logo

CWE-566 - Authorization Bypass Through User-Controlled SQL Primary Key

CWE-566

  • Abstraction:
  • Variant
  • Structure:
  • Simple
  • Status:
  • Incomplete
Weakness Name

Authorization Bypass Through User-Controlled SQL Primary Key

Description

The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor.

When a user can set a primary key to any value, then the user can modify the key to point to unauthorized records. Database access control errors occur when:

Common Consequences

Scope: Confidentiality, Integrity, Access Control

Impact: Read Application Data, Modify Application Data, Bypass Protection Mechanism

Related Weaknesses
  • Release Date:
  • 2006-07-19
  • Latest Modification Date:
  • 2024-02-29

Free security scan for your website