CWE-284 (Improper Access Control) — Vulnerability Class, 2062 CVEs

2062 vulnerabilities classified as CWE-284 (Improper Access Control). AI Chinese analysis included.

CWE-284 represents a critical security weakness where software fails to properly restrict access to sensitive resources, allowing unauthorized actors to interact with data or functions they should not reach. This flaw typically arises when developers neglect to implement robust authentication or authorization checks, enabling attackers to bypass security controls through direct URL manipulation, token forgery, or privilege escalation techniques. Exploitation often leads to severe consequences, including data breaches, unauthorized system modifications, or complete service disruption. To mitigate this risk, developers must enforce strict access control policies at every layer of the application architecture. This involves implementing comprehensive identity verification, applying the principle of least privilege, and rigorously validating user permissions before granting access to any protected resource, ensuring that only authenticated and authorized users can perform specific actions.

MITRE CWE Description

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Access control involves the use of several protection mechanisms such as:
- Authentication (proving the identity of an actor)
- Authorization (ensuring that a given actor can access a resource), and
- Accountability (tracking of activities that were performed)

When any mechanism is not applied or otherwise fails, attackers can compromise the security of the product by gaining privileges, reading sensitive information, executing commands, evading detection, etc.

There are two distinct behaviors that can introduce access control weaknesses:
- Specification: incorrect privileges, permissions, ownership, etc. are explicitly specified for either the user or the resource (for example, setting a password file to be world-writable, or giving administrator capabilities to a guest user). This action could be performed by the program or the administrator.
- Enforcement: the mechanism contains errors that prevent it from properly enforcing the specified access control requirements (e.g., allowing the user to specify their own privileges, or allowing a syntactically-incorrect ACL to produce insecure settings). This problem occurs within the program itself, in that it does not actually enforce the intended security policy that the administrator specifies.

Common Consequences (1)
Other: Varies by Context

Mitigations (2)
Architecture and Design, Operation: Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Architecture and Design: Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation…
Examples (2)
This code temporarily raises the program's privileges to allow creation of a new user folder.
    import os

    # invalidUsername(), raisePrivileges() and lowerPrivileges() are helpers
    # the example assumes are defined elsewhere in the program.
    def makeNewUserDir(username):
        if invalidUsername(username):
            #avoid CWE-22 and CWE-78
            print('Usernames cannot contain invalid characters')
            return False
        try:
            raisePrivileges()
            os.mkdir('/home/' + username)
            # Not reached if os.mkdir raises: privileges then stay raised.
            lowerPrivileges()
        except OSError:
            print('Unable to create new user directory for user:' + username)
            return False
        return True
Bad · Python
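The defect in the example above is in its control flow rather than in any single call: lowerPrivileges() is the last statement of the try block, so when os.mkdir() raises OSError the except branch runs and the process keeps its elevated privileges. The following Python is an added illustration, not MITRE's or this page's code: it simulates the privilege switch with a small PrivilegeState object (an assumption standing in for raisePrivileges()/lowerPrivileges()), reproduces the page's control flow in make_user_dir_unsafe, and places the privilege drop in a finally clause in make_user_dir_safe so it runs on the exception path too. The user-name allow-list regex is likewise a constructed stand-in for invalidUsername().

```python
import os
import re
import tempfile

# Constructed stand-in for raisePrivileges()/lowerPrivileges(): a real
# program would switch effective UID or capabilities here.
class PrivilegeState:
    def __init__(self):
        self.raised = False

    def raise_privileges(self):
        self.raised = True

    def lower_privileges(self):
        self.raised = False

# Constructed stand-in for invalidUsername(): a conservative allow-list keeps
# path separators and shell metacharacters out of the directory name.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")

def make_user_dir_unsafe(priv, home_root, username):
    """Same control flow as the page's example: the privilege drop is the
    last statement of the try block, so an OSError from mkdir skips it."""
    if not USERNAME_RE.match(username):
        return False
    try:
        priv.raise_privileges()
        os.mkdir(os.path.join(home_root, username))
        priv.lower_privileges()
    except OSError:
        return False
    return True

def make_user_dir_safe(priv, home_root, username):
    """Hardened variant: the drop lives in a finally clause, so it runs on
    every exit from the elevated region, including the exception path."""
    if not USERNAME_RE.match(username):
        return False
    priv.raise_privileges()
    try:
        os.mkdir(os.path.join(home_root, username))
    except OSError:
        return False
    finally:
        priv.lower_privileges()
    return True

def run_failure_scenario(func):
    """Point func at a parent directory that does not exist so mkdir fails.
    Returns (call_result, privileges_still_raised_afterwards)."""
    priv = PrivilegeState()
    with tempfile.TemporaryDirectory() as tmp:
        result = func(priv, os.path.join(tmp, "no_such_home"), "alice")
    return result, priv.raised

def run_success_scenario(func):
    """Same check on the happy path, where both variants drop privileges."""
    priv = PrivilegeState()
    with tempfile.TemporaryDirectory() as tmp:
        result = func(priv, tmp, "alice")
    return result, priv.raised

if __name__ == "__main__":
    print("unsafe, mkdir fails:", run_failure_scenario(make_user_dir_unsafe))
    print("safe,   mkdir fails:", run_failure_scenario(make_user_dir_safe))
```

Running the failure scenario against both variants shows the difference: the unsafe version returns False with privileges still raised, the safe version returns False with privileges dropped. The same try/finally shape applies to any bracketed elevation (seteuid, capability raise, impersonation token), and it is worth checking in review wherever a privilege drop is written as an ordinary statement after the risky call.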
This function runs an arbitrary SQL query on a given database, returning the result of the query.
    // $globalDbHandle is assumed to be a PDO connection opened elsewhere.
    function runEmployeeQuery($dbName, $name){
        mysql_select_db($dbName,$globalDbHandle) or die("Could not open Database".$dbName);
        //Use a prepared statement to avoid CWE-89
        $preparedStatement = $globalDbHandle->prepare('SELECT * FROM employees WHERE name = :name');
        $preparedStatement->execute(array(':name' => $name));
        return $preparedStatement->fetchAll();
    }
    /.../
    // Any requester can query any employee by name: nothing checks that the
    // caller is authorized to read that record.
    $employeeRecord = runEmployeeQuery('EmployeeDB',$_GET['EmployeeName']);
Bad · PHP
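The PHP example is careful about injection (the query is parameterized) but never establishes who is asking: any request that supplies EmployeeName receives that employee's record. That is the CWE-284 point, and it is independent of CWE-89. The Python below is an added example, not the page's or MITRE's code; it uses an in-memory sqlite3 table as a constructed stand-in for EmployeeDB and a constructed caller dict (user name plus role set, assumed to come from the authenticated session rather than from request parameters) to show the same query with and without an authorization check in front of it.

```python
import sqlite3

def build_sample_db():
    """Constructed in-memory employees table standing in for EmployeeDB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (name TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO employees VALUES (?, ?)",
                     [("alice", 90000), ("bob", 75000), ("carol", 120000)])
    conn.commit()
    return conn

def run_employee_query_unchecked(conn, name):
    # Parameterized (avoids CWE-89) but, like the page's PHP example, never
    # asks who is calling: any caller can read any employee's record.
    return conn.execute("SELECT name, salary FROM employees WHERE name = ?",
                        (name,)).fetchall()

def run_employee_query(conn, caller, name):
    """Same query behind an authorization check.

    `caller` is a constructed dict {'user': str, 'roles': set} that a real
    application would derive from its authenticated session. Policy: HR may
    read any record; everyone else may read only their own."""
    if not caller.get("user"):
        raise PermissionError("unauthenticated caller")
    if "hr" not in caller.get("roles", set()) and caller["user"] != name:
        raise PermissionError(
            f"{caller['user']} is not authorized to read the record of {name}")
    return run_employee_query_unchecked(conn, name)

def demo(caller, name):
    """Return ('ok', rows) or ('denied', reason) for a caller/name pair."""
    conn = build_sample_db()
    try:
        return ("ok", run_employee_query(conn, caller, name))
    except PermissionError as exc:
        return ("denied", str(exc))
    finally:
        conn.close()

if __name__ == "__main__":
    print(demo({"user": "hr_admin", "roles": {"hr"}}, "carol"))
    print(demo({"user": "bob", "roles": set()}, "bob"))
    print(demo({"user": "bob", "roles": set()}, "carol"))
    print(demo({}, "carol"))
```

The check deliberately precedes the database call and fails closed: an empty or missing identity is refused before any policy is evaluated, and the decision uses server-side session data, not the name supplied in the request. Logging each denial with the caller and the requested resource gives the accountability leg of the MITRE description as well.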
CVE ID | Title | CVSS | Severity | Published
CVE-2020-7578 | Siemens Camstar Enterprise Platform and Opcenter Execution Core access control error vulnerability — Camstar Enterprise Platform | 8.1 | - | 2020-07-14
CVE-2020-8196 | Citrix System SDWAN WAN-OP authorization issue vulnerability — Citrix ADC, Citrix Gateway, Citrix SDWAN WAN-OP | 4.3 | - | 2020-07-10
CVE-2020-8193 | Citrix System SDWAN WAN-OP authorization issue vulnerability — Citrix ADC, Citrix Gateway, Citrix SDWAN WAN-OP | 8.2 | - | 2020-07-10
CVE-2020-8179 | Nextcloud Deck access control error vulnerability — Nextcloud Deck | 6.2 | - | 2020-07-02
CVE-2020-15079 | Improper access control in PrestaShop — PrestaShop | 6.4 | Medium | 2020-07-02
CVE-2020-2500 | QNAP Systems Helpdesk trust management issue vulnerability — Helpdesk | 9.8 | Critical | 2020-07-01
CVE-2020-12024 | Baxter ExactaMix EM2400 security vulnerability — Baxter ExactaMix EM 2400 & EM 1200 | 6.1 | - | 2020-06-29
CVE-2020-10278 | RVD#2561: Unprotected BIOS allows user to boot from live OS image. — MiR100 | 4.6 | - | 2020-06-24
CVE-2020-4062 | Improper Access Control in Conjur OSS Helm Chart — Conjur OSS Helm Chart | 8.7 | High | 2020-06-22
CVE-2020-3245 | Cisco Smart Software Manager On-Prem Improper Access Control Vulnerability — Cisco Smart Software Manager On-Prem | 5.3 | - | 2020-06-18
CVE-2020-3364 | Cisco IOS XR Software Standby Route Processor Gigabit Ethernet Management Interface Access Control List Bypass Vulnerability — Cisco IOS XR Software | 5.3 | - | 2020-06-18
CVE-2020-3231 | Cisco IOS Software for Catalyst 2960-L Series Switches and Catalyst CDB-8P Switches 802.1X Authentication Bypass Vulnerability — Cisco IOS 15.2(5a)E | 5.4 | - | 2020-06-03
CVE-2020-12493 | Critical Vulnerability in SWARCO CPU LS4000 — CPU LS4000 | 10.0 | Critical | 2020-05-29
CVE-2020-6774 | Kiosk Mode Breakout in Bosch Recording Station — Bosch Recording Station | 9.3 | Critical | 2020-05-27
CVE-2020-9046 | Kantech EntraPass Security Management Software - System Permissions Vulnerability — Kantech EntraPass Security Management Software Special Edition versions 8.22 and prior | 8.8 | High | 2020-05-26
CVE-2020-2025 | Kata Containers - Cloud Hypervisor guests persist filesystem changes to the underlying host image file — Kata Containers | 8.8 | High | 2020-05-19
CVE-2020-11931 | Ubuntu modifications to pulseaudio to provide snap security enforcement could be unloaded — pulseaudio | 3.3 | Low | 2020-05-15
CVE-2020-10612 | Opto 22 SoftPAC Project access control error vulnerability — Opto 22 SoftPAC Project | 9.1 | - | 2020-05-14
CVE-2020-8153 | Nextcloud Groupfolders app access control error vulnerability — Nextcloud Groupfolders | 6.5 | - | 2020-05-12
CVE-2020-3253 | Cisco Firepower Threat Defense Software Shell Access Vulnerability — Cisco Firepower Threat Defense Software | 7.8 | - | 2020-05-06
CVE-2020-3329 | Cisco IMC Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data Role-Based Access Control Vulnerability — Cisco UCS Director | 4.3 | - | 2020-05-06
CVE-2020-3312 | Cisco Firepower Threat Defense Software Information Disclosure Vulnerability — Cisco Firepower Threat Defense Software | 7.5 | - | 2020-05-06
CVE-2020-3186 | Cisco Firepower Threat Defense Software Management Access List Bypass Vulnerability — Cisco Firepower Threat Defense Software | 5.3 | - | 2020-05-06
CVE-2020-1732 | Red Hat WildFly Elytron input validation error vulnerability — Soteria | 4.2 | Medium | 2020-05-04
CVE-2020-8157 | Ubiquiti Networks UniFi Cloud Key access control error vulnerability — UniFi Cloud Key Gen2, Cloud Key Gen2 plus | 6.8 | - | 2020-05-02
CVE-2020-11028 | Unauthenticated disclosure of certain private posts in WordPress — WordPress | 5.8 | Medium | 2020-04-30
CVE-2020-10641 | Inductive Automation Ignition access control error vulnerability — Ignition 8 Gateway | 7.5 | - | 2020-04-28
CVE-2020-5287 | Improper access control on customers search in PrestaShop — PrestaShop | 4.1 | Medium | 2020-04-20
CVE-2020-5288 | Improper access control on product attributes page in PrestaShop — PrestaShop | 4.1 | Medium | 2020-04-20
CVE-2020-5293 | Improper access control on product page with combinations, attachments and specific prices in PrestaShop — PrestaShop | 6.5 | Medium | 2020-04-20

Vulnerabilities classified as CWE-284 (Improper Access Control) represent 2062 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.