VYPR

CWE-863

Incorrect Authorization

Class
Incomplete
Likelihood: High

Description

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Hierarchy (View 1000)

CVEs mapped to this weakness (1,530)

page 75 of 77
  • CVE-2020-15513 (Jul 7, 2020)
    risk 0.00 | cvss | epss 0.01

    The typo3_forum extension before 1.2.1 for TYPO3 has Incorrect Access Control.

  • CVE-2020-15084 (Jun 30, 2020)
    risk 0.00 | cvss | epss 0.01

    In express-jwt (NPM package) up and including version 5.3.3, the algorithms entry to be specified in the configuration is not being enforced. When algorithms is not specified in the configuration, with the combination of jwks-rsa, it may lead to authorization bypass. You are…

  • CVE-2020-9587 (Jun 26, 2020)
    risk 0.00 | cvss | epss 0.05

    Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have an authorization bypass vulnerability. Successful exploitation could lead to potentially unauthorized product discounts.

  • CVE-2017-18884 (Jun 19, 2020)
    risk 0.00 | cvss | epss 0.01

    An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to gain privileges by using a registered OAuth application with personal access tokens.

  • CVE-2020-8151 (May 12, 2020)
    risk 0.00 | cvss | epss 0.02

    There is a possible information disclosure issue in Active Resource <v5.1.1 that could allow an attacker to create specially crafted requests to access data in an unexpected way and possibly leak information.

  • CVE-2020-12691 (May 6, 2020)
    risk 0.00 | cvss | epss 0.05

    An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any authenticated user can create an EC2 credential for themselves for a project that they have a specified role on, and then perform an update to the credential user and project, allowing them to…

  • CVE-2020-12669 (May 6, 2020)
    risk 0.00 | cvss | epss 0.02

    core/get_menudiv.php in Dolibarr before 11.0.4 allows remote authenticated attackers to bypass intended access restrictions via a non-alphanumeric menu parameter.

  • CVE-2020-2188 (May 6, 2020)
    risk 0.00 | cvss | epss 0.01

    A missing permission check in Jenkins Amazon EC2 Plugin 1.50.1 and earlier in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.

  • CVE-2020-12477 (Apr 29, 2020)
    risk 0.00 | cvss | epss 0.02

    The REST API functions in TeamPass 2.1.27.36 allow any user with a valid API token to bypass IP address whitelist restrictions via an X-Forwarded-For client HTTP header to the getIp function.

  • CVE-2020-2148 (Mar 9, 2020)
    risk 0.00 | cvss | epss 0.01

    A missing permission check in Jenkins Mac Plugin 1.1.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials.

  • CVE-2020-2135 (Mar 9, 2020)
    risk 0.00 | cvss | epss 0.01

    Sandbox protection in Jenkins Script Security Plugin 1.70 and earlier could be circumvented through crafted method calls on objects that implement GroovyInterceptable.

  • CVE-2020-2134 (Mar 9, 2020)
    risk 0.00 | cvss | epss 0.01

    Sandbox protection in Jenkins Script Security Plugin 1.70 and earlier could be circumvented through crafted constructor calls and crafted constructor bodies.

  • CVE-2020-7955 (Jan 31, 2020)
    risk 0.00 | cvss | epss 0.01

    HashiCorp Consul and Consul Enterprise 1.4.1 through 1.6.2 did not uniformly enforce ACLs across all API endpoints, resulting in potential unintended information disclosure. Fixed in 1.6.3.

  • CVE-2020-2104 (Jan 29, 2020)
    risk 0.00 | cvss | epss 0.01

    Jenkins 2.218 and earlier, LTS 2.204.1 and earlier allowed users with Overall/Read access to view a JVM memory usage chart.

  • CVE-2019-16538 (Nov 21, 2019)
    risk 0.00 | cvss | epss 0.01

    A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.67 and earlier related to the handling of default parameter expressions in closures allowed attackers to execute arbitrary code in sandboxed scripts.

  • CVE-2012-2238 (Nov 21, 2019)
    risk 0.00 | cvss | epss 0.02

    trytond 2.4: ModelView.button fails to validate authorization

  • CVE-2019-10458 (Oct 16, 2019)
    risk 0.00 | cvss | epss 0.02

    Jenkins Puppet Enterprise Pipeline 1.3.1 and earlier specifies unsafe values in its custom Script Security whitelist, allowing attackers able to execute Script Security protected scripts to execute arbitrary code.

  • CVE-2019-14832 (Oct 15, 2019)
    risk 0.00 | cvss | epss 0.01

    A flaw was found in the Keycloak REST API before version 8.0.0 where it would permit user access from a realm the user was not configured. An authenticated attacker with knowledge of a user id could use this flaw to access unauthorized information or to carry out further attacks.

  • CVE-2019-10418 (Sep 25, 2019)
    risk 0.00 | cvss | epss 0.01

    Jenkins Kubernetes :: Pipeline :: Arquillian Steps Plugin provides a custom whitelist for script security that allowed attackers to invoke arbitrary methods, bypassing typical sandbox protection.

  • CVE-2019-10417 (Sep 25, 2019)
    risk 0.00 | cvss | epss 0.01

    Jenkins Kubernetes :: Pipeline :: Kubernetes Steps Plugin provides a custom whitelist for script security that allowed attackers to invoke arbitrary methods, bypassing typical sandbox protection.