VYPR

CWE-863

Incorrect Authorization

ClassIncompleteLikelihood: High

Description

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Hierarchy (View 1000)

CVEs mapped to this weakness (1,530)

page 73 of 77
  • CVE-2021-3127Mar 16, 2021
    risk 0.00cvss epss 0.01

    NATS Server 2.x before 2.2.0 and JWT library before 2.0.1 have Incorrect Access Control because Import Token bindings are mishandled.

  • CVE-2021-20283Mar 15, 2021
    risk 0.00cvss epss 0.01

    The web service responsible for fetching other users' enrolled courses did not validate that the requesting user had permission to view that information in each course in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.

  • CVE-2021-20282Mar 15, 2021
    risk 0.00cvss epss 0.01

    When creating a user account, it was possible to verify the account without having access to the verification email link/secret in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.

  • CVE-2021-20281Mar 15, 2021
    risk 0.00cvss epss 0.01

    It was possible for some users without permission to view other users' full names to do so via the online users block in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.

  • CVE-2021-22134Mar 8, 2021
    risk 0.00cvss epss 0.01

    A document disclosure flaw was found in Elasticsearch versions after 7.6.0 and before 7.11.0 when Document or Field Level Security is used. Get requests do not properly apply security permissions when executing a query against a recently updated document. This affects documents…

  • CVE-2021-22113Feb 23, 2021
    risk 0.00cvss epss 0.01

    Applications using the “Sensitive Headers” functionality in Spring Cloud Netflix Zuul 2.2.6.RELEASE and below may be vulnerable to bypassing the “Sensitive Headers” restriction when executing requests with specially constructed URLs. Applications that use Spring…

  • CVE-2021-3396Feb 17, 2021
    risk 0.00cvss epss 0.02

    OpenNMS Meridian 2016, 2017, 2018 before 2018.1.25, 2019 before 2019.1.16, and 2020 before 2020.1.5, Horizon 1.2 through 27.0.4, and Newts <1.5.3 has Incorrect Access Control, which allows local and remote code execution using JEXL expressions.

  • CVE-2021-20188Feb 11, 2021
    risk 0.00cvss epss 0.00

    A flaw was found in podman before 1.7.0. File permissions for non-root users running in a privileged container are not correctly checked. This flaw can be abused by a low-privileged user inside the container to access any other file in the container, even if owned by the root…

  • CVE-2020-29605Jan 29, 2021
    risk 0.00cvss epss 0.01

    An issue was discovered in MantisBT before 2.24.4. Due to insufficient access-level checks, any logged-in user allowed to perform Group Actions can get access to the Summary fields of private Issues via bug_arr[]= in a crafted bug_actiongroup_page.php URL. (The target Issues can…

  • CVE-2020-1725Jan 28, 2021
    risk 0.00cvss epss 0.01

    A flaw was found in keycloak before version 13.0.0. In some scenarios a user still has access to a resource after changing the role mappings in Keycloak and after expiration of the previous access token.

  • CVE-2020-9492Jan 26, 2021
    risk 0.00cvss epss 0.04

    In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification.

  • CVE-2021-21609Jan 13, 2021
    risk 0.00cvss epss 0.01

    Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not correctly match requested URLs to the list of always accessible paths, allowing attackers without Overall/Read permission to access some URLs as if they did have Overall/Read permission.

  • CVE-2020-35849Dec 30, 2020
    risk 0.00cvss epss 0.02

    An issue was discovered in MantisBT before 2.24.4. An incorrect access check in bug_revision_view_page.php allows an unprivileged attacker to view the Summary field of private issues, as well as bugnotes revisions, gaining access to potentially confidential information via the…

  • CVE-2020-8920Dec 10, 2020
    risk 0.00cvss epss 0.00

    An information leak vulnerability exists in Gerrit versions prior to 2.14.22, 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where an overoptimization with the FilteredRepository wrapper skips the verification of access on All-Users repositories, allowing an attacker to get read access…

  • CVE-2020-26250Dec 1, 2020
    risk 0.00cvss epss 0.01

    OAuthenticator is an OAuth login mechanism for JupyterHub. In oauthenticator from version 0.12.0 and before 0.12.2, the deprecated (in jupyterhub 1.2) configuration `Authenticator.whitelist`, which should be transparently mapped to `Authenticator.allowed_users` with a warning,…

  • CVE-2020-15248Nov 23, 2020
    risk 0.00cvss epss 0.00

    October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.470, backend users with the default "Publisher" system role have access to create & manage users where they can choose which…

  • CVE-2020-15246Nov 23, 2020
    risk 0.00cvss epss 0.02

    October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.421 and before version 1.0.469, an attacker can read local files on an October CMS server via a specially crafted request. Issue has been patched in Build…

  • CVE-2020-28053Nov 23, 2020
    risk 0.00cvss epss 0.01

    HashiCorp Consul and Consul Enterprise 1.2.0 up to 1.8.5 allowed operators with operator:read ACL permissions to read the Connect CA private key configuration. Fixed in 1.6.10, 1.7.10, and 1.8.6.

  • CVE-2020-25701Nov 19, 2020
    risk 0.00cvss epss 0.01

    If the upload course tool in Moodle was used to delete an enrollment method which did not exist or was not already enabled, the tool would erroneously enable that enrollment method. This could lead to unintended users gaining access to the course. Versions affected: 3.9 to…

  • CVE-2020-25699Nov 19, 2020
    risk 0.00cvss epss 0.02

    In moodle, insufficient capability checks could lead to users with the ability to course restore adding additional capabilities to roles within that course. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed…