[#14436] - ASVS v4.0 - 4.1.3 - Improper authorization

Category:
Bug report
Priority:
Immediate
Status:
New
Project:
Severity:
Critical
Resolution:
Open
Component:
Reproducibility:
Always
Assigned to:

There are multiple endpoints in the application that are vulnerable.
1. A user with least privileges has access to the endpoint and is able to change cloud and OLAP configuration parameters.
2. A user with least privileges can see and generate reports of other organizations that should not be accessible to the user.
3. Any user has access to internal paths like that should be reachable only by an admin user.
Assuming a user with a given identity, authorization is the process of determining whether that user can access
a given resource, based on the user's privileges and any permissions or other access-control specifications that
apply to the resource.
When access control checks are not applied consistently - or not at all - users are able to access data or perform
actions that they should not be allowed to perform. This can lead to a wide range of problems, including
information exposures, denial of service, and arbitrary code execution.
A more specific test is to check whether a given user is able to access other users' resources. Users
should only be able to access functions, data files, URLs, controllers, services, and other resources for which
they possess specific authorization. This implies protection against spoofing and elevation of privilege.

Attachment: jaspersoft_-_bug.png (134.27 KB)
v4.1.3
Authorization
ramyakrishna.chilukala
Joined: Oct 3 2022 - 10:12pm
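The three findings above are the two classic shapes of broken authorization: function-level (a least-privileged user reaching configuration and admin endpoints) and object-level (a user reading another organization's reports). The following is an added illustration in Python, not code from this report or from the product under test. It models a deny-by-default check that covers both shapes and a small access matrix that is the practical form of the "can any given user reach other users' resources" test described in the ASVS text. The users, roles, organizations, endpoint names and report data are all constructed assumptions.

```python
"""Object-level and function-level authorization checks (added example).

This is a toy in-memory model written to illustrate the findings in the
report. It is not JasperReports Server code; every name below is assumed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    org: str
    roles: frozenset


@dataclass(frozen=True)
class Report:
    report_id: str
    org: str


# Constructed sample data: two organizations, one report each.
REPORTS = {
    "r1": Report("r1", "org_a"),
    "r2": Report("r2", "org_b"),
}

# Function-level policy: which roles may call which endpoint. The endpoint
# names are hypothetical and mirror the three findings in the report.
ENDPOINT_ROLES = {
    "PUT /config/cloud": {"ROLE_ADMINISTRATOR"},          # finding 1
    "PUT /config/olap": {"ROLE_ADMINISTRATOR"},           # finding 1
    "GET /admin/": {"ROLE_ADMINISTRATOR"},                # finding 3
    "GET /reports/{id}": {"ROLE_USER", "ROLE_ADMINISTRATOR"},
    "POST /reports/{id}/run": {"ROLE_USER", "ROLE_ADMINISTRATOR"},
}


class Forbidden(Exception):
    """Raised when a check fails; a web layer would map this to 403."""


def vulnerable_get_report(user, report_id):
    """The failure mode in finding 2: the caller is authenticated, so the
    handler serves any report without checking which organization owns it."""
    return REPORTS[report_id]


def authorize(user, endpoint, resource=None):
    """Deny-by-default check to run before every handler.

    1. Function-level: the endpoint must exist in the policy table and the
       user must hold one of its allowed roles (findings 1 and 3).
    2. Object-level: when the endpoint touches a resource, the resource must
       belong to the user's organization unless the user is an
       administrator (finding 2).
    """
    allowed = ENDPOINT_ROLES.get(endpoint)
    if allowed is None or not (user.roles & allowed):
        raise Forbidden(f"{user.name} may not call {endpoint}")
    if resource is not None and "ROLE_ADMINISTRATOR" not in user.roles:
        if resource.org != user.org:
            raise Forbidden(
                f"{user.name} ({user.org}) may not access "
                f"{resource.report_id} owned by {resource.org}"
            )
    return True


def get_report(user, report_id):
    """Hardened counterpart of vulnerable_get_report: look up, then check
    ownership. (An unknown id raises KeyError here; if report ids must not
    be enumerable, return the same error as Forbidden instead.)"""
    report = REPORTS[report_id]
    authorize(user, "GET /reports/{id}", report)
    return report


def can(user, endpoint, resource=None):
    """Boolean wrapper around authorize() for building a test matrix."""
    try:
        authorize(user, endpoint, resource)
        return True
    except Forbidden:
        return False


def access_matrix(users, endpoints):
    """For each (user, endpoint) pair record whether access is granted.
    Running this with a least-privileged account against every endpoint
    is the systematic check that finds the kind of gaps reported above."""
    return {(u.name, e): can(u, e) for u in users for e in endpoints}


# Constructed test identities: a plain user in org_a and an administrator.
ALICE = User("alice", "org_a", frozenset({"ROLE_USER"}))
ADMIN = User("admin", "org_a", frozenset({"ROLE_ADMINISTRATOR"}))


if __name__ == "__main__":
    for (who, endpoint), ok in access_matrix([ALICE, ADMIN], ENDPOINT_ROLES).items():
        print(f"{who:6} {endpoint:24} {'allow' if ok else 'deny'}")
```

The point of the matrix is that it is exhaustive: every endpoint is listed once in one policy table, so an endpoint that is reachable without an entry is a bug by construction rather than something a tester has to remember to try.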

1 Comment:

#1
  • Resolution: Suspended » Open
  • Status: Feedback Requested » New
Feedback