Description
Vertical Broken Object Level Authorization (BOLA), also known as Insecure Direct Object Reference (IDOR), is a security vulnerability that occurs when an application looks up a resource by a client-supplied identifier without verifying that the requesting user is authorized for that specific object. In the vertical case this allows a user to access or modify resources belonging to users at a different (typically higher) privilege level, for example an ordinary user reading or editing records that only an administrator should reach.
Remediation
To mitigate this vulnerability:
1. Implement proper authorization checks for every access to a resource.
2. Use indirect reference maps or strong, server-generated identifiers instead of direct object references.
3. Implement the principle of least privilege.
4. Use session-based authentication and authorization for all sensitive operations.
5. Regularly audit and test access control mechanisms.
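The following is an added example, not code from the original entry or from any of the products listed below. It shows remediation steps 1, 2 and 4 on a constructed invoice model: a handler that looks up a record by the client-supplied id (the vulnerable pattern), the same handler with an object-level check against the server-side session user, and a per-session indirect reference map. The user/invoice types and the owner-or-admin rule are assumptions made for the illustration.

```python
import secrets
from dataclasses import dataclass

# Constructed sample model: two ordinary users, one admin, two invoices.
@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin"

@dataclass(frozen=True)
class Invoice:
    id: int
    owner_id: int
    amount: int

USERS = {1: User(1, "user"), 2: User(2, "user"), 9: User(9, "admin")}
INVOICES = {100: Invoice(100, owner_id=1, amount=50),
            101: Invoice(101, owner_id=2, amount=75)}

class Forbidden(Exception): pass  # raised for any access the session user is not entitled to

def get_invoice_vulnerable(session_user: User, invoice_id: int) -> Invoice:
    # Vulnerable (BOLA/IDOR): the client-supplied id is looked up directly and
    # the session user is never compared against the record's owner.
    return INVOICES[invoice_id]

def can_access(session_user: User, invoice: Invoice) -> bool:
    # Object-level rule (assumed): admins may read any invoice, users only their own.
    return session_user.role == "admin" or invoice.owner_id == session_user.id

def get_invoice(session_user: User, invoice_id: int) -> Invoice:
    # Hardened: the check runs on every access against the server-side session
    # user; "missing" and "not yours" give the same result, so ids cannot be
    # enumerated from differing responses.
    invoice = INVOICES.get(invoice_id)
    if invoice is None or not can_access(session_user, invoice):
        raise Forbidden(f"user {session_user.id} may not read that invoice")
    return invoice

class ReferenceMap:
    # Per-session indirect reference map: random handles instead of raw ids.
    # This stops id guessing but does not replace the authorization check;
    # the id it resolves to must still go through get_invoice.
    def __init__(self) -> None:
        self._handles = {}
    def handle_for(self, object_id: int) -> str:
        handle = secrets.token_urlsafe(16)  # unguessable, server-generated
        self._handles[handle] = object_id
        return handle
    def resolve(self, handle: str):
        return self._handles.get(handle)  # None for an unknown handle
```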
References
Related Vulnerabilities
WordPress Plugin LearnDash LMS Insecure Direct Object Reference (4.6.0)
WordPress Plugin WPQA-Builder forms Addon For WordPress Insecure Direct Object Reference (5.9.2)
Atlassian Jira Authorization Bypass Through User-Controlled Key Vulnerability (CVE-2021-41307)
Liferay Portal Authorization Bypass Through User-Controlled Key Vulnerability (CVE-2022-42129)
Magento Authorization Bypass Through User-Controlled Key Vulnerability (CVE-2019-7854)