CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,794 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 29 of 76
- CVE-2022-20762HIGHCVSS 7.8EG 7.82022-04-06
A vulnerability in the Common Execution Environment (CEE) ConfD CLI of Cisco Ultra Cloud Core - Subscriber Microservices Infrastructure (SMI) software could allow an authenticated, local attacker to escalate privileges on an affected devic…
- CVE-2022-20777CRITICALCVSS 9.9EG 9.92022-05-04
Multiple vulnerabilities in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an attacker to escape from the guest virtual machine (VM) to the host machine, inject commands that execute at the root level, or leak system data…
- CVE-2022-20859MEDIUMCVSS 6.5EG 8.82022-07-06
A vulnerability in the Disaster Recovery framework of Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), and Cisco Unity Connection could allow an authen…
- CVE-2022-20928MEDIUMCVSS 5.8EG 5.82022-11-15
A vulnerability in the authentication and authorization flows for VPN connections in Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to establish …
- CVE-2022-20942MEDIUMCVSS 6.5EG 6.52022-11-04
A vulnerability in the web-based management interface of Cisco Email Security Appliance (ESA), Cisco Secure Email and Web Manager, and Cisco Secure Web Appliance, formerly known as Cisco Web Security Appliance (WSA), could allow an authent…
- CVE-2022-2095MEDIUMCVSS 4.3EG 4.32022-08-05
An improper access control check in GitLab CE/EE affecting all versions starting from 13.7 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1 allows a malicious authenticated user to…
- CVE-2022-21140MEDIUMCVSS 5.5EG 5.52022-08-18
Improper access control for some Intel(R) PROSet/Wireless WiFi and Killer(TM) WiFi products may allow a privileged user to potentially enable information disclosure via local access.
- CVE-2022-21141CRITICALCVSS 10.0EG 10.02022-02-18
MMP: All versions prior to v1.0.3, PTP C-series: Device versions prior to v2.8.6.1, and PTMP C-series and A5x: Device versions prior to v2.5.4.1 does not perform proper authorization checks on multiple API functions. An attacker may gain a…
- CVE-2022-21153MEDIUMCVSS 5.5EG 5.52022-02-09
Improper access control in the Intel(R) Capital Global Summit Android application may allow an authenticated user to potentially enable information disclosure via local access.
- CVE-2022-21157MEDIUMCVSS 5.5EG 5.52022-02-09
Improper access control in the Intel(R) Smart Campus Android application before version 6.1 may allow authenticated user to potentially enable information disclosure via local access.
- CVE-2022-21174HIGHCVSS 7.8EG 7.82022-02-09
Improper access control in a third-party component of Intel(R) Quartus(R) Prime Pro Edition before version 21.3 may allow an authenticated user to potentially enable escalation of privilege via local access.
- CVE-2022-21196CRITICALCVSS 10.0EG 9.82022-02-18
MMP: All versions prior to v1.0.3, PTP C-series: Device versions prior to v2.8.6.1, and PTMP C-series and A5x: Device versions prior to v2.5.4.1 does not perform proper authorization and authentication checks on multiple API routes. An att…
- CVE-2022-21225HIGHCVSS 8.0EG 8.02022-08-18
Improper neutralization in the Intel(R) Data Center Manager software before version 4.1 may allow an authenticated user to potentially enable escalation of privilege via adjacent access.
- CVE-2022-2155MEDIUMCVSS 5.7EG 7.12023-01-12
A vulnerability exists in the affected versions of Lumada APM’s User Asset Group feature due to a flaw in access control mechanism implementation on the “Limited Engineer” role, granting it access to the embedded Power BI reports fe…
- CVE-2022-21678MEDIUMCVSS 4.3EG 4.32022-01-13
Discourse is an open source discussion platform. Prior to version 2.8.0.beta11 in the `tests-passed` branch, version 2.8.0.beta11 in the `beta` branch, and version 2.7.13 in the `stable` branch, the bios of users who made their profiles pr…
- CVE-2022-21701MEDIUMCVSS 5.0EG 5.02022-01-19
Istio is an open platform to connect, manage, and secure microservices. In versions 1.12.0 and 1.12.1 Istio is vulnerable to a privilege escalation attack. Users who have `CREATE` permission for `gateways.gateway.networking.k8s.io` objects…
- CVE-2022-21706HIGHCVSS 7.2EG 7.22022-02-26
Zulip is an open-source team collaboration tool with topic-based threading. Zulip Server version 2.0.0 and above are vulnerable to insufficient access control with multi-use invitations. A Zulip Server deployment which hosts multiple organ…
- CVE-2022-21707MEDIUMCVSS 6.3EG 6.32022-01-21
wasmCloud Host Runtime is a server process that securely hosts and provides dispatch for web assembly (WASM) actors and capability providers. In versions prior to 0.52.2 actors can bypass capability authorization. Actors are normally requi…
- CVE-2022-21713MEDIUMCVSS 4.3EG 4.32022-02-08
Grafana is an open-source platform for monitoring and observability. Affected versions of Grafana expose multiple API endpoints which do not properly handle user authorization. `/teams/:teamId` will allow an authenticated attacker to view …
- CVE-2022-21812HIGHCVSS 7.8EG 7.82022-08-18
Improper access control in the Intel(R) HAXM software before version 7.7.1 may allow an authenticated user to potentially enable escalation of privilege via local access.
