CWE-284
Improper Access Control
Description
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Hierarchy (View 1000)
Parents
none
Children
- CWE-1191
- CWE-1220
- CWE-1224
- CWE-1231
- CWE-1233
- CWE-1252
- CWE-1257
- CWE-1259
- CWE-1260
- CWE-1262
- CWE-1263
- CWE-1267
- CWE-1270
- CWE-1274
- CWE-1276
- CWE-1280
- CWE-1283
- CWE-1290
- CWE-1292
- CWE-1294
- CWE-1296
- CWE-1304
- CWE-1311
- CWE-1312
- CWE-1313
- CWE-1315
- CWE-1316
- CWE-1317
- CWE-1320
- CWE-1323
- CWE-1334
- CWE-269
- CWE-285
- CWE-286
- CWE-287
- CWE-282
- CWE-346
- CWE-749
- CWE-923
Related attack patterns (CAPEC)
CAPEC-19 · CAPEC-441 · CAPEC-478 · CAPEC-479 · CAPEC-502 · CAPEC-503 · CAPEC-536 · CAPEC-546 · CAPEC-550 · CAPEC-551 · CAPEC-552 · CAPEC-556 · CAPEC-558 · CAPEC-562 · CAPEC-563 · CAPEC-564 · CAPEC-578
CVEs mapped to this weakness (2,700)
page 51 of 135| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-32044 | Med | 0.44 | 6.8 | 0.00 | Nov 13, 2024 | Improper access control for some Intel(R) Arc(TM) Pro Graphics for Windows drivers before version 31.0.101.5319 may allow an authenticated user to potentially enable escalation of privilege via adjacent access. | ||
| CVE-2024-29077 | Med | 0.44 | 6.7 | 0.00 | Nov 13, 2024 | Improper access control in some JAM STAPL Player software before version 2.6.1 may allow an authenticated user to potentially enable escalation of privilege via local access. | ||
| CVE-2024-47976 | Med | 0.44 | 6.7 | 0.00 | Oct 7, 2024 | Improper access removal handling in firmware of some Solidigm DC Products may allow an attacker with physical access to gain unauthorized access. | ||
| CVE-2024-39934 | Hig | 0.44 | 7.8 | 0.00 | Jul 4, 2024 | Robotmk before 2.0.1 allows a local user to escalate privileges (e.g., to SYSTEM) if automated Python environment setup is enabled, because the "shared holotree usage" feature allows any user to edit any Python environment. | ||
| CVE-2024-21828 | Med | 0.44 | 6.7 | 0.00 | May 16, 2024 | Improper access control in some Intel(R) Ethernet Controller Administrative Tools software before version 28.3 may allow an authenticated user to potentially enable escalation of privilege via local access. | ||
| CVE-2024-34404 | Med | 0.44 | 6.8 | 0.00 | May 3, 2024 | A vulnerability was discovered in the Alta Recovery Vault feature of Veritas NetBackup before 10.4 and NetBackup Appliance before 5.4. By design, only the cloud administrator should be able to disable the retention lock of Governance mode images. This vulnerability allowed a… | ||
| CVE-2023-4107 | Med | 0.44 | 6.7 | 0.00 | Aug 11, 2023 | Mattermost fails to properly validate the requesting user permissions when updating a system admin, allowing a user manager to update a system admin's details such as email, first name and last name. | ||
| CVE-2022-24731 | Med | 0.44 | 6.8 | 0.01 | Mar 23, 2022 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 1.5.0 but before versions 2.1.11, 2.2.6, and 2.3.0 is vulnerable to a path traversal vulnerability, allowing a malicious user with read/write access to leak sensitive files… | ||
| CVE-2018-15371 | Med | 0.44 | 6.7 | 0.00 | Oct 5, 2018 | A vulnerability in the shell access request mechanism of Cisco IOS XE Software could allow an authenticated, local attacker to bypass authentication and gain unrestricted access to the root shell of an affected device. The vulnerability exists because the affected software has… | ||
| CVE-2018-0428 | Med | 0.44 | 6.7 | 0.00 | Aug 15, 2018 | A vulnerability in the account management subsystem of Cisco Web Security Appliance (WSA) could allow an authenticated, local attacker to elevate privileges to root. The attacker must authenticate with valid administrator credentials. The vulnerability is due to improper… | ||
| CVE-2009-5151 | Med | 0.44 | 6.7 | 0.01 | May 11, 2018 | The stub component of Absolute Computrace Agent V70.785 executes code from a disk's inter-partition space without requiring a digital signature for that code, which allows attackers to execute code on the BIOS. This allows a privileged local user to achieve persistent control of… | ||
