CWE-862
Allowed-with-ReviewMissing Authorization
Abstraction: Class · Status: Incomplete
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
14609 vulnerabilities reference this CWE, most recent first.
GHSA-HJGQ-FF5J-5V2M
Vulnerability from github – Published: 2026-02-25 12:30 – Updated: 2026-03-25 21:30A flaw was found in the udisks storage management daemon that allows unprivileged users to back up LUKS encryption headers without authorization. The issue occurs because a privileged D-Bus method responsible for exporting encryption metadata does not perform a policy check. As a result, sensitive cryptographic metadata can be read and written to attacker-controlled locations. This weakens the confidentiality guarantees of encrypted storage volumes.
{
"affected": [],
"aliases": [
"CVE-2026-26104"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-25T11:16:03Z",
"severity": "MODERATE"
},
"details": "A flaw was found in the udisks storage management daemon that allows unprivileged users to back up LUKS encryption headers without authorization. The issue occurs because a privileged D-Bus method responsible for exporting encryption metadata does not perform a policy check. As a result, sensitive cryptographic metadata can be read and written to attacker-controlled locations. This weakens the confidentiality guarantees of encrypted storage volumes.",
"id": "GHSA-hjgq-ff5j-5v2m",
"modified": "2026-03-25T21:30:25Z",
"published": "2026-02-25T12:30:29Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/storaged-project/udisks/security/advisories/GHSA-fcvx-497g-6xmw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26104"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:3476"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:5831"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-26104"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433717"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HJJ6-VXPV-57GC
Vulnerability from github – Published: 2026-06-17 18:35 – Updated: 2026-06-17 18:35In overrideConfig of CarrierConfigLoader.java, there is a possible way to bypass UID check due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{
"affected": [],
"aliases": [
"CVE-2025-48617"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-17T13:19:13Z",
"severity": "HIGH"
},
"details": "In overrideConfig of CarrierConfigLoader.java, there is a possible way to bypass UID check due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.",
"id": "GHSA-hjj6-vxpv-57gc",
"modified": "2026-06-17T18:35:42Z",
"published": "2026-06-17T18:35:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48617"
},
{
"type": "WEB",
"url": "https://source.android.com/docs/security/bulletin/android-17"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HJMJ-5VPM-4784
Vulnerability from github – Published: 2023-11-01 12:30 – Updated: 2023-11-08 03:30In validationtools, there is a possible missing permission check. This could lead to local information disclosure with no additional execution privileges needed
{
"affected": [],
"aliases": [
"CVE-2023-42641"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-01T10:15:10Z",
"severity": "MODERATE"
},
"details": "In validationtools, there is a possible missing permission check. This could lead to local information disclosure with no additional execution privileges needed",
"id": "GHSA-hjmj-5vpm-4784",
"modified": "2023-11-08T03:30:32Z",
"published": "2023-11-01T12:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42641"
},
{
"type": "WEB",
"url": "https://www.unisoc.com/en_us/secy/announcementDetail/https://www.unisoc.com/en_us/secy/announcementDetail/1719615756246777857"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HJQ2-G54R-CFW9
Vulnerability from github – Published: 2024-11-20 12:30 – Updated: 2026-04-08 18:33The Yaad Sarig Payment Gateway For WC plugin for WordPress is vulnerable to unauthorized modification & access of data due to a missing capability check on the yaadpay_view_log_callback() and yaadpay_delete_log_callback() functions in all versions up to, and including, 2.2.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view and delete logs.
{
"affected": [],
"aliases": [
"CVE-2024-10665"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-20T10:15:04Z",
"severity": "MODERATE"
},
"details": "The Yaad Sarig Payment Gateway For WC plugin for WordPress is vulnerable to unauthorized modification \u0026 access of data due to a missing capability check on the yaadpay_view_log_callback() and yaadpay_delete_log_callback() functions in all versions up to, and including, 2.2.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view and delete logs.",
"id": "GHSA-hjq2-g54r-cfw9",
"modified": "2026-04-08T18:33:40Z",
"published": "2024-11-20T12:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10665"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/yaad-sarig-payment-gateway-for-wc/trunk/classes/class-wc-gateway-yaadpay.php#L2518"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3197312%40yaad-sarig-payment-gateway-for-wc\u0026new=3197312%40yaad-sarig-payment-gateway-for-wc\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/10409673-43dc-4c05-a996-120d753ebd6d?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HJR5-Q2V6-7CHX
Vulnerability from github – Published: 2025-01-08 21:32 – Updated: 2025-01-08 21:32An issue was discovered in GitLab CE/EE affecting all versions starting from 15.5 before 17.5.5, 17.6 before 17.6.3, and 17.7 before 17.7.1, in which unauthorized users could manipulate the status of issues in public projects.