- CVE-2022-21825HIGHCVSS 7.8EG 7.82022-02-09
An Improper Access Control vulnerability exists in Citrix Workspace App for Linux 2012 - 2111 with App Protection installed that can allow an attacker to perform local privilege escalation.
- CVE-2022-2188MEDIUMCVSS 6.5EG 5.52022-11-07
Privilege escalation vulnerability in DXL Broker for Windows prior to 6.0.0.280 allows local users to gain elevated privileges by exploiting weak directory controls in the logs directory. This can lead to a denial-of-service attack on the …
- CVE-2022-21894MEDIUMCVSS 4.4EG 4.42022-01-11
Secure Boot Security Feature Bypass Vulnerability
- CVE-2022-21899MEDIUMCVSS 5.5EG 5.52022-01-11
Windows Extensible Firmware Interface Security Feature Bypass Vulnerability
- CVE-2022-21913MEDIUMCVSS 5.3EG 7.52022-01-11
Local Security Authority (Domain Policy) Remote Protocol Security Feature Bypass
- CVE-2022-22048MEDIUMCVSS 6.1EG 6.12022-07-12
BitLocker Security Feature Bypass Vulnerability
- CVE-2022-22091HIGHCVSS 7.5EG 7.52022-09-16
Improper authorization of a replayed LTE security mode command can lead to a denial of service in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdrag…
- CVE-2022-22157HIGHCVSS 7.2EG 7.22022-01-19
A traffic classification vulnerability in Juniper Networks Junos OS on the SRX Series Services Gateways may allow an attacker to bypass Juniper Deep Packet Inspection (JDPI) rules and access unauthorized networks or resources, when 'no-syn…
- CVE-2022-22167HIGHCVSS 7.2EG 7.22022-01-19
A traffic classification vulnerability in Juniper Networks Junos OS on the SRX Series Services Gateways may allow an attacker to bypass Juniper Deep Packet Inspection (JDPI) rules and access unauthorized networks or resources, when 'no-syn…
- CVE-2022-22190HIGHCVSS 7.4EG 7.52022-04-14
An Improper Access Control vulnerability in the Juniper Networks Paragon Active Assurance Control Center allows an unauthenticated attacker to leverage a crafted URL to generate PDF reports, potentially containing sensitive configuration i…
- CVE-2022-22254HIGHCVSS 7.5EG 7.52022-04-11
A permission bypass vulnerability exists when the NFC CAs access the TEE.Successful exploitation of this vulnerability may affect data confidentiality.
- CVE-2022-22272MEDIUMCVSS 4.0EG 3.32022-01-10
Improper authorization in TelephonyManager prior to SMR Jan-2022 Release 1 allows attackers to get IMSI without READ_PRIVILEGED_PHONE_STATE permission
- CVE-2022-22288HIGHCVSS 7.5EG 7.52022-01-10
Improper authorization vulnerability in Galaxy Store prior to 4.5.36.5 allows remote app installation of the allowlist.
