VYPR

CWE-285

Improper Authorization

Abstraction: Class · Status: Draft · Likelihood of exploit: High

Description

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
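Both halves of that definition, the missing check and the incorrectly performed check, are easiest to see side by side. The following is an added example written for this page, not code from CWE or from any of the projects listed below; the document store, the actors and the `authorize` policy are constructed for illustration. The vulnerable handler confuses authentication with authorization (being logged in is treated as permission, so any user can read any document by changing the id, the user-controlled-key variant that several entries below describe as CWE-639); the second handler does perform a check but on the wrong object; the fixed handlers route every access through one deny-by-default policy that is evaluated on the specific resource instance and before any side effect.

```python
"""CWE-285 in a tiny document service: missing check, wrong check, fixed check."""
from dataclasses import dataclass, field


@dataclass
class Document:
    doc_id: int
    owner: str
    body: str
    shared_with: set = field(default_factory=set)


@dataclass(frozen=True)
class Actor:
    username: str
    roles: frozenset = frozenset()


class Forbidden(Exception):
    """Raised when an access is denied (or the resource does not exist)."""


# Constructed sample data: two documents, the second shared with a third user.
DOCS = {
    1: Document(1, "alice", "alice's private notes"),
    2: Document(2, "bob", "bob's draft", shared_with={"carol"}),
}


def get_document_vulnerable(actor, doc_id):
    """Missing check: authentication ('is there a user?') is mistaken for
    authorization ('may this user do this?'). Any logged-in user can read
    any document by changing doc_id."""
    if actor is None:
        raise Forbidden("login required")
    return DOCS[doc_id].body


def get_document_wrong_object(actor, doc_id):
    """Incorrect check: asks whether the caller owns *some* document instead
    of *this* document, so every document owner can read every document."""
    if actor is None or not any(d.owner == actor.username for d in DOCS.values()):
        raise Forbidden("forbidden")
    return DOCS[doc_id].body


def authorize(actor, action, doc):
    """Single deny-by-default policy, evaluated on the specific resource.

    Anonymous callers and unknown actions fall through to the final False;
    every handler must call this before performing the action."""
    if actor is None:
        return False
    if "admin" in actor.roles:
        return True
    if action == "read":
        return actor.username == doc.owner or actor.username in doc.shared_with
    if action in ("write", "delete"):
        return actor.username == doc.owner
    return False


def get_document_fixed(actor, doc_id):
    doc = DOCS.get(doc_id)
    # One error for "missing" and "forbidden", so ids cannot be enumerated.
    if doc is None or not authorize(actor, "read", doc):
        raise Forbidden("not found")
    return doc.body


def update_document_fixed(actor, doc_id, new_body):
    """The check runs before the side effect, never after it."""
    doc = DOCS.get(doc_id)
    if doc is None or not authorize(actor, "write", doc):
        raise Forbidden("not found")
    doc.body = new_body
    return doc.body


if __name__ == "__main__":
    carol = Actor("carol")
    print(get_document_vulnerable(carol, 1))   # leaks alice's notes
    try:
        get_document_fixed(carol, 1)
    except Forbidden as exc:
        print("fixed handler:", exc)
    print(get_document_fixed(carol, 2))        # shared with carol: allowed
```

The design point is that there is exactly one place where "who may do what to which object" is decided, and handlers cannot reach the resource without going through it; most of the entries below are cases where some endpoint, resource state or request shape found a path around that single decision point.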

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-1 · CAPEC-104 · CAPEC-127 · CAPEC-13 · CAPEC-17 · CAPEC-39 · CAPEC-402 · CAPEC-45 · CAPEC-5 · CAPEC-51 · CAPEC-59 · CAPEC-60 · CAPEC-647 · CAPEC-668 · CAPEC-76 · CAPEC-77 · CAPEC-87

CVEs mapped to this weakness (812)

page 36 of 41
  • CVE-2023-34460 · Jun 23, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Tauri is a framework for building binaries for all major desktop platforms. The 1.4.0 release includes a regression on the Filesystem scope check for dotfiles on Unix. Previously dotfiles were not implicitly allowed by the glob wildcard scopes (e.g. `$HOME/*`), but a regression…

  • CVE-2023-34091 · Jun 1, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Kyverno is a policy engine designed for Kubernetes. In versions of Kyverno prior to 1.10.0, resources which have the `deletionTimestamp` field defined can bypass validate, generate, or mutate-existing policies, even in cases where the `validationFailureAction` field is set to…

  • CVE-2023-33189 · May 30, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Pomerium is an identity and context-aware access proxy. With specially crafted requests, incorrect authorization decisions may be made by Pomerium. This issue has been patched in versions 0.17.4, 0.18.1, 0.19.2, 0.20.1, 0.21.4 and 0.22.2.

  • CVE-2023-2227 · Apr 21, 2023
    risk 0.00 · cvss n/a · epss 0.44

    Improper Authorization in GitHub repository modoboa/modoboa prior to 2.1.0.

  • CVE-2023-1782 · Apr 5, 2023
    risk 0.00 · cvss n/a · epss 0.01

    HashiCorp Nomad and Nomad Enterprise versions 1.5.0 up to 1.5.2 allow unauthenticated users to bypass intended ACL authorizations for clusters where mTLS is not enabled. This issue is fixed in version 1.5.3.

  • CVE-2023-0665 · Mar 30, 2023
    risk 0.00 · cvss n/a · epss 0.00

    HashiCorp Vault's PKI mount issuer endpoints did not correctly authorize access to remove an issuer or modify issuer metadata, potentially resulting in denial of service of the PKI mount. This bug did not affect public or private key material, trust chains or certificate…

  • CVE-2022-40208 · Mar 24, 2023
    risk 0.00 · cvss n/a · epss 0.01

    In Moodle, insufficient limitations in some quiz web services made it possible for students to bypass sequential navigation during a quiz attempt.

  • CVE-2023-27594 · Mar 17, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.11.15, 1.12.8, and 1.13.1, under specific conditions, Cilium may misattribute the source IP address of traffic to a cluster, identifying external traffic as coming from…

  • CVE-2023-1463 · Mar 17, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Authorization Bypass Through User-Controlled Key in GitHub repository nilsteampassnet/teampass prior to 3.0.0.23.

  • CVE-2023-0734 · Mar 5, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Improper Authorization in GitHub repository wallabag/wallabag prior to 2.5.4.

  • CVE-2023-0914 · Feb 19, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Improper Authorization in GitHub repository pixelfed/pixelfed prior to 0.11.4.

  • CVE-2022-21953 · Feb 7, 2023
    risk 0.00 · cvss n/a · epss 0.00

    A Missing Authorization vulnerability in SUSE Rancher allows an authenticated user to create an unauthorized shell pod and obtain kubectl access in the local cluster. This issue affects: SUSE Rancher versions prior to 2.5.17; Rancher versions prior to 2.6.10; Rancher versions…

  • CVE-2022-24894 · Feb 3, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony HTTP cache system acts as a reverse proxy: it caches entire responses (including headers) and returns them to the clients. In a recent change in the…

  • CVE-2023-0609 · Feb 1, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Improper Authorization in GitHub repository wallabag/wallabag prior to 2.5.3.

  • CVE-2023-22480 · Jan 14, 2023
    risk 0.00 · cvss n/a · epss 0.67

    KubeOperator is an open source Kubernetes distribution focused on helping enterprises plan, deploy and operate production-level K8s clusters. In KubeOperator versions 3.16.3 and below, API interfaces with unauthorized entities and can leak sensitive information. This…

  • CVE-2023-0298 · Jan 14, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Incorrect Authorization in GitHub repository firefly-iii/firefly-iii prior to 5.8.0.

  • CVE-2022-4868 · Dec 31, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Improper Authorization in GitHub repository froxlor/froxlor prior to 2.0.0-beta1.

  • CVE-2022-4804 · Dec 28, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Improper Authorization in GitHub repository usememos/memos prior to 0.9.1.

  • CVE-2022-4802 · Dec 28, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1.

  • CVE-2022-4798 · Dec 28, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1.