Common Weakness Enumeration

CWE-862

Allowed-with-Review

Missing Authorization

Abstraction: Class · Status: Incomplete

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

14616 vulnerabilities reference this CWE, most recent first.

GHSA-VG6G-2P3V-PX29

Vulnerability from github – Published: 2025-09-05 18:31 – Updated: 2026-04-01 18:36
VLAI
Details

Missing Authorization vulnerability in Stylemix MasterStudy LMS allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MasterStudy LMS: from n/a through 3.6.15.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-54744"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-05T17:15:38Z",
    "severity": "MODERATE"
  },
  "details": "Missing Authorization vulnerability in Stylemix MasterStudy LMS allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MasterStudy LMS: from n/a through 3.6.15.",
  "id": "GHSA-vg6g-2p3v-px29",
  "modified": "2026-04-01T18:36:07Z",
  "published": "2025-09-05T18:31:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54744"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/masterstudy-lms-learning-management-system/vulnerability/wordpress-masterstudy-lms-plugin-3-6-15-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VG6X-6PG9-6QWG

Vulnerability from github – Published: 2026-07-16 20:08 – Updated: 2026-07-16 20:08
VLAI
Summary
ArcadeDB: Read-only users can mutate database schema (incomplete fix of CVE-2026-44221)
Details

Impact

The fix for CVE-2026-44221 (GHSA-fxc7-fm93-6q77) added an UPDATE_SCHEMA authorization check to a single schema-mutating method (LocalDocumentType.createProperty). The remaining public schema mutators were left unchecked, so an authenticated identity (including a read-only API token) that lacks the UPDATE_SCHEMA permission could still mutate the database schema on its own database:

  • DROP PROPERTY <type>.<property>
  • ALTER TYPE <name> SUPERTYPE +<other> / -<other> (change the inheritance hierarchy)
  • ALTER TYPE <name> NAME <newName> (rename a type)
  • type alias and bucket changes
  • ALTER PROPERTY <type>.<property> ... (MANDATORY, READONLY, NOTNULL, MIN, MAX, REGEXP, DEFAULT, OF, CUSTOM) — the LocalProperty setters had no check at all

This does not directly disclose or write record data, but it corrupts the meaning of every stored record and breaches the documented permission model, which advertises UPDATE_SCHEMA as the gating right for schema mutation.

Affected component

Engine schema layer: engine/src/main/java/com/arcadedb/schema/LocalDocumentType.java and engine/src/main/java/com/arcadedb/schema/LocalProperty.java, reachable via the SQL DROP PROPERTY, ALTER TYPE, and ALTER PROPERTY statements over the database command/query HTTP endpoints.

Patches

Every public schema-mutating method on LocalDocumentType and LocalProperty now enforces checkPermissionsOnDatabase(UPDATE_SCHEMA) via a shared helper. The check is a no-op in embedded mode and in system contexts with no bound user (schema load at startup, HA replication apply), so internal paths and administrators are unaffected.

Workarounds

Grant write access only to trusted users and API tokens; treat all schema DDL as administrator-only at the application layer until upgraded.

Resources

Incomplete-fix sibling of CVE-2026-44221 / GHSA-fxc7-fm93-6q77.

Credit

Reported by Kai Aizen (SnailSploit).

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.arcadedb:arcadedb-engine"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "26.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-54076"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-16T20:08:24Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\n\nThe fix for CVE-2026-44221 (GHSA-fxc7-fm93-6q77) added an `UPDATE_SCHEMA` authorization check to a single schema-mutating method (`LocalDocumentType.createProperty`). The remaining public schema mutators were left unchecked, so an authenticated identity (including a **read-only API token**) that lacks the `UPDATE_SCHEMA` permission could still mutate the database schema on its own database:\n\n- `DROP PROPERTY \u003ctype\u003e.\u003cproperty\u003e`\n- `ALTER TYPE \u003cname\u003e SUPERTYPE +\u003cother\u003e` / `-\u003cother\u003e` (change the inheritance hierarchy)\n- `ALTER TYPE \u003cname\u003e NAME \u003cnewName\u003e` (rename a type)\n- type alias and bucket changes\n- `ALTER PROPERTY \u003ctype\u003e.\u003cproperty\u003e ...` (MANDATORY, READONLY, NOTNULL, MIN, MAX, REGEXP, DEFAULT, OF, CUSTOM) \u2014 the `LocalProperty` setters had no check at all\n\nThis does not directly disclose or write record data, but it corrupts the meaning of every stored record and breaches the documented permission model, which advertises `UPDATE_SCHEMA` as the gating right for schema mutation.\n\n### Affected component\n\nEngine schema layer: `engine/src/main/java/com/arcadedb/schema/LocalDocumentType.java` and `engine/src/main/java/com/arcadedb/schema/LocalProperty.java`, reachable via the SQL `DROP PROPERTY`, `ALTER TYPE`, and `ALTER PROPERTY` statements over the database command/query HTTP endpoints.\n\n### Patches\n\nEvery public schema-mutating method on `LocalDocumentType` and `LocalProperty` now enforces `checkPermissionsOnDatabase(UPDATE_SCHEMA)` via a shared helper. The check is a no-op in embedded mode and in system contexts with no bound user (schema load at startup, HA replication apply), so internal paths and administrators are unaffected.\n\n### Workarounds\n\nGrant write access only to trusted users and API tokens; treat all schema DDL as administrator-only at the application layer until upgraded.\n\n### Resources\n\nIncomplete-fix sibling of CVE-2026-44221 / GHSA-fxc7-fm93-6q77.\n\n### Credit\n\nReported by Kai Aizen (SnailSploit).",
  "id": "GHSA-vg6x-6pg9-6qwg",
  "modified": "2026-07-16T20:08:24Z",
  "published": "2026-07-16T20:08:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ArcadeData/arcadedb/security/advisories/GHSA-vg6x-6pg9-6qwg"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ArcadeData/arcadedb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ArcadeData/arcadedb/releases/tag/26.6.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ArcadeDB: Read-only users can mutate database schema (incomplete fix of CVE-2026-44221)"
}

