CWE-1220
Insufficient Granularity of Access Control
Description
The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-1 · CAPEC-180
CVEs mapped to this weakness (47)
Page 3 of 3

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-29200 | | | 0.00 | — | 0.01 | | Mar 28, 2024 | Kimai is a web-based multi-user time-tracking application. The permission `view_other_timesheet` performs differently for the Kimai UI and the API, thus returning unexpected data through the API. When setting the `view_other_timesheet` permission to true, on the frontend, users… |
| CVE-2023-33127 | | | 0.00 | — | 0.02 | | Jul 11, 2023 | .NET and Visual Studio Elevation of Privilege Vulnerability |
| CVE-2023-27591 | | | 0.00 | — | 0.01 | | Mar 17, 2023 | Miniflux is a feed reader. Prior to version 2.0.43, an unauthenticated user can retrieve Prometheus metrics from a publicly reachable Miniflux instance where the `METRICS_COLLECTOR` configuration option is enabled and `METRICS_ALLOWED_NETWORKS` is set to `127.0.0.1/8` (the… |
| CVE-2022-4801 | | — | 0.00 | — | 0.01 | | Dec 28, 2022 | Insufficient Granularity of Access Control in GitHub repository usememos/memos prior to 0.9.1. |
| CVE-2022-4813 | | — | 0.00 | — | 0.01 | | Dec 28, 2022 | Insufficient Granularity of Access Control in GitHub repository usememos/memos prior to 0.9.1. |
| CVE-2022-1025 | | — | 0.00 | — | 0.01 | | Jul 12, 2022 | All unpatched versions of Argo CD starting with v1.0.0 are vulnerable to an improper access control bug, allowing a malicious user to potentially escalate their privileges to admin-level. |
| CVE-2021-20066 | | — | 0.00 | — | 0.01 | | Feb 16, 2021 | JSDom improperly allows the loading of local resources, which allows for local files to be manipulated by a malicious web page when script execution is enabled. |