VYPR

CWE-551

Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

Abstraction: Base. Status: Incomplete

Description

If a web server does not fully parse and canonicalize a requested URL before it examines the URL for authorization, an attacker may be able to bypass the authorization protection, because the access-control check and the resource-resolution step see two different strings.

For instance, the character strings /./ and / both mean the current directory. If /SomeDirectory is a protected directory and an attacker requests /./SomeDirectory, the attacker may be able to gain access to the resource if /./ is not converted to / before the authorization check is performed. The same applies to any other spelling of a path that the server later resolves to the protected one: percent-encoded segments such as %2e, ../ segments, repeated slashes, or a mix of these.
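As an added illustration (not part of the CWE entry and not taken from any of the products listed below), the following Python fragment contrasts a naive authorization check that inspects the raw request path with one that canonicalizes first. The protected prefix /SomeDirectory, the function names and the sample paths are assumptions chosen to match the description above; the canonicalization shown (percent-decode once, then collapse dot segments and duplicate slashes with posixpath.normpath) is one reasonable ordering, not the only correct one.

```python
import posixpath
from urllib.parse import unquote

# Assumed protected prefix, matching the CWE description's example.
PROTECTED_PREFIXES = ("/SomeDirectory",)


def canonicalize_path(raw_path: str) -> str:
    """Return the canonical form of a request path.

    Order matters: decode percent-escapes first (so %2e becomes '.'), then
    resolve dot segments and collapse duplicate slashes. Raises ValueError
    for characters that should never appear in a path the server resolves.
    """
    decoded = unquote(raw_path)
    if "\x00" in decoded or "\\" in decoded:
        raise ValueError("path contains a NUL byte or backslash")
    if not decoded.startswith("/"):
        decoded = "/" + decoded
    norm = posixpath.normpath(decoded)
    # posixpath.normpath deliberately preserves a leading '//' (POSIX leaves
    # its meaning implementation-defined); for URL paths it is just '/'.
    if norm.startswith("//"):
        norm = "/" + norm.lstrip("/")
    return norm


def is_protected(path: str) -> bool:
    """True when path is a protected prefix or lies beneath one."""
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)


def authorize_naive(raw_path: str, is_admin: bool) -> bool:
    """Vulnerable ordering: authorization runs on the unparsed request path.

    '/./SomeDirectory/x' does not start with '/SomeDirectory', so the check
    passes even though the file server will later resolve it to the
    protected directory.
    """
    if is_protected(raw_path) and not is_admin:
        return False
    return True


def authorize_hardened(raw_path: str, is_admin: bool) -> bool:
    """Correct ordering: canonicalize, then authorize the canonical path."""
    try:
        path = canonicalize_path(raw_path)
    except ValueError:
        return False  # malformed path: deny rather than guess
    if is_protected(path) and not is_admin:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample requests; none is a real endpoint.
    for raw in ("/./SomeDirectory/secret.txt",
                "/%2e/SomeDirectory/secret.txt",
                "//SomeDirectory/secret.txt",
                "/public/../SomeDirectory/secret.txt",
                "/public/index.html"):
        print(f"{raw:40} naive={authorize_naive(raw, False)!s:5} "
              f"hardened={authorize_hardened(raw, False)}")
```

Running the block shows each alternate spelling of the protected path slipping past authorize_naive while authorize_hardened denies it, and the plain public path still being allowed. The one defensive detail worth noting is the leading-double-slash fix-up: normpath alone leaves //SomeDirectory unchanged, so a canonicalizer built on it without that step would still disagree with the file resolver.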

Hierarchy (View 1000)

Children

none

CVEs mapped to this weakness (8)

  • CVE-2016-20030 (Critical) Mar 16, 2026
    risk 0.64, cvss 9.8, epss 0.01

    ZKTeco ZKBioSecurity 3.0 contains a user enumeration vulnerability that allows unauthenticated attackers to discover valid usernames by submitting partial characters via the username parameter. Attackers can send requests to the authLoginAction!login.do script with varying…

  • CVE-2026-4636 (High) Apr 2, 2026
    risk 0.46, cvss 8.1, epss 0.00

    A flaw was found in Keycloak. An authenticated user with the uma_protection role can bypass User-Managed Access (UMA) policy validation. This allows the attacker to include resource identifiers owned by other users in a policy creation request, even if the URL path specifies an…

  • CVE-2026-0707 (Medium) Jan 8, 2026
    risk 0.27, cvss 5.3, epss 0.00

    A flaw was found in Keycloak. The Keycloak Authorization header parser is overly permissive regarding the formatting of the "Bearer" authentication scheme. It accepts non-standard characters (such as tabs) as separators and tolerates case variations that deviate from RFC 6750…

  • CVE-2021-34429 Jul 15, 2021
    risk 0.11, cvss (not listed), epss 0.99

    For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in…

  • CVE-2021-28164 Apr 1, 2021
    risk 0.10, cvss (not listed), epss 0.82

    In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example, a request to /context/%2e/WEB-INF/web.xml can retrieve the…

  • CVE-2021-28165 Apr 1, 2021
    risk 0.01, cvss (not listed), epss 0.54

    In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.

  • CVE-2023-6394 Dec 9, 2023
    risk 0.00, cvss (not listed), epss 0.01

    A flaw was found in Quarkus. This issue occurs when a request is received over WebSocket with no role-based permission specified on the GraphQL operation: Quarkus processes the request without authentication despite the endpoint being secured. This can allow an attacker to access…

  • CVE-2023-23924 Jan 31, 2023
    risk 0.00, cvss (not listed), epss 0.04

    Dompdf is an HTML to PDF converter. The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing `` tags with uppercase letters. This may lead to arbitrary object unserialize on PHP < 8, through the `phar` URL wrapper. An attacker can exploit the…