Common Weakness Enumeration

CWE-1220

Allowed

Insufficient Granularity of Access Control

Abstraction: Base · Status: Incomplete

The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.

176 vulnerabilities reference this CWE, most recent first.

GHSA-9JMP-J63G-8X6M

Vulnerability from github – Published: 2024-09-13 18:31 – Updated: 2025-06-20 20:01
VLAI
Summary
Withdrawn Advisory: Lunary information disclosure vulnerability
Details

Withdrawn Advisory

This advisory has been withdrawn because the lunary npm package is connected to https://github.com/lunary-ai/lunary-js, not the https://github.com/lunary-ai/lunary repo that is discussed in this advisory.

The underlying vulnerability report is still valid, but it doesn't affect a product in a GitHub Advisory Database supported ecosystem.

This link is maintained to preserve external references.

Original Description

An information disclosure vulnerability exists in the lunary-ai/lunary, specifically in the runs/{run_id}/related endpoint. This endpoint does not verify that the user has the necessary access rights to the run(s) they are accessing. As a result, it returns not only the specified run but also all runs that have the run_id listed as their parent run. This issue affects the main branch, commit a761d833. The vulnerability allows unauthorized users to obtain information about non-public runs and their related runs, given the run_id of a public or non-public run.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "lunary"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-6867"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1220"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-13T19:34:16Z",
    "nvd_published_at": "2024-09-13T17:15:13Z",
    "severity": "MODERATE"
  },
  "details": "## Withdrawn Advisory\nThis advisory has been withdrawn because the [lunary npm package](https://www.npmjs.com/package/lunary) is connected to https://github.com/lunary-ai/lunary-js, not the https://github.com/lunary-ai/lunary repo that is discussed in this advisory.\n\n**The underlying vulnerability report is still valid**, but it doesn\u0027t affect a product in a [GitHub Advisory Database supported ecosystem](https://docs.github.com/en/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database#github-reviewed-advisories).\n\nThis link is maintained to preserve external references.\n\n## Original Description\nAn information disclosure vulnerability exists in the lunary-ai/lunary, specifically in the `runs/{run_id}/related` endpoint. This endpoint does not verify that the user has the necessary access rights to the run(s) they are accessing. As a result, it returns not only the specified run but also all runs that have the `run_id` listed as their parent run. This issue affects the main branch, commit a761d833. The vulnerability allows unauthorized users to obtain information about non-public runs and their related runs, given the `run_id` of a public or non-public run.",
  "id": "GHSA-9jmp-j63g-8x6m",
  "modified": "2025-06-20T20:01:41Z",
  "published": "2024-09-13T18:31:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6867"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lunary-ai/lunary/commit/35afd4439464571eb016318cd7b6f85a162225ca"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/460df515-164c-4435-954b-0233a181545f"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Withdrawn Advisory: Lunary information disclosure vulnerability",
  "withdrawn": "2025-06-20T20:00:15Z"
}

GHSA-9MX7-6MVP-M4H2

Vulnerability from github – Published: 2025-02-12 00:32 – Updated: 2025-02-12 00:32
VLAI
Details

Improper input validation in the SMM handler may allow a privileged attacker to overwrite SMRAM, potentially leading to arbitrary code execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-31343"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1220",
      "CWE-20"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-11T23:15:08Z",
    "severity": "HIGH"
  },
  "details": "Improper input validation in the SMM handler may allow a privileged attacker to overwrite SMRAM, potentially leading to arbitrary code execution.",
  "id": "GHSA-9mx7-6mvp-m4h2",
  "modified": "2025-02-12T00:32:16Z",
  "published": "2025-02-12T00:32:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31343"
    },
    {
      "type": "WEB",
      "url": "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3009.html"
    },
    {
      "type": "WEB",
      "url": "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-4008.html"
    },
    {
      "type": "WEB",
      "url": "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-5004.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9VRQ-HH79-6V9M

Vulnerability from github – Published: 2025-05-22 15:34 – Updated: 2025-05-22 15:34
VLAI
Details

An issue has been discovered in GitLab CE/EE affecting all versions before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. An attacker may be able to reveal masked or hidden CI variables (that they did not author) in the WebUI, by simply creating their own variable and observing the HTTP response.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-4979"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1220"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-22T14:16:08Z",
    "severity": "MODERATE"
  },
  "details": "An issue has been discovered in GitLab CE/EE affecting all versions before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. An attacker may be able to reveal masked or hidden CI variables (that they did not author) in the WebUI, by simply creating their own variable and observing the HTTP response.",
  "id": "GHSA-9vrq-hh79-6v9m",
  "modified": "2025-05-22T15:34:50Z",
  "published": "2025-05-22T15:34:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4979"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/524455"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9X88-4JG8-4VF7

