PL/SQL

PL or SQL : AUTHID unspecified


Overview

The application does not specify the AUTHID clause when defining a function, procedure, or package. AUTHID determines whose privileges the code runs with. Its possible values are DEFINER (the rights of the user who defined the function) and CURRENT_USER (the rights of the user invoking it). When the clause is omitted, Oracle defaults to DEFINER. If the definer has broader rights than the current user, invoking the function can result in privilege escalation. For a package or type, the same applies to all procedures and functions of the package and all methods of the type.

Functions and procedures are usually defined by the superuser SYS, which increases the impact of a possible attack.
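The following is an added example, not code from DerScanner or from any audited application: the same procedure without and with an AUTHID clause, a package specification carrying the clause, and a dictionary query for reviewing existing units. The schema `app_owner`, the table `audit_log` and the unit names are hypothetical.

```sql
-- Constructed example; app_owner, audit_log and all unit names are hypothetical.

-- Before: no AUTHID clause. Oracle compiles this as AUTHID DEFINER, so the
-- DELETE runs with app_owner's privileges for every caller holding EXECUTE.
CREATE OR REPLACE PROCEDURE app_owner.purge_audit_log (p_days IN PLS_INTEGER)
IS
BEGIN
  DELETE FROM app_owner.audit_log
   WHERE logged_at < SYSDATE - p_days;
END purge_audit_log;
/

-- After: AUTHID CURRENT_USER. The DELETE is checked against the caller's own
-- privileges at run time, so EXECUTE on the procedure alone is not enough.
CREATE OR REPLACE PROCEDURE app_owner.purge_audit_log (p_days IN PLS_INTEGER)
  AUTHID CURRENT_USER
IS
BEGIN
  DELETE FROM app_owner.audit_log
   WHERE logged_at < SYSDATE - p_days;
END purge_audit_log;
/

-- Packages: the clause goes in the specification and covers every
-- procedure and function declared in the package.
CREATE OR REPLACE PACKAGE app_owner.audit_maint
  AUTHID CURRENT_USER
IS
  PROCEDURE purge (p_days IN PLS_INTEGER);
  FUNCTION  row_count RETURN PLS_INTEGER;
END audit_maint;
/

-- Review: list units in the schema that currently run with definer's rights.
-- The dictionary reports DEFINER both for an explicit AUTHID DEFINER and for
-- an omitted clause, so the source still has to be checked for the latter.
SELECT DISTINCT owner, object_name, object_type, authid
  FROM all_procedures
 WHERE owner  = 'APP_OWNER'
   AND authid = 'DEFINER'
 ORDER BY object_type, object_name;
```

Where definer's rights are genuinely required, writing `AUTHID DEFINER` explicitly records that the choice was deliberate and makes it visible in code review.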

DerScanner Severity Score: MEDIUM
