CWE-862
Missing Authorization
Description
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-665
CVEs mapped to this weakness (5,392)
page 253 of 270

| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2023-33265 | 0.00 | — | 0.00 | Jul 18, 2023 | In Hazelcast through 5.0.4, 5.1 through 5.1.6, and 5.2 through 5.2.3, executor services don't check client permissions properly, allowing authenticated users to execute tasks on members without the required permissions granted. |
| CVE-2023-37965 | 0.00 | — | 0.01 | Jul 12, 2023 | A missing permission check in Jenkins ElasticBox CI Plugin 5.0.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. |
| CVE-2023-37963 | 0.00 | — | 0.01 | Jul 12, 2023 | A missing permission check in Jenkins Benchmark Evaluator Plugin 1.0.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL and to check for the existence of directories, `.csv`, and `.ycsb` files on the Jenkins controller file system. |
| CVE-2023-37959 | 0.00 | — | 0.01 | Jul 12, 2023 | A missing permission check in Jenkins Sumologic Publisher Plugin 2.2.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL. |
| CVE-2023-37956 | 0.00 | — | 0.00 | Jul 12, 2023 | A missing permission check in Jenkins Test Results Aggregator Plugin 1.2.13 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials. |
| CVE-2023-37953 | 0.00 | — | 0.00 | Jul 12, 2023 | A missing permission check in Jenkins mabl Plugin 0.0.46 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. |
| CVE-2023-37950 | 0.00 | — | 0.00 | Jul 12, 2023 | A missing permission check in Jenkins mabl Plugin 0.0.46 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. |
| CVE-2023-37949 | 0.00 | — | 0.01 | Jul 12, 2023 | A missing permission check in Jenkins Orka by MacStadium Plugin 1.33 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in… |
| CVE-2023-37945 | 0.00 | — | 0.00 | Jul 12, 2023 | A missing permission check in Jenkins SAML Single Sign On(SSO) Plugin 2.1.0 through 2.3.0 (both inclusive) allows attackers with Overall/Read permission to download a string representation of the current security realm. |
| CVE-2023-37944 | 0.00 | — | 0.01 | Jul 12, 2023 | A missing permission check in Jenkins Datadog Plugin 5.4.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. |
| CVE-2023-36815 | 0.00 | — | 0.00 | Jul 3, 2023 | Sealos is a Cloud Operating System designed for managing cloud-native applications. In version 4.2.0 and prior, there is a permission flaw in the Sealos billing system, which allows users to control the recharge resource account `sealos[.] io/v1/Payment`, resulting in the… |
| CVE-2023-3315 | 0.00 | — | 0.01 | Jun 19, 2023 | Missing permission checks in Jenkins Team Concert Plugin 2.4.1 and earlier allow attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system. |
| CVE-2023-2783 | 0.00 | — | 0.00 | Jun 16, 2023 | Mattermost Apps Framework fails to verify that a secret provided in the incoming webhook request allowing an attacker to modify the contents of the post sent by the Apps. |
| CVE-2023-35149 | 0.00 | — | 0.01 | Jun 14, 2023 | A missing permission check in Jenkins Digital.ai App Management Publisher Plugin 2.6 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL, capturing credentials stored in Jenkins. |
| CVE-2023-34234 | 0.00 | — | 0.00 | Jun 7, 2023 | OpenZeppelin Contracts is a library for smart contract development. By frontrunning the creation of a proposal, an attacker can become the proposer and gain the ability to cancel it. The attacker can do this repeatedly to try to prevent a proposal from being proposed at all.… |
| CVE-2022-39335 | 0.00 | — | 0.00 | May 26, 2023 | Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. The Matrix Federation API allows remote homeservers to request the authorization events in a room. This is necessary so that a homeserver receiving some events can validate that… |
| CVE-2023-33948 | 0.00 | — | 0.00 | May 24, 2023 | The Dynamic Data Mapping module in Liferay Portal 7.4.3.67, and Liferay DXP 7.4 update 67 does not limit Document and Media files which can be downloaded from a Form, which allows remote attackers to download any file from Document and Media via a crafted URL. |
| CVE-2023-31826 | 0.00 | — | 0.00 | May 23, 2023 | Skyscreamer Open Source Nevado JMS v1.3.2 does not perform security checks when receiving messages. This allows attackers to execute arbitrary commands via supplying crafted data. |
| CVE-2023-33252 | 0.00 | — | 0.00 | May 21, 2023 | iden3 snarkjs through 0.6.11 allows double spending because there is no validation that the publicSignals length is less than the field modulus. |
| CVE-2023-2590 | 0.00 | — | 0.00 | May 9, 2023 | Missing Authorization in GitHub repository answerdev/answer prior to 1.0.9. |