GHSA-VG73-QC4G-3QVJ

Vulnerability from github – Published: 2022-05-24 19:13 – Updated: 2022-05-24 19:13
VLAI
Details

This issue was addressed with improved checks. This issue is fixed in iOS 14.5 and iPadOS 14.5. A person with physical access to an iOS device may be able to access notes from the lock screen.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-1835"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-08T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "This issue was addressed with improved checks. This issue is fixed in iOS 14.5 and iPadOS 14.5. A person with physical access to an iOS device may be able to access notes from the lock screen.",
  "id": "GHSA-vg73-qc4g-3qvj",
  "modified": "2022-05-24T19:13:36Z",
  "published": "2022-05-24T19:13:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1835"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT212317"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-VG87-MCFX-5M8M

Vulnerability from github – Published: 2025-04-01 15:31 – Updated: 2026-04-01 18:34
VLAI
Details

Missing Authorization vulnerability in themeqx GDPR Cookie Notice allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects GDPR Cookie Notice: from n/a through 1.2.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-31765"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-01T15:16:13Z",
    "severity": "MODERATE"
  },
  "details": "Missing Authorization vulnerability in themeqx GDPR Cookie Notice allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects GDPR Cookie Notice: from n/a through 1.2.0.",
  "id": "GHSA-vg87-mcfx-5m8m",
  "modified": "2026-04-01T18:34:19Z",
  "published": "2025-04-01T15:31:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31765"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/gdpr-cookie-notice/vulnerability/wordpress-gdpr-cookie-notice-plugin-1-2-0-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VG9C-H9CW-9M5J

Vulnerability from github – Published: 2024-12-16 18:31 – Updated: 2026-04-01 18:32
VLAI
Details

Missing Authorization vulnerability in David Cramer Caldera SMTP Mailer.This issue affects Caldera SMTP Mailer: from n/a through 1.0.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-56003"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-16T16:15:09Z",
    "severity": "MODERATE"
  },
  "details": "Missing Authorization vulnerability in David Cramer Caldera SMTP Mailer.This issue affects Caldera SMTP Mailer: from n/a through 1.0.1.",
  "id": "GHSA-vg9c-h9cw-9m5j",
  "modified": "2026-04-01T18:32:52Z",
  "published": "2024-12-16T18:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56003"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/caldera-smtp-mailer/vulnerability/wordpress-caldera-smtp-mailer-plugin-1-0-1-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VGCV-58JW-XRWF

Vulnerability from github – Published: 2022-05-24 17:09 – Updated: 2022-05-24 17:09
VLAI
Details

In GitLab Enterprise Edition (EE) 12.5.0 through 12.7.5, sharing a group with a group could grant project access to unauthorized users.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-8795"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-02-17T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In GitLab Enterprise Edition (EE) 12.5.0 through 12.7.5, sharing a group with a group could grant project access to unauthorized users.",
  "id": "GHSA-vgcv-58jw-xrwf",
  "modified": "2022-05-24T17:09:11Z",
  "published": "2022-05-24T17:09:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8795"
    },
    {
      "type": "WEB",
      "url": "https://about.gitlab.com/releases/2020/02/13/critical-security-release-gitlab-12-dot-7-dot-6-released"
    },
    {
      "type": "WEB",
      "url": "https://about.gitlab.com/releases/categories/releases"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-VGF4-3X2C-798R

Vulnerability from github – Published: 2022-04-26 00:00 – Updated: 2022-05-13 00:01
VLAI
Details