| CVE-2009-5150 | Med | 0.44 | 6.7 | 0.01 | May 11, 2018 | Absolute Computrace Agent V80.845 and V80.866 does not have a digital signature for the configuration block, which allows attackers to set up communication with a web site other than the intended search.namequery.com site by modifying data within a disk's inter-partition space.… | ||
| CVE-2018-4844 | Med | 0.44 | 6.7 | 0.00 | Mar 20, 2018 | A vulnerability has been identified in SIMATIC WinCC OA UI for Android (All versions < V3.15.10), SIMATIC WinCC OA UI for iOS (All versions < V3.15.10). Insufficient limitation of CONTROL script capabilities could allow read and write access from one HMI project cache folder to… | ||
| CVE-2016-6338 | Med | 0.44 | 6.8 | 0.01 | Apr 20, 2017 | ovirt-engine-webadmin, as used in Red Hat Enterprise Virtualization Manager (aka RHEV-M) for Servers and RHEV-M 4.0, allows physically proximate attackers to bypass a webadmin session timeout restriction via vectors related to UI selections, which trigger repeating queries. | ||
| CVE-2016-4031 | Med | 0.44 | 6.8 | 0.01 | Apr 13, 2017 | Samsung SM-G920F build G920FXXU2COH2 (Galaxy S6), SM-N9005 build N9005XXUGBOK6 (Galaxy Note 3), GT-I9192 build I9192XXUBNB1 (Galaxy S4 mini), GT-I9195 build I9195XXUCOL1 (Galaxy S4 mini LTE), and GT-I9505 build I9505XXUHOJ2 (Galaxy S4) devices allow attackers to send AT commands… | ||
| CVE-2016-4030 | Med | 0.44 | 6.8 | 0.01 | Apr 13, 2017 | Samsung SM-G920F build G920FXXU2COH2 (Galaxy S6), SM-N9005 build N9005XXUGBOK6 (Galaxy Note 3), GT-I9192 build I9192XXUBNB1 (Galaxy S4 mini), GT-I9195 build I9195XXUCOL1 (Galaxy S4 mini LTE), and GT-I9505 build I9505XXUHOJ2 (Galaxy S4) devices have unintended availability of the… | ||
| CVE-2016-8793 | Med | 0.44 | 6.7 | 0.00 | Apr 2, 2017 | Huawei Mate 8 phones with software Versions before NXT-AL10C00B386, Versions before NXT-CL00C92B386, Versions before NXT-DL00C17B386, Versions before NXT-TL00C01B386; Mate S phones with software Versions before CRR-CL00C92B368, Versions before CRR-CL20C92B368, Versions before… | ||
| CVE-2016-10065 | Hig | 0.44 | 7.8 | 0.02 | Mar 3, 2017 | The ReadVIFFImage function in coders/viff.c in ImageMagick before 7.0.1-0 allows remote attackers to cause a denial of service (application crash) or have other unspecified impact via a crafted file. | ||
| CVE-2016-8633 | Med | 0.44 | 6.8 | 0.02 | Nov 28, 2016 | drivers/firewire/net.c in the Linux kernel before 4.8.7, in certain unusual hardware configurations, allows remote attackers to execute arbitrary code via crafted fragmented packets. | ||
| CVE-2016-5610 | Med | 0.44 | 6.8 | 0.00 | Oct 25, 2016 | Unspecified vulnerability in the Oracle VM VirtualBox component before 5.0.28 and 5.1.x before 5.1.8 in Oracle Virtualization allows local users to affect confidentiality, integrity, and availability via vectors related to Core. |
- risk 0.44cvss 6.8epss 0.00
Improper access control for some Intel(R) Arc(TM) Pro Graphics for Windows drivers before version 31.0.101.5319 may allow an authenticated user to potentially enable escalation of privilege via adjacent access.
- risk 0.44cvss 6.7epss 0.00
Improper access control in some JAM STAPL Player software before version 2.6.1 may allow an authenticated user to potentially enable escalation of privilege via local access.
- risk 0.44cvss 6.7epss 0.00
Improper access removal handling in firmware of some Solidigm DC Products may allow an attacker with physical access to gain unauthorized access.
- risk 0.44cvss 7.8epss 0.00
Robotmk before 2.0.1 allows a local user to escalate privileges (e.g., to SYSTEM) if automated Python environment setup is enabled, because the "shared holotree usage" feature allows any user to edit any Python environment.
- risk 0.44cvss 6.7epss 0.00
Improper access control in some Intel(R) Ethernet Controller Administrative Tools software before version 28.3 may allow an authenticated user to potentially enable escalation of privilege via local access.
