VYPR

CWE-285

Improper Authorization

Abstraction: Class · Status: Draft · Likelihood of exploit: High

Description

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
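An added example, not code from this page or from any project listed on it: a resource lookup that authenticates the caller but never authorizes the access, beside the same lookup with an explicit server-side check. It mirrors two patterns that recur in the entries below, a user-controlled key that selects another user's resource and a deactivated account whose already-issued session keeps working. All names (USERS, PROJECTS, Session, Forbidden, get_project_*) and the data are hypothetical and constructed for this example.

```python
"""Improper authorization (CWE-285): vulnerable lookup beside its fixed form.

Illustrative code written for this page; not from any real project.
USERS, PROJECTS, Session and the get_project_* handlers are hypothetical.
"""
from dataclasses import dataclass

# Constructed sample data. "dave" was active when he logged in and has been
# deactivated since; his session token is still valid.
USERS = {
    "alice": {"active": True,  "role": "user"},
    "bob":   {"active": True,  "role": "user"},
    "carol": {"active": True,  "role": "admin"},
    "dave":  {"active": False, "role": "user"},
}
PROJECTS = {
    101: {"owner": "alice", "name": "alice-secret"},
    102: {"owner": "bob",   "name": "bob-secret"},
    104: {"owner": "dave",  "name": "dave-old"},
}


@dataclass
class Session:
    """Authenticated session as issued at login time (hypothetical)."""
    user: str
    active_at_login: bool = True


class Forbidden(Exception):
    """Raised when the request is denied."""


def get_project_vulnerable(session: Session, project_id: int) -> dict:
    """CWE-285 pattern: the caller is authenticated, the access is not authorized.

    Two defects in one handler:
    - project_id comes from the client and is used directly as the lookup key,
      so any logged-in user can read any other user's project (user-controlled
      key, as in the IDOR entries on this page).
    - the only status check is the flag captured at login, so an account
      deactivated afterwards keeps working for as long as the session lasts.
    """
    if not session.active_at_login:
        raise Forbidden("inactive user")
    return PROJECTS[project_id]


def get_project_fixed(session: Session, project_id: int) -> dict:
    """Same operation with an explicit authorization decision on every call.

    1. Re-read the account record now, so deactivation takes effect at once.
    2. Decide on the server's own record of the resource (owner, or admin
       role), never on an id or flag the client supplied.
    3. Fail closed, and do not tell the caller whether a denied id exists.
    """
    user = USERS.get(session.user)
    if user is None or not user["active"]:
        raise Forbidden("inactive or unknown user")
    project = PROJECTS.get(project_id)
    if project is None:
        raise Forbidden("not found")
    if project["owner"] != session.user and user["role"] != "admin":
        raise Forbidden("not found")   # same message as a missing id
    return project


def denies(handler, session: Session, project_id: int) -> bool:
    """True if the handler refuses the request with Forbidden."""
    try:
        handler(session, project_id)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    for name, handler in (("vulnerable", get_project_vulnerable),
                          ("fixed", get_project_fixed)):
        print(name,
              "bob reads alice's project:", not denies(handler, Session("bob"), 101),
              "| deactivated dave still works:", not denies(handler, Session("dave"), 104))
```

The fixed handler returns the same "not found" for a project that does not exist and for one the caller may not see; distinguishing the two lets an attacker enumerate ids even when the data itself stays hidden.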

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-1 · CAPEC-104 · CAPEC-127 · CAPEC-13 · CAPEC-17 · CAPEC-39 · CAPEC-402 · CAPEC-45 · CAPEC-5 · CAPEC-51 · CAPEC-59 · CAPEC-60 · CAPEC-647 · CAPEC-668 · CAPEC-76 · CAPEC-77 · CAPEC-87

CVEs mapped to this weakness (812)

page 37 of 41
  • CVE-2022-4811 · Dec 28, 2022
    risk 0.00 · cvss – · epss 0.01

    Authorization Bypass Through User-Controlled Key vulnerability in usememos usememos/memos. This issue affects usememos/memos before 0.9.1.

  • CVE-2022-4688 · Dec 23, 2022
    risk 0.00 · cvss – · epss 0.01

    Improper Authorization in GitHub repository usememos/memos prior to 0.9.0.

  • CVE-2022-23542 · Dec 20, 2022
    risk 0.00 · cvss – · epss 0.01

    OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. During an internal security assessment, it was discovered that OpenFGA version 0.3.0 is vulnerable to authorization bypass under certain conditions. This issue has been patched in…

  • CVE-2022-4147 · Dec 6, 2022
    risk 0.00 · cvss – · epss 0.01

    Quarkus CORS filter allows simple GET and POST requests with invalid Origin to proceed. Simple GET or POST requests made with XMLHttpRequest are the ones which have no event listeners registered on the object returned by the XMLHttpRequest upload property and have no…

  • CVE-2022-39340 · Oct 25, 2022
    risk 0.00 · cvss – · epss 0.01

    OpenFGA is an authorization/permission engine. Prior to version 0.2.4, the `streamed-list-objects` endpoint was not validating the authorization header, resulting in disclosure of objects in the store. Users `openfga/openfga` versions 0.2.3 and prior who are exposing the OpenFGA…

  • CVE-2022-39322 · Oct 25, 2022
    risk 0.00 · cvss – · epss 0.01

    @keystone-6/core is a core package for Keystone 6, a content management system for Node.js. Starting with version 2.2.0 and prior to version 2.3.1, users who expected their `multiselect` fields to use the field-level access control - if configured - are vulnerable to their…

  • CVE-2022-39341 · Oct 25, 2022
    risk 0.00 · cvss – · epss 0.01

    OpenFGA is an authorization/permission engine. Versions prior to version 0.2.4 are vulnerable to authorization bypass under certain conditions. Users who have wildcard (`*`) defined on tupleset relations in their authorization model are vulnerable. Version 0.2.4 contains a patch…

  • CVE-2022-39342 · Oct 25, 2022
    risk 0.00 · cvss – · epss 0.01

    OpenFGA is an authorization/permission engine. Versions prior to version 0.2.4 are vulnerable to authorization bypass under certain conditions. Users whose model has a relation defined as a tupleset (the right hand side of a ‘from’ statement) that involves anything other…

  • CVE-2022-41672 · Oct 7, 2022
    risk 0.00 · cvss – · epss 0.01

    In Apache Airflow, prior to version 2.4.1, deactivating a user wouldn't prevent an already authenticated user from being able to continue using the UI or API.

  • CVE-2022-32170 · Sep 28, 2022
    risk 0.00 · cvss – · epss 0.01

    The “Bytebase” application does not restrict low-privilege users from accessing admin “projects”, so an unauthorized user can view the “projects” created by “Admin”. The affected endpoint is “/api/project?user=${userId}”.

  • CVE-2022-36090 · Sep 8, 2022
    risk 0.00 · cvss – · epss 0.01

    XWiki Platform Old Core is a core package for XWiki Platform, a generic wiki platform. Prior to versions 13.1.0.5 and 14.3-rc-1, some resources are missing a check for inactive (not yet activated or disabled) users in XWiki, including the REST service. This means a disabled user…

  • CVE-2022-31167 · Sep 7, 2022
    risk 0.00 · cvss – · epss 0.01

    XWiki Platform Security Parent POM contains the security APIs for XWiki Platform, a generic wiki platform. Starting with version 5.0 and prior to 12.10.11, 13.10.1, and 13.4.6, a bug in the security cache stores rules associated to document Page1.Page2 and space Page1.Page2 in…

  • CVE-2022-31247 · Sep 7, 2022
    risk 0.00 · cvss – · epss 0.01

    An Improper Authorization vulnerability in SUSE Rancher, allows any user who has permissions to create/edit cluster role template bindings or project role template bindings (such as cluster-owner, manage cluster members, project-owner and manage project members) to gain owner…

  • CVE-2022-34256 · Aug 16, 2022
    risk 0.00 · cvss – · epss 0.02

    Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an Improper Authorization vulnerability that could result in privilege escalation. An attacker could leverage this vulnerability to access other users' data.…

  • CVE-2021-4200 · May 2, 2022
    risk 0.00 · cvss – · epss 0.01

    An Improper Privilege Management vulnerability in SUSE Rancher allows write access to the Catalog for any user when the restricted-admin role is enabled. This issue affects: SUSE Rancher versions prior to 2.5.13; Rancher versions prior to 2.6.4.

  • CVE-2021-36784 · May 2, 2022
    risk 0.00 · cvss – · epss 0.01

    An Improper Privilege Management vulnerability in SUSE Rancher allows users with the restricted-admin role to escalate to full admin. This issue affects: SUSE Rancher versions prior to 2.5.13; Rancher versions prior to 2.6.4.

  • CVE-2022-0860 · Mar 11, 2022
    risk 0.00 · cvss – · epss 0.02

    Improper Authorization in GitHub repository cobbler/cobbler prior to 3.3.2.

  • CVE-2022-0587 · Feb 15, 2022
    risk 0.00 · cvss – · epss 0.01

    Improper Authorization in Packagist librenms/librenms prior to 22.2.0.

  • CVE-2021-21693 · Nov 4, 2021
    risk 0.00 · cvss – · epss 0.02

    When creating temporary files, agent-to-controller permission to create those files is only checked after they have already been created, in Jenkins 2.318 and earlier and LTS 2.303.2 and earlier.

  • CVE-2021-25973 · Nov 2, 2021
    risk 0.00 · cvss – · epss 0.01

    Publify versions 9.0.0.pre1 to 9.2.4 are vulnerable to Improper Access Control: “guest” role users can self-register even when the admin does not allow it, because the restriction is enforced only in the front end.