CWE-1220
AllowedInsufficient Granularity of Access Control
Abstraction: Base · Status: Incomplete
The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.
176 vulnerabilities reference this CWE, most recent first.
GHSA-9JMP-J63G-8X6M
Vulnerability from github – Published: 2024-09-13 18:31 – Updated: 2025-06-20 20:01Withdrawn Advisory
This advisory has been withdrawn because the lunary npm package is connected to https://github.com/lunary-ai/lunary-js, not the https://github.com/lunary-ai/lunary repo that is discussed in this advisory.
The underlying vulnerability report is still valid, but it doesn't affect a product in a GitHub Advisory Database supported ecosystem.
This link is maintained to preserve external references.
Original Description
An information disclosure vulnerability exists in the lunary-ai/lunary, specifically in the runs/{run_id}/related endpoint. This endpoint does not verify that the user has the necessary access rights to the run(s) they are accessing. As a result, it returns not only the specified run but also all runs that have the run_id listed as their parent run. This issue affects the main branch, commit a761d833. The vulnerability allows unauthorized users to obtain information about non-public runs and their related runs, given the run_id of a public or non-public run.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "lunary"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-6867"
],
"database_specific": {
"cwe_ids": [
"CWE-1220"
],
"github_reviewed": true,
"github_reviewed_at": "2024-09-13T19:34:16Z",
"nvd_published_at": "2024-09-13T17:15:13Z",
"severity": "MODERATE"
},
"details": "## Withdrawn Advisory\nThis advisory has been withdrawn because the [lunary npm package](https://www.npmjs.com/package/lunary) is connected to https://github.com/lunary-ai/lunary-js, not the https://github.com/lunary-ai/lunary repo that is discussed in this advisory.\n\n**The underlying vulnerability report is still valid**, but it doesn\u0027t affect a product in a [GitHub Advisory Database supported ecosystem](https://docs.github.com/en/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database#github-reviewed-advisories).\n\nThis link is maintained to preserve external references.\n\n## Original Description\nAn information disclosure vulnerability exists in the lunary-ai/lunary, specifically in the `runs/{run_id}/related` endpoint. This endpoint does not verify that the user has the necessary access rights to the run(s) they are accessing. As a result, it returns not only the specified run but also all runs that have the `run_id` listed as their parent run. This issue affects the main branch, commit a761d833. The vulnerability allows unauthorized users to obtain information about non-public runs and their related runs, given the `run_id` of a public or non-public run.",
"id": "GHSA-9jmp-j63g-8x6m",
"modified": "2025-06-20T20:01:41Z",
"published": "2024-09-13T18:31:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6867"
},
{
"type": "WEB",
"url": "https://github.com/lunary-ai/lunary/commit/35afd4439464571eb016318cd7b6f85a162225ca"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/460df515-164c-4435-954b-0233a181545f"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Withdrawn Advisory: Lunary information disclosure vulnerability",
"withdrawn": "2025-06-20T20:00:15Z"
}
GHSA-9MX7-6MVP-M4H2
Vulnerability from github – Published: 2025-02-12 00:32 – Updated: 2025-02-12 00:32Improper input validation in the SMM handler may allow a privileged attacker to overwrite SMRAM, potentially leading to arbitrary code execution.
{
"affected": [],
"aliases": [
"CVE-2023-31343"
],
"database_specific": {
"cwe_ids": [
"CWE-1220",
"CWE-20"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-11T23:15:08Z",
"severity": "HIGH"
},
"details": "Improper input validation in the SMM handler may allow a privileged attacker to overwrite SMRAM, potentially leading to arbitrary code execution.",
"id": "GHSA-9mx7-6mvp-m4h2",
"modified": "2025-02-12T00:32:16Z",
"published": "2025-02-12T00:32:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31343"
},
{
"type": "WEB",
"url": "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3009.html"
},
{
"type": "WEB",
"url": "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-4008.html"
},
{
"type": "WEB",
"url": "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-5004.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9VRQ-HH79-6V9M
Vulnerability from github – Published: 2025-05-22 15:34 – Updated: 2025-05-22 15:34An issue has been discovered in GitLab CE/EE affecting all versions before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. An attacker may be able to reveal masked or hidden CI variables (that they did not author) in the WebUI, by simply creating their own variable and observing the HTTP response.
