CWE-551: Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

ID CWE-551

Abstraction Base

Structure Simple

Status Incomplete

Number of CVEs 7

If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection.

For instance, the character strings /./ and / both mean current directory. If /SomeDirectory is a protected directory and an attacker requests /./SomeDirectory, the attacker may be able to gain access to the resource if /./ is not converted to / before the authorization check is performed.

Modes of Introduction

Phase	Note
Implementation	REALIZATION: This weakness is caused during implementation of an architectural security tactic.

Relationships

View			Weakness
# ID	View	Status	# ID	Name	Abstraction	Structure	Status
CWE-1000	Research Concepts	Draft	CWE-863	Incorrect Authorization	Class	Simple	Incomplete
CWE-1000	Research Concepts	Draft	CWE-696	Incorrect Behavior Order	Class	Simple	Incomplete

CVEs Published

Based on CVE published date

CVSS Severity

CVSS Severity - By Year

CVSS Base Score

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date