CWE-566 - Authorization Bypass Through User-Controlled SQL Primary Key

CWE-566

Abstraction:
Variant

Structure:
Simple

Status:
Incomplete

Weakness Name: Authorization Bypass Through User-Controlled SQL Primary Key

Description: The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor.
When a user can set a primary key to any value, then the user can modify the key to point to unauthorized records. Database access control errors occur when:

Common Consequences: Scope: Confidentiality, Integrity, Access Control
Impact: Read Application Data, Modify Application Data, Bypass Protection Mechanism

Related Weaknesses: CWE-639Authorization Bypass Through User-Controlled KeyHigh

Release Date:
2006-07-19

Latest Modification Date:
2024-02-29

Free security scan for your website

Don't show website scan report rating on the leaderboard