The myCred WordPress plugin before 2.4.4 does not have authorisation and CSRF checks in its mycred-tools-import-export AJAX action, allowing any authenticated user to call and and retrieve the list of email address present in the blog

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-1092"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-352",
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-25T16:16:00Z",
    "severity": "MODERATE"
  },
  "details": "The myCred WordPress plugin before 2.4.4 does not have authorisation and CSRF checks in its mycred-tools-import-export AJAX action, allowing any authenticated user to call and and retrieve the list of email address present in the blog",
  "id": "GHSA-vgf4-3x2c-798r",
  "modified": "2022-05-13T00:01:10Z",
  "published": "2022-04-26T00:00:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1092"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/95759d5c-8802-4493-b7e5-7f2bc546af61"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VGGC-MR6V-MRRJ

Vulnerability from github – Published: 2025-09-22 21:30 – Updated: 2026-04-01 18:36
VLAI
Details

Missing Authorization vulnerability in Rouergue Création Editor Custom Color Palette allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Editor Custom Color Palette: from n/a through 3.4.8.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-57909"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-22T19:15:46Z",
    "severity": "MODERATE"
  },
  "details": "Missing Authorization vulnerability in Rouergue Cr\u00e9ation Editor Custom Color Palette allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Editor Custom Color Palette: from n/a through 3.4.8.",
  "id": "GHSA-vggc-mr6v-mrrj",
  "modified": "2026-04-01T18:36:10Z",
  "published": "2025-09-22T21:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57909"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/editor-custom-color-palette/vulnerability/wordpress-editor-custom-color-palette-plugin-3-4-8-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VGJG-248P-RFM2

Vulnerability from github – Published: 2026-03-24 17:27 – Updated: 2026-03-25 21:00
VLAI
Summary
Craft CMS' anonymous "assets/image-editor" calls return private asset editor metadata to unauthorized users
Details

Summary

A low-privileged authenticated user can call assets/image-editor with the ID of a private asset they cannot view and still receive editor response data, including focalPoint.

The endpoint returns private editing metadata without per-asset authorization validation.

Root-cause analysis:

  1. actionImageEditor() accepts assetId from the request body.
  2. The asset is loaded, and the focal-point data is read.
  3. Response returns html and focalPoint.
  4. No explicit authorization check is applied before the response.

Impact

Affected deployments:

  • Craft sites where asset edit metadata should remain restricted to authorized users.

Security consequence:

  • Unauthorized users can extract private editor metadata and related editor context for inaccessible assets.
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.9.13"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0-RC1"
            },
            {
              "fixed": "5.9.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.17.7"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0-RC1"
            },
            {
              "fixed": "4.17.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33161"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-24T17:27:17Z",
    "nvd_published_at": "2026-03-24T18:16:10Z",
    "severity": "LOW"
  },
  "details": "### Summary\n\nA low-privileged authenticated user can call `assets/image-editor` with the ID of a private asset they cannot view and still receive editor response data, including `focalPoint`.\n\nThe endpoint returns private editing metadata without per-asset authorization validation.\n\nRoot-cause analysis:\n\n1. `actionImageEditor()` accepts `assetId` from the request body.\n2. The asset is loaded, and the focal-point data is read.\n3. Response returns `html` and `focalPoint`.\n4. No explicit authorization check is applied before the response.\n\n### Impact\n\n## Affected deployments:\n\n* Craft sites where asset edit metadata should remain restricted to authorized users.\n\n## Security consequence:\n\n* Unauthorized users can extract private editor metadata and related editor context for inaccessible assets.",
  "id": "GHSA-vgjg-248p-rfm2",
  "modified": "2026-03-25T21:00:22Z",
  "published": "2026-03-24T17:27:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/security/advisories/GHSA-vgjg-248p-rfm2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33161"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/commit/d30df3112220db1ffd6726a3ed11857014c7fb27"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/craftcms/cms"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/releases/tag/4.17.8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/releases/tag/5.9.14"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Craft CMS\u0027 anonymous \"assets/image-editor\" calls return private asset editor metadata to unauthorized users"
}

GHSA-VGJQ-43QM-8F24

Vulnerability from github – Published: 2023-02-12 06:30 – Updated: 2023-02-21 21:30
VLAI
Details

In log service, there is a missing permission check. This could lead to local denial of service in log service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-47360"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476",
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-12T04:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In log service, there is a missing permission check. This could lead to local denial of service in log service.",
  "id": "GHSA-vgjq-43qm-8f24",
  "modified": "2023-02-21T21:30:19Z",
  "published": "2023-02-12T06:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47360"
    },
    {
      "type": "WEB",
      "url": "https://www.unisoc.com/en_us/secy/announcementDetail/1621031430231134210"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

CAPEC-665: Exploitation of Thunderbolt Protection Flaws

An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.