CWE-862

Missing Authorization

ClassIncompleteLikelihood: High

Description

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Hierarchy (View 1000)

Parents

CWE-285

Children

Related attack patterns (CAPEC)

CAPEC-665

CVEs mapped to this weakness (5,392)

page 264 of 270

CVE	Vendor / Product	CVSS	EPSS	Published	Description
CVE-2021-21625	Jenkins Project CloudBees AWS Credentials Plugin	—	0.00	Mar 18, 2021	Jenkins CloudBees AWS Credentials Plugin 1.28 and earlier does not perform a permission check in a helper method for HTTP endpoints, allowing attackers with Overall/Read permission to enumerate credentials IDs of AWS credentials stored in Jenkins in some circumstances.
CVE-2021-20283	—	—	0.00	Mar 15, 2021	The web service responsible for fetching other users' enrolled courses did not validate that the requesting user had permission to view that information in each course in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.
CVE-2020-29604	—	—	0.00	Jan 29, 2021	An issue was discovered in MantisBT before 2.24.4. A missing access check in bug_actiongroup.php allows an attacker (with rights to create new issues) to use the COPY group action to create a clone, including all bugnotes and attachments, of any private issue (i.e., one having…
CVE-2020-25629	—	—	0.01	Dec 8, 2020	A vulnerability was found in Moodle where users with "Log in as" capability in a course context (typically, course managers) may gain access to some site administration capabilities by "logging in as" a System manager. This affects 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5…
CVE-2020-2323	Jenkins Project Chaos Monkey Plugin	—	0.00	Dec 3, 2020	Jenkins Chaos Monkey Plugin 0.4 and earlier does not perform permission checks in an HTTP endpoint, allowing attackers with Overall/Read permission to access the Chaos Monkey page and to see the history of actions.
CVE-2020-2322	Jenkins Project Chaos Monkey Plugin	—	0.00	Dec 3, 2020	Jenkins Chaos Monkey Plugin 0.3 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to generate load and to generate memory leaks.
CVE-2020-25711	Infinite Infinispan	—	0.00	Dec 3, 2020	A flaw was found in infinispan 10 REST API, where authorization permissions are not checked while performing some server management operations. When authz is enabled, any user with authentication can perform operations like shutting down the server without the ADMIN role.
CVE-2017-15680	—	—	0.01	Nov 27, 2020	In Crafter CMS Crafter Studio 3.0.1 an IDOR vulnerability exists which allows unauthenticated attackers to view and modify administrative data.
CVE-2020-26231	Octobercms October	—	0.00	Nov 23, 2020	October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. A bypass of CVE-2020-15247 (fixed in 1.0.469 and 1.1.0) was discovered that has the same impact as CVE-2020-15247. An authenticated backend user with the cms.manage_pages,…
CVE-2020-15247	Octobercms October	—	0.00	Nov 23, 2020	October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.469, an authenticated backend user with the cms.manage_pages, cms.manage_layouts, or cms.manage_partials permissions who would…
CVE-2020-2313	Jenkins Project Azure VM Agents Plugin	—	0.00	Nov 4, 2020	A missing permission check in Jenkins Azure Key Vault Plugin 2.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
CVE-2020-2310	Jenkins Project Ansible Tower Plugin	—	0.00	Nov 4, 2020	Missing permission checks in Jenkins Ansible Plugin 1.0 and earlier allow attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
CVE-2020-2311	Jenkins Project AWS Global Configuration Plugin	—	0.00	Nov 4, 2020	A missing permission check in Jenkins AWS Global Configuration Plugin 1.5 and earlier allows attackers with Overall/Read permission to replace the global AWS configuration.
CVE-2020-2308	Jenkins Project Jenkins Kubernetes :: Pipeline :: Kubernetes Steps Plugin	—	0.00	Nov 4, 2020	A missing permission check in Jenkins Kubernetes Plugin 1.27.3 and earlier allows attackers with Overall/Read permission to list global pod template names.
CVE-2020-2309	Jenkins Project Jenkins Kubernetes :: Pipeline :: Kubernetes Steps Plugin	—	0.00	Nov 4, 2020	A missing/An incorrect permission check in Jenkins Kubernetes Plugin 1.27.3 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
CVE-2020-2306	Jenkins Project Mercurial Plugin	—	0.00	Nov 4, 2020	A missing permission check in Jenkins Mercurial Plugin 2.11 and earlier allows attackers with Overall/Read permission to obtain a list of names of configured Mercurial installations.
CVE-2020-2302	Jenkins Project Active Directory Jenkins Plugin	—	0.00	Nov 4, 2020	A missing permission check in Jenkins Active Directory Plugin 2.19 and earlier allows attackers with Overall/Read permission to access the domain health check diagnostic page.
CVE-2020-27998	—	—	0.01	Oct 29, 2020	An issue was discovered in FastReport before 2020.4.0. It lacks a ScriptSecurity feature and therefore may mishandle (for example) GetType, typeof, TypeOf, DllImport, LoadLibrary, and GetProcAddress.
CVE-2020-27664	—	—	0.01	Oct 22, 2020	admin/src/containers/InputModalStepperProvider/index.js in Strapi before 3.2.5 has unwanted /proxy?url= functionality.
CVE-2020-15245	Sylius Sylius	—	0.00	Oct 19, 2020	In Sylius before versions 1.6.9, 1.7.9 and 1.8.3, the user may register in a shop by email mail@example.com, verify it, change it to the mail another@domain.com and stay verified and enabled. This may lead to having accounts addressed to totally different emails, that were…

CVE-2021-21625Mar 18, 2021
Jenkins Project
CloudBees AWS Credentials Plugin
risk 0.00cvss —epss 0.00
Jenkins CloudBees AWS Credentials Plugin 1.28 and earlier does not perform a permission check in a helper method for HTTP endpoints, allowing attackers with Overall/Read permission to enumerate credentials IDs of AWS credentials stored in Jenkins in some circumstances.
CVE-2021-20283Mar 15, 2021
risk 0.00cvss —epss 0.00
The web service responsible for fetching other users' enrolled courses did not validate that the requesting user had permission to view that information in each course in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.
CVE-2020-29604Jan 29, 2021
risk 0.00cvss —epss 0.00
An issue was discovered in MantisBT before 2.24.4. A missing access check in bug_actiongroup.php allows an attacker (with rights to create new issues) to use the COPY group action to create a clone, including all bugnotes and attachments, of any private issue (i.e., one having…
CVE-2020-25629Dec 8, 2020
risk 0.00cvss —epss 0.01
A vulnerability was found in Moodle where users with "Log in as" capability in a course context (typically, course managers) may gain access to some site administration capabilities by "logging in as" a System manager. This affects 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5…
CVE-2020-2323Dec 3, 2020
Jenkins Project
Chaos Monkey Plugin
risk 0.00cvss —epss 0.00
Jenkins Chaos Monkey Plugin 0.4 and earlier does not perform permission checks in an HTTP endpoint, allowing attackers with Overall/Read permission to access the Chaos Monkey page and to see the history of actions.
CVE-2020-2322Dec 3, 2020
Jenkins Project
Chaos Monkey Plugin
risk 0.00cvss —epss 0.00
Jenkins Chaos Monkey Plugin 0.3 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to generate load and to generate memory leaks.
CVE-2020-25711Dec 3, 2020
Infinite
Infinispan
risk 0.00cvss —epss 0.00
A flaw was found in infinispan 10 REST API, where authorization permissions are not checked while performing some server management operations. When authz is enabled, any user with authentication can perform operations like shutting down the server without the ADMIN role.
CVE-2017-15680Nov 27, 2020
risk 0.00cvss —epss 0.01
In Crafter CMS Crafter Studio 3.0.1 an IDOR vulnerability exists which allows unauthenticated attackers to view and modify administrative data.
CVE-2020-26231Nov 23, 2020
Octobercms
October
risk 0.00cvss —epss 0.00
October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. A bypass of CVE-2020-15247 (fixed in 1.0.469 and 1.1.0) was discovered that has the same impact as CVE-2020-15247. An authenticated backend user with the cms.manage_pages,…
CVE-2020-15247Nov 23, 2020
Octobercms
October
risk 0.00cvss —epss 0.00
October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.469, an authenticated backend user with the cms.manage_pages, cms.manage_layouts, or cms.manage_partials permissions who would…
CVE-2020-2313Nov 4, 2020
Jenkins Project
Azure VM Agents Plugin
risk 0.00cvss —epss 0.00
A missing permission check in Jenkins Azure Key Vault Plugin 2.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
CVE-2020-2310Nov 4, 2020
Jenkins Project
Ansible Tower Plugin
risk 0.00cvss —epss 0.00
Missing permission checks in Jenkins Ansible Plugin 1.0 and earlier allow attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
CVE-2020-2311Nov 4, 2020
Jenkins Project
AWS Global Configuration Plugin
risk 0.00cvss —epss 0.00
A missing permission check in Jenkins AWS Global Configuration Plugin 1.5 and earlier allows attackers with Overall/Read permission to replace the global AWS configuration.
CVE-2020-2308Nov 4, 2020
Jenkins Project
Jenkins Kubernetes :: Pipeline :: Kubernetes Steps Plugin
risk 0.00cvss —epss 0.00
A missing permission check in Jenkins Kubernetes Plugin 1.27.3 and earlier allows attackers with Overall/Read permission to list global pod template names.
CVE-2020-2309Nov 4, 2020
Jenkins Project
Jenkins Kubernetes :: Pipeline :: Kubernetes Steps Plugin
risk 0.00cvss —epss 0.00
A missing/An incorrect permission check in Jenkins Kubernetes Plugin 1.27.3 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
CVE-2020-2306Nov 4, 2020
Jenkins Project
Mercurial Plugin
risk 0.00cvss —epss 0.00
A missing permission check in Jenkins Mercurial Plugin 2.11 and earlier allows attackers with Overall/Read permission to obtain a list of names of configured Mercurial installations.
CVE-2020-2302Nov 4, 2020
Jenkins Project
Active Directory Jenkins Plugin
risk 0.00cvss —epss 0.00
A missing permission check in Jenkins Active Directory Plugin 2.19 and earlier allows attackers with Overall/Read permission to access the domain health check diagnostic page.
CVE-2020-27998Oct 29, 2020
risk 0.00cvss —epss 0.01
An issue was discovered in FastReport before 2020.4.0. It lacks a ScriptSecurity feature and therefore may mishandle (for example) GetType, typeof, TypeOf, DllImport, LoadLibrary, and GetProcAddress.
CVE-2020-27664Oct 22, 2020
risk 0.00cvss —epss 0.01
admin/src/containers/InputModalStepperProvider/index.js in Strapi before 3.2.5 has unwanted /proxy?url= functionality.
CVE-2020-15245Oct 19, 2020
Sylius
Sylius
risk 0.00cvss —epss 0.00
In Sylius before versions 1.6.9, 1.7.9 and 1.8.3, the user may register in a shop by email mail@example.com, verify it, change it to the mail another@domain.com and stay verified and enabled. This may lead to having accounts addressed to totally different emails, that were…