VYPR

CWE-863

Incorrect Authorization

Abstraction: Class · Status: Incomplete · Likelihood of Exploit: High

Description

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Hierarchy (View 1000)

CVEs mapped to this weakness (1,530)

Page 8 of 77
  • CVE-2021-21693 · Critical · Nov 4, 2021
    risk 0.57 · CVSS 9.8 · EPSS 0.02

    When creating temporary files, agent-to-controller access to create those files is only checked after they've been created in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.

  • CVE-2021-21692 · Critical · Nov 4, 2021
    risk 0.57 · CVSS 9.8 · EPSS 0.02

    FilePath#renameTo and FilePath#moveAllChildrenTo in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier only check 'read' agent-to-controller access permission on the source path, instead of 'delete'.

  • CVE-2021-21691 · Critical · Nov 4, 2021
    risk 0.57 · CVSS 9.8 · EPSS 0.02

    Creating symbolic links is possible without the 'symlink' agent-to-controller access control permission in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.

  • CVE-2021-38299 · Critical · Sep 27, 2021
    risk 0.57 · CVSS 9.8 · EPSS 0.02

    Webauthn Framework 3.3.x before 3.3.4 has Incorrect Access Control. An attacker that controls a user's system is able to log in to a vulnerable service using an attached FIDO2 authenticator without passing a check of the user presence.

  • CVE-2020-2286 · High · Oct 8, 2020
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    Jenkins Role-based Authorization Strategy Plugin 3.0 and earlier does not properly invalidate a permission cache when the configuration is changed, resulting in permissions being granted based on an outdated configuration.

  • CVE-2020-2228 · High · Jul 15, 2020
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    Jenkins Gitlab Authentication Plugin 1.5 and earlier does not perform group authorization checks properly, resulting in a privilege escalation vulnerability.

  • CVE-2018-1000418 · High · Jan 9, 2019
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    An improper authorization vulnerability exists in Jenkins HipChat Plugin 2.2.0 and earlier in HipChatNotifier.java that allows attackers with Overall/Read access to send test notifications to an attacker-specified HipChat server with attacker-specified credentials IDs obtained…

  • CVE-2017-3183 · High · Jul 24, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.02

    Sage XRT Treasury, version 3, fails to properly restrict database access to authorized users, which may enable any authenticated user to gain full access to privileged database functions. Sage XRT Treasury is a business finance management application. Database user access…

  • CVE-2017-0926 · High · Mar 21, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    Gitlab Community Edition version 10.3 is vulnerable to an improper authorization issue in the Oauth sign-in component resulting in unauthorized user login.

  • CVE-2018-2361 · High · Jan 9, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    In SAP Solution Manager 7.20, the role SAP_BPO_CONFIG gives the Business Process Operations (BPO) configuration user more authorization than required for configuring the BPO tools.

  • CVE-2017-0910 · High · Nov 27, 2017
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    In Zulip Server before 1.7.1, on a server with multiple realms, a vulnerability in the invitation system lets an authorized user of one realm on the server create a user account on any other realm.

  • CVE-2017-10805 · High · Jul 4, 2017
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise Edition 9.0 and 10.0, incorrect access control on OAuth tokens in the OAuth module allows remote authenticated users to hijack OAuth sessions of other users.

  • CVE-2017-8907 · High · Jun 14, 2017
    risk 0.57 · CVSS 8.8 · EPSS 0.02

    Atlassian Bamboo 5.x before 5.15.7 and 6.x before 6.0.1 did not correctly check if a user creating a deployment project had the edit permission and therefore the rights to do so. An attacker who can log in to Bamboo as a user without the edit permission for deployment projects…

  • CVE-2017-2306 · High · May 30, 2017
    risk 0.57 · CVSS 8.8 · EPSS 0.02

    On Juniper Networks Junos Space versions prior to 16.1R1, due to an insufficient authorization check, readonly users on the Junos Space administrative web interface can execute code on the device.

  • CVE-2017-2305 · High · May 30, 2017
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    On Juniper Networks Junos Space versions prior to 16.1R1, due to an insufficient authorization check, readonly users on the Junos Space administrative web interface can create privileged users, allowing privilege escalation.

  • CVE-2017-7505 · High · May 26, 2017
    risk 0.57 · CVSS 8.8 · EPSS 0.02

    Foreman since version 1.5 is vulnerable to an incorrect authorization check, due to which users with user management permission who are assigned to some organization(s) can perform all operations granted by these permissions on any administrator user object outside of their scope,…

  • CVE-2017-3801 · High · Feb 15, 2017
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    A vulnerability in the web-based GUI of Cisco UCS Director 6.0.0.0 and 6.0.0.1 could allow an authenticated, local attacker to execute arbitrary workflow items with just an end-user profile, a Privilege Escalation Vulnerability. The vulnerability is due to improper role-based…

  • CVE-2026-32173 · High · Apr 3, 2026
    risk 0.56 · CVSS 8.6 · EPSS 0.01

    Improper authentication in Azure SRE Agent allows an unauthorized attacker to disclose information over a network.

  • CVE-2025-13829 · High · Dec 1, 2025
    risk 0.56 · CVSS n/a · EPSS 0.00

    Incorrect Authorization vulnerability in Data Illusion Zumbrunn NGSurvey allows any logged-in user to obtain the private information of any other user. Critical information retrieved: * APIKEY (1 year user Session) * RefreshToken (10 minutes user Session) * …

  • CVE-2025-24200 · Medium · KEV · Feb 10, 2025
    risk 0.56 · CVSS 6.1 · EPSS 0.05

    An authorization issue was addressed with improved state management. This issue is fixed in iOS 15.8.4 and iPadOS 15.8.4, iOS 16.7.11 and iPadOS 16.7.11, iOS 18.3.1 and iPadOS 18.3.1, iPadOS 17.7.5. A physical attack may disable USB Restricted Mode on a locked device. Apple is…