VYPR

CWE-285

Improper Authorization

ClassDraftLikelihood: High

Description

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-1 · CAPEC-104 · CAPEC-127 · CAPEC-13 · CAPEC-17 · CAPEC-39 · CAPEC-402 · CAPEC-45 · CAPEC-5 · CAPEC-51 · CAPEC-59 · CAPEC-60 · CAPEC-647 · CAPEC-668 · CAPEC-76 · CAPEC-77 · CAPEC-87

CVEs mapped to this weakness (812)

page 41 of 41
  • CVE-2018-1000408Jan 9, 2019
    risk 0.00cvss epss 0.01

    A denial of service vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java that allows attackers without Overall/Read permission to access a specific URL on instances using the built-in…

  • CVE-2018-14637Nov 30, 2018
    risk 0.00cvss epss 0.01

    The SAML broker consumer endpoint in Keycloak before version 4.6.0.Final ignores expiration conditions on SAML assertions. An attacker can exploit this vulnerability to perform a replay attack.

  • CVE-2018-12467MedAug 1, 2018
    risk 0.00cvss 6.0epss 0.01

    Authorized users of the openbuildservice before 2.9.4 could delete packages by using a malicious request against projects having the OBS:InitializeDevelPackage attribute, a similar issue to CVE-2018-7689.

  • CVE-2018-12466MedAug 1, 2018
    risk 0.00cvss 4.4epss 0.01

    openSUSE openbuildservice before 9.2.4 allowed authenticated users to delete packages on specific projects with project links.

  • CVE-2018-1116MedJul 10, 2018
    risk 0.00cvss 4.4epss 0.01

    A flaw was found in polkit before version 0.116. The implementation of the polkit_backend_interactive_authority_check_authorization function in polkitd allows to test for authentication and trigger authentication of unrelated processes owned by other users. This may result in a…

  • CVE-2018-10861HigJul 10, 2018
    risk 0.00cvss 8.1epss 0.03

    A flaw was found in the way ceph mon handles user requests. Any authenticated ceph user having read access to ceph can delete, create ceph storage pools and corrupt snapshot images. Ceph branches master, mimic, luminous and jewel are believed to be affected.

  • CVE-2018-1082HigApr 4, 2018
    risk 0.00cvss 8.1epss 0.02

    A flaw was found in Moodle 3.4 to 3.4.1, and 3.3 to 3.3.4. If a user account using OAuth2 authentication method was once confirmed but later suspended, the user could still login to the site.

  • CVE-2017-9268MedMar 1, 2018
    risk 0.00cvss 4.4epss 0.01

    In the open build service before 201707022 the wipetrigger and rebuild actions checked the wrong project for permissions, allowing authenticated users to cause operations on projects where they did not have permissions leading to denial of service (resource consumption).

  • CVE-2015-3631May 18, 2015
    risk 0.00cvss epss 0.01

    Docker Engine before 1.6.1 allows local users to set arbitrary Linux Security Modules (LSM) and docker_t policies via an image that allows volumes to override files in /proc.

  • CVE-2015-3630May 18, 2015
    risk 0.00cvss epss 0.01

    Docker Engine before 1.6.1 uses weak permissions for (1) /proc/asound, (2) /proc/timer_stats, (3) /proc/latency_stats, and (4) /proc/fs, which allows local users to modify the host, obtain sensitive information, and perform protocol downgrade attacks via a crafted image.

  • CVE-2014-6408Dec 12, 2014
    risk 0.00cvss epss 0.03

    Docker 1.3.0 through 1.3.1 allows remote attackers to modify the default run profile of image containers and possibly bypass the container by applying unspecified security options to an image.

  • CVE-2014-2349May 22, 2014
    risk 0.00cvss epss 0.01

    Emerson DeltaV 10.3.1, 11.3, 11.3.1, and 12.3 uses hardcoded credentials for diagnostic services, which allows remote attackers to bypass intended access restrictions via a TCP session, as demonstrated by a session that uses the telnet program.