CWE-566: Authorization Bypass Through User-Controlled SQL Primary Key
Abstraction: Variant
Status: Incomplete
The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor.
Extended Description
When a user can set a primary key to any value, the user can modify the key to point to unauthorized records. Database access control errors occur when:
- Data enters a program from an untrusted source.
- The data is used to specify the value of a primary key in a SQL query.
- The untrusted source does not have the permissions to be able to access all rows in the associated table.
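The three conditions above, shown side by side as a vulnerable lookup and a scoped one. This is an added example, not part of the CWE entry: the `invoices` table, the owner ids and the `get_invoice_*` functions are constructed for illustration, using SQLite in memory.

```python
import sqlite3


def make_db():
    # Constructed sample data: two users (100 and 200), each owning one invoice.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER, total REAL)"
    )
    conn.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?)",
        [(1, 100, 19.99), (2, 200, 499.00)],
    )
    return conn


def get_invoice_vulnerable(conn, requested_id):
    # CWE-566: the primary key comes straight from the request and nothing
    # ties the row to the caller, so changing the id reads another user's
    # record. Note that the query is parameterized: that stops SQL injection
    # (CWE-89) but does nothing for this authorization flaw.
    return conn.execute(
        "SELECT id, owner_id, total FROM invoices WHERE id = ?",
        (requested_id,),
    ).fetchone()


def get_invoice_hardened(conn, requested_id, current_user_id):
    # Mitigation: scope the query to rows the authenticated user is allowed
    # to see. current_user_id must come from the session, never the request.
    # An id pointing at someone else's invoice now yields no row.
    return conn.execute(
        "SELECT id, owner_id, total FROM invoices WHERE id = ? AND owner_id = ?",
        (requested_id, current_user_id),
    ).fetchone()


def demo():
    # User 100 tampers with the id to request invoice 2, owned by user 200.
    conn = make_db()
    return {
        "vulnerable": get_invoice_vulnerable(conn, 2),   # leaks (2, 200, 499.0)
        "hardened": get_invoice_hardened(conn, 2, 100),  # None: access denied
        "own_record": get_invoice_hardened(conn, 1, 100),  # (1, 100, 19.99)
    }


if __name__ == "__main__":
    print(demo())
```

The same scoping applies when the key is a UUID or a hash rather than an integer: unguessable identifiers reduce the chance of a hit but do not replace the ownership check.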
Technical Details
- Structure: Simple
Applicable To
SQL