VYPR

CWE-862

Missing Authorization

ClassIncompleteLikelihood: High

Description

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-665

CVEs mapped to this weakness (5,549)

page 82 of 278
  • CVE-2022-27211MedMar 15, 2022
    risk 0.42cvss 6.5epss 0.01

    A missing permission check in Jenkins Kubernetes Continuous Deploy Plugin 2.3.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing…

  • CVE-2022-27209MedMar 15, 2022
    risk 0.42cvss 6.5epss 0.01

    A missing permission check in Jenkins Kubernetes Continuous Deploy Plugin 2.3.1 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

  • CVE-2022-25201MedFeb 15, 2022
    risk 0.42cvss 6.5epss 0.01

    Missing permission checks in Jenkins Checkmarx Plugin 2022.1.2 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified webserver using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

  • CVE-2022-25193MedFeb 15, 2022
    risk 0.42cvss 6.5epss 0.01

    Missing permission checks in Jenkins Snow Commander Plugin 1.10 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified webserver using attacker-specified credentials IDs obtained through another method, capturing credentials stored in…

  • CVE-2022-23945HigJan 25, 2022
    risk 0.42cvss 7.5epss 0.04

    Missing authentication on ShenYu Admin when register by HTTP. This issue affected Apache ShenYu 2.4.0 and 2.4.1.

  • CVE-2021-21688HigNov 4, 2021
    risk 0.42cvss 7.5epss 0.01

    The agent-to-controller security check FilePath#reading(FileVisitor) in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not reject any operations, allowing users to have unrestricted read access using certain operations (creating archives, FilePath#copyRecursiveTo).

  • CVE-2021-22147MedSep 15, 2021
    risk 0.42cvss 6.5epss 0.01

    Elasticsearch before 7.14.0 did not apply document and field level security to searchable snapshots. This could lead to an authenticated user gaining access to information that they are unauthorized to view.

  • CVE-2021-21432HigApr 9, 2021
    risk 0.42cvss 7.5epss 0.01

    Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. An authentication mechanism added in version 0.7.0 enables some malicious user to obtain secrets utilizing the injected credentials within the `~/.netrc` file. Refer to the…

  • CVE-2021-21637MedMar 30, 2021
    risk 0.42cvss 6.5epss 0.01

    A missing permission check in Jenkins Team Foundation Server Plugin 5.157.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in…

  • CVE-2020-25711MedDec 3, 2020
    risk 0.42cvss 6.5epss 0.01

    A flaw was found in infinispan 10 REST API, where authorization permissions are not checked while performing some server management operations. When authz is enabled, any user with authentication can perform operations like shutting down the server without the ADMIN role.

  • CVE-2017-15680MedNov 27, 2020
    risk 0.42cvss 6.5epss 0.01

    In Crafter CMS Crafter Studio 3.0.1 an IDOR vulnerability exists which allows unauthenticated attackers to view and modify administrative data.

  • CVE-2020-2294MedOct 8, 2020
    risk 0.42cvss 6.5epss 0.01

    Jenkins Maven Cascade Release Plugin 1.3.2 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to start cascade builds and layout builds, and reconfigure the plugin.

  • CVE-2020-10187HigMay 4, 2020
    risk 0.42cvss 7.5epss 0.02

    Doorkeeper version 5.0.0 and later contains an information disclosure vulnerability that allows an attacker to retrieve the client secret only intended for the OAuth application owner. After authorizing the application and allowing access, the attacker simply needs to request…

  • CVE-2019-16576MedDec 17, 2019
    risk 0.42cvss 6.5epss 0.01

    A missing permission check in Jenkins Alauda Kubernetes Suport Plugin 2.3.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing the Kubernetes…

  • CVE-2019-16574MedDec 17, 2019
    risk 0.42cvss 6.5epss 0.01

    A missing permission check in Jenkins Alauda DevOps Pipeline Plugin 2.3.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in…

  • CVE-2019-16566MedDec 17, 2019
    risk 0.42cvss 6.5epss 0.01

    A missing permission check in Jenkins Team Concert Plugin 1.3.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

  • CVE-2019-10387MedAug 7, 2019
    risk 0.42cvss 6.5epss 0.01

    A missing permission check in Jenkins XL TestView Plugin 1.2.0 and earlier in XLTestView.XLTestDescriptor#doTestConnection allows users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method,…

  • CVE-2019-10369MedAug 7, 2019
    risk 0.42cvss 6.5epss 0.01

    A missing permission check in Jenkins JClouds Plugin 2.14 and earlier in BlobStoreProfile.DescriptorImpl#doTestConnection and JCloudsCloud.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified…

  • CVE-2019-10184HigJul 25, 2019
    risk 0.42cvss 7.5epss 0.03

    undertow before version 2.0.23.Final is vulnerable to an information leak issue. Web apps may have their directory structures predicted through requests without trailing slashes via the api.

  • CVE-2019-10330HigMay 31, 2019
    risk 0.42cvss 7.5epss 0.02

    Jenkins Gitea Plugin 1.1.1 and earlier did not implement trusted revisions, allowing attackers without commit access to the Git repo to change Jenkinsfiles even if Jenkins is configured to consider them to be untrusted.