Vulnerability from github – Published: 2024-06-06 21:30 – Updated: 2025-10-15 15:49
VLAI
Summary
Improper authorization in zenml
Details

An improper authorization vulnerability exists in the zenml-io/zenml repository, specifically within the API PUT /api/v1/users/id endpoint. This vulnerability allows any authenticated user to modify the information of other users, including changing the active status of user accounts to false, effectively deactivating them. This issue affects version 0.55.3 and was fixed in version 0.56.2. The impact of this vulnerability is significant as it allows for the deactivation of admin accounts, potentially disrupting the functionality and security of the application.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "zenml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.56.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-2035"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1220",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-06T22:21:21Z",
    "nvd_published_at": "2024-06-06T19:15:53Z",
    "severity": "MODERATE"
  },
  "details": "An improper authorization vulnerability exists in the zenml-io/zenml repository, specifically within the API PUT /api/v1/users/id endpoint. This vulnerability allows any authenticated user to modify the information of other users, including changing the `active` status of user accounts to false, effectively deactivating them. This issue affects version 0.55.3 and was fixed in version 0.56.2. The impact of this vulnerability is significant as it allows for the deactivation of admin accounts, potentially disrupting the functionality and security of the application.",
  "id": "GHSA-9x88-4jg8-4vf7",
  "modified": "2025-10-15T15:49:21Z",
  "published": "2024-06-06T21:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2035"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zenml-io/zenml/commit/b95f083efffa56831cd41d8ed536aeb0b6038fa3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/zenml/PYSEC-2024-169.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/zenml-io/zenml"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/1cfc6493-082e-4229-9f2f-496801a6557c"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper authorization in zenml"
}

GHSA-CCMH-37RX-6PP5

Vulnerability from github – Published: 2023-08-21 18:31 – Updated: 2024-04-04 07:05
VLAI
Details

A flaw was found in openshift-logging LokiStack. The key used for caching is just the token, which is too broad. This issue allows a user with a token valid for one action to execute other actions as long as the authorization allowing the original action is still cached.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-4456"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1220"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-21T17:15:50Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in openshift-logging LokiStack. The key used for caching is just the token, which is too broad. This issue allows a user with a token valid for one action to execute other actions as long as the authorization allowing the original action is still cached.",
  "id": "GHSA-ccmh-37rx-6pp5",
  "modified": "2024-04-04T07:05:11Z",
  "published": "2023-08-21T18:31:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4456"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2023:4933"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2023:5095"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2023:5096"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2023-4456"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2233087"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CHGX-7CW3-HR55

Vulnerability from github – Published: 2023-08-11 15:30 – Updated: 2024-02-16 15:30
VLAI
Details

A vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some rows that INSERT policies do not forbid, a user could store such rows.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-39418"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1220"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-11T13:15:09Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some rows that INSERT policies do not forbid, a user could store such rows.",
  "id": "GHSA-chgx-7cw3-hr55",
  "modified": "2024-02-16T15:30:25Z",
  "published": "2023-08-11T15:30:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39418"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2023:7785"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2023:7883"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2023:7884"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2023:7885"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2023-39418"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2228112"
    },
    {
      "type": "WEB",
      "url": "https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=cb2ae5741f2458a474ed3c31458d242e678ff229"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20230915-0002"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2023/dsa-5553"
    },
    {
      "type": "WEB",
      "url": "https://www.postgresql.org/support/security/CVE-2023-39418"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CJ3C-5XPM-CX94

Vulnerability from github – Published: 2024-03-29 19:05 – Updated: 2025-10-13 15:42
VLAI
Summary
Kimai API returns timesheet entries a user should not be authorized to view
Details

Summary

The permission view_other_timesheet performs differently for the Kimai UI and the API, thus returning unexpected data through the API.

Details

When setting the view_other_timesheet permission to true, on the frontend, users can only see timesheet entries for teams they are a part of. When requesting all timesheets from the API, however, all timesheet entries are returned, regardless of whether the user shares team permissions or not.