{
"affected": [],
"aliases": [
"CVE-2025-4979"
],
"database_specific": {
"cwe_ids": [
"CWE-1220"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-22T14:16:08Z",
"severity": "MODERATE"
},
"details": "An issue has been discovered in GitLab CE/EE affecting all versions before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. An attacker may be able to reveal masked or hidden CI variables (that they did not author) in the WebUI, by simply creating their own variable and observing the HTTP response.",
"id": "GHSA-9vrq-hh79-6v9m",
"modified": "2025-05-22T15:34:50Z",
"published": "2025-05-22T15:34:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4979"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/524455"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9X88-4JG8-4VF7
Vulnerability from github – Published: 2024-06-06 21:30 – Updated: 2025-10-15 15:49An improper authorization vulnerability exists in the zenml-io/zenml repository, specifically within the API PUT /api/v1/users/id endpoint. This vulnerability allows any authenticated user to modify the information of other users, including changing the active status of user accounts to false, effectively deactivating them. This issue affects version 0.55.3 and was fixed in version 0.56.2. The impact of this vulnerability is significant as it allows for the deactivation of admin accounts, potentially disrupting the functionality and security of the application.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "zenml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.56.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-2035"
],
"database_specific": {
"cwe_ids": [
"CWE-1220",
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2024-06-06T22:21:21Z",
"nvd_published_at": "2024-06-06T19:15:53Z",
"severity": "MODERATE"
},
"details": "An improper authorization vulnerability exists in the zenml-io/zenml repository, specifically within the API PUT /api/v1/users/id endpoint. This vulnerability allows any authenticated user to modify the information of other users, including changing the `active` status of user accounts to false, effectively deactivating them. This issue affects version 0.55.3 and was fixed in version 0.56.2. The impact of this vulnerability is significant as it allows for the deactivation of admin accounts, potentially disrupting the functionality and security of the application.",
"id": "GHSA-9x88-4jg8-4vf7",
"modified": "2025-10-15T15:49:21Z",
"published": "2024-06-06T21:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2035"
},
{
"type": "WEB",
"url": "https://github.com/zenml-io/zenml/commit/b95f083efffa56831cd41d8ed536aeb0b6038fa3"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/zenml/PYSEC-2024-169.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/zenml-io/zenml"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/1cfc6493-082e-4229-9f2f-496801a6557c"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Improper authorization in zenml"
}
GHSA-CCMH-37RX-6PP5
Vulnerability from github – Published: 2023-08-21 18:31 – Updated: 2024-04-04 07:05A flaw was found in openshift-logging LokiStack. The key used for caching is just the token, which is too broad. This issue allows a user with a token valid for one action to execute other actions as long as the authorization allowing the original action is still cached.
{
"affected": [],
"aliases": [
"CVE-2023-4456"
],
"database_specific": {
"cwe_ids": [
"CWE-1220"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-21T17:15:50Z",
"severity": "MODERATE"
},
"details": "A flaw was found in openshift-logging LokiStack. The key used for caching is just the token, which is too broad. This issue allows a user with a token valid for one action to execute other actions as long as the authorization allowing the original action is still cached.",
"id": "GHSA-ccmh-37rx-6pp5",
"modified": "2024-04-04T07:05:11Z",
"published": "2023-08-21T18:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4456"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:4933"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:5095"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:5096"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2023-4456"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2233087"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CHGX-7CW3-HR55
Vulnerability from github – Published: 2023-08-11 15:30 – Updated: 2024-02-16 15:30A vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some rows that INSERT policies do not forbid, a user could store such rows.
{
"affected": [],
"aliases": [
"CVE-2023-39418"
],
"database_specific": {
"cwe_ids": [
"CWE-1220"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-11T13:15:09Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some rows that INSERT policies do not forbid, a user could store such rows.",
"id": "GHSA-chgx-7cw3-hr55",
"modified": "2024-02-16T15:30:25Z",
"published": "2023-08-11T15:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39418"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:7785"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:7883"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:7884"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:7885"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2023-39418"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2228112"
},
{
"type": "WEB",
"url": "https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=cb2ae5741f2458a474ed3c31458d242e678ff229"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20230915-0002"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2023/dsa-5553"
},
{
"type": "WEB",
"url": "https://www.postgresql.org/support/security/CVE-2023-39418"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CJ3C-5XPM-CX94
Vulnerability from github – Published: 2024-03-29 19:05 – Updated: 2025-10-13 15:42Summary
The permission view_other_timesheet performs differently for the Kimai UI and the API, thus returning unexpected data through the API.
Details
When setting the view_other_timesheet permission to true, on the frontend, users can only see timesheet entries for teams they are a part of. When requesting all timesheets from the API, however, all timesheet entries are returned, regardless of whether the user shares team permissions or not.
Example:
There are projects P1 and P2, Teams T1 and T2, users U1 and U2 and Timesheet entries E1 and E2. U1 is team leader of team T1 and has access to P1. U2 is in Team T2 and has access to both P1 and P2. U2 creates E1 for P1 and E2 for P2.
