CWE-284
Improper Access Control
Description
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Hierarchy (View 1000)
Parents
none
Children
- CWE-1191
- CWE-1220
- CWE-1224
- CWE-1231
- CWE-1233
- CWE-1252
- CWE-1257
- CWE-1259
- CWE-1260
- CWE-1262
- CWE-1263
- CWE-1267
- CWE-1270
- CWE-1274
- CWE-1276
- CWE-1280
- CWE-1283
- CWE-1290
- CWE-1292
- CWE-1294
- CWE-1296
- CWE-1304
- CWE-1311
- CWE-1312
- CWE-1313
- CWE-1315
- CWE-1316
- CWE-1317
- CWE-1320
- CWE-1323
- CWE-1334
- CWE-269
- CWE-282
- CWE-285
- CWE-286
- CWE-287
- CWE-346
- CWE-749
- CWE-923
Related attack patterns (CAPEC)
CAPEC-19 · CAPEC-441 · CAPEC-478 · CAPEC-479 · CAPEC-502 · CAPEC-503 · CAPEC-536 · CAPEC-546 · CAPEC-550 · CAPEC-551 · CAPEC-552 · CAPEC-556 · CAPEC-558 · CAPEC-562 · CAPEC-563 · CAPEC-564 · CAPEC-578
CVEs mapped to this weakness (2,580)
page 116 of 129
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-13676 | — | | 0.00 | — | 0.00 | | Feb 11, 2022 | The QuickEdit module does not properly check access to fields in some circumstances, which can lead to unintended disclosure of field data. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed. |
| CVE-2020-13675 | — | | 0.00 | — | 0.01 | | Feb 11, 2022 | Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs. The modules do not correctly run all file validation, which causes an access bypass vulnerability. An attacker might be able to upload files that bypass the file validation process implemented by… |
| CVE-2022-23600 | | | 0.00 | — | 0.00 | | Feb 4, 2022 | fleet is an open source device management, built on osquery. Versions prior to 4.9.1 expose a limited ability to spoof SAML authentication with missing audience verification. This impacts deployments using SAML SSO in two specific cases: 1. A malicious or compromised Service… |
| CVE-2022-0273 | | | 0.00 | — | 0.00 | | Jan 30, 2022 | Improper Access Control in Pypi calibreweb prior to 0.6.16. |
| CVE-2022-0203 | | | 0.00 | — | 0.00 | | Jan 26, 2022 | Improper Access Control in GitHub repository crater-invoice/crater prior to 6.0.2. |
| CVE-2022-0178 | | | 0.00 | — | 0.00 | | Jan 13, 2022 | Missing Authorization vulnerability in snipe snipe/snipe-it. This issue affects snipe/snipe-i before 5.3.8. |
| CVE-2022-0179 | | | 0.00 | — | 0.00 | | Jan 12, 2022 | snipe-it is vulnerable to Missing Authorization |
| CVE-2021-4194 | | | 0.00 | — | 0.00 | | Jan 6, 2022 | bookstack is vulnerable to Improper Access Control |
| CVE-2021-4119 | | | 0.00 | — | 0.00 | | Dec 15, 2021 | bookstack is vulnerable to Improper Access Control |
| CVE-2021-4089 | | | 0.00 | — | 0.00 | | Dec 10, 2021 | snipe-it is vulnerable to Improper Access Control |
| CVE-2021-22565 | — | | 0.00 | — | 0.00 | | Dec 9, 2021 | An attacker could prematurely expire a verification code, making it unusable by the patient, making the patient unable to upload their TEKs to generate exposure notifications. We recommend upgrading the Exposure Notification server to V1.1.2 or greater. |
| CVE-2021-3992 | — | | 0.00 | — | 0.00 | | Dec 1, 2021 | kimai2 is vulnerable to Improper Access Control |
| CVE-2021-4026 | | | 0.00 | — | 0.00 | | Nov 30, 2021 | bookstack is vulnerable to Improper Access Control |
| CVE-2021-43996 | — | | 0.00 | — | 0.01 | | Nov 17, 2021 | The Ignition component before 1.16.15, and 2.0.x before 2.0.6, for Laravel has a "fix variable names" feature that can lead to incorrect access control. |
| CVE-2021-41194 | — | | 0.00 | — | 0.00 | | Oct 28, 2021 | FirstUseAuthenticator is a JupyterHub authenticator that helps new users set their password on their first login to JupyterHub. When JupyterHub is used with FirstUseAuthenticator, a vulnerability in versions prior to 1.0.0 allows unauthorized access to any user's account if… |
| CVE-2021-40347 | — | | 0.00 | — | 0.00 | | Sep 10, 2021 | An issue was discovered in views/list.py in GNU Mailman Postorius before 1.3.5. An attacker (logged into any account) can send a crafted POST request to unsubscribe any user from a mailing list, also revealing whether that address was subscribed in the first place. |
| CVE-2021-25735 | | | 0.00 | — | 0.16 | | Sep 6, 2021 | A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Clusters are only affected by this vulnerability if they run a Validating Admission Webhook for Nodes that denies admission based at least partially on the… |
| CVE-2021-25956 | | | 0.00 | — | 0.00 | | Aug 17, 2021 | In “Dolibarr” application, v3.3.beta1_20121221 to v13.0.2 have “Modify” access for admin level users to change other user’s details but fails to validate already existing “Login” name, while renaming the user “Login”. This leads to complete account takeover of… |
| CVE-2021-25954 | | | 0.00 | — | 0.00 | | Aug 9, 2021 | In “Dolibarr” application, 2.8.1 to 13.0.4 don’t restrict or incorrectly restricts access to a resource from an unauthorized actor. A low privileged attacker can modify the Private Note which only an administrator has rights to do, the affected field is at… |
| CVE-2021-25320 | | | 0.00 | — | 0.00 | | Jul 15, 2021 | A Improper Access Control vulnerability in Rancher, allows users in the cluster to make request to cloud providers by creating requests with the cloud-credential ID. Rancher in this case would attach the requested credentials without further checks This issue affects: Rancher… |