131"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-13T11:15:18Z",
"severity": "HIGH"
},
"details": "Incorrect Authorization vulnerability in WPWeb Docket (WooCommerce Collections / Wishlist / Watchlist) allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Docket (WooCommerce Collections / Wishlist / Watchlist): from n/a before 1.7.0.",
"id": "GHSA-xqhm-wm3p-7wv9",
"modified": "2024-08-13T12:30:53Z",
"published": "2024-08-13T12:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43131"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/woocommerce-collections/wordpress-docket-woocommerce-collections-wishlist-watchlist-plugin-1-6-6-unauthenticated-arbitrary-post-page-deletion-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XQQX-3G3G-99GR
Vulnerability from github – Published: 2024-03-17 09:30 – Updated: 2024-03-17 09:30A vulnerability was found in kishor-23 Food Waste Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /admin/admin.php. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257056. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2024-2557"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-17T09:15:07Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in kishor-23 Food Waste Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /admin/admin.php. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257056. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-xqqx-3g3g-99gr",
"modified": "2024-03-17T09:30:45Z",
"published": "2024-03-17T09:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2557"
},
{
"type": "WEB",
"url": "https://github.com/vanitashtml/CVE-Dumps/blob/main/Execute%20After%20Redirect%20-%20Food%20Management%20System.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.257056"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.257056"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XQVX-2258-GFP2
Vulnerability from github – Published: 2023-12-05 03:30 – Updated: 2023-12-05 03:30Improper authorization verification vulnerability in AR Emoji prior to SMR Dec-2023 Release 1 allows attackers to read sandbox data of AR Emoji.
{
"affected": [],
"aliases": [
"CVE-2023-42569"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-05T03:15:17Z",
"severity": "MODERATE"
},
"details": "Improper authorization verification vulnerability in AR Emoji prior to SMR Dec-2023 Release 1 allows attackers to read sandbox data of AR Emoji.",
"id": "GHSA-xqvx-2258-gfp2",
"modified": "2023-12-05T03:30:23Z",
"published": "2023-12-05T03:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42569"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2023\u0026month=12"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XQWW-45WW-CW2P
Vulnerability from github – Published: 2024-11-04 15:31 – Updated: 2024-11-06 18:31Akamai SIA (Secure Internet Access Enterprise) ThreatAvert, in SPS (Security and Personalization Services) before the latest 19.2.0 patch and Apps Portal before 19.2.0.3 or 19.2.0.20240814, has incorrect authorization controls for the Admin functionality on the ThreatAvert Policy page. An authenticated user can navigate directly to the /#app/intelligence/threatAvertPolicies URI and disable policy enforcement.
{
"affected": [],
"aliases": [
"CVE-2024-45164"
],
"database_specific": {
"cwe_ids": [
"CWE-732",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-04T14:15:14Z",
"severity": "HIGH"
},
"details": "Akamai SIA (Secure Internet Access Enterprise) ThreatAvert, in SPS (Security and Personalization Services) before the latest 19.2.0 patch and Apps Portal before 19.2.0.3 or 19.2.0.20240814, has incorrect authorization controls for the Admin functionality on the ThreatAvert Policy page. An authenticated user can navigate directly to the /#app/intelligence/threatAvertPolicies URI and disable policy enforcement.",
"id": "GHSA-xqww-45ww-cw2p",
"modified": "2024-11-06T18:31:05Z",
"published": "2024-11-04T15:31:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45164"
},
{
"type": "WEB",
"url": "https://notes.netbytesec.com/2024/11/cve-2024-45164-broken-access-control.html"
},
{
"type": "WEB",
"url": "https://www.akamai.com/global-services/support/vulnerability-reporting"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.