CWE-285: Improper Authorization
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
常见后果
影响范围: Confidentiality
技术影响: Read Application Data Read Files or Directories
说明: An attacker could read sensitive data, either by reading the data directly from a data store that is not properly restricted, or by accessing insufficiently-protected, privileged functionality to read the data.
影响范围: Integrity
技术影响: Modify Application Data Modify Files or Directories
说明: An attacker could modify sensitive data, either by writing the data directly to a data store that is not properly restricted, or by accessing insufficiently-protected, privileged functionality to write the data.
影响范围: Access Control
技术影响: Gain Privileges or Assume Identity
说明: An attacker could gain privileges by modifying or reading critical data directly, or by accessing insufficiently-protected, privileged functionality.
潜在缓解措施
阶段: Architecture and Design
阶段: Architecture and Design
描述: Ensure that you perform access control checks related to your business logic. These checks may be different than the access control checks that you apply to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor.
阶段: Architecture and Design
策略: Libraries or Frameworks
阶段: Architecture and Design
阶段: System Configuration Installation
描述: Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
检测方法
方法: Automated Static Analysis
有效性: Limited
方法: Automated Dynamic Analysis
Automated dynamic analysis may find many or all possible interfaces that do not require authorization, but manual analysis is required to determine if the lack of authorization violates business logic
方法: Manual Analysis
有效性: Moderate
方法: Manual Static Analysis - Binary or Bytecode
有效性: SOAR Partial
方法: Dynamic Analysis with Automated Results Interpretation
有效性: SOAR Partial
方法: Dynamic Analysis with Manual Results Interpretation
有效性: SOAR Partial
方法: Manual Static Analysis - Source Code
有效性: SOAR Partial
方法: Automated Static Analysis - Source Code
有效性: SOAR Partial
方法: Architecture or Design Review
有效性: High
观察示例
参考: CVE-2022-24730
Go-based continuous deployment product does not check that a user has certain privileges to update or create an app, allowing adversaries to read sensitive repository information
参考: CVE-2009-3168
Web application does not restrict access to admin scripts, allowing authenticated users to reset administrative passwords.
参考: CVE-2009-2960
Web application does not restrict access to admin scripts, allowing authenticated users to modify passwords of other users.
参考: CVE-2009-3597
Web application stores database file under the web root with insufficient access control (CWE-219), allowing direct request.
参考: CVE-2009-2282
Terminal server does not check authorization for guest access.
参考: CVE-2009-3230
Database server does not use appropriate privileges for certain sensitive operations.
参考: CVE-2009-2213
Gateway uses default "Allow" configuration for its authorization settings.
参考: CVE-2009-0034
Chain: product does not properly interpret a configuration option for a system group, allowing users to gain privileges.
参考: CVE-2008-6123
Chain: SNMP product does not properly parse a configuration option for which hosts are allowed to connect, allowing unauthorized IP addresses to connect.
参考: CVE-2008-5027
System monitoring software allows users to bypass authorization by creating custom forms.
参考: CVE-2008-7109
Chain: reliance on client-side security (CWE-602) allows attackers to bypass authorization using a custom client.
参考: CVE-2008-3424
Chain: product does not properly handle wildcards in an authorization policy list, allowing unintended access.
参考: CVE-2009-3781
Content management system does not check access permissions for private files, allowing others to view those files.
参考: CVE-2008-4577
ACL-based protection mechanism treats negative access rights as if they are positive, allowing bypass of intended restrictions.
参考: CVE-2008-6548
Product does not check the ACL of a page accessed using an "include" directive, allowing attackers to read unauthorized files.
参考: CVE-2007-2925
Default ACL list for a DNS server does not set certain ACLs, allowing unauthorized DNS queries.
参考: CVE-2006-6679
Product relies on the X-Forwarded-For HTTP header for authorization, allowing unintended access by spoofing the header.
参考: CVE-2005-3623
OS kernel does not check for a certain privilege before setting ACLs for files.
参考: CVE-2005-2801
Chain: file-system code performs an incorrect comparison (CWE-697), preventing default ACLs from being properly applied.
参考: CVE-2001-1155
Chain: product does not properly check the result of a reverse DNS lookup because of operator precedence (CWE-783), allowing bypass of DNS-based access restrictions.
引入模式
| 阶段 | 说明 |
|---|---|
| Implementation | - |
| Architecture and Design | - |
| Operation | - |
适用平台
编程语言
技术
分类映射
| 分类名称 | 条目ID | 条目名称 | 映射适配度 |
|---|---|---|---|
| 7 Pernicious Kingdoms | - | Missing Access Control | - |
| OWASP Top Ten 2007 | A10 | Failure to Restrict URL Access | CWE More Specific |
| OWASP Top Ten 2004 | A2 | Broken Access Control | CWE More Specific |
| Software Fault Patterns | SFP35 | Insecure resource access | - |
关键信息
CWE ID: CWE-285
抽象级别: Class
结构: Simple
状态: Draft
利用可能性: High