VYPR

CWE-862

Missing Authorization

ClassIncompleteLikelihood: High

Description

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-665

CVEs mapped to this weakness (5,549)

page 81 of 278
  • CVE-2022-4169MedNov 28, 2022
    risk 0.42cvss 6.5epss 0.01

    The Theme and plugin translation for Polylang is vulnerable to authorization bypass in versions up to, and including, 3.2.16 due to missing capability checks in the process_polylang_theme_translation_wp_loaded() function. This makes it possible for unauthenticated attackers to…

  • CVE-2022-41930HigNov 23, 2022
    risk 0.42cvss 7.5epss 0.01

    org.xwiki.platform:xwiki-platform-user-profile-ui is missing authorization to enable or disable users. Any user (logged in or not) with access to the page XWiki.XWikiUserProfileSheet can enable or disable any user profile. This might allow to a disabled user to re-enable…

  • CVE-2022-45385HigNov 15, 2022
    risk 0.42cvss 7.5epss 0.01

    A missing permission check in Jenkins CloudBees Docker Hub/Registry Notification Plugin 2.6.2 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository.

  • CVE-2022-40308HigNov 15, 2022
    risk 0.42cvss 7.5epss 0.01

    If anonymous read enabled, it's possible to read the database file directly without logging in.

  • CVE-2022-41254MedSep 21, 2022
    risk 0.42cvss 6.5epss 0.01

    Missing permission checks in Jenkins CONS3RT Plugin 1.0.0 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

  • CVE-2022-41250MedSep 21, 2022
    risk 0.42cvss 6.5epss 0.01

    A missing permission check in Jenkins SCM HttpClient Plugin 1.5 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in…

  • CVE-2022-41246MedSep 21, 2022
    risk 0.42cvss 6.5epss 0.01

    A missing permission check in Jenkins Worksoft Execution Manager Plugin 10.0.3.503 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials…

  • CVE-2022-36909MedJul 27, 2022
    risk 0.42cvss 6.5epss 0.01

    A missing permission check in Jenkins OpenShift Deployer Plugin 1.2.0 and earlier allows attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system and to upload a SSH key file from the Jenkins…

  • CVE-2022-36907MedJul 27, 2022
    risk 0.42cvss 6.5epss 0.01

    A missing permission check in Jenkins OpenShift Deployer Plugin 1.2.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password.

  • CVE-2022-36883HigJul 27, 2022
    risk 0.42cvss 7.5epss 0.06

    A missing permission check in Jenkins Git Plugin 4.11.3 and earlier allows unauthenticated attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit.

  • CVE-2022-2108MedJul 18, 2022
    risk 0.42cvss 6.5epss 0.01

    The plugin Wbcom Designs – BuddyPress Group Reviews for WordPress is vulnerable to unauthorized settings changes and review modification due to missing capability checks and improper nonce checks in several functions related to said actions in versions up to, and including,…

  • CVE-2022-34810MedJun 30, 2022
    risk 0.42cvss 6.5epss 0.01

    A missing check in Jenkins RQM Plugin 2.8 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

  • CVE-2022-34794MedJun 30, 2022
    risk 0.42cvss 6.5epss 0.01

    Missing permission checks in Jenkins Recipe Plugin 1.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

  • CVE-2022-34210MedJun 23, 2022
    risk 0.42cvss 6.5epss 0.01

    A missing permission check in Jenkins ThreadFix Plugin 1.5.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL.

  • CVE-2022-34201MedJun 23, 2022
    risk 0.42cvss 6.5epss 0.01

    A missing permission check in Jenkins Convertigo Mobile Platform Plugin 1.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL.

  • CVE-2022-34180HigJun 23, 2022
    risk 0.42cvss 7.5epss 0.01

    Jenkins Embeddable Build Status Plugin 2.0.3 and earlier does not correctly perform the ViewStatus permission check in the HTTP endpoint it provides for "unprotected" status badge access, allowing attackers without any permissions to obtain the build status badge icon for any…

  • CVE-2022-30959MedMay 17, 2022
    risk 0.42cvss 6.5epss 0.01

    A missing permission check in Jenkins SSH Plugin 2.6.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

  • CVE-2022-1442HigMay 10, 2022
    risk 0.42cvss 7.5epss 0.10

    The Metform WordPress plugin is vulnerable to sensitive information disclosure due to improper access control in the ~/core/forms/action.php file which can be exploited by an unauthenticated attacker to view all API keys and secrets of integrated third-party APIs like that of…

  • CVE-2022-28158MedMar 29, 2022
    risk 0.42cvss 6.5epss 0.01

    A missing permission check in Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

  • CVE-2022-28144MedMar 29, 2022
    risk 0.42cvss 6.5epss 0.01

    Jenkins Proxmox Plugin 0.7.0 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified host using attacker-specified username and password (perform a connection test), disable…