CWE-566: Authorization Bypass Through User-Controlled SQL Primary Key

ID CWE-566

Abstraction Variant

Structure Simple

Status Incomplete

Number of CVEs 2

The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor.

When a user can set a primary key to any value, then the user can modify the key to point to unauthorized records.

Database access control errors occur when:

Data enters a program from an untrusted source.
The data is used to specify the value of a primary key in a SQL query.
The untrusted source does not have the permissions to be able to access all rows in the associated table.

Modes of Introduction

Phase	Note
Architecture and Design	COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic.
Implementation

Applicable Platforms

Type	Class	Name	Prevalence
Technology		Database Server

Relationships

View			Weakness
# ID	View	Status	# ID	Name	Abstraction	Structure	Status
CWE-1000	Research Concepts	Draft	CWE-639	Authorization Bypass Through User-Controlled Key	Base	Simple	Incomplete

CVEs Published

Based on CVE published date

CVSS Severity

CVSS Severity - By Year

CVSS Base Score

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date