Szczegóły CWE-862

CWE-862

Missing Authorization
Wysoki
Incomplete
2011-06-01
00h00 +00:00
2025-12-11
00h00 +00:00
CWE Mitre.org
Powiadomienia dla konkretnego CWE
Bądź na bieżąco z wszelkimi zmianami dotyczącymi konkretnego CWE.
Zarządzaj powiadomieniami

Nazwa: Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Informacje ogólne

Szczegóły kontekstowe

Sposoby wprowadzenia

Architecture and Design
Implementation : A developer may introduce authorization weaknesses because of a lack of understanding about the underlying technologies. For example, a developer may assume that attackers cannot modify certain inputs such as headers or cookies.
Operation

Odpowiednie platformy

Język

Class: Not Language-Specific (Undetermined)

Technologie

Name: AI/ML (Undetermined)
Name: Web Server (Often)
Name: Database Server (Often)
Class: Not Technology-Specific (Undetermined)

Typowe konsekwencje

Zakres Wpływ Prawdopodobieństwo
ConfidentialityRead Application Data, Read Files or Directories

Note: An attacker could read sensitive data, either by reading the data directly from a data store that is not restricted, or by accessing insufficiently-protected, privileged functionality to read the data.
IntegrityModify Application Data, Modify Files or Directories

Note: An attacker could modify sensitive data, either by writing the data directly to a data store that is not restricted, or by accessing insufficiently-protected, privileged functionality to write the data.
Access ControlGain Privileges or Assume Identity, Bypass Protection Mechanism

Note: An attacker could gain privileges by modifying or reading critical data directly, or by accessing privileged functionality.
AvailabilityDoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Resource Consumption (Other)

Note: An attacker could gain unauthorized access to resources on the system and excessively consume those resources, leading to a denial of service.

Zaobserwowane przykłady

Odniesienia Opis

CVE-2024-6845

chatbot Wordpress plugin does not perform authorization on a REST endpoint, allowing retrieval of an API key

CVE-2025-2224

AI-enabled WordPress plugin has a missing capability check for a particular function, allowing changing public status of posts

CVE-2022-24730

Go-based continuous deployment product does not check that a user has certain privileges to update or create an app, allowing adversaries to read sensitive repository information

CVE-2009-3168

Web application does not restrict access to admin scripts, allowing authenticated users to reset administrative passwords.

CVE-2009-3597

Web application stores database file under the web root with insufficient access control (CWE-219), allowing direct request.

CVE-2009-2282

Terminal server does not check authorization for guest access.

CVE-2008-5027

System monitoring software allows users to bypass authorization by creating custom forms.

CVE-2009-3781

Content management system does not check access permissions for private files, allowing others to view those files.

CVE-2008-6548

Product does not check the ACL of a page accessed using an "include" directive, allowing attackers to read unauthorized files.

CVE-2009-2960

Web application does not restrict access to admin scripts, allowing authenticated users to modify passwords of other users.

CVE-2009-3230

Database server does not use appropriate privileges for certain sensitive operations.

CVE-2009-2213

Gateway uses default "Allow" configuration for its authorization settings.

CVE-2009-0034

Chain: product does not properly interpret a configuration option for a system group, allowing users to gain privileges.

CVE-2008-6123

Chain: SNMP product does not properly parse a configuration option for which hosts are allowed to connect, allowing unauthorized IP addresses to connect.

CVE-2008-7109

Chain: reliance on client-side security (CWE-602) allows attackers to bypass authorization using a custom client.

CVE-2008-3424

Chain: product does not properly handle wildcards in an authorization policy list, allowing unintended access.

CVE-2005-1036

Chain: Bypass of access restrictions due to improper authorization (CWE-862) of a user results from an improperly initialized (CWE-909) I/O permission bitmap

CVE-2008-4577

ACL-based protection mechanism treats negative access rights as if they are positive, allowing bypass of intended restrictions.

CVE-2007-2925

Default ACL list for a DNS server does not set certain ACLs, allowing unauthorized DNS queries.

CVE-2006-6679

Product relies on the X-Forwarded-For HTTP header for authorization, allowing unintended access by spoofing the header.

CVE-2005-3623

OS kernel does not check for a certain privilege before setting ACLs for files.

CVE-2005-2801

Chain: file-system code performs an incorrect comparison (CWE-697), preventing default ACLs from being properly applied.

CVE-2001-1155

Chain: product does not properly check the result of a reverse DNS lookup because of operator precedence (CWE-783), allowing bypass of DNS-based access restrictions.

CVE-2020-17533

Chain: unchecked return value (CWE-252) of some functions for policy enforcement leads to authorization bypass (CWE-862)

Potencjalne środki zaradcze

Phases : Architecture and Design
Phases : Architecture and Design
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Phases : Architecture and Design
Phases : Architecture and Design
Phases : System Configuration // Installation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

Metody wykrywania

Automated Static Analysis

Skuteczność : Limited

Automated Dynamic Analysis

Automated dynamic analysis may find many or all possible interfaces that do not require authorization, but manual analysis is required to determine if the lack of authorization violates business logic.

