CWE-863 Details

CWE-863

Incorrect Authorization
Hoch
Incomplete
2011-06-01
00h00 +00:00
2025-12-11
00h00 +00:00
CWE Mitre.org
Benachrichtigungen für ein CWE
Bleiben Sie über alle Änderungen zu einem bestimmten CWE informiert.
Benachrichtigungen verwalten

Name: Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Allgemeine Informationen

Hintergrundinformationen

Einführungsmodi

Architecture and Design : Authorization weaknesses may arise when a single-user application is ported to a multi-user environment.
Implementation
Operation

Anwendbare Plattformen

Sprache

Class: Not Language-Specific (Undetermined)

Technologien

Name: Web Server (Often)
Name: Database Server (Often)
Class: Not Technology-Specific (Undetermined)

Häufige Konsequenzen

Bereich Auswirkung Wahrscheinlichkeit
ConfidentialityRead Application Data, Read Files or Directories

Note: An attacker could bypass intended access restrictions to read sensitive data, either by reading the data directly from a data store that is not correctly restricted, or by accessing insufficiently-protected, privileged functionality to read the data.
IntegrityModify Application Data, Modify Files or Directories

Note: An attacker could bypass intended access restrictions to modify sensitive data, either by writing the data directly to a data store that is not correctly restricted, or by accessing insufficiently-protected, privileged functionality to write the data.
Access ControlGain Privileges or Assume Identity, Bypass Protection Mechanism

Note: An attacker could bypass intended access restrictions to gain privileges by modifying or reading critical data directly, or by accessing privileged functionality.
Confidentiality
Integrity
Availability		Execute Unauthorized Code or Commands

Note: An attacker could use elevated privileges to execute unauthorized commands or code.
AvailabilityDoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Resource Consumption (Other)

Note: An attacker could gain unauthorized access to resources on the system and excessively consume those resources, leading to a denial of service.

Beobachtete Beispiele

Referenzen Beschreibung

CVE-2025-24839

collaboration platform allows attacker to access an AI bot by using a plugin to set a critical property

CVE-2025-32796

LLM application development platform allows non-admin users to enable or disable apps using certain API endpoints

CVE-2021-39155

Chain: A microservice integration and management platform compares the hostname in the HTTP Host header in a case-sensitive way (CWE-178, CWE-1289), allowing bypass of the authorization policy (CWE-863) using a hostname with mixed case or other variations.

CVE-2019-15900

Chain: sscanf() call is used to check if a username and group exists, but the return value of sscanf() call is not checked (CWE-252), causing an uninitialized variable to be checked (CWE-457), returning success to allow authorization bypass for executing a privileged (CWE-863).

CVE-2009-2213

Gateway uses default "Allow" configuration for its authorization settings.

CVE-2009-0034

Chain: product does not properly interpret a configuration option for a system group, allowing users to gain privileges.

CVE-2008-6123

Chain: SNMP product does not properly parse a configuration option for which hosts are allowed to connect, allowing unauthorized IP addresses to connect.

CVE-2008-7109

Chain: reliance on client-side security (CWE-602) allows attackers to bypass authorization using a custom client.

CVE-2008-3424

Chain: product does not properly handle wildcards in an authorization policy list, allowing unintended access.

CVE-2008-4577

ACL-based protection mechanism treats negative access rights as if they are positive, allowing bypass of intended restrictions.

CVE-2006-6679

Product relies on the X-Forwarded-For HTTP header for authorization, allowing unintended access by spoofing the header.

CVE-2005-2801

Chain: file-system code performs an incorrect comparison (CWE-697), preventing default ACLs from being properly applied.

CVE-2001-1155

Chain: product does not properly check the result of a reverse DNS lookup because of operator precedence (CWE-783), allowing bypass of DNS-based access restrictions.

Mögliche Gegenmaßnahmen

Phases : Architecture and Design
Phases : Architecture and Design
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Phases : Architecture and Design
Phases : Architecture and Design
Phases : System Configuration // Installation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

Erkennungsmethoden

Automated Static Analysis

Wirksamkeit : Limited

Automated Dynamic Analysis

Automated dynamic analysis may not be able to find interfaces that are protected by authorization checks, even if those checks contain weaknesses.

