CWE-285: Improper Authorization

ID CWE-285
Abstraction Class
Structure Simple
Status Draft
Number of CVEs 587
The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Assuming a user with a given identity, authorization is the process of determining whether that user can access a given resource, based on the user's privileges and any permissions or other access-control specifications that apply to the resource.

When access control checks are not applied consistently - or not at all - users are able to access data or perform actions that they should not be allowed to perform. This can lead to a wide range of problems, including information exposures, denial of service, and arbitrary code execution.

Modes of Introduction

Phase Note
Implementation REALIZATION: This weakness is caused during implementation of an architectural security tactic. A developer may introduce authorization weaknesses because of a lack of understanding about the underlying technologies. For example, a developer may assume that attackers cannot modify certain inputs such as headers or cookies.
Architecture and Design Authorization weaknesses may arise when a single-user application is ported to a multi-user environment.
Operation
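The two failure modes named above, a missing check (summary) and a check that trusts client-modifiable input such as a header (Implementation row), shown as an added example that is not part of the CWE entry or of any referenced product: a Python request handler that decides access from an X-Role header the client controls, beside a corrected handler that derives the role from server-side session state. The session store, the record store, the X-Role header name and all handler names are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample state standing in for a server-side session store and a
# protected data store; none of it is taken from the CWE entry.
SESSIONS = {
    "sess-alice": {"user": "alice", "role": "user"},
    "sess-root": {"user": "root", "role": "admin"},
}
RECORDS = {
    42: {"owner": "alice", "body": "alice's note"},
    43: {"owner": "bob", "body": "bob's note"},
}

@dataclass
class Request:  # minimal stand-in for an HTTP request
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)

def _session_for(req):
    """Authentication step shared by both handlers: resolve the session cookie."""
    session = SESSIONS.get(req.cookies.get("session"))
    if session is None:
        raise PermissionError("not authenticated")
    return session

def get_record_vulnerable(req, record_id):
    """CWE-285: the caller is authenticated, but the authorization decision
    trusts an X-Role header that the client can set to any value."""
    session = _session_for(req)
    record = RECORDS[record_id]
    # Defect: any authenticated user can send "X-Role: admin" and read every record.
    if req.headers.get("X-Role") == "admin" or record["owner"] == session["user"]:
        return record["body"]
    raise PermissionError("forbidden")

def get_record_fixed(req, record_id):
    """Corrected handler: the role comes from server-side session state and
    the ownership check runs on every request, so no client input widens access."""
    session = _session_for(req)
    record = RECORDS[record_id]
    if session["role"] == "admin" or record["owner"] == session["user"]:
        return record["body"]
    raise PermissionError("forbidden")

def allowed(handler, req, record_id):
    """True if the handler served the record, False if it refused."""
    try:
        return handler(req, record_id) is not None
    except PermissionError:
        return False
```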

Applicable Platforms

Type Class Name Prevalence
Language Not Language-Specific
Technology Web Server
Technology Database Server

Relationships

View: CWE-1000 Research Concepts (Status: Draft)
  Weakness: CWE-284 Improper Access Control (Abstraction: Pillar; Structure: Simple; Status: Incomplete)
View: CWE-1340 CISQ Data Protection Measures (Status: Incomplete)
  Weakness: CWE-284 Improper Access Control (Abstraction: Pillar; Structure: Simple; Status: Incomplete)

Common Attack Pattern Enumeration and Classification (CAPEC)

The Common Attack Pattern Enumeration and Classification (CAPEC™) effort provides a publicly available catalog of common attack patterns that helps users understand how adversaries exploit weaknesses in applications and other cyber-enabled capabilities.

CAPEC at Mitre.org
# ID Name Weaknesses
CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs CWE-285
CAPEC-5 Blue Boxing CWE-285
CAPEC-13 Subverting Environment Variable Values CWE-285
CAPEC-17 Using Malicious Files CWE-285
CAPEC-39 Manipulating Opaque Client-based Data Tokens CWE-285
CAPEC-45 Buffer Overflow via Symbolic Links CWE-285
CAPEC-51 Poison Web Service Registry CWE-285
CAPEC-59 Session Credential Falsification through Prediction CWE-285
CAPEC-60 Reusing Session IDs (aka Session Replay) CWE-285
CAPEC-76 Manipulating Web Input to File System Calls CWE-285
CAPEC-77 Manipulating User-Controlled Variables CWE-285
CAPEC-87 Forceful Browsing CWE-285
CAPEC-104 Cross Zone Scripting CWE-285
CAPEC-127 Directory Indexing CWE-285
CAPEC-402 Bypassing ATA Password Security CWE-285
CAPEC-647 Collect Data from Registries CWE-285
CAPEC-668 Key Negotiation of Bluetooth Attack (KNOB) CWE-285