Manual Analysis

Skuteczność : Moderate

Manual Static Analysis - Binary or Bytecode

Skuteczność : SOAR Partial

Dynamic Analysis with Automated Results Interpretation

Skuteczność : SOAR Partial

Dynamic Analysis with Manual Results Interpretation

Skuteczność : SOAR Partial

Manual Static Analysis - Source Code

Skuteczność : SOAR Partial

Automated Static Analysis - Source Code

Skuteczność : SOAR Partial

Architecture or Design Review

Skuteczność : High

Uwagi dotyczące mapowania podatności

Uzasadnienie : This CWE entry is a Class and might have Base-level children that would be more appropriate
Komentarz : Examine children of this entry to see if there is a better fit

Powiązane wzorce ataków

CAPEC-ID Nazwa wzorca ataku
CAPEC-665 Exploitation of Thunderbolt Protection Flaws

Notatki

Assuming a user with a given identity, authorization is the process of determining whether that user can access a given resource, based on the user's privileges and any permissions or other access-control specifications that apply to the resource.

Odniesienia

REF-229

Role Based Access Control and Role Based Security
NIST.
https://csrc.nist.gov/projects/role-based-access-control

REF-7

Writing Secure Code
Michael Howard, David LeBlanc.
https://www.microsoftpressstore.com/store/writing-secure-code-9780735617223

REF-231

Top 25 Series - Rank 5 - Improper Access Control (Authorization)
Frank Kim.
https://www.sans.org/blog/top-25-series-rank-5-improper-access-control-authorization

REF-45

OWASP Enterprise Security API (ESAPI) Project
OWASP.
https://owasp.org/www-project-enterprise-security-api/

REF-233

Authentication using JAAS
Rahul Bhattacharjee.
https://javaranch.com/journal/2008/04/authentication-using-JAAS.html

REF-62

The Art of Software Security Assessment
Mark Dowd, John McDonald, Justin Schuh.

REF-1479

State-of-the-Art Resources (SOAR) for Software Vulnerability Detection, Test, and Evaluation
Gregory Larsen, E. Kenneth Hong Fong, David A. Wheeler, Rama S. Moorthy.
https://www.ida.org/-/media/feature/publications/s/st/stateoftheart-resources-soar-for-software-vulnerability-detection-test-and-evaluation/p-5061.ashx

Zgłoszenie

Nazwa Organizacja Data Data wydania Version
CWE Content Team MITRE 2011-05-24 +00:00 2011-06-01 +00:00 1.13

Modyfikacje

Nazwa Organizacja Data Komentarz
CWE Content Team MITRE 2011-06-27 +00:00 updated Demonstrative_Examples, Related_Attack_Patterns, Relationships
CWE Content Team MITRE 2011-09-13 +00:00 updated Potential_Mitigations, References, Relationships
CWE Content Team MITRE 2012-05-11 +00:00 updated Demonstrative_Examples, Observed_Examples, References, Relationships
CWE Content Team MITRE 2012-10-30 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2014-02-18 +00:00 updated Relationships
CWE Content Team MITRE 2014-07-30 +00:00 updated Detection_Factors
CWE Content Team MITRE 2017-01-19 +00:00 updated Relationships
CWE Content Team MITRE 2017-11-08 +00:00 updated Applicable_Platforms, Modes_of_Introduction, References, Relationships
CWE Content Team MITRE 2018-03-27 +00:00 updated References
CWE Content Team MITRE 2019-06-20 +00:00 updated Relationships
CWE Content Team MITRE 2020-02-24 +00:00 updated Relationships
CWE Content Team MITRE 2020-08-20 +00:00 updated Relationships
CWE Content Team MITRE 2020-12-10 +00:00 updated Relationships
CWE Content Team MITRE 2021-03-15 +00:00 updated Alternate_Terms, Observed_Examples
CWE Content Team MITRE 2021-07-20 +00:00 updated Observed_Examples, Related_Attack_Patterns, Relationships
CWE Content Team MITRE 2021-10-28 +00:00 updated Relationships
CWE Content Team MITRE 2022-06-28 +00:00 updated Relationships
CWE Content Team MITRE 2022-10-13 +00:00 updated Observed_Examples
CWE Content Team MITRE 2023-01-31 +00:00 updated Description, Potential_Mitigations
CWE Content Team MITRE 2023-04-27 +00:00 updated References, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2024-11-19 +00:00 updated Common_Consequences, Description, Diagram, Relationships, Terminology_Notes
CWE Content Team MITRE 2025-09-09 +00:00 updated Applicable_Platforms, Detection_Factors, Observed_Examples, References
CWE Content Team MITRE 2025-12-11 +00:00 updated Applicable_Platforms, Relationships, Weakness_Ordinalities
Informacje prezentowane na CVE Find pochodzą z kilku starannie wybranych źródeł referencyjnych. Dane CVE są dostarczane przez MITRE Corporation i Narodową Bazę Podatności (NVD). Katalog znanych eksploatowanych podatności (KEV) pochodzi z Agencji ds. Bezpieczeństwa Cyberprzestrzeni i Infrastruktury (CISA), natomiast wyniki EPSS pochodzą z FIRST.org. Ponadto dane dotyczące słabości oprogramowania (CWE) i typowych wzorców ataków (CAPEC) są utrzymywane przez MITRE Corporation, a informacje o konfiguracjach sprzętu i oprogramowania (CPE) są dostarczane przez NVD.