CWE-284
Improper Access Control
Description
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
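The definition covers both halves of the failure: a check that is missing, and a check that is present but applied to the wrong object. The second is the common shape in the CVE list further down (the Moodle entries such as CVE-2019-10187 describe a user permitted to delete in one glossary deleting from another). The following added example, written for this page rather than taken from CWE/MITRE, Moodle or any listed project, models that slip: the handler verifies a capability against the container id the client named, then deletes whatever entry id the client named, with nothing tying the two together. Every name in it (Glossary, Entry, delete_entry_*) and the sample data are constructed.

```python
"""Added example for this page (not code from CWE/MITRE, Moodle or any listed project):
a model of the object-level check that slips in entries such as CVE-2019-10187 below.
Every name here (Glossary, Entry, delete_entry_*) and the sample data are constructed."""
from dataclasses import dataclass, field


@dataclass
class Entry:
    entry_id: int
    glossary_id: int          # the glossary that owns this entry
    text: str


@dataclass
class Glossary:
    glossary_id: int
    deleters: set = field(default_factory=set)   # users allowed to delete its entries


# Constructed sample state: alice may delete entries in glossary 1 only.
GLOSSARIES = {
    1: Glossary(1, deleters={"alice"}),
    2: Glossary(2, deleters={"bob"}),
}
ENTRIES = {
    10: Entry(10, glossary_id=1, text="in alice's glossary"),
    20: Entry(20, glossary_id=2, text="in bob's glossary"),
}


def can_delete(user: str, glossary_id: int) -> bool:
    """Deny by default: unknown glossary or unlisted user means no."""
    g = GLOSSARIES.get(glossary_id)
    return g is not None and user in g.deleters


def delete_entry_vulnerable(user: str, glossary_id: int, entry_id: int, entries: dict) -> bool:
    """The capability is checked against the glossary id the client sent, and the entry
    id the client sent is deleted; nothing ties the two together."""
    if not can_delete(user, glossary_id):
        raise PermissionError("not allowed in this glossary")
    entries.pop(entry_id)     # entry 20 lives in glossary 2, but nobody looked
    return True


def delete_entry_fixed(user: str, glossary_id: int, entry_id: int, entries: dict) -> bool:
    """Load the entry first, derive its owning glossary from the record, and check the
    capability against that. The client-supplied glossary_id must agree with it."""
    entry = entries.get(entry_id)
    if entry is None or entry.glossary_id != glossary_id:
        raise PermissionError("entry is not in the requested glossary")
    if not can_delete(user, entry.glossary_id):
        raise PermissionError("not allowed in this glossary")
    del entries[entry_id]
    return True


def demo() -> tuple:
    """Run both handlers on fresh copies of the sample data. Returns
    (vulnerable deleted across glossaries, fixed refused both cross-glossary attempts,
     fixed still allowed the legitimate delete)."""
    vuln = dict(ENTRIES)
    crossed = delete_entry_vulnerable("alice", 1, 20, vuln) and 20 not in vuln

    fixed = dict(ENTRIES)
    refusals = 0
    for claimed_glossary in (1, 2):    # lie about the glossary, or tell the truth: both fail
        try:
            delete_entry_fixed("alice", claimed_glossary, 20, fixed)
        except PermissionError:
            refusals += 1
    refused = refusals == 2 and 20 in fixed

    allowed = delete_entry_fixed("alice", 1, 10, fixed) and 10 not in fixed
    return crossed, refused, allowed


if __name__ == "__main__":
    print(demo())   # (True, True, True)
```

The hardened handler works because the authorization decision is derived from the stored record, not from request parameters: the client can name any glossary it likes, but the check runs against the glossary the entry actually belongs to, and a mismatch between the two is itself rejected.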
Hierarchy (View 1000)
Parents
none
Children
- CWE-1191
- CWE-1220
- CWE-1224
- CWE-1231
- CWE-1233
- CWE-1252
- CWE-1257
- CWE-1259
- CWE-1260
- CWE-1262
- CWE-1263
- CWE-1267
- CWE-1270
- CWE-1274
- CWE-1276
- CWE-1280
- CWE-1283
- CWE-1290
- CWE-1292
- CWE-1294
- CWE-1296
- CWE-1304
- CWE-1311
- CWE-1312
- CWE-1313
- CWE-1315
- CWE-1316
- CWE-1317
- CWE-1320
- CWE-1323
- CWE-1334
- CWE-269
- CWE-282
- CWE-285
- CWE-286
- CWE-287
- CWE-346
- CWE-749
- CWE-923
Related attack patterns (CAPEC)
CAPEC-19 · CAPEC-441 · CAPEC-478 · CAPEC-479 · CAPEC-502 · CAPEC-503 · CAPEC-536 · CAPEC-546 · CAPEC-550 · CAPEC-551 · CAPEC-552 · CAPEC-556 · CAPEC-558 · CAPEC-562 · CAPEC-563 · CAPEC-564 · CAPEC-578
CVEs mapped to this weakness (2,580)
Page 118 of 129

| CVE | Vendor / Product | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|---|
| CVE-2019-14838 | — | 0.00 | — | 0.00 | Oct 14, 2019 | A flaw was found in wildfly-core before 7.2.5.GA. The Management users with Monitor, Auditor and Deployer Roles should not be allowed to modify the runtime state of the server. |
| CVE-2019-16377 | — | 0.00 | — | 0.01 | Sep 23, 2019 | The makandra consul gem through 1.0.2 for Ruby has Incorrect Access Control. |
| CVE-2019-16109 | — | 0.00 | — | 0.00 | Sep 8, 2019 | An issue was discovered in Plataformatec Devise before 4.7.1. It confirms accounts upon receiving a request with a blank confirmation_token, if a database record has a blank value in the confirmation_token column. (However, there is no scenario within Devise itself in which such… |
| CVE-2019-10187 | — | 0.00 | — | 0.00 | Jul 31, 2019 | A flaw was found in moodle before versions 3.7.1, 3.6.5, 3.5.7. Users with permission to delete entries from a glossary were able to delete entries from other glossaries they did not have direct access to. |
| CVE-2019-10188 | — | 0.00 | — | 0.00 | Jul 31, 2019 | A flaw was found in moodle before versions 3.7.1, 3.6.5, 3.5.7. Teachers in a quiz group could modify group overrides for other groups in the same quiz. |
| CVE-2019-10189 | — | 0.00 | — | 0.00 | Jul 31, 2019 | A flaw was found in moodle before versions 3.7.1, 3.6.5, 3.5.7. Teachers in an assignment group could modify group overrides for other groups in the same assignment. |
| CVE-2019-10138 | — | 0.00 | — | 0.00 | Jul 30, 2019 | A flaw was discovered in the python-novajoin plugin, all versions up to, excluding 1.1.1, for Red Hat OpenStack Platform. The novajoin API lacked sufficient access control, allowing any keystone authenticated user to generate FreeIPA tokens. |
| CVE-2019-12470 | — | 0.00 | — | 0.00 | Jul 10, 2019 | Wikimedia MediaWiki through 1.32.1 has Incorrect Access Control. Suppressed log in RevisionDelete page is exposed. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. |
| CVE-2019-12469 | — | 0.00 | — | 0.00 | Jul 10, 2019 | MediaWiki through 1.32.1 has Incorrect Access Control. Suppressed username or log in Special:EditTags are exposed. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. |
| CVE-2019-12472 | — | 0.00 | — | 0.00 | Jul 10, 2019 | An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.18.0 through 1.32.1. It is possible to bypass the limits on IP range blocks ($wgBlockCIDRLimit) by using the API. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. |
| CVE-2019-12468 | — | 0.00 | — | 0.00 | Jul 10, 2019 | An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.27.0 through 1.32.1. Directly POSTing to Special:ChangeEmail would allow for bypassing re-authentication, allowing for potential account takeover. |
| CVE-2019-12467 | — | 0.00 | — | 0.00 | Jul 10, 2019 | MediaWiki through 1.32.1 has Incorrect Access Control (issue 1 of 3). A spammer can use Special:ChangeEmail to send out spam with no rate limiting or ability to block them. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6. |
| CVE-2019-12291 | — | 0.00 | — | 0.00 | Jun 6, 2019 | HashiCorp Consul 1.4.0 through 1.5.0 has Incorrect Access Control. Keys not matching a specific ACL rule used for prefix matching in a policy can be deleted by a token using that policy even with default deny settings configured. |
| CVE-2019-12243 | — | 0.00 | — | 0.00 | Jun 5, 2019 | Istio 1.1.x through 1.1.6 has Incorrect Access Control. |
| CVE-2019-3895 | — | 0.00 | — | 0.01 | Jun 3, 2019 | An access-control flaw was found in the Octavia service when the cloud platform was deployed using Red Hat OpenStack Platform Director. An attacker could cause new amphorae to run based on any arbitrary image. This meant that a remote attacker could upload a new amphorae image… |
| CVE-2017-11365 | — | 0.00 | — | 0.00 | May 23, 2019 | Certain Symfony products are affected by: Incorrect Access Control. This affects Symfony 2.7.30 and Symfony 2.8.23 and Symfony 3.2.10 and Symfony 3.3.3. The type of exploitation is: remote. The component is: Password validator. |
| CVE-2017-18367 | — | 0.00 | — | 0.00 | Apr 24, 2019 | libseccomp-golang 0.9.0 and earlier incorrectly generates BPFs that OR multiple arguments rather than ANDing them. A process running under a restrictive seccomp filter that specified multiple syscall arguments could bypass intended access restrictions by specifying a single… |
| CVE-2018-20028 | — | 0.00 | — | 0.00 | Apr 17, 2019 | Contao 3.x before 3.5.37, 4.4.x before 4.4.31 and 4.6.x before 4.6.11 has Incorrect Access Control. |
| CVE-2019-7611 | — | 0.00 | — | 0.01 | Mar 25, 2019 | A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1 when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split endpoints are used. If the elasticsearch.yml file has xpack.security.dls_fls.enabled set to… |
| CVE-2019-8336 | — | 0.00 | — | 0.00 | Mar 5, 2019 | HashiCorp Consul (and Consul Enterprise) 1.4.x before 1.4.3 allows a client to bypass intended access restrictions and obtain the privileges of one other arbitrary token within secondary datacenters, because a token with literally "" as its secret is used in unusual… |
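Two entries on this page hinge on an empty credential: CVE-2019-16109 (a blank confirmation_token that matches a record whose column is blank) and CVE-2019-8336 (a token whose secret is literally ""). They share one shape, a lookup keyed on a client-supplied secret that never rejects the empty value. The following is an added example written for this page, not code from Devise, Consul or any listed project; the User record, the in-memory store and the confirm_* functions are constructed to model the pattern, and the vulnerable and hardened lookups are shown side by side:

```python
"""Added example (not code from Devise, Consul or any project on this page): a model
of the empty-credential lookup behind CVE-2019-16109 and CVE-2019-8336. The User
record, the sample rows and the confirm_* functions are all constructed."""
import copy
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class User:
    email: str
    confirmed: bool
    confirmation_token: Optional[str]   # "" versus None is the whole bug


# Constructed sample table: carol's row was written with "" instead of NULL in the
# token column (an import job, a hand edit); dave holds a live token.
USERS: List[User] = [
    User("carol@example.test", confirmed=False, confirmation_token=""),
    User("dave@example.test", confirmed=False, confirmation_token=secrets.token_urlsafe(24)),
]


def find_by_token(users: List[User], token: Optional[str]) -> Optional[User]:
    """ORM-style find_by(confirmation_token: token): first row whose column equals the value."""
    for u in users:
        if u.confirmation_token == token:
            return u
    return None


def confirm_vulnerable(users: List[User], token: Optional[str]) -> Optional[str]:
    """Looks the token up exactly as received. A request carrying token '' matches any
    row whose column is '' and confirms that account with no secret ever presented."""
    user = find_by_token(users, token)
    if user is None:
        return None
    user.confirmed = True
    user.confirmation_token = None
    return user.email


def confirm_fixed(users: List[User], token: Optional[str]) -> Optional[str]:
    """Rejects blank or whitespace-only tokens before touching the store, skips rows
    with no real token, and compares in constant time so the lookup is not a timing oracle."""
    if not token or not token.strip():
        return None
    for u in users:
        if u.confirmation_token and hmac.compare_digest(
            u.confirmation_token.encode(), token.encode()
        ):
            u.confirmed = True
            u.confirmation_token = None
            return u.email
    return None


def demo() -> tuple:
    """Returns (who the vulnerable path confirmed on a blank token,
    whether the fixed path refused blank and whitespace tokens,
    who the fixed path confirmed for the genuine token)."""
    v = copy.deepcopy(USERS)
    blank_hit = confirm_vulnerable(v, "")            # carol, without any secret

    f = copy.deepcopy(USERS)
    blank_refused = confirm_fixed(f, "") is None and confirm_fixed(f, "   ") is None
    real = confirm_fixed(f, f[1].confirmation_token)  # dave, with his real token
    return blank_hit, blank_refused, real


if __name__ == "__main__":
    print(demo())   # ('carol@example.test', True, 'dave@example.test')
```

The request-level check is the minimum fix; the durable one is also at the schema, storing NULL rather than "" once a token is consumed so that no row can ever equal an empty credential, whichever code path performs the lookup.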