CWE-284
Improper Access Control
Description
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Hierarchy (View 1000)
Parents
none
Children
- CWE-1191
- CWE-1220
- CWE-1224
- CWE-1231
- CWE-1233
- CWE-1252
- CWE-1257
- CWE-1259
- CWE-1260
- CWE-1262
- CWE-1263
- CWE-1267
- CWE-1270
- CWE-1274
- CWE-1276
- CWE-1280
- CWE-1283
- CWE-1290
- CWE-1292
- CWE-1294
- CWE-1296
- CWE-1304
- CWE-1311
- CWE-1312
- CWE-1313
- CWE-1315
- CWE-1316
- CWE-1317
- CWE-1320
- CWE-1323
- CWE-1334
- CWE-269
- CWE-282
- CWE-285
- CWE-286
- CWE-287
- CWE-346
- CWE-749
- CWE-923
Related attack patterns (CAPEC)
CAPEC-19 · CAPEC-441 · CAPEC-478 · CAPEC-479 · CAPEC-502 · CAPEC-503 · CAPEC-536 · CAPEC-546 · CAPEC-550 · CAPEC-551 · CAPEC-552 · CAPEC-556 · CAPEC-558 · CAPEC-562 · CAPEC-563 · CAPEC-564 · CAPEC-578
CVEs mapped to this weakness (2,580)
Page 114 of 129

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-24425 | | | 0.00 | — | 0.01 | | Jan 24, 2023 | Jenkins Kubernetes Credentials Provider Plugin 1.208.v128ee9800c04 and earlier does not set the appropriate context for Kubernetes credentials lookup, allowing attackers with Item/Configure permission to access and potentially capture Kubernetes credentials they are not entitled… |
| CVE-2023-21893 | | | 0.00 | — | 0.01 | | Jan 17, 2023 | Vulnerability in the Oracle Data Provider for .NET component of Oracle Database Server. Supported versions that are affected are 19c and 21c. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TCPS to compromise Oracle Data Provider for… |
| CVE-2022-45438 | | | 0.00 | — | 0.03 | | Jan 16, 2023 | When explicitly enabling the feature flag DASHBOARD_CACHE (disabled by default), the system allowed for an unauthenticated user to access dashboard configuration metadata using a REST API Get endpoint. This issue affects Apache Superset version 1.5.2 and prior versions and… |
| CVE-2023-0091 | | | 0.00 | — | 0.00 | | Jan 11, 2023 | A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information. |
| CVE-2023-22487 | | | 0.00 | — | 0.00 | | Jan 11, 2023 | Flarum is a forum software for building communities. Using the mentions feature provided by the flarum/mentions extension, users can mention any post ID on the forum with the special `@""#p` syntax. The following behavior never changes no matter if the actor should… |
| CVE-2022-23508 | | | 0.00 | — | 0.00 | | Jan 9, 2023 | Weave GitOps is a simple open source developer platform for people who want cloud native applications, without needing Kubernetes expertise. A vulnerability in GitOps run could allow a local user or process to alter a Kubernetes cluster's resources. GitOps run has a local S3… |
| CVE-2022-4810 | | — | 0.00 | — | 0.00 | | Dec 28, 2022 | Improper Access Control in GitHub repository usememos/memos prior to 0.9.1. |
| CVE-2022-4814 | | — | 0.00 | — | 0.00 | | Dec 28, 2022 | Improper Access Control in GitHub repository usememos/memos prior to 0.9.1. |
| CVE-2022-4809 | | — | 0.00 | — | 0.00 | | Dec 28, 2022 | Improper Access Control in GitHub repository usememos/memos prior to 0.9.1. |
| CVE-2022-4807 | | — | 0.00 | — | 0.00 | | Dec 28, 2022 | Improper Access Control in GitHub repository usememos/memos prior to 0.9.1. |
| CVE-2022-4806 | | — | 0.00 | — | 0.00 | | Dec 28, 2022 | Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1. |
| CVE-2022-4803 | | — | 0.00 | — | 0.00 | | Dec 28, 2022 | Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1. |
| CVE-2022-41654 | | | 0.00 | — | 0.00 | | Dec 23, 2022 | An authentication bypass vulnerability exists in the newsletter subscription functionality of Ghost Foundation Ghost 5.9.4. A specially-crafted HTTP request can lead to increased privileges. An attacker can send an HTTP request to trigger this vulnerability. |
| CVE-2022-4724 | | — | 0.00 | — | 0.00 | | Dec 23, 2022 | Improper Access Control in GitHub repository ikus060/rdiffweb prior to 2.5.5. |
| CVE-2022-4689 | | — | 0.00 | — | 0.00 | | Dec 23, 2022 | Improper Access Control in GitHub repository usememos/memos prior to 0.9.0. |
| CVE-2022-4684 | | — | 0.00 | — | 0.00 | | Dec 23, 2022 | Improper Access Control in GitHub repository usememos/memos prior to 0.9.0. |
| CVE-2022-47407 | | — | 0.00 | — | 0.00 | | Dec 14, 2022 | An issue was discovered in the fp_masterquiz (aka Master-Quiz) extension before 2.2.1, and 3.x before 3.5.1, for TYPO3. An attacker can continue the quiz of a different user. In doing so, the attacker can view that user's answers and modify those answers. |
| CVE-2022-23485 | | | 0.00 | — | 0.00 | | Dec 10, 2022 | Sentry is an error tracking and performance monitoring platform. In versions of the sentry python library prior to 22.11.0 an attacker with a known valid invite link could manipulate a cookie to allow the same invite link to be reused on multiple accounts when joining an… |
| CVE-2022-42126 | | | 0.00 | — | 0.00 | | Nov 15, 2022 | The Asset Libraries module in Liferay Portal 7.3.5 through 7.4.3.28, and Liferay DXP 7.3 before update 8, and DXP 7.4 before update 29 does not properly check permissions of asset libraries, which allows remote authenticated users to view asset libraries via the UI. |
| CVE-2022-41874 | | | 0.00 | — | 0.00 | | Nov 10, 2022 | Tauri is a framework for building binaries for all major desktop platforms. In versions prior to 1.0.7 and 1.1.2, Tauri is vulnerable to an Incorrectly-Resolved Name. Due to incorrect escaping of special characters in paths selected via the file dialog and drag and drop… |