Category: Authorization Errors
Draft
Summary
Weaknesses in this category are related to authorization components of a system. Frequently these deal with the ability to enforce that agents have the required permissions before performing certain operations, such as modifying data. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authorization capability.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-1220 | Insufficient Granularity of Access Control | This vulnerability occurs when a system's access controls are too broad, allowing unauthorized users or processes to read or modify sensitive resources. Instead of implementing precise, fine-grained permissions, the security policy uses overly permissive rules that fail to properly restrict access to critical assets like configuration data, keys, or system registers. |
| CWE-1230 | Exposure of Sensitive Information Through Metadata | This vulnerability occurs when an application protects the primary source of sensitive data but fails to secure the metadata derived from it. Attackers can then access this secondary information, which may leak critical details about the original content. |
| CWE-425 | Direct Request ('Forced Browsing') | This vulnerability occurs when a web application fails to verify user permissions for every protected page, file, or API endpoint, allowing attackers to access them directly. |
| CWE-551 | Incorrect Behavior Order: Authorization Before Parsing and Canonicalization | This vulnerability occurs when a web server checks access permissions before fully processing and normalizing a URL, potentially allowing attackers to bypass security controls. |
| CWE-552 | Files or Directories Accessible to External Parties | This vulnerability occurs when an application exposes files or directories to users who shouldn't have access to them. |
| CWE-639 | Authorization Bypass Through User-Controlled Key | This vulnerability occurs when an application's authorization system fails to verify that a user is allowed to access specific data before retrieving it, allowing an attacker to access another user's information by manipulating an identifier they control. |
| CWE-653 | Improper Isolation or Compartmentalization | This vulnerability occurs when an application fails to enforce strong boundaries between components that operate at different security levels, allowing lower-privileged functions to improperly interact with higher-privileged ones. |
| CWE-842 | Placement of User into Incorrect Group | This vulnerability occurs when a system or administrator assigns a user to the wrong security group or role. |
| CWE-939 | Improper Authorization in Handler for Custom URL Scheme | This vulnerability occurs when an app implements a custom URL scheme handler but fails to properly verify which other apps or sources are allowed to trigger it. |
| CWE-699 | Software Development | This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping. |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.