In the UI, U1 with view _other_timesheet perms sees E1 as he is a part of T1 that has access to P1.
In the API, however, he has access to E1 and E2.
Additionally, if U1 is not a team leader T1, he does not see any timesheet from a user other than himself in the UI, but still all timesheets in the API.
PoC
- Give a user
view_other_timesheetpermission - The result of the UI and the API call to
/api/timesheets?user=alldiffers in the data that is being returned
Curl command:
bash
curl -X 'GET' \
'https://kimai.instance.com/api/timesheets?user=all' \
-H 'accept: application/json' \
-H 'X-AUTH-USER: username' \
-H 'X-AUTH-TOKEN: api_token'
Impact
This is at least an insufficient granularity of access control weakness. People can see timesheet entries they are not supposed to. This greatly affects the confidentiality of timesheet entries.
Restricting API access to administrators is also not a valid solution, as API access is needed, for example, to use the mobile app.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "kimai/kimai"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.13.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-29200"
],
"database_specific": {
"cwe_ids": [
"CWE-1220"
],
"github_reviewed": true,
"github_reviewed_at": "2024-03-29T19:05:49Z",
"nvd_published_at": "2024-03-28T14:15:14Z",
"severity": "MODERATE"
},
"details": "### Summary\nThe permission `view_other_timesheet` performs differently for the Kimai UI and the API, thus returning unexpected data through the API.\n\n### Details\nWhen setting the `view_other_timesheet` permission to true, on the frontend, users can only see timesheet entries for teams they are a part of. When requesting all timesheets from the API, however, all timesheet entries are returned, regardless of whether the user shares team permissions or not.\n\nExample:\nThere are projects P1 and P2, Teams T1 and T2, users U1 and U2 and Timesheet entries E1 and E2. U1 is team leader of team T1 and has access to P1. U2 is in Team T2 and has access to both P1 and P2. U2 creates E1 for P1 and E2 for P2.\nIn the UI, U1 with `view _other_timesheet` perms sees E1 as he is a part of T1 that has access to P1.\nIn the API, however, he has access to E1 **and E2**.\n\nAdditionally, if U1 is not a team leader T1, he does not see any timesheet from a user other than himself in the UI, but still all timesheets in the API.\n\n### PoC\n- Give a user `view_other_timesheet` permission\n- The result of the UI and the API call to `/api/timesheets?user=all` differs in the data that is being returned\n\nCurl command:\n```bash\ncurl -X \u0027GET\u0027 \\\n \u0027https://kimai.instance.com/api/timesheets?user=all\u0027 \\\n -H \u0027accept: application/json\u0027 \\\n -H \u0027X-AUTH-USER: username\u0027 \\\n -H \u0027X-AUTH-TOKEN: api_token\u0027\n ```\n\n### Impact\nThis is at least an insufficient granularity of access control weakness. People can see timesheet entries they are not supposed to.\nThis greatly affects the confidentiality of timesheet entries. \n\nRestricting API access to administrators is also not a valid solution, as API access is needed, for example, to use the mobile app.",
"id": "GHSA-cj3c-5xpm-cx94",
"modified": "2025-10-13T15:42:26Z",
"published": "2024-03-29T19:05:49Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/kimai/kimai/security/advisories/GHSA-cj3c-5xpm-cx94"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29200"
},
{
"type": "PACKAGE",
"url": "https://github.com/kimai/kimai"
},
{
"type": "WEB",
"url": "https://github.com/kimai/kimai/releases/tag/2.13.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Kimai API returns timesheet entries a user should not be authorized to view"
}
GHSA-F4C9-CQV8-9V98
Vulnerability from github – Published: 2022-05-24 17:42 – Updated: 2024-07-19 18:34Withdrawn Advisory
This advisory has been withdrawn because the user must configure jsdom to allow access to local files.
