Common Weakness Enumeration

CWE-288

Allowed

Authentication Bypass Using an Alternate Path or Channel

Abstraction: Base · Status: Incomplete

The product requires authentication, but the product has an alternate path or channel that does not require authentication.

1072 vulnerabilities reference this CWE, most recent first.

GHSA-9QQ2-XHMC-H9QR

Vulnerability from github – Published: 2021-06-23 17:57 – Updated: 2022-04-25 20:20
VLAI
Summary
Access Control Bypass
Details

An issue was discovered in Rancher 2 through 2.1.5. Any project member with access to the default namespace can mount the netes-default service account in a pod, and then use that pod to execute administrative privileged commands against the k8s cluster. This could be mitigated by isolating the default namespace in a separate project, where only cluster admins can be given permissions to access. As of 2018-12-20, this bug affected ALL clusters created or imported by Rancher.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/rancher/rancher"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.1.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-20321"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288",
      "CWE-668"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-12T18:10:58Z",
    "nvd_published_at": "2019-04-10T14:29:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Rancher 2 through 2.1.5. Any project member with access to the default namespace can mount the netes-default service account in a pod, and then use that pod to execute administrative privileged commands against the k8s cluster. This could be mitigated by isolating the default namespace in a separate project, where only cluster admins can be given permissions to access. As of 2018-12-20, this bug affected ALL clusters created or imported by Rancher.",
  "id": "GHSA-9qq2-xhmc-h9qr",
  "modified": "2022-04-25T20:20:41Z",
  "published": "2021-06-23T17:57:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20321"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rancher/rancher/commit/6ea187fcc2309d5a7a14ed47de5688bf6573f448"
    },
    {
      "type": "WEB",
      "url": "https://forums.rancher.com/c/announcements"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rancher/rancher"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rancher/rancher/releases/tag/v2.1.6"
    },
    {
      "type": "WEB",
      "url": "https://rancher.com/blog/2019/2019-01-29-explaining-security-vulnerabilities-addressed-in-rancher-v2-1-6-and-v2-0-11"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Access Control Bypass"
}

GHSA-9QVW-JH6C-FFCQ

Vulnerability from github – Published: 2023-11-01 18:30 – Updated: 2023-11-01 18:30
VLAI
Details

A vulnerability in the remote access SSL VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker to bypass a configured multiple certificate authentication policy and connect using only a valid username and password. This vulnerability is due to improper error handling during remote access VPN authentication. An attacker could exploit this vulnerability by sending crafted requests during remote access VPN session establishment. A successful exploit could allow the attacker to bypass the configured multiple certificate authentication policy while retaining the privileges and permissions associated with the original connection profile.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-20247"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-01T18:15:09Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the remote access SSL VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker to bypass a configured multiple certificate authentication policy and connect using only a valid username and password. This vulnerability is due to improper error handling during remote access VPN authentication. An attacker could exploit this vulnerability by sending crafted requests during remote access VPN session establishment. A successful exploit could allow the attacker to bypass the configured multiple certificate authentication policy while retaining the privileges and permissions associated with the original connection profile.",
  "id": "GHSA-9qvw-jh6c-ffcq",
  "modified": "2023-11-01T18:30:33Z",
  "published": "2023-11-01T18:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20247"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-multi-cert-dzA3h5PT"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9R5V-WVVQ-6V9F

Vulnerability from github – Published: 2026-07-01 21:36 – Updated: 2026-07-09 21:31
VLAI
Details

Improper neutralization of input terminators vulnerability in The Wikimedia Foundation Mediawiki - WikiLambda Extension allows Authentication Bypass.