{
"affected": [],
"aliases": [
"CVE-2024-12431"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-08T21:15:11Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in GitLab CE/EE affecting all versions starting from 15.5 before 17.5.5, 17.6 before 17.6.3, and 17.7 before 17.7.1, in which unauthorized users could manipulate the status of issues in public projects.",
"id": "GHSA-hjr5-q2v6-7chx",
"modified": "2025-01-08T21:32:26Z",
"published": "2025-01-08T21:32:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12431"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/2877710"
},
{
"type": "WEB",
"url": "https://about.gitlab.com/releases/2025/01/08/patch-release-gitlab-17-7-1-released/#unauthorized-user-can-manipulate-status-of-issues-in-public-projects"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/508742"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HJR6-44RC-43VH
Vulnerability from github – Published: 2024-12-09 15:31 – Updated: 2026-04-28 21:35Missing Authorization vulnerability in HashThemes Square allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Square: from n/a through 2.0.0.
{
"affected": [],
"aliases": [
"CVE-2023-30486"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-09T13:15:27Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in HashThemes Square allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Square: from n/a through 2.0.0.",
"id": "GHSA-hjr6-44rc-43vh",
"modified": "2026-04-28T21:35:18Z",
"published": "2024-12-09T15:31:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30486"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/theme/square/vulnerability/wordpress-square-theme-2-0-0-broken-access-control?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HJRH-286V-8QR4
Vulnerability from github – Published: 2022-05-13 01:26 – Updated: 2022-05-13 01:26A flaw was found in polkit before version 0.116. The implementation of the polkit_backend_interactive_authority_check_authorization function in polkitd allows to test for authentication and trigger authentication of unrelated processes owned by other users. This may result in a local DoS and information disclosure.
{
"affected": [],
"aliases": [
"CVE-2018-1116"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-07-10T19:29:00Z",
"severity": "MODERATE"
},
"details": "A flaw was found in polkit before version 0.116. The implementation of the polkit_backend_interactive_authority_check_authorization function in polkitd allows to test for authentication and trigger authentication of unrelated processes owned by other users. This may result in a local DoS and information disclosure.",
"id": "GHSA-hjrh-286v-8qr4",
"modified": "2022-05-13T01:26:59Z",
"published": "2022-05-13T01:26:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1116"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1116"
},
{
"type": "WEB",
"url": "https://cgit.freedesktop.org/polkit/commit/?id=bc7ffad5364"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00042.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201908-14"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3717-2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-HJWC-26PJ-V3PM
Vulnerability from github – Published: 2026-06-18 17:20 – Updated: 2026-06-18 17:20Summary
A low-privileged authenticated AgenticMail agent can enumerate another agent's pending/claimed tasks by supplying the target agent name to GET /api/agenticmail/tasks/pending?assignee=<name>. The returned task objects include the task IDs and payloads. The same task IDs can then be used with the capability-style task mutation endpoints (/tasks/:id/claim, /tasks/:id/result, /tasks/:id/complete, /tasks/:id/fail) to claim, complete, or fail tasks assigned to a different agent.
Because ordinary authenticated agents can discover agent names through GET /api/agenticmail/accounts/directory, the task ID effectively stops being a secret capability. This turns the intended capability model into a cross-agent authorization bypass.