Original Description
JSDom improperly allows the loading of local resources, which allows for local files to be manipulated by a malicious web page when script execution is enabled.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 16.4.0"
},
"package": {
"ecosystem": "npm",
"name": "jsdom"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "16.5.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-20066"
],
"database_specific": {
"cwe_ids": [
"CWE-1220"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-22T18:50:49Z",
"nvd_published_at": "2021-02-16T20:15:00Z",
"severity": "LOW"
},
"details": "# Withdrawn Advisory\n\nThis advisory has been withdrawn because the user must configure jsdom to allow access to local files.\n\n# Original Description\n\nJSDom improperly allows the loading of local resources, which allows for local files to be manipulated by a malicious web page when script execution is enabled.",
"id": "GHSA-f4c9-cqv8-9v98",
"modified": "2024-07-19T18:34:30Z",
"published": "2022-05-24T17:42:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20066"
},
{
"type": "WEB",
"url": "https://github.com/jsdom/jsdom/issues/3124"
},
{
"type": "WEB",
"url": "https://github.com/jsdom/jsdom/issues/3124#issuecomment-783502951"
},
{
"type": "PACKAGE",
"url": "https://github.com/jsdom/jsdom"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JS-JSDOM-1075447"
},
{
"type": "WEB",
"url": "https://www.tenable.com/security/research/tra-2021-05"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Withdrawn Advisory: Insufficient Granularity of Access Control in JSDom",
"withdrawn": "2024-07-19T18:34:30Z"
}
GHSA-F662-3VXF-4MP9
Vulnerability from github – Published: 2026-02-02 12:31 – Updated: 2026-02-02 12:31In lunary-ai/lunary version 1.2.13, an insufficient granularity of access control vulnerability allows users to delete prompts created in other organizations through ID manipulation. The vulnerability stems from the application's failure to validate the ownership of the prompt before deletion, only checking if the user has permissions to delete such resources without verifying if it belongs to the user's project or organization. As a result, users can remove prompts not owned by their organization or project, leading to legitimate users being unable to access the removed prompts and causing information inconsistencies.
{
"affected": [],
"aliases": [
"CVE-2024-4147"
],
"database_specific": {
"cwe_ids": [
"CWE-1220"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-02T11:16:16Z",
"severity": "HIGH"
},
"details": "In lunary-ai/lunary version 1.2.13, an insufficient granularity of access control vulnerability allows users to delete prompts created in other organizations through ID manipulation. The vulnerability stems from the application\u0027s failure to validate the ownership of the prompt before deletion, only checking if the user has permissions to delete such resources without verifying if it belongs to the user\u0027s project or organization. As a result, users can remove prompts not owned by their organization or project, leading to legitimate users being unable to access the removed prompts and causing information inconsistencies.",
"id": "GHSA-f662-3vxf-4mp9",
"modified": "2026-02-02T12:31:14Z",
"published": "2026-02-02T12:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4147"
},
{
"type": "WEB",
"url": "https://github.com/lunary-ai/lunary/commit/0755dde1afc2a74ec23b55eee03e4416916cf48f"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/3f051943-71ea-414c-a528-cd8b5d82a7ad"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F77V-7FV6-253H
Vulnerability from github – Published: 2025-07-08 18:31 – Updated: 2025-07-08 18:31A vulnerability has been identified in the Now Platform that could result in data being inferred without authorization. Under certain conditional access control list (ACL) configurations, this vulnerability could enable unauthenticated and authenticated users to use range query requests to infer instance data that is not intended to be accessible to them.
To assist customers in enhancing access controls, ServiceNow has introduced additional access control frameworks in Xanadu and Yokohama, such as Query ACLs, Security Data Filters and Deny-Unless ACLs.
Additionally, in May 2025, ServiceNow delivered to customers a security update that is designed to enhance customer ACL configurations.
Customers, please review the KB Articles in the References section.
{
"affected": [],
"aliases": [
"CVE-2025-3648"
],
"database_specific": {
"cwe_ids": [
"CWE-1220"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-08T16:15:57Z",
"severity": "HIGH"
},
"details": "A vulnerability has been identified in the Now Platform that could result in data being inferred without authorization. Under certain conditional access control list (ACL) configurations, this vulnerability could enable unauthenticated and authenticated users to use range query requests to infer instance data that is not intended to be accessible to them.\n\nTo assist customers in enhancing access controls, ServiceNow has introduced additional access control frameworks in Xanadu and Yokohama, such as Query ACLs, Security Data Filters and Deny-Unless ACLs.\n\nAdditionally, in May 2025, ServiceNow delivered to customers a security update that is designed to enhance customer ACL configurations.\n\nCustomers, please review the KB Articles in the References section.",
"id": "GHSA-f77v-7fv6-253h",
"modified": "2025-07-08T18:31:43Z",
"published": "2025-07-08T18:31:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3648"
},
{
"type": "WEB",
"url": "https://support.servicenow.com/kb?id=kb_article_view\u0026sysparm_article=KB2046494"
},
{
"type": "WEB",
"url": "https://support.servicenow.com/kb?id=kb_article_view\u0026sysparm_article=KB2139567"
},
{
"type": "WEB",
"url": "https://support.servicenow.com/kb?id=kb_article_view\u0026sysparm_article=KB2256712"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
- Access-control-policy protections must be reviewed for design inconsistency and common weaknesses.
- Access-control-policy definition and programming flow must be tested in pre-silicon, post-silicon testing.
CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.
CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels
An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.