Szczegóły CWE-863

CWE-863

Incorrect Authorization
Wysoki
Incomplete
2011-06-01
00h00 +00:00
2025-12-11
00h00 +00:00
CWE Mitre.org
Powiadomienia dla konkretnego CWE
Bądź na bieżąco z wszelkimi zmianami dotyczącymi konkretnego CWE.
Zarządzaj powiadomieniami

Nazwa: Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Informacje ogólne

Szczegóły kontekstowe

Sposoby wprowadzenia

Architecture and Design : Authorization weaknesses may arise when a single-user application is ported to a multi-user environment.
Implementation
Operation

Odpowiednie platformy

Język

Class: Not Language-Specific (Undetermined)

Technologie

Name: Web Server (Often)
Name: Database Server (Often)
Class: Not Technology-Specific (Undetermined)

Typowe konsekwencje

Zakres Wpływ Prawdopodobieństwo
ConfidentialityRead Application Data, Read Files or Directories

Note: An attacker could bypass intended access restrictions to read sensitive data, either by reading the data directly from a data store that is not correctly restricted, or by accessing insufficiently-protected, privileged functionality to read the data.
IntegrityModify Application Data, Modify Files or Directories

Note: An attacker could bypass intended access restrictions to modify sensitive data, either by writing the data directly to a data store that is not correctly restricted, or by accessing insufficiently-protected, privileged functionality to write the data.
Access ControlGain Privileges or Assume Identity, Bypass Protection Mechanism

Note: An attacker could bypass intended access restrictions to gain privileges by modifying or reading critical data directly, or by accessing privileged functionality.
Confidentiality
Integrity
Availability		Execute Unauthorized Code or Commands

Note: An attacker could use elevated privileges to execute unauthorized commands or code.
AvailabilityDoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Resource Consumption (Other)

Note: An attacker could gain unauthorized access to resources on the system and excessively consume those resources, leading to a denial of service.

Zaobserwowane przykłady

Odniesienia Opis

CVE-2025-24839

collaboration platform allows attacker to access an AI bot by using a plugin to set a critical property

CVE-2025-32796

LLM application development platform allows non-admin users to enable or disable apps using certain API endpoints

CVE-2021-39155

Chain: A microservice integration and management platform compares the hostname in the HTTP Host header in a case-sensitive way (CWE-178, CWE-1289), allowing bypass of the authorization policy (CWE-863) using a hostname with mixed case or other variations.

CVE-2019-15900

Chain: sscanf() call is used to check if a username and group exists, but the return value of sscanf() call is not checked (CWE-252), causing an uninitialized variable to be checked (CWE-457), returning success to allow authorization bypass for executing a privileged (CWE-863).

CVE-2009-2213

Gateway uses default "Allow" configuration for its authorization settings.

CVE-2009-0034

Chain: product does not properly interpret a configuration option for a system group, allowing users to gain privileges.

CVE-2008-6123

Chain: SNMP product does not properly parse a configuration option for which hosts are allowed to connect, allowing unauthorized IP addresses to connect.

CVE-2008-7109

Chain: reliance on client-side security (CWE-602) allows attackers to bypass authorization using a custom client.

CVE-2008-3424

Chain: product does not properly handle wildcards in an authorization policy list, allowing unintended access.

CVE-2008-4577

ACL-based protection mechanism treats negative access rights as if they are positive, allowing bypass of intended restrictions.

CVE-2006-6679

Product relies on the X-Forwarded-For HTTP header for authorization, allowing unintended access by spoofing the header.

CVE-2005-2801

Chain: file-system code performs an incorrect comparison (CWE-697), preventing default ACLs from being properly applied.

CVE-2001-1155

Chain: product does not properly check the result of a reverse DNS lookup because of operator precedence (CWE-783), allowing bypass of DNS-based access restrictions.

Potencjalne środki zaradcze

Phases : Architecture and Design
Phases : Architecture and Design
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Phases : Architecture and Design
Phases : Architecture and Design
Phases : System Configuration // Installation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

Metody wykrywania

Automated Static Analysis

Skuteczność : Limited

Automated Dynamic Analysis

Automated dynamic analysis may not be able to find interfaces that are protected by authorization checks, even if those checks contain weaknesses.