Affected component
Package: @agenticmail/api
Observed version: 0.9.62
Repository: agenticmail/agenticmail
Relevant code paths:
packages/api/src/app.ts:createAuthMiddleware(...)is mounted beforecreateAccountRoutes(...)andcreateTaskRoutes(...), so these routes are reachable by any valid bearer token.packages/api/src/routes/accounts.ts:GET /accounts/directoryis available to any authenticated user and returns agent names.packages/api/src/routes/tasks.ts:GET /tasks/pending?assignee=nameresolves arbitrary agent names and returns that agent's pending/claimed tasks.packages/api/src/routes/tasks.ts:/tasks/:id/claim,/tasks/:id/result,/tasks/:id/complete,/tasks/:id/fail, and/tasks/:iddo not check whether the authenticated caller is the task assignee, assigner, or otherwise authorized for the task.
Impact
An attacker only needs a valid agent API key. They can:
- List agent names using
/accounts/directory. - Query another agent's task queue using
/tasks/pending?assignee=<victimName>. - Read sensitive task payloads intended for the victim agent.
- Use the disclosed task ID to complete/fail/claim the victim's task or submit attacker-controlled results.
Local reproduction
I reproduced this locally with a focused Vitest test mounted directly on createTaskRoutes. The test creates two agents, Alice and Bob, and one pending task assigned to Bob. Alice authenticates with her own agent key and performs the following sequence:
GET /api/agenticmail/tasks/pending?assignee=BobwithAuthorization: Bearer ak_alice.- The response is HTTP 200 and includes Bob's task ID and payload:
task-for-bob,{ "task": "secret task intended for Bob" }. - Alice then sends
POST /api/agenticmail/tasks/task-for-bob/completewith her own bearer token and an attacker-controlled result. - The task status becomes
completedand the stored result is controlled by Alice.
The local verification command was:
npm run test --workspace=@agenticmail/api -- task-routes-authz.test.ts
Result:
PASS src/__tests__/task-routes-authz.test.ts (1 test)
Expected behavior
Task listing and task mutation endpoints should enforce an authorization relationship between the authenticated caller and the task. For example:
GET /tasks/pending?assignee=<name>should either be restricted to the current agent, master/admin callers, or an explicit delegated relationship./tasks/:id/claim,/tasks/:id/result,/tasks/:id/complete,/tasks/:id/fail, and/tasks/:idshould verify that the caller is the assignee, assigner, master/admin, or otherwise explicitly authorized.- If capability-based task IDs are retained, the API should not expose those IDs to unrelated agents through the assignee-name listing path.
Credit
Please credit the finder as: Yaohui Wang
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@agenticmail/api"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.64"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-18T17:20:55Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\n\nA low-privileged authenticated AgenticMail agent can enumerate another agent\u0027s pending/claimed tasks by supplying the target agent name to `GET /api/agenticmail/tasks/pending?assignee=\u003cname\u003e`. The returned task objects include the task IDs and payloads. The same task IDs can then be used with the capability-style task mutation endpoints (`/tasks/:id/claim`, `/tasks/:id/result`, `/tasks/:id/complete`, `/tasks/:id/fail`) to claim, complete, or fail tasks assigned to a different agent.\n\nBecause ordinary authenticated agents can discover agent names through `GET /api/agenticmail/accounts/directory`, the task ID effectively stops being a secret capability. This turns the intended capability model into a cross-agent authorization bypass.\n\n## Affected component\n\nPackage: `@agenticmail/api`\nObserved version: `0.9.62`\nRepository: `agenticmail/agenticmail`\n\nRelevant code paths:\n\n- `packages/api/src/app.ts`: `createAuthMiddleware(...)` is mounted before `createAccountRoutes(...)` and `createTaskRoutes(...)`, so these routes are reachable by any valid bearer token.\n- `packages/api/src/routes/accounts.ts`: `GET /accounts/directory` is available to any authenticated user and returns agent names.\n- `packages/api/src/routes/tasks.ts`: `GET /tasks/pending?assignee=name` resolves arbitrary agent names and returns that agent\u0027s pending/claimed tasks.\n- `packages/api/src/routes/tasks.ts`: `/tasks/:id/claim`, `/tasks/:id/result`, `/tasks/:id/complete`, `/tasks/:id/fail`, and `/tasks/:id` do not check whether the authenticated caller is the task assignee, assigner, or otherwise authorized for the task.