CWE-863: Incorrect Authorization

Abstraction: Class | Status: Incomplete | Structure: Simple

CWE Version: 4.18

Last Updated: 2025-09-09

Description

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Common Consequences

Scope: Confidentiality

Technical Impact: Read Application Data; Read Files or Directories

Note: An attacker could bypass intended access restrictions to read sensitive data, either by reading the data directly from a data store that is not correctly restricted, or by accessing insufficiently-protected, privileged functionality to read the data.

Scope: Integrity

Technical Impact: Modify Application Data; Modify Files or Directories

Note: An attacker could bypass intended access restrictions to modify sensitive data, either by writing the data directly to a data store that is not correctly restricted, or by accessing insufficiently-protected, privileged functionality to write the data.

Scope: Access Control

Technical Impact: Gain Privileges or Assume Identity; Bypass Protection Mechanism

Note: An attacker could bypass intended access restrictions to gain privileges by modifying or reading critical data directly, or by accessing privileged functionality.

Scope: Confidentiality; Integrity; Availability

Technical Impact: Execute Unauthorized Code or Commands

Note: An attacker could use elevated privileges to execute unauthorized commands or code.

Scope: Availability

Technical Impact: DoS: Crash, Exit, or Restart; DoS: Resource Consumption (CPU); DoS: Resource Consumption (Memory); DoS: Resource Consumption (Other)

Note: An attacker could gain unauthorized access to resources on the system and excessively consume those resources, leading to a denial of service.

Potential Mitigations

Phase: Architecture and Design

Phase: Architecture and Design

Description: Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Phase: Architecture and Design

Strategy: Libraries or Frameworks

Phase: Architecture and Design

Phase: System Configuration; Installation

Description: Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
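As an added illustration of the mitigations above (the business-logic check tied to the patient/doctor relationship, and the "default deny" policy), not part of the CWE entry itself: a Python authorization decision for a medical-records service. The roles, users and record layout are constructed for the example; the weak variant shows the CWE-863 pattern beside the corrected one.

```python
"""Constructed scenario: a record belongs to one patient and is assigned to one
treating doctor. Only those two principals may access it; the application must
decide this per record, not per generic role. Names and roles are made up."""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    READ = "read"
    UPDATE = "update"


@dataclass(frozen=True)
class User:
    user_id: str
    role: str  # constructed roles: "patient", "doctor", "admin"


@dataclass(frozen=True)
class MedicalRecord:
    record_id: str
    patient_id: str
    doctor_id: str  # the single treating doctor assigned to this record


def is_authorized_weak(user: User, record: MedicalRecord, action: Action) -> bool:
    """Incorrect authorization (CWE-863): the check exists but only consults the
    generic role. Any doctor is allowed on any record, and the action is never
    considered, because the business rule "only the treating doctor" is missing."""
    if user.role == "doctor":
        return True
    if user.role == "patient":
        return user.user_id == record.patient_id
    return False


def is_authorized(user: User, record: MedicalRecord, action: Action) -> bool:
    """Corrected check: the decision is bound to this specific record and to the
    requested action, and anything not explicitly allowed is denied."""
    if not isinstance(action, Action):
        return False  # unrecognised action: deny rather than guess
    if user.role == "patient":
        # A patient may read only their own record and may never modify it.
        return action is Action.READ and user.user_id == record.patient_id
    if user.role == "doctor":
        # Only the assigned treating doctor, for both read and update.
        return user.user_id == record.doctor_id
    return False  # default deny: unknown or unlisted roles (e.g. "admin") get nothing
```

The weak variant lets an unrelated doctor read every patient's record even though "an authorization check" is performed, which is exactly the distinction the mitigation draws between generic resource checks and business-logic checks.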

Detection Methods

Method: Automated Static Analysis

Effectiveness: Limited

Method: Automated Dynamic Analysis

Automated dynamic analysis may not be able to find interfaces that are protected by authorization checks, even if those checks contain weaknesses.

Method: Manual Analysis

Effectiveness: Moderate

Method: Manual Static Analysis - Binary or Bytecode

Effectiveness: SOAR Partial

Method: Dynamic Analysis with Automated Results Interpretation

Effectiveness: SOAR Partial

Method: Dynamic Analysis with Manual Results Interpretation

Effectiveness: SOAR Partial

Method: Manual Static Analysis - Source Code

Effectiveness: SOAR Partial

Method: Automated Static Analysis - Source Code

Effectiveness: SOAR Partial

Method: Architecture or Design Review

Effectiveness: High

Observed Examples

Reference: CVE-2025-24839

Collaboration platform allows attacker to access an AI bot by using a plugin to set a critical property.

Reference: CVE-2025-32796

LLM application development platform allows non-admin users to enable or disable apps using certain API endpoints.

Reference: CVE-2021-39155

Chain: A microservice integration and management platform compares the hostname in the HTTP Host header in a case-sensitive way (CWE-178, CWE-1289), allowing bypass of the authorization policy (CWE-863) using a hostname with mixed case or other variations.

Reference: CVE-2019-15900

Chain: sscanf() call is used to check if a username and group exists, but the return value of sscanf() call is not checked (CWE-252), causing an uninitialized variable to be checked (CWE-457), returning success to allow authorization bypass for executing a privileged (CWE-863).

Reference: CVE-2009-2213

Gateway uses default "Allow" configuration for its authorization settings.

Reference: CVE-2009-0034

Chain: product does not properly interpret a configuration option for a system group, allowing users to gain privileges.

Reference: CVE-2008-6123

Chain: SNMP product does not properly parse a configuration option for which hosts are allowed to connect, allowing unauthorized IP addresses to connect.

Reference: CVE-2008-7109

Chain: reliance on client-side security (CWE-602) allows attackers to bypass authorization using a custom client.

Reference: CVE-2008-3424

Chain: product does not properly handle wildcards in an authorization policy list, allowing unintended access.

Reference: CVE-2008-4577

ACL-based protection mechanism treats negative access rights as if they are positive, allowing bypass of intended restrictions.

Reference: CVE-2006-6679

Product relies on the X-Forwarded-For HTTP header for authorization, allowing unintended access by spoofing the header.

Reference: CVE-2005-2801

Chain: file-system code performs an incorrect comparison (CWE-697), preventing default ACLs from being properly applied.

Reference: CVE-2001-1155

Chain: product does not properly check the result of a reverse DNS lookup because of operator precedence (CWE-783), allowing bypass of DNS-based access restrictions.

Modes of Introduction

Phase                    | Description
Architecture and Design  | Authorization weaknesses may arise when a single-user application is ported to a multi-user environment.
Implementation           | -
Operation                | -

Applicable Platforms

Languages: Not Language-Specific (Undetermined)

Technologies: Web Server (Often); Database Server (Often)

Taxonomy Mappings

Taxonomy Name  | Entry ID | Entry Name | Mapping Fit
ISA/IEC 62443  | Part 4-1 | Req SD-4   | -
ISA/IEC 62443  | Part 4-2 | Req CR 2.1 | -
ISA/IEC 62443  | Part 4-2 | Req CR 2.2 | -
ISA/IEC 62443  | Part 3-3 | Req SR 2.1 | -
ISA/IEC 62443  | Part 3-3 | Req SR 2.2 | -
ISA/IEC 62443  | Part 4-1 | Req SVV-1  | -
ISA/IEC 62443  | Part 4-1 | Req SVV-4  | -
ISA/IEC 62443  | Part 4-1 | Req SD-1   | -

Key Information

CWE ID: CWE-863

Abstraction: Class

Structure: Simple

Status: Incomplete

Likelihood of Exploit: High

Related Weaknesses