CWE-285
Improper Authorization
Description
The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-1 · CAPEC-104 · CAPEC-127 · CAPEC-13 · CAPEC-17 · CAPEC-39 · CAPEC-402 · CAPEC-45 · CAPEC-5 · CAPEC-51 · CAPEC-59 · CAPEC-60 · CAPEC-647 · CAPEC-668 · CAPEC-76 · CAPEC-77 · CAPEC-87
CVEs mapped to this weakness (812)
page 41 of 41| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-1000408 | 0.00 | — | 0.01 | Jan 9, 2019 | A denial of service vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java that allows attackers without Overall/Read permission to access a specific URL on instances using the built-in… | |||
| CVE-2018-14637 | — | 0.00 | — | 0.01 | Nov 30, 2018 | The SAML broker consumer endpoint in Keycloak before version 4.6.0.Final ignores expiration conditions on SAML assertions. An attacker can exploit this vulnerability to perform a replay attack. | ||
| CVE-2018-12467 | Med | 0.00 | 6.0 | 0.01 | Aug 1, 2018 | Authorized users of the openbuildservice before 2.9.4 could delete packages by using a malicious request against projects having the OBS:InitializeDevelPackage attribute, a similar issue to CVE-2018-7689. | ||
| CVE-2018-12466 | Med | 0.00 | 4.4 | 0.01 | Aug 1, 2018 | openSUSE openbuildservice before 9.2.4 allowed authenticated users to delete packages on specific projects with project links. | ||
| CVE-2018-1116 | Med | 0.00 | 4.4 | 0.01 | Jul 10, 2018 | A flaw was found in polkit before version 0.116. The implementation of the polkit_backend_interactive_authority_check_authorization function in polkitd allows to test for authentication and trigger authentication of unrelated processes owned by other users. This may result in a… | ||
| CVE-2018-10861 | Hig | 0.00 | 8.1 | 0.03 | Jul 10, 2018 | A flaw was found in the way ceph mon handles user requests. Any authenticated ceph user having read access to ceph can delete, create ceph storage pools and corrupt snapshot images. Ceph branches master, mimic, luminous and jewel are believed to be affected. | ||
| CVE-2018-1082 | — | Hig | 0.00 | 8.1 | 0.02 | Apr 4, 2018 | A flaw was found in Moodle 3.4 to 3.4.1, and 3.3 to 3.3.4. If a user account using OAuth2 authentication method was once confirmed but later suspended, the user could still login to the site. | |
| CVE-2017-9268 | — | Med | 0.00 | 4.4 | 0.01 | Mar 1, 2018 | In the open build service before 201707022 the wipetrigger and rebuild actions checked the wrong project for permissions, allowing authenticated users to cause operations on projects where they did not have permissions leading to denial of service (resource consumption). | |
| CVE-2015-3631 | 0.00 | — | 0.01 | May 18, 2015 | Docker Engine before 1.6.1 allows local users to set arbitrary Linux Security Modules (LSM) and docker_t policies via an image that allows volumes to override files in /proc. | |||
| CVE-2015-3630 | 0.00 | — | 0.01 | May 18, 2015 | Docker Engine before 1.6.1 uses weak permissions for (1) /proc/asound, (2) /proc/timer_stats, (3) /proc/latency_stats, and (4) /proc/fs, which allows local users to modify the host, obtain sensitive information, and perform protocol downgrade attacks via a crafted image. | |||
| CVE-2014-6408 | 0.00 | — | 0.03 | Dec 12, 2014 | Docker 1.3.0 through 1.3.1 allows remote attackers to modify the default run profile of image containers and possibly bypass the container by applying unspecified security options to an image. | |||
| CVE-2014-2349 | 0.00 | — | 0.01 | May 22, 2014 | Emerson DeltaV 10.3.1, 11.3, 11.3.1, and 12.3 uses hardcoded credentials for diagnostic services, which allows remote attackers to bypass intended access restrictions via a TCP session, as demonstrated by a session that uses the telnet program. |
- CVE-2018-1000408Jan 9, 2019risk 0.00cvss —epss 0.01
A denial of service vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java that allows attackers without Overall/Read permission to access a specific URL on instances using the built-in…
- CVE-2018-14637Nov 30, 2018risk 0.00cvss —epss 0.01
The SAML broker consumer endpoint in Keycloak before version 4.6.0.Final ignores expiration conditions on SAML assertions. An attacker can exploit this vulnerability to perform a replay attack.
- risk 0.00cvss 6.0epss 0.01
Authorized users of the openbuildservice before 2.9.4 could delete packages by using a malicious request against projects having the OBS:InitializeDevelPackage attribute, a similar issue to CVE-2018-7689.
- risk 0.00cvss 4.4epss 0.01
openSUSE openbuildservice before 9.2.4 allowed authenticated users to delete packages on specific projects with project links.
- risk 0.00cvss 4.4epss 0.01
A flaw was found in polkit before version 0.116. The implementation of the polkit_backend_interactive_authority_check_authorization function in polkitd allows to test for authentication and trigger authentication of unrelated processes owned by other users. This may result in a…
- risk 0.00cvss 8.1epss 0.03
A flaw was found in the way ceph mon handles user requests. Any authenticated ceph user having read access to ceph can delete, create ceph storage pools and corrupt snapshot images. Ceph branches master, mimic, luminous and jewel are believed to be affected.
- risk 0.00cvss 8.1epss 0.02
A flaw was found in Moodle 3.4 to 3.4.1, and 3.3 to 3.3.4. If a user account using OAuth2 authentication method was once confirmed but later suspended, the user could still login to the site.
- risk 0.00cvss 4.4epss 0.01
In the open build service before 201707022 the wipetrigger and rebuild actions checked the wrong project for permissions, allowing authenticated users to cause operations on projects where they did not have permissions leading to denial of service (resource consumption).
- CVE-2015-3631May 18, 2015risk 0.00cvss —epss 0.01
Docker Engine before 1.6.1 allows local users to set arbitrary Linux Security Modules (LSM) and docker_t policies via an image that allows volumes to override files in /proc.
- CVE-2015-3630May 18, 2015risk 0.00cvss —epss 0.01
Docker Engine before 1.6.1 uses weak permissions for (1) /proc/asound, (2) /proc/timer_stats, (3) /proc/latency_stats, and (4) /proc/fs, which allows local users to modify the host, obtain sensitive information, and perform protocol downgrade attacks via a crafted image.
- CVE-2014-6408Dec 12, 2014risk 0.00cvss —epss 0.03
Docker 1.3.0 through 1.3.1 allows remote attackers to modify the default run profile of image containers and possibly bypass the container by applying unspecified security options to an image.
- CVE-2014-2349May 22, 2014risk 0.00cvss —epss 0.01
Emerson DeltaV 10.3.1, 11.3, 11.3.1, and 12.3 uses hardcoded credentials for diagnostic services, which allows remote attackers to bypass intended access restrictions via a TCP session, as demonstrated by a session that uses the telnet program.