
CWE-1220 — Insufficient Granularity of Access Control

68 vulnerabilities classified as CWE-1220. AI-generated Chinese analysis included.

CWE-1220 covers access-control policies whose granularity is too coarse for the asset they protect. The policy exists and is enforced, but because it cannot express the distinction that matters (read versus write, one register versus a whole block, one agent versus a group), it ends up granting access to agents that should never have it. The usual cause is a control applied at the wrong level: read or write access to an entire directory or device group rather than to a specific file or register, or a single read/write policy where the intended flow is "one agent writes, a different agent reads". An attacker does not need to bypass the control; they use the legitimate but excessive rights it already grants to read or modify security-sensitive data that should have stayed isolated. In integrated circuits this typically manifests as a low-privilege core or bus manager being able to reach high-security memory or registers, such as those holding cryptographic keys. The mitigation is the principle of least privilege applied at design time: assign rights at the most specific level the function needs, and review the policy definition itself, not only its enforcement, for cases where one bit covers two distinct permissions. Design review and static analysis of policy definitions, followed by pre-silicon and post-silicon testing of the policy programming flow, catch overly permissive configurations before deployment.

MITRE CWE Description
The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets. Integrated circuits and hardware engines can expose accesses to assets (device configuration, keys, etc.) to trusted firmware or a software module (commonly set by BIOS/bootloader). This access is typically access-controlled. Upon a power reset, the hardware or system usually starts with default values in registers, and the trusted firmware (Boot firmware) configures the necessary access-control protection. A common weakness that can exist in such protection schemes is that access controls or policies are not granular enough. This condition allows agents beyond trusted agents to access assets and could lead to a loss of functionality or the ability to set up the device securely. This further results in security risks from leaked, sensitive, key material to modification of device configuration.
Common Consequences (1)
Scope: Confidentiality, Integrity, Availability, Access Control
Impact: Modify Memory, Read Memory, Execute Unauthorized Code or Commands, Gain Privileges or Assume Identity, Bypass Protection Mechanism, Other
Mitigations (1)
Phase: Architecture and Design, Implementation, Testing
Access-control-policy protections must be reviewed for design inconsistency and common weaknesses. Access-control-policy definition and programming flow must be tested in pre-silicon and post-silicon testing.
Effectiveness: High
Examples (2)
Consider a system with a register for storing an AES key for encryption or decryption. The key is 128 bits, implemented as a set of four 32-bit registers. The key registers are assets, and the registers AES_KEY_READ_POLICY and AES_KEY_WRITE_POLICY are defined to provide the necessary access controls. The read-policy register defines which agents can read the AES-key registers, and the write-policy register …
Register | Field description | Default
AES_ENC_DEC_KEY_0 | AES key [0:31] for encryption or decryption | 0x00000000
AES_ENC_DEC_KEY_1 | AES key [32:63] for encryption or decryption | 0x00000000
AES_ENC_DEC_KEY_2 | AES key [64:95] for encryption or decryption | 0x00000000
AES_ENC_DEC_KEY_3 | AES key [96:127] for encryption or decryption | 0x00000000
AES_KEY_READ_WRITE_POLICY [31:0] | single policy covering both reads and writes of the key registers | 0x00000006, meaning agents with identities "1" and "2" can both read from and write to the key registers
Bad · Other
Register | Field description | Default
AES_KEY_READ_POLICY [31:0] | which agents may read AES_ENC_DEC_KEY_0, AES_ENC_DEC_KEY_1, AES_ENC_DEC_KEY_2, AES_ENC_DEC_KEY_3 | 0x00000002, meaning only the Crypto engine with identity "1" can read the key registers
AES_KEY_WRITE_POLICY [31:0] | which agents may program AES_ENC_DEC_KEY_0, AES_ENC_DEC_KEY_1, AES_ENC_DEC_KEY_2, AES_ENC_DEC_KEY_3 | 0x00000004, meaning only trusted firmware with identity "2" can program the key registers
Good · Other
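The following C model is added here to make the difference between the two policy layouts checkable; it is not text from MITRE's CWE entry or any vendor's RTL. It encodes agent identities as bit positions in a 32-bit policy register (identity "1" is bit 1, identity "2" is bit 2), which is where the 0x2, 0x4 and 0x6 values above come from. The identity "3" untrusted agent, the audit flags and the boot-flow walk are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not MITRE's text or any vendor's RTL: a C model of the
 * AES key-register policies above. Agent identities are bit positions in
 * a 32-bit policy register (identity "1" -> bit 1, identity "2" -> bit 2),
 * which is why 0x2, 0x4 and 0x6 appear in the example. Identity "3" is an
 * assumed untrusted agent added for illustration. */

#define ID_CRYPTO_ENGINE 1u
#define ID_TRUSTED_FW    2u
#define ID_UNTRUSTED     3u

typedef struct {
    uint32_t key[4];        /* AES_ENC_DEC_KEY_0 .. AES_ENC_DEC_KEY_3 */
    uint32_t read_policy;   /* which identities may read the key registers */
    uint32_t write_policy;  /* which identities may write them */
} aes_key_block;

static bool policy_allows(uint32_t policy, unsigned id)
{
    return id < 32 && ((policy >> id) & 1u);
}

/* Bad design: a single AES_KEY_READ_WRITE_POLICY (0x6) gates both
 * directions, so the model loads the same mask into both checks. */
static void init_bad(aes_key_block *kb)
{
    *kb = (aes_key_block){ .read_policy = 0x6, .write_policy = 0x6 };
}

/* Good design: AES_KEY_READ_POLICY = 0x2 (crypto engine only),
 * AES_KEY_WRITE_POLICY = 0x4 (trusted firmware only). */
static void init_good(aes_key_block *kb)
{
    *kb = (aes_key_block){ .read_policy = 0x2, .write_policy = 0x4 };
}

static bool key_write(aes_key_block *kb, unsigned id, unsigned idx, uint32_t v)
{
    if (idx > 3 || !policy_allows(kb->write_policy, id))
        return false;
    kb->key[idx] = v;
    return true;
}

static bool key_read(const aes_key_block *kb, unsigned id, unsigned idx, uint32_t *out)
{
    if (idx > 3 || !policy_allows(kb->read_policy, id))
        return false;
    *out = kb->key[idx];
    return true;
}

/* Audit flags returned by audit_policy() (assumed names for illustration). */
#define VIOL_ENGINE_CAN_WRITE  0x1  /* crypto engine could substitute its own key */
#define VIOL_FIRMWARE_CAN_READ 0x2  /* firmware, or whatever hijacks it, can leak the key */
#define VIOL_UNTRUSTED_ACCESS  0x4  /* an unlisted identity gets any access at all */

static unsigned audit_policy(const aes_key_block *kb)
{
    unsigned v = 0;
    if (policy_allows(kb->write_policy, ID_CRYPTO_ENGINE)) v |= VIOL_ENGINE_CAN_WRITE;
    if (policy_allows(kb->read_policy, ID_TRUSTED_FW))     v |= VIOL_FIRMWARE_CAN_READ;
    if (policy_allows(kb->read_policy, ID_UNTRUSTED) ||
        policy_allows(kb->write_policy, ID_UNTRUSTED))     v |= VIOL_UNTRUSTED_ACCESS;
    return v;
}

/* The intended boot flow: firmware programs the key, the engine reads it,
 * nobody else gets through. Returns true if every step behaves. */
static bool boot_flow_ok(aes_key_block *kb)
{
    uint32_t word = 0;
    if (!key_write(kb, ID_TRUSTED_FW, 0, 0x01234567u)) return false;
    if (!key_read(kb, ID_CRYPTO_ENGINE, 0, &word) || word != 0x01234567u) return false;
    if (key_read(kb, ID_UNTRUSTED, 0, &word)) return false;
    return true;
}

int main(void)
{
    aes_key_block bad, good;
    init_bad(&bad);
    init_good(&good);
    printf("bad  policy: violations 0x%x, boot flow ok %d\n", audit_policy(&bad), boot_flow_ok(&bad));
    printf("good policy: violations 0x%x, boot flow ok %d\n", audit_policy(&good), boot_flow_ok(&good));
    return 0;
}
```

The point the model makes is that the coarse policy passes the functional boot flow just as well as the fine-grained one; it only fails the audit that asks the negative questions (can the engine write, can firmware read). A policy review that only exercises the intended flow will not find CWE-1220.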
Within the AXI node interface wrapper module in the RISC-V AXI module of the HACK@DAC'19 CVA6 SoC [REF-1346], an access control mechanism is employed to regulate the access of different privileged users to peripherals. The connectivity map is meant to be exactly the access_ctrl_i entry for subordinate i and manager j at the current privilege level, but the extra OR term in the vulnerable version also grants manager 6 whatever manager 7 is allowed, so the policy can no longer express a grant to manager 7 alone.
...
for (i=0; i<NB_SUBORDINATE; i++) begin
  for (j=0; j<NB_MANAGER; j++) begin
    assign connectivity_map_o[i][j] = access_ctrl_i[i][j][priv_lvl_i] || ((j==6) && access_ctrl_i[i][7][priv_lvl_i]);
  end
end
...
Bad · Verilog
...
for (i=0; i<NB_SUBORDINATE; i++) begin
  for (j=0; j<NB_MANAGER; j++) begin
    assign connectivity_map_o[i][j] = access_ctrl_i[i][j][priv_lvl_i];
  end
end
...
Good · Verilog
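To show what the extra OR term costs on a concrete policy, here is a C model of the connectivity-map logic, added as an example and not taken from the CVA6 or HACK@DAC'19 sources. The array dimensions, the privilege-level encoding (0 = U, 1 = S, 3 = M, as in RISC-V) and the sample policy table are assumptions for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added example, not the CVA6 / HACK@DAC'19 RTL: a C model of the AXI
 * connectivity-map logic above. Dimensions, the privilege-level encoding
 * (0 = U, 1 = S, 3 = M) and the sample policy are assumptions. */

#define NB_SUBORDINATE 2    /* peripherals behind the AXI node */
#define NB_MANAGER     8    /* bus managers; indices 6 and 7 matter here */
#define NB_PRIV        4    /* privilege levels indexable by priv_lvl_i */

/* access_ctrl[i][j][p]: may manager j reach subordinate i at privilege p? */
typedef bool access_ctrl_t[NB_SUBORDINATE][NB_MANAGER][NB_PRIV];
typedef bool conn_map_t[NB_SUBORDINATE][NB_MANAGER];

/* Vulnerable logic: manager 6 additionally inherits manager 7's grants. */
static void connectivity_bad(access_ctrl_t ctrl, unsigned priv, conn_map_t map)
{
    for (int i = 0; i < NB_SUBORDINATE; i++)
        for (int j = 0; j < NB_MANAGER; j++)
            map[i][j] = ctrl[i][j][priv] || (j == 6 && ctrl[i][7][priv]);
}

/* Fixed logic: each manager is judged only by its own policy entry. */
static void connectivity_good(access_ctrl_t ctrl, unsigned priv, conn_map_t map)
{
    for (int i = 0; i < NB_SUBORDINATE; i++)
        for (int j = 0; j < NB_MANAGER; j++)
            map[i][j] = ctrl[i][j][priv];
}

/* Constructed sample policy: subordinate 0 is a sensitive peripheral that
 * manager 7 (say, a trusted DMA engine) may reach at any privilege level,
 * while manager 6 may reach it only from M-mode. Subordinate 1 is open
 * to every manager at every level. */
static void sample_policy(access_ctrl_t ctrl)
{
    for (int i = 0; i < NB_SUBORDINATE; i++)
        for (int j = 0; j < NB_MANAGER; j++)
            for (int p = 0; p < NB_PRIV; p++)
                ctrl[i][j][p] = (i == 1);
    for (int p = 0; p < NB_PRIV; p++)
        ctrl[0][7][p] = true;
    ctrl[0][6][3] = true;
}

/* Number of (subordinate, manager) pairs the vulnerable map grants at
 * privilege level priv that the policy table itself does not. */
static unsigned excess_grants(access_ctrl_t ctrl, unsigned priv)
{
    conn_map_t bad, good;
    unsigned n = 0;
    connectivity_bad(ctrl, priv, bad);
    connectivity_good(ctrl, priv, good);
    for (int i = 0; i < NB_SUBORDINATE; i++)
        for (int j = 0; j < NB_MANAGER; j++)
            if (bad[i][j] && !good[i][j])
                n++;
    return n;
}

/* Excess grants of the constructed policy at a given privilege level. */
static unsigned sample_excess(unsigned priv)
{
    access_ctrl_t ctrl;
    sample_policy(ctrl);
    return excess_grants(ctrl, priv);
}

int main(void)
{
    for (unsigned p = 0; p < NB_PRIV; p++)
        printf("priv %u: %u access(es) granted beyond the policy table\n",
               p, sample_excess(p));
    return 0;
}
```

With this policy the vulnerable map lets manager 6 reach the sensitive peripheral from U-, S- and the reserved level even though only the M-mode entry is set for it; the excess disappears at M-mode because manager 6's own entry is already true there. The same diff over the real access_ctrl_i contents is the pre-silicon check the Mitigations section above calls for.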
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2025-29987 | Dell PowerProtect Data Domain security vulnerability | DD OS 8.3 | 8.8 | High | 2025-04-03
CVE-2024-12619 | Insufficient Granularity of Access Control in GitLab | GitLab | 5.2 | Medium | 2025-03-28
CVE-2025-20111 | Cisco Nexus 3000 and 9000 Series Switches Layer 2 Ethernet Denial of Service Vulnerability | Cisco NX-OS Software | 7.4 | High | 2025-02-26
CVE-2024-6696 | Hitachi Vantara Pentaho Business Analytics Server - Insufficient Granularity of Access Control | Pentaho Data Integration & Analytics | 4.9 | Medium | 2025-02-19
CVE-2024-21971 | AMD Graphics Driver input validation error vulnerability | AMD Ryzen™ 5000 Series Desktop Processors | 5.5 | Medium | 2025-02-12
CVE-2023-31343 | AMD Server Processor input validation error vulnerability | AMD EPYC™ 7003 Processors | 7.5 | High | 2025-02-11
CVE-2023-31342 | AMD Server Processor input validation error vulnerability | AMD EPYC™ 7003 Processors | 7.5 | High | 2025-02-11
CVE-2024-53295 | Dell PowerProtect Data Domain security vulnerability | PowerProtect DD | 7.8 | High | 2025-02-01
CVE-2024-11931 | Insufficient Granularity of Access Control in GitLab | GitLab | 6.4 | Medium | 2025-01-24
CVE-2024-13272 | Paragraphs table - Critical - Access bypass, Information Disclosure - SA-CONTRIB-2024-036 | Paragraphs table | 4.3 | - | 2025-01-09
CVE-2024-13256 | Email Contact - Moderately critical - Access bypass - SA-CONTRIB-2024-020 | Email Contact | 7.5 | - | 2025-01-09
CVE-2024-52814 | Helm Lacks Granularity in Workflow Role | argo-helm | 2.8 | Low | 2024-11-22
CVE-2024-43604 | Outlook for Android Elevation of Privilege Vulnerability | Microsoft Outlook for Android | 5.7 | Medium | 2024-10-08
CVE-2024-6867 | Information Disclosure in lunary-ai/lunary | lunary-ai/lunary | 4.3 (AI) | Medium (AI) | 2024-09-13
CVE-2024-39324 | aimeos/ai-admin-graphql improper access control vulnerability allows editors to manage own services | ai-admin-graphql | 3.8 | Low | 2024-07-02
CVE-2024-39323 | aimeos/ai-admin-graphql improper access control vulnerability allows an editor to modify admin account | ai-admin-graphql | 7.1 | High | 2024-07-02
CVE-2024-5389 | Insufficient Access Control in lunary-ai/lunary | lunary-ai/lunary | 4.3 | - | 2024-06-09
CVE-2023-43040 | IBM Spectrum Fusion HCI improper access control | Spectrum Fusion HCI | 6.5 | Medium | 2024-05-13
CVE-2024-29200 | API returns timesheet entries a user should not be authorized to view | kimai | 6.8 | Medium | 2024-03-28
CVE-2023-32259 | Potential Insufficient Access Control vulnerability has been identified in OpenText™ SMAX/AMX products. | Service Management Automation X (SMAX) | 6.5 | Medium | 2024-03-19
CVE-2023-6725 | Tripleo-ansible: bind keys are world readable | Red Hat OpenStack Platform 17.1 for RHEL 8 | 5.5 | Medium | 2024-03-15
CVE-2024-26246 | Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability | Microsoft Edge for Android | 3.9 | Low | 2024-03-14
CVE-2024-2412 | Heimavista Rpage and Epage - Broken Access Control | Rpage | 5.3 | Medium | 2024-03-13
CVE-2023-50713 | Speckle Server API Token Privilege Escalation | speckle-server | 6.5 | Medium | 2023-12-14
CVE-2023-44285 | Dell PowerProtect Data Domain security vulnerability | PowerProtect DD | 7.8 | High | 2023-12-14
CVE-2023-4456 | Openshift-logging: lokistack authorisation is cached too broadly | RHOL-5.5-RHEL-8 | 5.7 | Medium | 2023-08-21
CVE-2023-39418 | Postgresql: merge fails to enforce update or select row security policies | Red Hat Enterprise Linux 8 | 3.1 | Low | 2023-08-11
CVE-2023-33127 | .NET and Visual Studio Elevation of Privilege Vulnerability | .NET 6.0 | 8.1 | High | 2023-07-11
CVE-2023-3227 | Insufficient Granularity of Access Control in fossbilling/fossbilling | fossbilling/fossbilling | 7.1 | - | 2023-06-14
CVE-2023-0205 | NVIDIA ConnectX security vulnerability | NVIDIA ConnectX Firmware | 5.0 | Medium | 2023-04-22

Vulnerabilities classified as CWE-1220 represent 68 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.