Manual Analysis

Wirksamkeit : Moderate

Manual Static Analysis - Binary or Bytecode

Wirksamkeit : SOAR Partial

Dynamic Analysis with Automated Results Interpretation

Wirksamkeit : SOAR Partial

Dynamic Analysis with Manual Results Interpretation

Wirksamkeit : SOAR Partial

Manual Static Analysis - Source Code

Wirksamkeit : SOAR Partial

Automated Static Analysis - Source Code

Wirksamkeit : SOAR Partial

Architecture or Design Review

Wirksamkeit : High

Hinweise zur Schwachstellen-Zuordnung

Begründung : This CWE entry is a Class and might have Base-level children that would be more appropriate
Kommentar : Examine children of this entry to see if there is a better fit

Hinweise


Referenzen

REF-229

Role Based Access Control and Role Based Security
NIST.
https://csrc.nist.gov/projects/role-based-access-control

REF-7

Writing Secure Code
Michael Howard, David LeBlanc.
https://www.microsoftpressstore.com/store/writing-secure-code-9780735617223

REF-231

Top 25 Series - Rank 5 - Improper Access Control (Authorization)
Frank Kim.
https://www.sans.org/blog/top-25-series-rank-5-improper-access-control-authorization

REF-233

Authentication using JAAS
Rahul Bhattacharjee.
https://javaranch.com/journal/2008/04/authentication-using-JAAS.html

REF-45

OWASP Enterprise Security API (ESAPI) Project
OWASP.
https://owasp.org/www-project-enterprise-security-api/

REF-62

The Art of Software Security Assessment
Mark Dowd, John McDonald, Justin Schuh.

REF-1479

State-of-the-Art Resources (SOAR) for Software Vulnerability Detection, Test, and Evaluation
Gregory Larsen, E. Kenneth Hong Fong, David A. Wheeler, Rama S. Moorthy.
https://www.ida.org/-/media/feature/publications/s/st/stateoftheart-resources-soar-for-software-vulnerability-detection-test-and-evaluation/p-5061.ashx

Einreichung

Name Organisation Datum Veröffentlichungsdatum Version
CWE Content Team MITRE 2011-05-24 +00:00 2011-06-01 +00:00 1.13

Änderungen

Name Organisation Datum Kommentar
CWE Content Team MITRE 2011-06-27 +00:00 updated Demonstrative_Examples, Related_Attack_Patterns, Relationships
CWE Content Team MITRE 2011-09-13 +00:00 updated Potential_Mitigations, References, Relationships
CWE Content Team MITRE 2012-05-11 +00:00 updated References, Relationships
CWE Content Team MITRE 2012-10-30 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2013-02-21 +00:00 updated Description
CWE Content Team MITRE 2014-07-30 +00:00 updated Detection_Factors
CWE Content Team MITRE 2017-11-08 +00:00 updated Applicable_Platforms, Modes_of_Introduction, References, Relationships
CWE Content Team MITRE 2018-03-27 +00:00 updated References
CWE Content Team MITRE 2019-06-20 +00:00 updated Relationships
CWE Content Team MITRE 2020-02-24 +00:00 updated Relationships
CWE Content Team MITRE 2020-08-20 +00:00 updated Relationships
CWE Content Team MITRE 2020-12-10 +00:00 updated Relationships
CWE Content Team MITRE 2021-03-15 +00:00 updated Alternate_Terms
CWE Content Team MITRE 2021-07-20 +00:00 updated Observed_Examples
CWE Content Team MITRE 2021-10-28 +00:00 updated Relationships
CWE Content Team MITRE 2022-10-13 +00:00 updated Observed_Examples
CWE Content Team MITRE 2023-01-31 +00:00 updated Description, Potential_Mitigations
CWE Content Team MITRE 2023-04-27 +00:00 updated References, Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes, Relationships
CWE Content Team MITRE 2024-02-29 +00:00 updated Taxonomy_Mappings
CWE Content Team MITRE 2024-11-19 +00:00 updated Common_Consequences, Description, Diagram, Relationships, Terminology_Notes
CWE Content Team MITRE 2025-04-03 +00:00 updated Diagram
CWE Content Team MITRE 2025-09-09 +00:00 updated Detection_Factors, Observed_Examples, References
CWE Content Team MITRE 2025-12-11 +00:00 updated Applicable_Platforms, Relationships, Weakness_Ordinalities
Die auf CVE Find präsentierten Informationen stammen aus mehreren sorgfältig ausgewählten Referenzquellen. CVE-Daten werden von der MITRE Corporation und der National Vulnerability Database (NVD) bereitgestellt. Der Katalog bekannter ausgenutzter Schwachstellen (KEV) stammt von der Cybersecurity and Infrastructure Security Agency (CISA), während EPSS-Scores von FIRST.org kommen. Darüber hinaus werden Daten zu Software-Schwachstellen (CWE) und häufigen Angriffsmustern (CAPEC) von der MITRE Corporation gepflegt, und Informationen zu Hardware- und Software-Konfigurationen (CPE) werden von der NVD bereitgestellt.