Example: There are projects P1 and P2, Teams T1 and T2, users U1 and U2 and Timesheet entries E1 and E2. U1 is team leader of team T1 and has access to P1. U2 is in Team T2 and has access to both P1 and P2. U2 creates E1 for P1 and E2 for P2. In the UI, U1 with view _other_timesheet perms sees E1 as he is a part of T1 that has access to P1. In the API, however, he has access to E1 and E2.

Additionally, if U1 is not a team leader T1, he does not see any timesheet from a user other than himself in the UI, but still all timesheets in the API.

PoC

  • Give a user view_other_timesheet permission
  • The result of the UI and the API call to /api/timesheets?user=all differs in the data that is being returned

Curl command: bash curl -X 'GET' \ 'https://kimai.instance.com/api/timesheets?user=all' \ -H 'accept: application/json' \ -H 'X-AUTH-USER: username' \ -H 'X-AUTH-TOKEN: api_token'

Impact

This is at least an insufficient granularity of access control weakness. People can see timesheet entries they are not supposed to. This greatly affects the confidentiality of timesheet entries.

Restricting API access to administrators is also not a valid solution, as API access is needed, for example, to use the mobile app.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "kimai/kimai"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.13.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-29200"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1220"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-29T19:05:49Z",
    "nvd_published_at": "2024-03-28T14:15:14Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nThe permission `view_other_timesheet` performs differently for the Kimai UI and the API, thus returning unexpected data through the API.\n\n### Details\nWhen setting the `view_other_timesheet` permission to true, on the frontend, users can only see timesheet entries for teams they are a part of. When requesting all timesheets from the API, however, all timesheet entries are returned, regardless of whether the user shares team permissions or not.\n\nExample:\nThere are projects P1 and P2, Teams T1 and T2, users U1 and U2 and Timesheet entries E1 and E2. U1 is team leader of team T1 and has access to P1. U2 is in Team T2 and has access to both P1 and P2. U2 creates E1 for P1 and E2 for P2.\nIn the UI, U1 with `view _other_timesheet` perms sees E1 as he is a part of T1 that has access to P1.\nIn the API, however, he has access to E1 **and E2**.\n\nAdditionally, if U1 is not a team leader T1, he does not see any timesheet from a user other than himself in the UI, but still all timesheets in the API.\n\n### PoC\n- Give a user `view_other_timesheet` permission\n- The result of the UI and the API call to `/api/timesheets?user=all` differs in the data that is being returned\n\nCurl command:\n```bash\ncurl -X \u0027GET\u0027 \\\n  \u0027https://kimai.instance.com/api/timesheets?user=all\u0027 \\\n  -H \u0027accept: application/json\u0027 \\\n  -H \u0027X-AUTH-USER: username\u0027 \\\n  -H \u0027X-AUTH-TOKEN: api_token\u0027\n ```\n\n### Impact\nThis is at least an insufficient granularity of access control weakness. People can see timesheet entries they are not supposed to.\nThis greatly affects the confidentiality of timesheet entries. \n\nRestricting API access to administrators is also not a valid solution, as API access is needed, for example, to use the mobile app.",
  "id": "GHSA-cj3c-5xpm-cx94",
  "modified": "2025-10-13T15:42:26Z",
  "published": "2024-03-29T19:05:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/kimai/kimai/security/advisories/GHSA-cj3c-5xpm-cx94"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29200"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kimai/kimai"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kimai/kimai/releases/tag/2.13.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Kimai API returns timesheet entries a user should not be authorized to view"
}

GHSA-F4C9-CQV8-9V98

Vulnerability from github – Published: 2022-05-24 17:42 – Updated: 2024-07-19 18:34
VLAI
Summary
Withdrawn Advisory: Insufficient Granularity of Access Control in JSDom
Details

Withdrawn Advisory

This advisory has been withdrawn because the user must configure jsdom to allow access to local files.

