CWE-862 Detalhe

CWE-862

Missing Authorization
Alta
Incomplete
2011-06-01
00h00 +00:00
2025-12-11
00h00 +00:00
CWE Mitre.org
Notificações para um CWE
Fique informado sobre quaisquer alterações para um CWE específico.
Gerenciar notificações

Nome: Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Informações Gerais

Detalhes de Contexto

Modos de Introdução

Architecture and Design
Implementation : A developer may introduce authorization weaknesses because of a lack of understanding about the underlying technologies. For example, a developer may assume that attackers cannot modify certain inputs such as headers or cookies.
Operation

Plataformas Aplicáveis

Linguagem

Class: Not Language-Specific (Undetermined)

Tecnologias

Name: AI/ML (Undetermined)
Name: Web Server (Often)
Name: Database Server (Often)
Class: Not Technology-Specific (Undetermined)

Consequências Comuns

Escopo Impacto Probabilidade
ConfidentialityRead Application Data, Read Files or Directories

Note: An attacker could read sensitive data, either by reading the data directly from a data store that is not restricted, or by accessing insufficiently-protected, privileged functionality to read the data.
IntegrityModify Application Data, Modify Files or Directories

Note: An attacker could modify sensitive data, either by writing the data directly to a data store that is not restricted, or by accessing insufficiently-protected, privileged functionality to write the data.
Access ControlGain Privileges or Assume Identity, Bypass Protection Mechanism

Note: An attacker could gain privileges by modifying or reading critical data directly, or by accessing privileged functionality.
AvailabilityDoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Resource Consumption (Other)

Note: An attacker could gain unauthorized access to resources on the system and excessively consume those resources, leading to a denial of service.

Exemplos Observados

Referências Descrição

CVE-2024-6845

chatbot Wordpress plugin does not perform authorization on a REST endpoint, allowing retrieval of an API key

CVE-2025-2224

AI-enabled WordPress plugin has a missing capability check for a particular function, allowing changing public status of posts

CVE-2022-24730

Go-based continuous deployment product does not check that a user has certain privileges to update or create an app, allowing adversaries to read sensitive repository information

CVE-2009-3168

Web application does not restrict access to admin scripts, allowing authenticated users to reset administrative passwords.

CVE-2009-3597

Web application stores database file under the web root with insufficient access control (CWE-219), allowing direct request.

CVE-2009-2282

Terminal server does not check authorization for guest access.

CVE-2008-5027

System monitoring software allows users to bypass authorization by creating custom forms.

CVE-2009-3781

Content management system does not check access permissions for private files, allowing others to view those files.

CVE-2008-6548

Product does not check the ACL of a page accessed using an "include" directive, allowing attackers to read unauthorized files.

CVE-2009-2960

Web application does not restrict access to admin scripts, allowing authenticated users to modify passwords of other users.

CVE-2009-3230

Database server does not use appropriate privileges for certain sensitive operations.

CVE-2009-2213

Gateway uses default "Allow" configuration for its authorization settings.

CVE-2009-0034

Chain: product does not properly interpret a configuration option for a system group, allowing users to gain privileges.

CVE-2008-6123

Chain: SNMP product does not properly parse a configuration option for which hosts are allowed to connect, allowing unauthorized IP addresses to connect.

CVE-2008-7109

Chain: reliance on client-side security (CWE-602) allows attackers to bypass authorization using a custom client.

CVE-2008-3424

Chain: product does not properly handle wildcards in an authorization policy list, allowing unintended access.

CVE-2005-1036

Chain: Bypass of access restrictions due to improper authorization (CWE-862) of a user results from an improperly initialized (CWE-909) I/O permission bitmap

CVE-2008-4577

ACL-based protection mechanism treats negative access rights as if they are positive, allowing bypass of intended restrictions.

CVE-2007-2925

Default ACL list for a DNS server does not set certain ACLs, allowing unauthorized DNS queries.

CVE-2006-6679

Product relies on the X-Forwarded-For HTTP header for authorization, allowing unintended access by spoofing the header.

CVE-2005-3623

OS kernel does not check for a certain privilege before setting ACLs for files.

CVE-2005-2801

Chain: file-system code performs an incorrect comparison (CWE-697), preventing default ACLs from being properly applied.

CVE-2001-1155

Chain: product does not properly check the result of a reverse DNS lookup because of operator precedence (CWE-783), allowing bypass of DNS-based access restrictions.

CVE-2020-17533

Chain: unchecked return value (CWE-252) of some functions for policy enforcement leads to authorization bypass (CWE-862)

Mitigações Potenciais

Phases : Architecture and Design
Phases : Architecture and Design
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Phases : Architecture and Design
Phases : Architecture and Design
Phases : System Configuration // Installation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

Métodos de Detecção

Automated Static Analysis

Eficácia : Limited

Automated Dynamic Analysis

Automated dynamic analysis may find many or all possible interfaces that do not require authorization, but manual analysis is required to determine if the lack of authorization violates business logic.