- CVE-2022-2229HIGHCVSS 7.5EG 7.52022-07-01
An improper authorization issue in GitLab CE/EE affecting all versions from 13.7 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows an attacker to extract the value of an unprotected variable they know the name of in p…
- CVE-2022-22300MEDIUMCVSS 4.3EG 8.82022-03-01
A improper handling of insufficient permissions or privileges in Fortinet FortiAnalyzer version 5.6.0 through 5.6.11, FortiAnalyzer version 6.0.0 through 6.0.11, FortiAnalyzer version 6.2.0 through 6.2.9, FortiAnalyzer version 6.4.0 throug…
- CVE-2022-22307MEDIUMCVSS 4.4EG 4.42023-06-15
IBM Security Guardium 11.3, 11.4, and 11.5 could allow a local user to obtain elevated privileges due to incorrect authorization checks. IBM X-Force ID: 216753.
- CVE-2022-22326LOWCVSS 3.3EG 3.32022-08-01
IBM Datapower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.5, and 2018.4.1.0 through 2018.4.1.18 could allow unauthorized viewing of logs and files due to insufficient authorization checks. IBM X-Force ID: 218856.
- CVE-2022-2243MEDIUMCVSS 5.0EG 4.32022-07-01
An access control vulnerability in GitLab EE/CE affecting all versions from 14.8 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows authenticated users to enumerate issues in non-linked sentry projects.
- CVE-2022-2244MEDIUMCVSS 4.3EG 4.32022-07-01
An improper authorization vulnerability in GitLab EE/CE affecting all versions from 14.8 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows project memebers with reporter role to manage issues in project's error track…
- CVE-2022-22616MEDIUMCVSS 5.5EG 5.52022-05-26
This issue was addressed with improved checks. This issue is fixed in Security Update 2022-003 Catalina, macOS Monterey 12.3, macOS Big Sur 11.6.5. A maliciously crafted ZIP archive may bypass Gatekeeper checks.
- CVE-2022-22618HIGHCVSS 7.8EG 7.82022-03-18
This issue was addressed with improved checks. This issue is fixed in watchOS 8.5, iOS 15.4 and iPadOS 15.4. A user may be able to bypass the Emergency SOS passcode prompt.
- CVE-2022-22663MEDIUMCVSS 5.5EG 5.52022-05-26
This issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in iOS 15.4 and iPadOS 15.4, Security Update 2022-004 Catalina, macOS Monterey 12.3, macOS Big Sur 11.6.6. A malicious application may bypas…
- CVE-2022-22754MEDIUMCVSS 6.5EG 6.52022-12-22
If a user installed an extension of a particular type, the extension could have auto-updated itself and while doing so, bypass the prompt which grants the new version the new requested permissions. This vulnerability affects Firefox < 97, …
- CVE-2022-22798MEDIUMCVSS 6.8EG 8.82022-05-12
Sysaid – Pro Plus Edition, SysAid Help Desk Broken Access Control v20.4.74 b10, v22.1.20 b62, v22.1.30 b49 - An attacker needs to log in as a guest after that the system redirects him to the service portal or EndUserPortal.JSP, then he n…
- CVE-2022-22967HIGHCVSS 8.8EG 8.82022-06-23
An issue was discovered in SaltStack Salt in versions before 3002.9, 3003.5, 3004.2. PAM auth fails to reject locked accounts, which allows a previously authorized user whose account is locked still run Salt commands when their account is …
- CVE-2022-22978CRITICALCVSS 9.8EG 9.82022-05-19
In spring security versions prior to 5.4.11+, 5.5.7+ , 5.6.4+ and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the…
- CVE-2022-23009HIGHCVSS 7.2EG 7.22022-01-25
On BIG-IQ Centralized Management 8.x before 8.1.0, an authenticated administrative role user on a BIG-IQ managed BIG-IP device can access other BIG-IP devices managed by the same BIG-IQ system. Note: Software versions which have reached En…
- CVE-2022-2303MEDIUMCVSS 4.3EG 4.32022-08-05
An issue has been discovered in GitLab CE/EE affecting all versions before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. It may be possible for group members to bypass 2FA enforcement…
- CVE-2022-23033HIGHCVSS 7.8EG 7.82022-01-25
arm: guest_physmap_remove_page not removing the p2m mappings The functions to remove one or more entries from a guest p2m pagetable on Arm (p2m_remove_mapping, guest_physmap_remove_page, and p2m_set_entry with mfn set to INVALID_MFN) do no…
- CVE-2022-23134LOWCVSS 3.7EG 9.0⚠ KEV2022-01-13
After the initial setup process, some steps of setup.php file are reachable not only by super-administrators, but by unauthenticated users as well. Malicious actor can pass step checks and potentially change the configuration of Zabbix Fro…
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →