CWE-862
Missing Authorization
Description
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-665
CVEs mapped to this weakness (5,392)
page 266 of 270| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-12700 | — | 0.00 | — | 0.00 | May 13, 2020 | The direct_mail extension through 5.2.3 for TYPO3 allows Information Disclosure via a newsletter subscriber data Special Query. | ||
| CVE-2020-12698 | — | 0.00 | — | 0.00 | May 13, 2020 | The direct_mail extension through 5.2.3 for TYPO3 has Broken Access Control for newsletter subscriber tables. | ||
| CVE-2020-11671 | — | 0.00 | — | 0.00 | May 4, 2020 | Lack of authorization controls in REST API functions in TeamPass through 2.1.27.36 allows any TeamPass user with a valid API token to become a TeamPass administrator and read/modify all passwords via authenticated api/index.php REST API calls. NOTE: the API is not available by… | ||
| CVE-2020-10187 | — | 0.00 | — | 0.00 | May 4, 2020 | Doorkeeper version 5.0.0 and later contains an information disclosure vulnerability that allows an attacker to retrieve the client secret only intended for the OAuth application owner. After authorizing the application and allowing access, the attacker simply needs to request… | ||
| CVE-2020-10684 | 0.00 | — | 0.00 | Mar 24, 2020 | A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. An attacker… | |||
| CVE-2019-14883 | — | 0.00 | — | 0.00 | Mar 18, 2020 | A vulnerability was found in Moodle 3.6 before 3.6.7 and 3.7 before 3.7.3, where tokens used to fetch inline atachments in email notifications were not disabled when a user's account was no longer active. Note: to access files, a user would need to know the file path, and their… | ||
| CVE-2020-2142 | 0.00 | — | 0.00 | Mar 9, 2020 | A missing permission check in Jenkins P4 Plugin 1.10.10 and earlier allows attackers with Overall/Read permission to trigger builds. | |||
| CVE-2020-5228 | 0.00 | — | 0.00 | Jan 30, 2020 | Opencast before 8.1 and 7.6 allows unauthorized public access to all media and metadata by default via OAI-PMH. OAI-PMH is part of the default workflow and is activated by default, requiring active user intervention of users to protect media. This leads to users unknowingly… | |||
| CVE-2020-2094 | 0.00 | — | 0.00 | Jan 15, 2020 | A missing permission check in Jenkins Health Advisor by CloudBees Plugin 3.0 and earlier allows attackers with Overall/Read permission to send a fixed email to an attacker-specific recipient. | |||
| CVE-2020-2091 | 0.00 | — | 0.00 | Jan 15, 2020 | A missing permission check in Jenkins Amazon EC2 Plugin 1.47 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL within the AWS region using attacker-specified credentials IDs obtained through another method. | |||
| CVE-2019-19899 | — | 0.00 | — | 0.00 | Dec 18, 2019 | Pebble Templates 3.1.2 allows attackers to bypass a protection mechanism (intended to block access to instances of java.lang.Class) because getClass is accessible via the public static java.lang.Class java.lang.Class.forName(java.lang.Module,java.lang.String) signature. | ||
| CVE-2019-16576 | 0.00 | — | 0.00 | Dec 17, 2019 | A missing permission check in Jenkins Alauda Kubernetes Suport Plugin 2.3.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing the Kubernetes… | |||
| CVE-2019-16574 | 0.00 | — | 0.00 | Dec 17, 2019 | A missing permission check in Jenkins Alauda DevOps Pipeline Plugin 2.3.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in… | |||
| CVE-2019-16571 | 0.00 | — | 0.00 | Dec 17, 2019 | A missing permission check in Jenkins RapidDeploy Plugin 4.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified web server. | |||
| CVE-2019-16567 | 0.00 | — | 0.00 | Dec 17, 2019 | A missing permission check in Jenkins Team Concert Plugin 1.3.0 and earlier in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins. | |||
| CVE-2019-16566 | 0.00 | — | 0.00 | Dec 17, 2019 | A missing permission check in Jenkins Team Concert Plugin 1.3.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | |||
| CVE-2019-16547 | 0.00 | — | 0.00 | Nov 21, 2019 | Missing permission checks in various API endpoints in Jenkins Google Compute Engine Plugin 4.1.1 and earlier allow attackers with Overall/Read permission to obtain limited information about the plugin configuration and environment. | |||
| CVE-2019-10457 | 0.00 | — | 0.00 | Oct 16, 2019 | A missing permission check in Jenkins Oracle Cloud Infrastructure Compute Classic Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials. | |||
| CVE-2019-10455 | 0.00 | — | 0.00 | Oct 16, 2019 | A missing permission check in Jenkins Rundeck Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials. | |||
| CVE-2019-10445 | 0.00 | — | 0.00 | Oct 16, 2019 | A missing permission check in Jenkins Google Kubernetes Engine Plugin 0.7.0 and earlier allowed attackers with Overall/Read permission to obtain limited information about the scope of a credential with an attacker-specified credentials ID. |
- CVE-2020-12700May 13, 2020risk 0.00cvss —epss 0.00
The direct_mail extension through 5.2.3 for TYPO3 allows Information Disclosure via a newsletter subscriber data Special Query.
