CWE-863
Incorrect Authorization
Description
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Hierarchy (View 1000)
CVEs mapped to this weakness (1,530)
page 8 of 77

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-21693 | | Critical | 0.57 | 9.8 | 0.02 | | Nov 4, 2021 | When creating temporary files, agent-to-controller access to create those files is only checked after they've been created in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. |
| CVE-2021-21692 | | Critical | 0.57 | 9.8 | 0.02 | | Nov 4, 2021 | FilePath#renameTo and FilePath#moveAllChildrenTo in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier only check 'read' agent-to-controller access permission on the source path, instead of 'delete'. |
| CVE-2021-21691 | | Critical | 0.57 | 9.8 | 0.02 | | Nov 4, 2021 | Creating symbolic links is possible without the 'symlink' agent-to-controller access control permission in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. |
| CVE-2021-38299 | — | Critical | 0.57 | 9.8 | 0.02 | | Sep 27, 2021 | Webauthn Framework 3.3.x before 3.3.4 has Incorrect Access Control. An attacker that controls a user's system is able to log in to a vulnerable service using an attached FIDO2 authenticator without passing a check of the user presence. |
| CVE-2020-2286 | | High | 0.57 | 8.8 | 0.01 | | Oct 8, 2020 | Jenkins Role-based Authorization Strategy Plugin 3.0 and earlier does not properly invalidate a permission cache when the configuration is changed, resulting in permissions being granted based on an outdated configuration. |
| CVE-2020-2228 | | High | 0.57 | 8.8 | 0.01 | | Jul 15, 2020 | Jenkins Gitlab Authentication Plugin 1.5 and earlier does not perform group authorization checks properly, resulting in a privilege escalation vulnerability. |
| CVE-2018-1000418 | | High | 0.57 | 8.8 | 0.01 | | Jan 9, 2019 | An improper authorization vulnerability exists in Jenkins HipChat Plugin 2.2.0 and earlier in HipChatNotifier.java that allows attackers with Overall/Read access to send test notifications to an attacker-specified HipChat server with attacker-specified credentials IDs obtained… |
| CVE-2017-3183 | | High | 0.57 | 8.8 | 0.02 | | Jul 24, 2018 | Sage XRT Treasury, version 3, fails to properly restrict database access to authorized users, which may enable any authenticated user to gain full access to privileged database functions. Sage XRT Treasury is a business finance management application. Database user access… |
| CVE-2017-0926 | | High | 0.57 | 8.8 | 0.01 | | Mar 21, 2018 | Gitlab Community Edition version 10.3 is vulnerable to an improper authorization issue in the Oauth sign-in component resulting in unauthorized user login. |
| CVE-2018-2361 | | High | 0.57 | 8.8 | 0.01 | | Jan 9, 2018 | In SAP Solution Manager 7.20, the role SAP_BPO_CONFIG gives the Business Process Operations (BPO) configuration user more authorization than required for configuring the BPO tools. |
| CVE-2017-0910 | | High | 0.57 | 8.8 | 0.01 | | Nov 27, 2017 | In Zulip Server before 1.7.1, on a server with multiple realms, a vulnerability in the invitation system lets an authorized user of one realm on the server create a user account on any other realm. |
| CVE-2017-10805 | | High | 0.57 | 8.8 | 0.01 | | Jul 4, 2017 | In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise Edition 9.0 and 10.0, incorrect access control on OAuth tokens in the OAuth module allows remote authenticated users to hijack OAuth sessions of other users. |
| CVE-2017-8907 | | High | 0.57 | 8.8 | 0.02 | | Jun 14, 2017 | Atlassian Bamboo 5.x before 5.15.7 and 6.x before 6.0.1 did not correctly check if a user creating a deployment project had the edit permission and therefore the rights to do so. An attacker who can log in to Bamboo as a user without the edit permission for deployment projects… |
| CVE-2017-2306 | | High | 0.57 | 8.8 | 0.02 | | May 30, 2017 | On Juniper Networks Junos Space versions prior to 16.1R1, due to an insufficient authorization check, read-only users on the Junos Space administrative web interface can execute code on the device. |
| CVE-2017-2305 | | High | 0.57 | 8.8 | 0.01 | | May 30, 2017 | On Juniper Networks Junos Space versions prior to 16.1R1, due to an insufficient authorization check, read-only users on the Junos Space administrative web interface can create privileged users, allowing privilege escalation. |
| CVE-2017-7505 | | High | 0.57 | 8.8 | 0.02 | | May 26, 2017 | Foreman since version 1.5 is vulnerable to an incorrect authorization check due to which users with user management permission who are assigned to some organization(s) can do all operations granted by these permissions on all administrator user objects outside of their scope,… |
| CVE-2017-3801 | | High | 0.57 | 8.8 | 0.00 | | Feb 15, 2017 | A vulnerability in the web-based GUI of Cisco UCS Director 6.0.0.0 and 6.0.0.1 could allow an authenticated, local attacker to execute arbitrary workflow items with just an end-user profile, a Privilege Escalation Vulnerability. The vulnerability is due to improper role-based… |
| CVE-2026-32173 | | High | 0.56 | 8.6 | 0.01 | | Apr 3, 2026 | Improper authentication in Azure SRE Agent allows an unauthorized attacker to disclose information over a network. |
| CVE-2025-13829 | | High | 0.56 | — | 0.00 | | Dec 1, 2025 | Incorrect Authorization vulnerability in Data Illusion Zumbrunn NGSurvey allows any logged-in user to obtain the private information of any other user. Critical information retrieved: * APIKEY (1 year user Session) * RefreshToken (10 minutes user Session) * … |
| CVE-2025-24200 | | Medium | 0.56 | 6.1 | 0.05 | KEV | Feb 10, 2025 | An authorization issue was addressed with improved state management. This issue is fixed in iOS 15.8.4 and iPadOS 15.8.4, iOS 16.7.11 and iPadOS 16.7.11, iOS 18.3.1 and iPadOS 18.3.1, iPadOS 17.7.5. A physical attack may disable USB Restricted Mode on a locked device. Apple is… |