Manual Analysis

Eficácia : Moderate

Manual Static Analysis - Binary or Bytecode

Eficácia : SOAR Partial

Dynamic Analysis with Automated Results Interpretation

Eficácia : SOAR Partial

Dynamic Analysis with Manual Results Interpretation

Eficácia : SOAR Partial

Manual Static Analysis - Source Code

Eficácia : SOAR Partial

Automated Static Analysis - Source Code

Eficácia : SOAR Partial

Architecture or Design Review

Eficácia : High

Notas de Mapeamento de Vulnerabilidade

Justificativa : This CWE entry is a Class and might have Base-level children that would be more appropriate
Comentário : Examine children of this entry to see if there is a better fit

Padrões de Ataque Relacionados

CAPEC-ID Nome do Padrão de Ataque
CAPEC-665 Exploitation of Thunderbolt Protection Flaws

Notas

Assuming a user with a given identity, authorization is the process of determining whether that user can access a given resource, based on the user's privileges and any permissions or other access-control specifications that apply to the resource.

Referências

REF-229

Role Based Access Control and Role Based Security
NIST.
https://csrc.nist.gov/projects/role-based-access-control

REF-7

Writing Secure Code
Michael Howard, David LeBlanc.
https://www.microsoftpressstore.com/store/writing-secure-code-9780735617223

REF-231

Top 25 Series - Rank 5 - Improper Access Control (Authorization)
Frank Kim.
https://www.sans.org/blog/top-25-series-rank-5-improper-access-control-authorization

REF-45

OWASP Enterprise Security API (ESAPI) Project
OWASP.
https://owasp.org/www-project-enterprise-security-api/

REF-233

Authentication using JAAS
Rahul Bhattacharjee.
https://javaranch.com/journal/2008/04/authentication-using-JAAS.html

REF-62

The Art of Software Security Assessment
Mark Dowd, John McDonald, Justin Schuh.

REF-1479

State-of-the-Art Resources (SOAR) for Software Vulnerability Detection, Test, and Evaluation
Gregory Larsen, E. Kenneth Hong Fong, David A. Wheeler, Rama S. Moorthy.
https://www.ida.org/-/media/feature/publications/s/st/stateoftheart-resources-soar-for-software-vulnerability-detection-test-and-evaluation/p-5061.ashx

Submissão

Nome Organização Data Data de lançamento Version
CWE Content Team MITRE 2011-05-24 +00:00 2011-06-01 +00:00 1.13

Modificações

Nome Organização Data Comentário
CWE Content Team MITRE 2011-06-27 +00:00 updated Demonstrative_Examples, Related_Attack_Patterns, Relationships
CWE Content Team MITRE 2011-09-13 +00:00 updated Potential_Mitigations, References, Relationships
CWE Content Team MITRE 2012-05-11 +00:00 updated Demonstrative_Examples, Observed_Examples, References, Relationships
CWE Content Team MITRE 2012-10-30 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2014-02-18 +00:00 updated Relationships
CWE Content Team MITRE 2014-07-30 +00:00 updated Detection_Factors
CWE Content Team MITRE 2017-01-19 +00:00 updated Relationships
CWE Content Team MITRE 2017-11-08 +00:00 updated Applicable_Platforms, Modes_of_Introduction, References, Relationships
CWE Content Team MITRE 2018-03-27 +00:00 updated References
CWE Content Team MITRE 2019-06-20 +00:00 updated Relationships
CWE Content Team MITRE 2020-02-24 +00:00 updated Relationships
CWE Content Team MITRE 2020-08-20 +00:00 updated Relationships
CWE Content Team MITRE 2020-12-10 +00:00 updated Relationships
CWE Content Team MITRE 2021-03-15 +00:00 updated Alternate_Terms, Observed_Examples
CWE Content Team MITRE 2021-07-20 +00:00 updated Observed_Examples, Related_Attack_Patterns, Relationships
CWE Content Team MITRE 2021-10-28 +00:00 updated Relationships
CWE Content Team MITRE 2022-06-28 +00:00 updated Relationships
CWE Content Team MITRE 2022-10-13 +00:00 updated Observed_Examples
CWE Content Team MITRE 2023-01-31 +00:00 updated Description, Potential_Mitigations
CWE Content Team MITRE 2023-04-27 +00:00 updated References, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2024-11-19 +00:00 updated Common_Consequences, Description, Diagram, Relationships, Terminology_Notes
CWE Content Team MITRE 2025-09-09 +00:00 updated Applicable_Platforms, Detection_Factors, Observed_Examples, References
CWE Content Team MITRE 2025-12-11 +00:00 updated Applicable_Platforms, Relationships, Weakness_Ordinalities
As informações apresentadas no CVE Find originam-se de várias fontes de referência cuidadosamente selecionadas. Os dados CVE são fornecidos pela MITRE Corporation e pelo National Vulnerability Database (NVD). O catálogo de Vulnerabilidades Conhecidas Exploradas (KEV) é proveniente da Cybersecurity and Infrastructure Security Agency (CISA), enquanto as pontuações EPSS vêm do FIRST.org. Além disso, os dados sobre fraquezas de software (CWE) e padrões de ataque comuns (CAPEC) são mantidos pela MITRE Corporation, e as informações sobre configurações de hardware e software (CPE) são fornecidas pelo NVD.