- risk 0.44cvss 6.8epss 0.00
A vulnerability was discovered in the Alta Recovery Vault feature of Veritas NetBackup before 10.4 and NetBackup Appliance before 5.4. By design, only the cloud administrator should be able to disable the retention lock of Governance mode images. This vulnerability allowed a…
- risk 0.44cvss 6.7epss 0.00
Mattermost fails to properly validate the requesting user permissions when updating a system admin, allowing a user manager to update a system admin's details such as email, first name and last name.
- risk 0.44cvss 6.8epss 0.01
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 1.5.0 but before versions 2.1.11, 2.2.6, and 2.3.0 is vulnerable to a path traversal vulnerability, allowing a malicious user with read/write access to leak sensitive files…
- risk 0.44cvss 6.7epss 0.00
A vulnerability in the shell access request mechanism of Cisco IOS XE Software could allow an authenticated, local attacker to bypass authentication and gain unrestricted access to the root shell of an affected device. The vulnerability exists because the affected software has…
- risk 0.44cvss 6.7epss 0.00
A vulnerability in the account management subsystem of Cisco Web Security Appliance (WSA) could allow an authenticated, local attacker to elevate privileges to root. The attacker must authenticate with valid administrator credentials. The vulnerability is due to improper…
- risk 0.44cvss 6.7epss 0.01
The stub component of Absolute Computrace Agent V70.785 executes code from a disk's inter-partition space without requiring a digital signature for that code, which allows attackers to execute code on the BIOS. This allows a privileged local user to achieve persistent control of…
- risk 0.44cvss 6.7epss 0.01
Absolute Computrace Agent V80.845 and V80.866 does not have a digital signature for the configuration block, which allows attackers to set up communication with a web site other than the intended search.namequery.com site by modifying data within a disk's inter-partition space.…
- risk 0.44cvss 6.7epss 0.00
A vulnerability has been identified in SIMATIC WinCC OA UI for Android (All versions < V3.15.10), SIMATIC WinCC OA UI for iOS (All versions < V3.15.10). Insufficient limitation of CONTROL script capabilities could allow read and write access from one HMI project cache folder to…
- risk 0.44cvss 6.8epss 0.01
ovirt-engine-webadmin, as used in Red Hat Enterprise Virtualization Manager (aka RHEV-M) for Servers and RHEV-M 4.0, allows physically proximate attackers to bypass a webadmin session timeout restriction via vectors related to UI selections, which trigger repeating queries.
- risk 0.44cvss 6.8epss 0.01
Samsung SM-G920F build G920FXXU2COH2 (Galaxy S6), SM-N9005 build N9005XXUGBOK6 (Galaxy Note 3), GT-I9192 build I9192XXUBNB1 (Galaxy S4 mini), GT-I9195 build I9195XXUCOL1 (Galaxy S4 mini LTE), and GT-I9505 build I9505XXUHOJ2 (Galaxy S4) devices allow attackers to send AT commands…
- risk 0.44cvss 6.8epss 0.01
Samsung SM-G920F build G920FXXU2COH2 (Galaxy S6), SM-N9005 build N9005XXUGBOK6 (Galaxy Note 3), GT-I9192 build I9192XXUBNB1 (Galaxy S4 mini), GT-I9195 build I9195XXUCOL1 (Galaxy S4 mini LTE), and GT-I9505 build I9505XXUHOJ2 (Galaxy S4) devices have unintended availability of the…
- risk 0.44cvss 6.7epss 0.00
Huawei Mate 8 phones with software Versions before NXT-AL10C00B386, Versions before NXT-CL00C92B386, Versions before NXT-DL00C17B386, Versions before NXT-TL00C01B386; Mate S phones with software Versions before CRR-CL00C92B368, Versions before CRR-CL20C92B368, Versions before…
- risk 0.44cvss 7.8epss 0.02
The ReadVIFFImage function in coders/viff.c in ImageMagick before 7.0.1-0 allows remote attackers to cause a denial of service (application crash) or have other unspecified impact via a crafted file.
- risk 0.44cvss 6.8epss 0.02
drivers/firewire/net.c in the Linux kernel before 4.8.7, in certain unusual hardware configurations, allows remote attackers to execute arbitrary code via crafted fragmented packets.
- risk 0.44cvss 6.8epss 0.00
Unspecified vulnerability in the Oracle VM VirtualBox component before 5.0.28 and 5.1.x before 5.1.8 in Oracle Virtualization allows local users to affect confidentiality, integrity, and availability via vectors related to Core.