CWE-285: Improper Authorization
Assuming a user with a given identity, authorization is the process of determining whether that user can access a given resource, based on the user's privileges and any permissions or other access-control specifications that apply to the resource.
When access control checks are not applied consistently - or not at all - users are able to access data or perform actions that they should not be allowed to perform. This can lead to a wide range of problems, including information exposures, denial of service, and arbitrary code execution.
Modes of Introduction
Phase | Note |
---|---|
Implementation | REALIZATION: This weakness is caused during implementation of an architectural security tactic. A developer may introduce authorization weaknesses because of a lack of understanding about the underlying technologies. For example, a developer may assume that attackers cannot modify certain inputs such as headers or cookies. |
Architecture and Design | Authorization weaknesses may arise when a single-user application is ported to a multi-user environment. |
Operation | |
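The description above distinguishes authentication (who the user is) from authorization (what that identity may do to a given resource), and the Implementation note gives the classic mistake of trusting client-modifiable inputs such as headers or cookies. The following Python is an added example, not code from the CWE entry: it builds a constructed document service with a session store, a document store and a request type, and places two authorization checks that exhibit CWE-285 (one never checks ownership, one derives the role from a client header) beside hardened versions that take identity and role only from the server-side session and check every resource access consistently.

```python
# Added example, not code from the CWE entry: a constructed document service showing an
# authorization check that is missing or trusts client input (CWE-285) beside a hardened one.
from dataclasses import dataclass, field

# Constructed server-side session store: token -> (user_id, role). The client holds only the token.
SESSIONS = {
    "tok-alice": ("alice", "user"),
    "tok-bob": ("bob", "user"),
    "tok-root": ("root", "admin"),
}

# Constructed resource store: doc_id -> owner user_id.
DOCUMENTS = {"doc-1": "alice", "doc-2": "bob"}


@dataclass
class Request:
    """One incoming request: the session token, the target document id and client-controlled headers."""
    session_token: str
    doc_id: str
    headers: dict = field(default_factory=dict)  # cookies/headers: the client can set these freely


def _authenticated(req: Request) -> bool:
    return req.session_token in SESSIONS


# --- Vulnerable: authentication is checked, but authorization is missing or trusts the client. ---
def authorize_read_vulnerable(req: Request) -> bool:
    # Any logged-in user may read any existing document: the ownership check was never written.
    return _authenticated(req) and req.doc_id in DOCUMENTS


def authorize_delete_vulnerable(req: Request) -> bool:
    # The role is read from a header the client sends, so a forged "X-Role: admin" passes the check.
    return _authenticated(req) and req.headers.get("X-Role") == "admin"


# --- Hardened: identity and role come from the server-side session; every operation checks the resource. ---
def _principal(req: Request):
    """Return (user_id, role) from the session store, or None if the token is unknown."""
    return SESSIONS.get(req.session_token)


def authorize_read_hardened(req: Request) -> bool:
    principal = _principal(req)
    if principal is None:
        return False
    user_id, role = principal
    owner = DOCUMENTS.get(req.doc_id)
    # An unknown document and someone else's document both yield False, so the decision
    # does not reveal which ids exist.
    return owner is not None and (owner == user_id or role == "admin")


def authorize_delete_hardened(req: Request) -> bool:
    principal = _principal(req)
    if principal is None:
        return False
    _, role = principal
    # The role comes from the session record, not from anything the client can edit.
    return role == "admin" and req.doc_id in DOCUMENTS


if __name__ == "__main__":
    # Bob, a normal user, targets Alice's document and sends a forged role header.
    forged = Request("tok-bob", "doc-1", headers={"X-Role": "admin"})
    print("vulnerable read of alice's doc by bob:", authorize_read_vulnerable(forged))   # True
    print("vulnerable delete with forged header:", authorize_delete_vulnerable(forged))  # True
    print("hardened read:", authorize_read_hardened(forged))                             # False
    print("hardened delete:", authorize_delete_hardened(forged))                         # False
```

The hardened functions share one lookup of the principal and apply the same decision shape to every operation, which is the practical defence against the inconsistency the description warns about: a single authorization gate that every resource access goes through, fed only by server-held state.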
Applicable Platforms
Type | Class | Name | Prevalence |
---|---|---|---|
Language | Not Language-Specific | | |
Technology | Web Server | | |
Technology | Database Server | | |
Common Attack Pattern Enumeration and Classification (CAPEC)
The Common Attack Pattern Enumeration and Classification (CAPEC™) effort provides a publicly available catalog of common attack patterns that helps users understand how adversaries exploit weaknesses in applications and other cyber-enabled capabilities.
CAPEC at Mitre.org
# ID | Name | Weaknesses |
---|---|---|
CAPEC-1 | Accessing Functionality Not Properly Constrained by ACLs | CWE-285 |
CAPEC-5 | Blue Boxing | CWE-285 |
CAPEC-13 | Subverting Environment Variable Values | CWE-285 |
CAPEC-17 | Using Malicious Files | CWE-285 |
CAPEC-39 | Manipulating Opaque Client-based Data Tokens | CWE-285 |
CAPEC-45 | Buffer Overflow via Symbolic Links | CWE-285 |
CAPEC-51 | Poison Web Service Registry | CWE-285 |
CAPEC-59 | Session Credential Falsification through Prediction | CWE-285 |
CAPEC-60 | Reusing Session IDs (aka Session Replay) | CWE-285 |
CAPEC-76 | Manipulating Web Input to File System Calls | CWE-285 |
CAPEC-77 | Manipulating User-Controlled Variables | CWE-285 |
CAPEC-87 | Forceful Browsing | CWE-285 |
CAPEC-104 | Cross Zone Scripting | CWE-285 |
CAPEC-127 | Directory Indexing | CWE-285 |
CAPEC-402 | Bypassing ATA Password Security | CWE-285 |
CAPEC-647 | Collect Data from Registries | CWE-285 |
CAPEC-668 | Key Negotiation of Bluetooth Attack (KNOB) | CWE-285 |
[Charts not reproduced in text: CVEs Published; CVSS Severity; CVSS Severity - By Year; CVSS Base Score]
# CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Publication Date | Modification Date |
---|---|---|---|---|---|---|---|---|---|---|---|