Manual Analysis

Skuteczność : Moderate

Manual Static Analysis - Binary or Bytecode

Skuteczność : SOAR Partial

Dynamic Analysis with Automated Results Interpretation

Skuteczność : SOAR Partial

Dynamic Analysis with Manual Results Interpretation

Skuteczność : SOAR Partial

Manual Static Analysis - Source Code

Skuteczność : SOAR Partial

Automated Static Analysis - Source Code

Skuteczność : SOAR Partial

Architecture or Design Review

Skuteczność : High

Uwagi dotyczące mapowania podatności

Uzasadnienie : This CWE entry is a Class and might have Base-level children that would be more appropriate
Komentarz : Examine children of this entry to see if there is a better fit

Notatki


Odniesienia

REF-229

Role Based Access Control and Role Based Security
NIST.
https://csrc.nist.gov/projects/role-based-access-control

REF-7

Writing Secure Code
Michael Howard, David LeBlanc.
https://www.microsoftpressstore.com/store/writing-secure-code-9780735617223

REF-231

Top 25 Series - Rank 5 - Improper Access Control (Authorization)
Frank Kim.
https://www.sans.org/blog/top-25-series-rank-5-improper-access-control-authorization

REF-233

Authentication using JAAS
Rahul Bhattacharjee.
https://javaranch.com/journal/2008/04/authentication-using-JAAS.html

REF-45

OWASP Enterprise Security API (ESAPI) Project
OWASP.
https://owasp.org/www-project-enterprise-security-api/

REF-62

The Art of Software Security Assessment
Mark Dowd, John McDonald, Justin Schuh.

REF-1479

State-of-the-Art Resources (SOAR) for Software Vulnerability Detection, Test, and Evaluation
Gregory Larsen, E. Kenneth Hong Fong, David A. Wheeler, Rama S. Moorthy.
https://www.ida.org/-/media/feature/publications/s/st/stateoftheart-resources-soar-for-software-vulnerability-detection-test-and-evaluation/p-5061.ashx

Zgłoszenie

Nazwa Organizacja Data Data wydania Version
CWE Content Team MITRE 2011-05-24 +00:00 2011-06-01 +00:00 1.13

Modyfikacje

Nazwa Organizacja Data Komentarz
CWE Content Team MITRE 2011-06-27 +00:00 updated Demonstrative_Examples, Related_Attack_Patterns, Relationships
CWE Content Team MITRE 2011-09-13 +00:00 updated Potential_Mitigations, References, Relationships
CWE Content Team MITRE 2012-05-11 +00:00 updated References, Relationships
CWE Content Team MITRE 2012-10-30 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2013-02-21 +00:00 updated Description
CWE Content Team MITRE 2014-07-30 +00:00 updated Detection_Factors
CWE Content Team MITRE 2017-11-08 +00:00 updated Applicable_Platforms, Modes_of_Introduction, References, Relationships
CWE Content Team MITRE 2018-03-27 +00:00 updated References
CWE Content Team MITRE 2019-06-20 +00:00 updated Relationships
CWE Content Team MITRE 2020-02-24 +00:00 updated Relationships
CWE Content Team MITRE 2020-08-20 +00:00 updated Relationships
CWE Content Team MITRE 2020-12-10 +00:00 updated Relationships
CWE Content Team MITRE 2021-03-15 +00:00 updated Alternate_Terms
CWE Content Team MITRE 2021-07-20 +00:00 updated Observed_Examples
CWE Content Team MITRE 2021-10-28 +00:00 updated Relationships
CWE Content Team MITRE 2022-10-13 +00:00 updated Observed_Examples
CWE Content Team MITRE 2023-01-31 +00:00 updated Description, Potential_Mitigations
CWE Content Team MITRE 2023-04-27 +00:00 updated References, Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes, Relationships
CWE Content Team MITRE 2024-02-29 +00:00 updated Taxonomy_Mappings
CWE Content Team MITRE 2024-11-19 +00:00 updated Common_Consequences, Description, Diagram, Relationships, Terminology_Notes
CWE Content Team MITRE 2025-04-03 +00:00 updated Diagram
CWE Content Team MITRE 2025-09-09 +00:00 updated Detection_Factors, Observed_Examples, References
CWE Content Team MITRE 2025-12-11 +00:00 updated Applicable_Platforms, Relationships, Weakness_Ordinalities
Informacje prezentowane na CVE Find pochodzą z kilku starannie wybranych źródeł referencyjnych. Dane CVE są dostarczane przez MITRE Corporation i Narodową Bazę Podatności (NVD). Katalog znanych eksploatowanych podatności (KEV) pochodzi z Agencji ds. Bezpieczeństwa Cyberprzestrzeni i Infrastruktury (CISA), natomiast wyniki EPSS pochodzą z FIRST.org. Ponadto dane dotyczące słabości oprogramowania (CWE) i typowych wzorców ataków (CAPEC) są utrzymywane przez MITRE Corporation, a informacje o konfiguracjach sprzętu i oprogramowania (CPE) są dostarczane przez NVD.