CWE-1259 15 件の CVE MITRE の定義 ↗

CWE-1259: Improper Restriction of Security Token Assignment

概要

CWE-1259(Improper Restriction of Security Token Assignment)は各種脆弱性データベースや評価で用いられる弱点タイプを説明します。定義・背景・対応する CVE は以下の各セクションを参照してください。

セキュリティへの影響
セキュリティ影響:製品や文脈に依存します。CVE 記録、深刻度、MITRE の説明を参照して優先度を判断してください。

説明

The System-On-A-Chip (SoC) implements a Security Token mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. However, the Security Tokens are improperly protected.

適用プラットフォーム

種別 名称 クラス 普遍性 OS / CPE
language Not Language-Specific Undetermined
operating_system Not OS-Specific Undetermined
architecture Not Architecture-Specific Undetermined
technology Processor Hardware Not Technology-Specific Undetermined
technology System on Chip Undetermined

このデータベースの関連 CVE

これらの CVE は本データベースでこの弱点に対応付けられており、追跡と検索のために保持されています。

CVE 公開 概要
CVE-2026-25700 2026-06-10 Improper Restriction of Security Token Assignment vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. Previously issued administrative tokens were not invalidated after …
CVE-2026-40264 2026-04-20 OpenBao is an open source identity-based secrets management system. OpenBao's namespaces provide multi-tenant separation. Prior to version 2.5.3, a tenant who leaks token accessors can have their toke…
CVE-2024-29371 2025-12-17 In jose4j before 0.9.6, an attacker can cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token …
CVE-2025-56207 2025-09-30 A security flaw in the '_transfer' function of a smart contract implementation for Money Making Opportunity (MMO), an Ethereum ERC721 Non-Fungible Token (NFT) project, allows users or attackers to tra…
CVE-2025-56676 2025-09-30 TitanSystems Zender v3.9.7 contains an account takeover vulnerability in its password reset functionality. A temporary password or reset token issued to one user can be used to log in as another user,…
CVE-2024-4598 2025-09-23 An information disclosure vulnerability exists in multiple WSO2 products due to improper implementation of the enrich mediator. Authenticated users may be able to view unintended business data from ot…
CVE-2025-50579 2025-08-19 A CORS misconfiguration in Nginx Proxy Manager v2.12.3 allows unauthorized domains to access sensitive data, particularly JWT tokens, due to improper validation of the Origin header. This misconfigura…
CVE-2025-51306 2025-08-06 In Gatling Enterprise versions below 1.25.0, a user logging-out can still use his session token to continue using the application without expiration, due to incorrect session management.
CVE-2025-27955 2025-06-02 Clinical Collaboration Platform 12.2.1.5 has a weak logout system where the session token remains valid after logout and allows a remote attacker to obtain sensitive information and execute arbitrary …
CVE-2024-45448 2024-09-03 Page table protection configuration vulnerability in the trusted firmware module Impact: Successful exploitation of this vulnerability may affect service confidentiality.
CVE-2024-41948 2024-08-01 biscuit-java is the java implementation of Biscuit, an authentication and authorization token for microservices architectures. Third-party blocks can be generated without transferring the whole token …
CVE-2024-36111 2024-07-25 KubePi is a K8s panel. Starting in version 1.6.3 and prior to version 1.8.0, there is a defect in the KubePi JWT token verification. The JWT key in the default configuration file is empty. Although a …
CVE-2024-36533 2024-07-24 Insecure permissions in volcano v1.8.2 allows attackers to access sensitive data and escalate privileges by obtaining the service account's token.
CVE-2022-23541 2022-12-22 jsonwebtoken is an implementation of JSON Web Tokens. Versions `<= 8.5.1` of `jsonwebtoken` library can be misconfigured so that passing a poorly implemented key retrieval function referring to the `s…
CVE-2022-23551 2022-12-21 aad-pod-identity assigns Azure Active Directory identities to Kubernetes applications and has now been deprecated as of 24 October 2022. The NMI component in AAD Pod Identity intercepts and validates …

旧名称

  • Improper Protection of Security Identifiers (2020-08-20)

コンテンツ投稿

名称
Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi
組織
Intel Corporation
日付
2020-03-06
バージョン
4.1

コンテンツの変更履歴

日付 名称 バージョン 重要度 コメント
2020-08-20 CWE Content Team 4.2 updated Demonstrative_Examples, Description, Modes_of_Introduction, Name, Potential_Mitigations, Related_Attack_Patterns, Relationships
2021-03-15 CWE Content Team 4.4 updated Maintenance_Notes
2021-10-28 CWE Content Team 4.6 updated Description
2022-04-28 CWE Content Team 4.7 updated Applicable_Platforms, Related_Attack_Patterns
2022-06-28 CWE Content Team 4.8 updated Applicable_Platforms
2023-01-31 CWE Content Team 4.10 updated Description
2023-04-27 CWE Content Team 4.11 updated Relationships
2023-06-29 CWE Content Team 4.12 updated Mapping_Notes
2025-12-11 CWE Content Team 4.19 updated Common_Consequences, Description, Weakness_Ordinalities

貢献

タイプ 名称 日付 コメント
Feedback MaineK00n 2022-10-31 corrected a typo in extended description
cvelogic Threat Intelligence