- CVE-2020-12698May 13, 2020risk 0.00cvss —epss 0.00
The direct_mail extension through 5.2.3 for TYPO3 has Broken Access Control for newsletter subscriber tables.
- CVE-2020-11671May 4, 2020risk 0.00cvss —epss 0.00
Lack of authorization controls in REST API functions in TeamPass through 2.1.27.36 allows any TeamPass user with a valid API token to become a TeamPass administrator and read/modify all passwords via authenticated api/index.php REST API calls. NOTE: the API is not available by…
- CVE-2020-10187May 4, 2020risk 0.00cvss —epss 0.00
Doorkeeper version 5.0.0 and later contains an information disclosure vulnerability that allows an attacker to retrieve the client secret only intended for the OAuth application owner. After authorizing the application and allowing access, the attacker simply needs to request…
- CVE-2020-10684Mar 24, 2020risk 0.00cvss —epss 0.00
A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. An attacker…
- CVE-2019-14883Mar 18, 2020risk 0.00cvss —epss 0.00
A vulnerability was found in Moodle 3.6 before 3.6.7 and 3.7 before 3.7.3, where tokens used to fetch inline atachments in email notifications were not disabled when a user's account was no longer active. Note: to access files, a user would need to know the file path, and their…
- CVE-2020-2142Mar 9, 2020risk 0.00cvss —epss 0.00
A missing permission check in Jenkins P4 Plugin 1.10.10 and earlier allows attackers with Overall/Read permission to trigger builds.
- CVE-2020-5228Jan 30, 2020risk 0.00cvss —epss 0.00
Opencast before 8.1 and 7.6 allows unauthorized public access to all media and metadata by default via OAI-PMH. OAI-PMH is part of the default workflow and is activated by default, requiring active user intervention of users to protect media. This leads to users unknowingly…
- CVE-2020-2094Jan 15, 2020risk 0.00cvss —epss 0.00
A missing permission check in Jenkins Health Advisor by CloudBees Plugin 3.0 and earlier allows attackers with Overall/Read permission to send a fixed email to an attacker-specific recipient.
- CVE-2020-2091Jan 15, 2020risk 0.00cvss —epss 0.00
A missing permission check in Jenkins Amazon EC2 Plugin 1.47 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL within the AWS region using attacker-specified credentials IDs obtained through another method.
- CVE-2019-19899Dec 18, 2019risk 0.00cvss —epss 0.00
Pebble Templates 3.1.2 allows attackers to bypass a protection mechanism (intended to block access to instances of java.lang.Class) because getClass is accessible via the public static java.lang.Class java.lang.Class.forName(java.lang.Module,java.lang.String) signature.
- CVE-2019-16576Dec 17, 2019risk 0.00cvss —epss 0.00
A missing permission check in Jenkins Alauda Kubernetes Suport Plugin 2.3.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing the Kubernetes…
- CVE-2019-16574Dec 17, 2019risk 0.00cvss —epss 0.00
A missing permission check in Jenkins Alauda DevOps Pipeline Plugin 2.3.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in…
- CVE-2019-16571Dec 17, 2019risk 0.00cvss —epss 0.00
A missing permission check in Jenkins RapidDeploy Plugin 4.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified web server.
- CVE-2019-16567Dec 17, 2019risk 0.00cvss —epss 0.00
A missing permission check in Jenkins Team Concert Plugin 1.3.0 and earlier in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.
- CVE-2019-16566Dec 17, 2019risk 0.00cvss —epss 0.00
A missing permission check in Jenkins Team Concert Plugin 1.3.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
- CVE-2019-16547Nov 21, 2019risk 0.00cvss —epss 0.00
Missing permission checks in various API endpoints in Jenkins Google Compute Engine Plugin 4.1.1 and earlier allow attackers with Overall/Read permission to obtain limited information about the plugin configuration and environment.
- CVE-2019-10457Oct 16, 2019risk 0.00cvss —epss 0.00
A missing permission check in Jenkins Oracle Cloud Infrastructure Compute Classic Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.
- CVE-2019-10455Oct 16, 2019risk 0.00cvss —epss 0.00
A missing permission check in Jenkins Rundeck Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.
- CVE-2019-10445Oct 16, 2019risk 0.00cvss —epss 0.00
A missing permission check in Jenkins Google Kubernetes Engine Plugin 0.7.0 and earlier allowed attackers with Overall/Read permission to obtain limited information about the scope of a credential with an attacker-specified credentials ID.