
CWE-284 (Improper Access Control) — Vulnerability Class, 2062 CVEs

2062 vulnerabilities classified as CWE-284 (Improper Access Control). AI Chinese analysis included.

CWE-284 represents a critical security weakness where software fails to properly restrict access to sensitive resources, allowing unauthorized actors to interact with data or functions they should not reach. This flaw typically arises when developers neglect to implement robust authentication or authorization checks, enabling attackers to bypass security controls through direct URL manipulation, token forgery, or privilege escalation techniques. Exploitation often leads to severe consequences, including data breaches, unauthorized system modifications, or complete service disruption. To mitigate this risk, developers must enforce strict access control policies at every layer of the application architecture. This involves implementing comprehensive identity verification, applying the principle of least privilege, and rigorously validating user permissions before granting access to any protected resource, ensuring that only authenticated and authorized users can perform specific actions.

MITRE CWE Description
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Access control involves the use of several protection mechanisms such as:
- Authentication (proving the identity of an actor)
- Authorization (ensuring that a given actor can access a resource), and
- Accountability (tracking of activities that were performed)

When any mechanism is not applied or otherwise fails, attackers can compromise the security of the product by gaining privileges, reading sensitive information, executing commands, evading detection, etc.

There are two distinct behaviors that can introduce access control weaknesses:
- Specification: incorrect privileges, permissions, ownership, etc. are explicitly specified for either the user or the resource (for example, setting a password file to be world-writable, or giving administrator capabilities to a guest user). This action could be performed by the program or the administrator.
- Enforcement: the mechanism contains errors that prevent it from properly enforcing the specified access control requirements (e.g., allowing the user to specify their own privileges, or allowing a syntactically-incorrect ACL to produce insecure settings). This problem occurs within the program itself, in that it does not actually enforce the intended security policy that the administrator specifies.
Common Consequences (1)
Other: Varies by Context
Mitigations (2)
Architecture and Design, Operation: Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Architecture and Design: Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separatio…
Examples (2)
This code temporarily raises the program's privileges to allow creation of a new user folder.
import os

# invalidUsername(), raisePrivileges() and lowerPrivileges() are helpers assumed by
# the example and not defined here.
def makeNewUserDir(username):
    if invalidUsername(username):
        # avoid CWE-22 and CWE-78
        print('Usernames cannot contain invalid characters')
        return False
    try:
        raisePrivileges()
        os.mkdir('/home/' + username)
        lowerPrivileges()
    except OSError:
        # lowerPrivileges() is never reached on this path: the process stays elevated
        print('Unable to create new user directory for user:' + username)
        return False
    return True
Bad · Python
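The defect in the example above is that the privilege drop sits inside the `try` body, so any failure of `os.mkdir()` returns with privileges still raised. The following Python code is an added example, not part of the page or of MITRE's text: it reproduces that control flow next to the hardened form, in which `try/finally` bounds the privileged window. Because real privilege switching needs root, `raise_privileges()`/`lower_privileges()` are stand-ins that toggle a flag, and the collision that makes `mkdir` fail is constructed in a temporary directory; all names in the block are this example's own.

```python
import os
import tempfile

# Simulated privilege state so the control flow can be exercised without root.
_privileged = False


def raise_privileges():
    global _privileged
    _privileged = True


def lower_privileges():
    global _privileged
    _privileged = False


def privileges_raised():
    return _privileged


def invalid_username(username):
    # Reject empty names and anything that could escape the base directory.
    return not username or "/" in username or "\\" in username or ".." in username


def make_new_user_dir_bad(base, username):
    # Same shape as the page's example: lower_privileges() runs only when
    # os.mkdir() succeeds. On OSError the except branch returns while elevated.
    if invalid_username(username):
        return False
    try:
        raise_privileges()
        os.mkdir(os.path.join(base, username))
        lower_privileges()
    except OSError:
        return False
    return True


def make_new_user_dir_fixed(base, username):
    # Hardened form: the privileged window is bounded by try/finally, so the
    # drop happens on success, on OSError, and on any other exception.
    if invalid_username(username):
        return False
    raise_privileges()
    try:
        os.mkdir(os.path.join(base, username))
    except OSError:
        return False
    finally:
        lower_privileges()
    return True


def demo():
    """Run both variants against a pre-existing directory so os.mkdir() fails,
    then the fixed variant on a fresh name. Returns
    (bad_result, bad_left_raised, fixed_result, fixed_left_raised, fixed_success)."""
    with tempfile.TemporaryDirectory() as base:
        os.mkdir(os.path.join(base, "alice"))  # constructed collision
        lower_privileges()
        bad = make_new_user_dir_bad(base, "alice")
        bad_left_raised = privileges_raised()
        lower_privileges()
        fixed = make_new_user_dir_fixed(base, "alice")
        fixed_left_raised = privileges_raised()
        fixed_success = make_new_user_dir_fixed(base, "bob") and not privileges_raised()
    return bad, bad_left_raised, fixed, fixed_left_raised, fixed_success


if __name__ == "__main__":
    print(demo())  # (False, True, False, False, True)
```

Note that `raise_privileges()` is moved out of the `try` in the fixed version: if raising itself fails there is nothing to lower, and keeping it outside avoids a `finally` that drops privileges the function never acquired.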
This function runs an arbitrary SQL query on a given database, returning the result of the query.
function runEmployeeQuery($dbName, $name){
    mysql_select_db($dbName, $globalDbHandle) or die("Could not open Database" . $dbName);
    //Use a prepared statement to avoid CWE-89
    $preparedStatement = $globalDbHandle->prepare('SELECT * FROM employees WHERE name = :name');
    $preparedStatement->execute(array(':name' => $name));
    // No check that the requester is authorized to read employee records (CWE-284)
    return $preparedStatement->fetchAll();
}
/.../
$employeeRecord = runEmployeeQuery('EmployeeDB', $_GET['EmployeeName']);
Bad · PHP
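The PHP example above avoids SQL injection but never asks whether the requester may read employee records at all. The following Python code is an added example, not part of the page or of MITRE's text, and it swaps the PHP/MySQL setup for an in-memory SQLite database so it runs offline: the unchecked query is shown beside a hardened form that consults a grant table before the database is opened, and a deliberately hostile name shows the parameterized query still holds. The `DB_GRANTS` policy, the employee rows and every function name are constructed for this example.

```python
import sqlite3

# Constructed policy: which caller may open which database. Stands in for whatever
# the real application uses (roles table, IAM policy, ...).
DB_GRANTS = {
    "hr_user": {"EmployeeDB"},
    "guest": set(),
}


class NotAuthorized(Exception):
    """Raised when the caller has no grant for the requested database."""


def open_database(db_name):
    """Stand-in for mysql_select_db(): an in-memory SQLite copy of 'EmployeeDB'."""
    if db_name != "EmployeeDB":
        raise LookupError("Could not open Database " + db_name)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (name TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO employees VALUES (?, ?)",
                     [("alice", 90000), ("bob", 75000)])  # constructed rows
    conn.commit()
    return conn


def is_authorized(caller, db_name):
    return db_name in DB_GRANTS.get(caller, set())


def run_employee_query_bad(db_name, name):
    # Mirrors the page's PHP example: the query is parameterized (no CWE-89),
    # but nothing checks whether the requester may read employee records.
    conn = open_database(db_name)
    return conn.execute(
        "SELECT name, salary FROM employees WHERE name = ?", (name,)).fetchall()


def run_employee_query(db_name, caller, name):
    # Hardened form: the authorization decision is made before the database is
    # touched, and the query stays parameterized.
    if not is_authorized(caller, db_name):
        raise NotAuthorized(f"{caller!r} is not permitted to query {db_name!r}")
    conn = open_database(db_name)
    return conn.execute(
        "SELECT name, salary FROM employees WHERE name = ?", (name,)).fetchall()


def query_result(db_name, caller, name):
    """Wrapper returning 'denied' instead of raising, for callers that want a
    value to log or assert on."""
    try:
        return run_employee_query(db_name, caller, name)
    except NotAuthorized:
        return "denied"


if __name__ == "__main__":
    print(run_employee_query_bad("EmployeeDB", "alice"))          # anyone gets [('alice', 90000)]
    print(query_result("EmployeeDB", "hr_user", "alice"))         # [('alice', 90000)]
    print(query_result("EmployeeDB", "guest", "alice"))           # 'denied'
    print(query_result("EmployeeDB", "hr_user", "' OR 1=1 --"))   # [] : still no injection
```

The `caller` identity must come from the authenticated session, never from request parameters such as `$_GET`; otherwise the check reduces to the "allowing the user to specify their own privileges" enforcement failure described in the MITRE text.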
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2024-13105 | D-Link DIR-816 A2 DHCPD Setting form2Dhcpd.cgi access control | DIR-816 A2 | 5.3 | Medium | 2025-01-02 |
| CVE-2024-13104 | D-Link DIR-816 A2 WiFi Settings form2AdvanceSetup.cgi access control | DIR-816 A2 | 5.3 | Medium | 2025-01-02 |
| CVE-2024-13103 | D-Link DIR-816 A2 Virtual Service form2AddVrtsrv.cgi access control | DIR-816 A2 | 5.3 | Medium | 2025-01-02 |
| CVE-2024-13102 | D-Link DIR-816 A2 DDNS Service access control | DIR-816 A2 | 5.3 | Medium | 2025-01-02 |
| CVE-2024-25133 | Openshift-dedicated: hive: rce through aws/kubernetes client configuration leads to privilege escalation | | 8.8 | High | 2024-12-31 |
| CVE-2024-13067 | CodeAstro Online Food Ordering System All Users Page all_users.php access control | Online Food Ordering System | 5.3 | Medium | 2024-12-31 |
| CVE-2024-13030 | D-Link DIR-823G Web Management Interface HNAP1 SetVirtualServerSettings access control | DIR-823G | 7.3 | High | 2024-12-30 |
| CVE-2024-56330 | Session VNC may be accessed by other sessions on the same host in stardust | stardust | 6.5 | - | 2024-12-20 |
| CVE-2024-9503 | Maintenance & Coming Soon Redirect Animation <= 2.1.3 - Missing Authorization to Settings Update | Maintenance & Coming Soon Redirect Animation | 4.3 | Medium | 2024-12-20 |
| CVE-2024-11358 | Insecure Android File Provider Paths | Mattermost | 5.7 | Medium | 2024-12-16 |
| CVE-2024-24902 | Dell RecoverPoint for Virtual Machines Access Control Error Vulnerability | RecoverPoint for Virtual Machines | 6.6 | Medium | 2024-12-13 |
| CVE-2024-54096 | Huawei EMUI and Huawei HarmonyOS Security Vulnerability | HarmonyOS | 5.3 | Medium | 2024-12-12 |
| CVE-2024-10124 | Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce <= 1.1.1 - Missing Authorization to Unauthenticated Arbitrary Plugin Installation/Activation | Vayu Blocks – Website Builder for the Block Editor | 9.8 | Critical | 2024-12-12 |
| CVE-2024-48912 | GLPI vulnerable to authenticated insecure account deletion | glpi | 6.5 | - | 2024-12-11 |
| CVE-2024-47760 | GLPI vulnerable to account takeover via API | glpi | 8.8 | - | 2024-12-11 |
| CVE-2024-47758 | GLPI vulnerable to account takeover without privilege escalation through the API | glpi | 8.8 | - | 2024-12-11 |
| CVE-2024-12294 | Last Viewed Posts by WPBeginner <= 1.0.1 - Unauthenticated Sensitive Information Exposure | Last Viewed Posts by WPBeginner | 5.3 | Medium | 2024-12-11 |
| CVE-2024-43717 | Adobe Experience Manager \| Improper Access Control (CWE-284) | Adobe Experience Manager | 4.3 | Medium | 2024-12-10 |
| CVE-2024-43716 | Adobe Experience Manager \| Improper Access Control (CWE-284) | Adobe Experience Manager | 4.3 | Medium | 2024-12-10 |
| CVE-2024-54038 | Adobe Connect \| Improper Access Control (CWE-284) | Adobe Connect | 4.3 | Medium | 2024-12-10 |
| CVE-2024-49105 | Remote Desktop Client Remote Code Execution Vulnerability | Windows 10 Version 1809 | 8.4 | High | 2024-12-10 |
| CVE-2024-43600 | Microsoft Office Elevation of Privilege Vulnerability | Microsoft Office 2016 | 7.8 | High | 2024-12-10 |
| CVE-2024-49068 | Microsoft SharePoint Elevation of Privilege Vulnerability | Microsoft SharePoint Enterprise Server 2016 | 8.2 | High | 2024-12-10 |
| CVE-2024-43594 | Microsoft System Center Elevation of Privilege Vulnerability | Microsoft System Center 2022 | 7.3 | High | 2024-12-10 |
| CVE-2024-11868 | LearnPress – WordPress LMS Plugin <= 4.2.7.3 - Course Material Sensitive Information Exposure via REST API | LearnPress – WordPress LMS Plugin for Create and Sell Online Courses | 5.3 | Medium | 2024-12-10 |
| CVE-2024-49600 | Dell Power Manager Access Control Error Vulnerability | Dell Power Manager (DPM) | 7.8 | High | 2024-12-09 |
| CVE-2024-12307 | Function-Level Access Control Vulnerability Allows Unauthorized Modification of Student Data in Unifiedtransform | Unifiedtransform | 4.3 | Medium | 2024-12-09 |
| CVE-2024-12306 | Access Control Vulnerabilities Allow Unauthorized Access to User Profiles in Unifiedtransform | Unifiedtransform | 4.3 | Medium | 2024-12-09 |
| CVE-2024-12235 | Shenzhen Dashi Tongzhou Information Technology AgileBPM AuthorizationTokenCheckFilter.java doFilter access control | AgileBPM | 6.3 | Medium | 2024-12-05 |
| CVE-2024-10937 | Related Posts, Inline Related Posts, Contextual Related Posts, Related Content By PickPlugins <= 2.0.58 - Sensitive Information Exposure | Related Posts By PickPlugins | 5.3 | Medium | 2024-12-05 |

Vulnerabilities classified as CWE-284 (Improper Access Control) represent 2062 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.