CWE-862 Details

CWE-862

Missing Authorization
Hoch
Incomplete
2011-06-01
00h00 +00:00
2025-12-11
00h00 +00:00
CWE Mitre.org
Benachrichtigungen für ein CWE
Bleiben Sie über alle Änderungen zu einem bestimmten CWE informiert.
Benachrichtigungen verwalten

Name: Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Allgemeine Informationen

Hintergrundinformationen

Einführungsmodi

Architecture and Design
Implementation : A developer may introduce authorization weaknesses because of a lack of understanding about the underlying technologies. For example, a developer may assume that attackers cannot modify certain inputs such as headers or cookies.
Operation

Anwendbare Plattformen

Sprache

Class: Not Language-Specific (Undetermined)

Technologien

Name: AI/ML (Undetermined)
Name: Web Server (Often)
Name: Database Server (Often)
Class: Not Technology-Specific (Undetermined)

Häufige Konsequenzen

Bereich Auswirkung Wahrscheinlichkeit
ConfidentialityRead Application Data, Read Files or Directories

Note: An attacker could read sensitive data, either by reading the data directly from a data store that is not restricted, or by accessing insufficiently-protected, privileged functionality to read the data.
IntegrityModify Application Data, Modify Files or Directories

Note: An attacker could modify sensitive data, either by writing the data directly to a data store that is not restricted, or by accessing insufficiently-protected, privileged functionality to write the data.
Access ControlGain Privileges or Assume Identity, Bypass Protection Mechanism

Note: An attacker could gain privileges by modifying or reading critical data directly, or by accessing privileged functionality.
AvailabilityDoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Resource Consumption (Other)

Note: An attacker could gain unauthorized access to resources on the system and excessively consume those resources, leading to a denial of service.

Beobachtete Beispiele

Referenzen Beschreibung

CVE-2024-6845

chatbot Wordpress plugin does not perform authorization on a REST endpoint, allowing retrieval of an API key

CVE-2025-2224

AI-enabled WordPress plugin has a missing capability check for a particular function, allowing changing public status of posts

CVE-2022-24730

Go-based continuous deployment product does not check that a user has certain privileges to update or create an app, allowing adversaries to read sensitive repository information

CVE-2009-3168

Web application does not restrict access to admin scripts, allowing authenticated users to reset administrative passwords.

CVE-2009-3597

Web application stores database file under the web root with insufficient access control (CWE-219), allowing direct request.

CVE-2009-2282

Terminal server does not check authorization for guest access.

CVE-2008-5027

System monitoring software allows users to bypass authorization by creating custom forms.

CVE-2009-3781

Content management system does not check access permissions for private files, allowing others to view those files.

CVE-2008-6548

Product does not check the ACL of a page accessed using an "include" directive, allowing attackers to read unauthorized files.

CVE-2009-2960

Web application does not restrict access to admin scripts, allowing authenticated users to modify passwords of other users.

CVE-2009-3230

Database server does not use appropriate privileges for certain sensitive operations.

CVE-2009-2213

Gateway uses default "Allow" configuration for its authorization settings.

CVE-2009-0034

Chain: product does not properly interpret a configuration option for a system group, allowing users to gain privileges.

CVE-2008-6123

Chain: SNMP product does not properly parse a configuration option for which hosts are allowed to connect, allowing unauthorized IP addresses to connect.

CVE-2008-7109

Chain: reliance on client-side security (CWE-602) allows attackers to bypass authorization using a custom client.

CVE-2008-3424

Chain: product does not properly handle wildcards in an authorization policy list, allowing unintended access.

CVE-2005-1036

Chain: Bypass of access restrictions due to improper authorization (CWE-862) of a user results from an improperly initialized (CWE-909) I/O permission bitmap

CVE-2008-4577

ACL-based protection mechanism treats negative access rights as if they are positive, allowing bypass of intended restrictions.

CVE-2007-2925

Default ACL list for a DNS server does not set certain ACLs, allowing unauthorized DNS queries.

CVE-2006-6679

Product relies on the X-Forwarded-For HTTP header for authorization, allowing unintended access by spoofing the header.

CVE-2005-3623

OS kernel does not check for a certain privilege before setting ACLs for files.

CVE-2005-2801

Chain: file-system code performs an incorrect comparison (CWE-697), preventing default ACLs from being properly applied.

CVE-2001-1155

Chain: product does not properly check the result of a reverse DNS lookup because of operator precedence (CWE-783), allowing bypass of DNS-based access restrictions.

CVE-2020-17533

Chain: unchecked return value (CWE-252) of some functions for policy enforcement leads to authorization bypass (CWE-862)

Mögliche Gegenmaßnahmen

Phases : Architecture and Design
Phases : Architecture and Design
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Phases : Architecture and Design
Phases : Architecture and Design
Phases : System Configuration // Installation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

Erkennungsmethoden

Automated Static Analysis

Wirksamkeit : Limited

Automated Dynamic Analysis

Automated dynamic analysis may find many or all possible interfaces that do not require authorization, but manual analysis is required to determine if the lack of authorization violates business logic.

