Description
Vertical Broken Object Level Authorization (BOLA), also known as Insecure Direct Object References (IDOR), is a security vulnerability that occurs when an application takes an object identifier from the client and uses it to retrieve or modify a resource without verifying that the requesting user is authorized for that resource. In the vertical case this lets users reach resources belonging to users at a different privilege level, for example an ordinary user reading or changing records that only an administrator should be able to access.
Remediation
To mitigate this vulnerability:
1. Implement proper authorization checks for every access to a resource.
2. Use indirect reference maps or strong, server-generated identifiers instead of direct object references.
3. Implement the principle of least privilege.
4. Use session-based authentication and authorization for all sensitive operations.
5. Regularly audit and test access control mechanisms.
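The following is an added example, not code from the original page, showing what steps 1 to 4 above look like in practice: a lookup that trusts a client-supplied key beside a hardened lookup that enforces an ownership-or-role check on every access, plus a per-session indirect reference map so clients never handle raw database ids. The invoice records, user names and role table are constructed for illustration.

```python
"""
Added example (not from the original page): a vulnerable object lookup beside
a hardened one. Demonstrates a per-request authorization check, a least-
privilege role rule, and an indirect reference map. All records, users and
roles below are constructed sample data.
"""
from dataclasses import dataclass, field
import secrets

# Constructed sample data: invoices keyed by their raw database id.
INVOICES = {
    101: {"owner": "alice", "total": 120.00},
    102: {"owner": "bob", "total": 48.50},
    103: {"owner": "admin", "total": 0.00},  # internal, admin-only record
}

# Constructed role table: an 'auditor' may read everything, a 'user' only its own.
ROLES = {"alice": "user", "bob": "user", "carol": "auditor"}


class Forbidden(Exception):
    """Raised when the session's user is not allowed to reach the object."""


@dataclass
class Session:
    user: str
    # Per-session indirect reference map: opaque token -> raw id.
    ref_map: dict = field(default_factory=dict)


def get_invoice_vulnerable(session: Session, invoice_id: int) -> dict:
    """Vulnerable: uses the client-supplied key and never checks who is asking."""
    return INVOICES[invoice_id]


def is_authorized(user: str, invoice: dict) -> bool:
    """Authorization rule: the owner or an auditor may read; nobody else."""
    role = ROLES.get(user, "user")  # unknown users get the least privilege
    return role == "auditor" or invoice["owner"] == user


def get_invoice_secure(session: Session, invoice_id: int) -> dict:
    """Hardened: authorization is enforced on every access, before any data leaves."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or not is_authorized(session.user, invoice):
        # One error for both 'missing' and 'not yours' avoids confirming which ids exist.
        raise Forbidden(f"{session.user} may not access invoice {invoice_id}")
    return invoice


def list_invoice_refs(session: Session) -> list:
    """Return opaque, per-session references for the invoices this user may see.

    The client only ever receives these tokens; raw ids stay on the server.
    """
    session.ref_map.clear()
    refs = []
    for raw_id, invoice in INVOICES.items():
        if is_authorized(session.user, invoice):
            token = secrets.token_urlsafe(16)
            session.ref_map[token] = raw_id
            refs.append(token)
    return refs


def get_invoice_by_ref(session: Session, ref: str) -> dict:
    """Resolve an opaque reference through the session's own map.

    A token minted for another session is unknown here, so a reference copied
    from one user to another fails closed.
    """
    raw_id = session.ref_map.get(ref)
    if raw_id is None:
        raise Forbidden("unknown reference")
    # Re-check authorization anyway: the map is a convenience, not the control.
    return get_invoice_secure(session, raw_id)


if __name__ == "__main__":
    bob = Session("bob")
    print(get_invoice_vulnerable(bob, 101))  # returns alice's invoice to bob
    try:
        get_invoice_secure(bob, 101)
    except Forbidden as err:
        print("blocked:", err)
    carol = Session("carol")
    print(len(list_invoice_refs(carol)), "invoices visible to the auditor")
```

The secure path keeps the authorization check inside the data-access function rather than at the route layer, so a new endpoint cannot forget it; the reference map is treated as a second layer on top of that check, not a replacement for it.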
References
Related Vulnerabilities
Moodle Authorization Bypass Through User-Controlled Key Vulnerability (CVE-2024-25983)
Envoy Proxy Authorization Bypass Through User-Controlled Key Vulnerability (CVE-2024-45806)
Vanilla Forums Authorization Bypass Through User-Controlled Key Vulnerability (CVE-2018-15833)
Liferay DXP Authorization Bypass Through User-Controlled Key Vulnerability (CVE-2022-42129)