CWE-285
Improper Authorization
Description
The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-1 · CAPEC-104 · CAPEC-127 · CAPEC-13 · CAPEC-17 · CAPEC-39 · CAPEC-402 · CAPEC-45 · CAPEC-5 · CAPEC-51 · CAPEC-59 · CAPEC-60 · CAPEC-647 · CAPEC-668 · CAPEC-76 · CAPEC-77 · CAPEC-87
CVEs mapped to this weakness (812)
Page 36 of 41

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-34460 | | | 0.00 | — | 0.01 | | Jun 23, 2023 | Tauri is a framework for building binaries for all major desktop platforms. The 1.4.0 release includes a regression on the Filesystem scope check for dotfiles on Unix. Previously dotfiles were not implicitly allowed by the glob wildcard scopes (e.g. `$HOME/*`), but a regression… |
| CVE-2023-34091 | | | 0.00 | — | 0.01 | | Jun 1, 2023 | Kyverno is a policy engine designed for Kubernetes. In versions of Kyverno prior to 1.10.0, resources which have the `deletionTimestamp` field defined can bypass validate, generate, or mutate-existing policies, even in cases where the `validationFailureAction` field is set to… |
| CVE-2023-33189 | | | 0.00 | — | 0.01 | | May 30, 2023 | Pomerium is an identity and context-aware access proxy. With specially crafted requests, incorrect authorization decisions may be made by Pomerium. This issue has been patched in versions 0.17.4, 0.18.1, 0.19.2, 0.20.1, 0.21.4 and 0.22.2. |
| CVE-2023-2227 | | | 0.00 | — | 0.44 | | Apr 21, 2023 | Improper Authorization in GitHub repository modoboa/modoboa prior to 2.1.0. |
| CVE-2023-1782 | | | 0.00 | — | 0.01 | | Apr 5, 2023 | HashiCorp Nomad and Nomad Enterprise versions 1.5.0 up to 1.5.2 allow unauthenticated users to bypass intended ACL authorizations for clusters where mTLS is not enabled. This issue is fixed in version 1.5.3. |
| CVE-2023-0665 | | | 0.00 | — | 0.00 | | Mar 30, 2023 | HashiCorp Vault's PKI mount issuer endpoints did not correctly authorize access to remove an issuer or modify issuer metadata, potentially resulting in denial of service of the PKI mount. This bug did not affect public or private key material, trust chains or certificate… |
| CVE-2022-40208 | | | 0.00 | — | 0.01 | | Mar 24, 2023 | In Moodle, insufficient limitations in some quiz web services made it possible for students to bypass sequential navigation during a quiz attempt. |
| CVE-2023-27594 | | | 0.00 | — | 0.01 | | Mar 17, 2023 | Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.11.15, 1.12.8, and 1.13.1, under specific conditions, Cilium may misattribute the source IP address of traffic to a cluster, identifying external traffic as coming from… |
| CVE-2023-1463 | | | 0.00 | — | 0.01 | | Mar 17, 2023 | Authorization Bypass Through User-Controlled Key in GitHub repository nilsteampassnet/teampass prior to 3.0.0.23. |
| CVE-2023-0734 | | | 0.00 | — | 0.01 | | Mar 5, 2023 | Improper Authorization in GitHub repository wallabag/wallabag prior to 2.5.4. |
| CVE-2023-0914 | | | 0.00 | — | 0.01 | | Feb 19, 2023 | Improper Authorization in GitHub repository pixelfed/pixelfed prior to 0.11.4. |
| CVE-2022-21953 | | | 0.00 | — | 0.00 | | Feb 7, 2023 | A Missing Authorization vulnerability in SUSE Rancher allows an authenticated user to create an unauthorized shell pod and kubectl access in the local cluster. This issue affects: SUSE Rancher versions prior to 2.5.17; Rancher versions prior to 2.6.10; Rancher versions… |
| CVE-2022-24894 | | | 0.00 | — | 0.01 | | Feb 3, 2023 | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony HTTP cache system acts as a reverse proxy: it caches entire responses (including headers) and returns them to the clients. In a recent change in the… |
| CVE-2023-0609 | | | 0.00 | — | 0.01 | | Feb 1, 2023 | Improper Authorization in GitHub repository wallabag/wallabag prior to 2.5.3. |
| CVE-2023-22480 | | | 0.00 | — | 0.67 | | Jan 14, 2023 | KubeOperator is an open source Kubernetes distribution focused on helping enterprises plan, deploy and operate production-level K8s clusters. In KubeOperator versions 3.16.3 and below, API interfaces with unauthorized entities and can leak sensitive information. This… |
| CVE-2023-0298 | | | 0.00 | — | 0.01 | | Jan 14, 2023 | Incorrect Authorization in GitHub repository firefly-iii/firefly-iii prior to 5.8.0. |
| CVE-2022-4868 | | | 0.00 | — | 0.01 | | Dec 31, 2022 | Improper Authorization in GitHub repository froxlor/froxlor prior to 2.0.0-beta1. |
| CVE-2022-4804 | | — | 0.00 | — | 0.01 | | Dec 28, 2022 | Improper Authorization in GitHub repository usememos/memos prior to 0.9.1. |
| CVE-2022-4802 | | — | 0.00 | — | 0.01 | | Dec 28, 2022 | Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1. |
| CVE-2022-4798 | | — | 0.00 | — | 0.01 | | Dec 28, 2022 | Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1. |