Manual Analysis

Wirksamkeit : Moderate

Manual Static Analysis - Binary or Bytecode

Wirksamkeit : SOAR Partial

Dynamic Analysis with Automated Results Interpretation

Wirksamkeit : SOAR Partial

Dynamic Analysis with Manual Results Interpretation

Wirksamkeit : SOAR Partial

Manual Static Analysis - Source Code

Wirksamkeit : SOAR Partial

Automated Static Analysis - Source Code

Wirksamkeit : SOAR Partial

Architecture or Design Review

Wirksamkeit : High

Hinweise zur Schwachstellen-Zuordnung

Begründung : This CWE entry is a Class and might have Base-level children that would be more appropriate
Kommentar : Examine children of this entry to see if there is a better fit

Verwandte Angriffsmuster

CAPEC-ID Name des Angriffsmusters
CAPEC-665 Exploitation of Thunderbolt Protection Flaws

Hinweise

Assuming a user with a given identity, authorization is the process of determining whether that user can access a given resource, based on the user's privileges and any permissions or other access-control specifications that apply to the resource.

Referenzen

REF-229

Role Based Access Control and Role Based Security
NIST.
https://csrc.nist.gov/projects/role-based-access-control

REF-7

Writing Secure Code
Michael Howard, David LeBlanc.
https://www.microsoftpressstore.com/store/writing-secure-code-9780735617223

REF-231

Top 25 Series - Rank 5 - Improper Access Control (Authorization)
Frank Kim.
https://www.sans.org/blog/top-25-series-rank-5-improper-access-control-authorization

REF-45

OWASP Enterprise Security API (ESAPI) Project
OWASP.
https://owasp.org/www-project-enterprise-security-api/

REF-233

Authentication using JAAS
Rahul Bhattacharjee.
https://javaranch.com/journal/2008/04/authentication-using-JAAS.html

REF-62

The Art of Software Security Assessment
Mark Dowd, John McDonald, Justin Schuh.

REF-1479

State-of-the-Art Resources (SOAR) for Software Vulnerability Detection, Test, and Evaluation
Gregory Larsen, E. Kenneth Hong Fong, David A. Wheeler, Rama S. Moorthy.
https://www.ida.org/-/media/feature/publications/s/st/stateoftheart-resources-soar-for-software-vulnerability-detection-test-and-evaluation/p-5061.ashx

Einreichung

Name Organisation Datum Veröffentlichungsdatum Version
CWE Content Team MITRE 2011-05-24 +00:00 2011-06-01 +00:00 1.13

Änderungen

Name Organisation Datum Kommentar
CWE Content Team MITRE 2011-06-27 +00:00 updated Demonstrative_Examples, Related_Attack_Patterns, Relationships
CWE Content Team MITRE 2011-09-13 +00:00 updated Potential_Mitigations, References, Relationships
CWE Content Team MITRE 2012-05-11 +00:00 updated Demonstrative_Examples, Observed_Examples, References, Relationships
CWE Content Team MITRE 2012-10-30 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2014-02-18 +00:00 updated Relationships
CWE Content Team MITRE 2014-07-30 +00:00 updated Detection_Factors
CWE Content Team MITRE 2017-01-19 +00:00 updated Relationships
CWE Content Team MITRE 2017-11-08 +00:00 updated Applicable_Platforms, Modes_of_Introduction, References, Relationships
CWE Content Team MITRE 2018-03-27 +00:00 updated References
CWE Content Team MITRE 2019-06-20 +00:00 updated Relationships
CWE Content Team MITRE 2020-02-24 +00:00 updated Relationships
CWE Content Team MITRE 2020-08-20 +00:00 updated Relationships
CWE Content Team MITRE 2020-12-10 +00:00 updated Relationships
CWE Content Team MITRE 2021-03-15 +00:00 updated Alternate_Terms, Observed_Examples
CWE Content Team MITRE 2021-07-20 +00:00 updated Observed_Examples, Related_Attack_Patterns, Relationships
CWE Content Team MITRE 2021-10-28 +00:00 updated Relationships
CWE Content Team MITRE 2022-06-28 +00:00 updated Relationships
CWE Content Team MITRE 2022-10-13 +00:00 updated Observed_Examples
CWE Content Team MITRE 2023-01-31 +00:00 updated Description, Potential_Mitigations
CWE Content Team MITRE 2023-04-27 +00:00 updated References, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2024-11-19 +00:00 updated Common_Consequences, Description, Diagram, Relationships, Terminology_Notes
CWE Content Team MITRE 2025-09-09 +00:00 updated Applicable_Platforms, Detection_Factors, Observed_Examples, References
CWE Content Team MITRE 2025-12-11 +00:00 updated Applicable_Platforms, Relationships, Weakness_Ordinalities
Die auf CVE Find präsentierten Informationen stammen aus mehreren sorgfältig ausgewählten Referenzquellen. CVE-Daten werden von der MITRE Corporation und der National Vulnerability Database (NVD) bereitgestellt. Der Katalog bekannter ausgenutzter Schwachstellen (KEV) stammt von der Cybersecurity and Infrastructure Security Agency (CISA), während EPSS-Scores von FIRST.org kommen. Darüber hinaus werden Daten zu Software-Schwachstellen (CWE) und häufigen Angriffsmustern (CAPEC) von der MITRE Corporation gepflegt, und Informationen zu Hardware- und Software-Konfigurationen (CPE) werden von der NVD bereitgestellt.