Original Description

JSDom improperly allows the loading of local resources, which allows for local files to be manipulated by a malicious web page when script execution is enabled.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 16.4.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "jsdom"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "16.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-20066"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1220"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-22T18:50:49Z",
    "nvd_published_at": "2021-02-16T20:15:00Z",
    "severity": "LOW"
  },
  "details": "# Withdrawn Advisory\n\nThis advisory has been withdrawn because the user must configure jsdom to allow access to local files.\n\n# Original Description\n\nJSDom improperly allows the loading of local resources, which allows for local files to be manipulated by a malicious web page when script execution is enabled.",
  "id": "GHSA-f4c9-cqv8-9v98",
  "modified": "2024-07-19T18:34:30Z",
  "published": "2022-05-24T17:42:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20066"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jsdom/jsdom/issues/3124"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jsdom/jsdom/issues/3124#issuecomment-783502951"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jsdom/jsdom"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JS-JSDOM-1075447"
    },
    {
      "type": "WEB",
      "url": "https://www.tenable.com/security/research/tra-2021-05"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Withdrawn Advisory: Insufficient Granularity of Access Control in JSDom",
  "withdrawn": "2024-07-19T18:34:30Z"
}

GHSA-F662-3VXF-4MP9

Vulnerability from github – Published: 2026-02-02 12:31 – Updated: 2026-02-02 12:31
VLAI
Details

In lunary-ai/lunary version 1.2.13, an insufficient granularity of access control vulnerability allows users to delete prompts created in other organizations through ID manipulation. The vulnerability stems from the application's failure to validate the ownership of the prompt before deletion, only checking if the user has permissions to delete such resources without verifying if it belongs to the user's project or organization. As a result, users can remove prompts not owned by their organization or project, leading to legitimate users being unable to access the removed prompts and causing information inconsistencies.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-4147"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1220"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-02T11:16:16Z",
    "severity": "HIGH"
  },
  "details": "In lunary-ai/lunary version 1.2.13, an insufficient granularity of access control vulnerability allows users to delete prompts created in other organizations through ID manipulation. The vulnerability stems from the application\u0027s failure to validate the ownership of the prompt before deletion, only checking if the user has permissions to delete such resources without verifying if it belongs to the user\u0027s project or organization. As a result, users can remove prompts not owned by their organization or project, leading to legitimate users being unable to access the removed prompts and causing information inconsistencies.",
  "id": "GHSA-f662-3vxf-4mp9",
  "modified": "2026-02-02T12:31:14Z",
  "published": "2026-02-02T12:31:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4147"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lunary-ai/lunary/commit/0755dde1afc2a74ec23b55eee03e4416916cf48f"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/3f051943-71ea-414c-a528-cd8b5d82a7ad"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F77V-7FV6-253H

Vulnerability from github – Published: 2025-07-08 18:31 – Updated: 2025-07-08 18:31
VLAI
Details

A vulnerability has been identified in the Now Platform that could result in data being inferred without authorization. Under certain conditional access control list (ACL) configurations, this vulnerability could enable unauthenticated and authenticated users to use range query requests to infer instance data that is not intended to be accessible to them.

To assist customers in enhancing access controls, ServiceNow has introduced additional access control frameworks in Xanadu and Yokohama, such as Query ACLs, Security Data Filters and Deny-Unless ACLs.

Additionally, in May 2025, ServiceNow delivered to customers a security update that is designed to enhance customer ACL configurations.

Customers, please review the KB Articles in the References section.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-3648"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1220"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-08T16:15:57Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability has been identified in the Now Platform that could result in data being inferred without authorization. Under certain conditional access control list (ACL) configurations, this vulnerability could enable unauthenticated and authenticated users to use range query requests to infer instance data that is not intended to be accessible to them.\n\nTo assist customers in enhancing access controls, ServiceNow has introduced additional access control frameworks in Xanadu and Yokohama, such as Query ACLs, Security Data Filters and Deny-Unless ACLs.\n\nAdditionally, in May 2025, ServiceNow delivered to customers a security update that is designed to enhance customer ACL configurations.\n\nCustomers, please review the KB Articles in the References section.",
  "id": "GHSA-f77v-7fv6-253h",
  "modified": "2025-07-08T18:31:43Z",
  "published": "2025-07-08T18:31:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3648"
    },
    {
      "type": "WEB",
      "url": "https://support.servicenow.com/kb?id=kb_article_view\u0026sysparm_article=KB2046494"
    },
    {
      "type": "WEB",
      "url": "https://support.servicenow.com/kb?id=kb_article_view\u0026sysparm_article=KB2139567"
    },
    {
      "type": "WEB",
      "url": "https://support.servicenow.com/kb?id=kb_article_view\u0026sysparm_article=KB2256712"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Architecture and Design Implementation Testing
  • Access-control-policy protections must be reviewed for design inconsistency and common weaknesses.
  • Access-control-policy definition and programming flow must be tested in pre-silicon, post-silicon testing.
CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs

In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.

CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels

An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.