\n\n## Impact\n\nAn attacker only needs a valid agent API key. They can:\n\n1. List agent names using `/accounts/directory`.\n2. Query another agent\u0027s task queue using `/tasks/pending?assignee=\u003cvictimName\u003e`.\n3. Read sensitive task payloads intended for the victim agent.\n4. Use the disclosed task ID to complete/fail/claim the victim\u0027s task or submit attacker-controlled results.\n\n## Local reproduction\n\nI reproduced this locally with a focused Vitest test mounted directly on `createTaskRoutes`. The test creates two agents, Alice and Bob, and one pending task assigned to Bob. Alice authenticates with her own agent key and performs the following sequence:\n\n1. `GET /api/agenticmail/tasks/pending?assignee=Bob` with `Authorization: Bearer ak_alice`.\n2. The response is HTTP 200 and includes Bob\u0027s task ID and payload: `task-for-bob`, `{ \"task\": \"secret task intended for Bob\" }`.\n3. Alice then sends `POST /api/agenticmail/tasks/task-for-bob/complete` with her own bearer token and an attacker-controlled result.\n4. The task status becomes `completed` and the stored result is controlled by Alice.\n\nThe local verification command was:\n\n```bash\nnpm run test --workspace=@agenticmail/api -- task-routes-authz.test.ts\n```\n\nResult:\n\n```text\nPASS src/__tests__/task-routes-authz.test.ts (1 test)\n```\n\n## Expected behavior\n\nTask listing and task mutation endpoints should enforce an authorization relationship between the authenticated caller and the task. For example:\n\n- `GET /tasks/pending?assignee=\u003cname\u003e` should either be restricted to the current agent, master/admin callers, or an explicit delegated relationship.\n- `/tasks/:id/claim`, `/tasks/:id/result`, `/tasks/:id/complete`, `/tasks/:id/fail`, and `/tasks/:id` should verify that the caller is the assignee, assigner, master/admin, or otherwise explicitly authorized.\n- If capability-based task IDs are retained, the API should not expose those IDs to unrelated agents through the assignee-name listing path.\n\n## Credit\n\nPlease credit the finder as: Yaohui Wang",
"id": "GHSA-hjwc-26pj-v3pm",
"modified": "2026-06-18T17:20:55Z",
"published": "2026-06-18T17:20:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/agenticmail/agenticmail/security/advisories/GHSA-hjwc-26pj-v3pm"
},
{
"type": "PACKAGE",
"url": "https://github.com/agenticmail/agenticmail"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "AgenticMail: Cross-agent task authorization bypass in AgenticMail API"
}
GHSA-HM53-HRHH-GWFQ
Vulnerability from github – Published: 2022-07-28 00:00 – Updated: 2022-12-13 14:04openstack-heat Plugin 1.5 and earlier does not perform permission checks in methods implementing form validation.
This allows attackers with Overall/Read permission to connect to an attacker-specified URL.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:openstack-heat"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-36912"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2022-08-11T14:48:02Z",
"nvd_published_at": "2022-07-27T15:15:00Z",
"severity": "MODERATE"
},
"details": "openstack-heat Plugin 1.5 and earlier does not perform permission checks in methods implementing form validation.\n\nThis allows attackers with Overall/Read permission to connect to an attacker-specified URL.",
"id": "GHSA-hm53-hrhh-gwfq",
"modified": "2022-12-13T14:04:44Z",
"published": "2022-07-28T00:00:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36912"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/openstack-heat-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-2105%20(1)"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/07/27/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Missing permission checks in Jenkins openstack-heat Plugin"
}
GHSA-HM6M-FQM4-J6W8
Vulnerability from github – Published: 2026-06-16 21:32 – Updated: 2026-06-17 21:34In Camera, there is a possible unauthorized way to access photos due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
{
"affected": [],
"aliases": [
"CVE-2026-0158"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-16T20:16:26Z",
"severity": "LOW"
},
"details": "In Camera, there is a possible unauthorized way to access photos due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.",
"id": "GHSA-hm6m-fqm4-j6w8",
"modified": "2026-06-17T21:34:38Z",
"published": "2026-06-16T21:32:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0158"
},
{
"type": "WEB",
"url": "https://source.android.com/docs/security/bulletin/pixel/2026/2026-06-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.