Falhas do tipo CWE-862

7.080 resultados

Falha de verificação de autorização

A aplicação não valida se o usuário tem permissão para acessar um recurso ou executar uma ação específica. O código presume que quem chegou até ali já é confiável, pulando a checagem de privilégios. Qualquer atacante que consiga se autenticar (ou nem isso) pode fazer operações que deveria estar proibido.

Exemplo

Um admin painel que verifica login, mas depois deixa qualquer usuário logado deletar outros perfis acessando /admin/delete-user/123 diretamente. A autenticação existe, a autorização não.

Como mitigar

Implemente verificações de autorização (ACL, RBAC ou atributo-based) antes de cada operação sensível: confirme se o usuário tem a role ou permissão necessária. Não confie em autenticação alone — é login que prova quem você é, autorização que prova o que você pode fazer.

CVE-2023-30865MEDIUMIn dialer service, there is a missing permission check. This could lead to local information disclosure with no additional execution privileEPSS 0.1%CVE-2022-48390HIGHIn telephony service, there is a possible missing permission check. This could lead to local escalation of privilege with no additional execEPSS 0.1%CVE-2023-20833MEDIUMIn keyinstall, there is a possible information disclosure due to a missing bounds check. This could lead to local information disclosure witEPSS 0.1%CVE-2022-48392HIGHIn dialer service, there is a possible missing permission check. This could lead to local escalation of privilege with no additional executiEPSS 0.1%CVE-2022-48391MEDIUMIn telephony service, there is a possible missing permission check. This could lead to local denial of service with no additional execution EPSS 0.1%CVE-2022-48446MEDIUMIn telephony service, there is a possible missing permission check. This could lead to local denial of service with no additional execution EPSS 0.1%CVE-2022-48447MEDIUMIn telephony service, there is a possible missing permission check. This could lead to local denial of service with no additional execution EPSS 0.1%CVE-2023-40654MEDIUMIn FW-PackageManager, there is a possible missing permission check. This could lead to local escalation of privilege with System execution pEPSS 0.1%CVE-2023-21141In several functions of several files, there is a possible way to access developer mode traces due to a permissions bypass. This could lead EPSS 0.1%CVE-2022-44423MEDIUMIn music service, there is a missing permission check. This could lead to local denial of service in contacts service with no additional exeEPSS 0.1%CVE-2022-44438MEDIUMIn messaging service, there is a missing permission check. This could lead to local denial of service in contacts service with no additionalEPSS 0.1%CVE-2022-44424MEDIUMIn music service, there is a missing permission check. This could lead to local denial of service in contacts service with no additional exeEPSS 0.1%CVE-2022-44439MEDIUMIn messaging service, there is a missing permission check. This could lead to local denial of service in contacts service with no additionalEPSS 0.1%CVE-2025-26440HIGHIn multiple functions of CameraService.cpp, there is a possible way to use the camera from the background due to a permissions bypass. This EPSS 0.1%CVE-2022-44434MEDIUMIn messaging service, there is a missing permission check. This could lead to local denial of service in contacts service with no additionalEPSS 0.1%CVE-2023-21091MEDIUMIn canDisplayLocalUi of AppLocalePickerActivity.java, there is a possible way to change system app locales due to a missing permission checkEPSS 0.1%CVE-2022-39103MEDIUMIn Gallery service, there is a missing permission check. This could lead to local denial of service in Gallery service with no additional exEPSS 0.1%CVE-2022-44436MEDIUMIn messaging service, there is a missing permission check. This could lead to local denial of service in contacts service with no additionalEPSS 0.1%CVE-2022-44435In messaging service, there is a missing permission check. This could lead to local denial of service in contacts service with no additionalEPSS 0.1%CVE-2025-48591MEDIUMIn multiple locations, there is a possible way to read files from another user due to a missing permission check. This could lead to local iEPSS 0.1%