This issue affects Mediawiki - WikiLambda Extension: from * before 1.43.9,1.44.6,1.45.4.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-58517"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-01T19:16:57Z",
    "severity": "MODERATE"
  },
  "details": "Improper neutralization of input terminators vulnerability in The Wikimedia Foundation Mediawiki - WikiLambda Extension allows Authentication Bypass.\n\nThis issue affects Mediawiki - WikiLambda Extension: from * before 1.43.9,1.44.6,1.45.4.",
  "id": "GHSA-9r5v-wvvq-6v9f",
  "modified": "2026-07-09T21:31:14Z",
  "published": "2026-07-01T21:36:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58517"
    },
    {
      "type": "WEB",
      "url": "https://gerrit.wikimedia.org/r/c/1305376"
    },
    {
      "type": "WEB",
      "url": "https://phabricator.wikimedia.org/T428833"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-9RH7-H5VH-RR6F

Vulnerability from github – Published: 2025-03-01 09:30 – Updated: 2025-03-01 09:30
VLAI
Details

The SetSail Membership plugin for WordPress is vulnerable to in all versions up to, and including, 1.0.3. This is due to the plugin not properly verifying a users identity through the social login. This makes it possible for unauthenticated attackers to log in as any user, including administrators and take over access to their account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-1564"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-01T08:15:34Z",
    "severity": "CRITICAL"
  },
  "details": "The SetSail Membership plugin for WordPress is vulnerable to  in all versions up to, and including, 1.0.3. This is due to the plugin not properly verifying a users identity through the social login. This makes it possible for unauthenticated attackers to log in as any user, including administrators and take over access to their account.",
  "id": "GHSA-9rh7-h5vh-rr6f",
  "modified": "2025-03-01T09:30:29Z",
  "published": "2025-03-01T09:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1564"
    },
    {
      "type": "WEB",
      "url": "https://themeforest.net/item/setsail-travel-agency-theme/22832625"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c2c2385e-0d1e-435a-9b82-972964084148?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9V2F-MJHV-CGQ5

Vulnerability from github – Published: 2026-05-13 18:30 – Updated: 2026-05-13 18:30
VLAI
Details

ELECOM wireless LAN access point devices do not require authentication to access some specific URLs. The affected product may be operated without authentication.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-40621"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-13T13:16:42Z",
    "severity": "CRITICAL"
  },
  "details": "ELECOM wireless LAN access point devices do not require authentication to access some specific URLs. The affected product may be operated without authentication.",
  "id": "GHSA-9v2f-mjhv-cgq5",
  "modified": "2026-05-13T18:30:52Z",
  "published": "2026-05-13T18:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40621"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN03037325"
    },
    {
      "type": "WEB",
      "url": "https://www.elecom.co.jp/news/security/20260512-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-9VQF-P3V5-QMH2

Vulnerability from github – Published: 2025-05-04 00:30 – Updated: 2025-05-04 00:30
VLAI
Details

Inedo ProGet through 2024.22 allows remote attackers to reach restricted functionality through the C# reflection layer, as demonstrated by causing a denial of service (when an attacker executes a loop calling RestartWeb) or obtaining potentially sensitive information. Exploitation can occur if Anonymous access is enabled, or if there is a successful CSRF attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-47244"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-03T23:15:48Z",
    "severity": "HIGH"
  },
  "details": "Inedo ProGet through 2024.22 allows remote attackers to reach restricted functionality through the C# reflection layer, as demonstrated by causing a denial of service (when an attacker executes a loop calling RestartWeb) or obtaining potentially sensitive information. Exploitation can occur if Anonymous access is enabled, or if there is a successful CSRF attack.",
  "id": "GHSA-9vqf-p3v5-qmh2",
  "modified": "2025-05-04T00:30:36Z",
  "published": "2025-05-04T00:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47244"
    },
    {
      "type": "WEB",
      "url": "https://docs.inedo.com/docs/proget/installation/installation-guide"
    },
    {
      "type": "WEB",
      "url": "https://forums.inedo.com"
    },
    {
      "type": "WEB",
      "url": "https://my.inedo.com/downloads/installers?product=ProGet"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/fulldisclosure/2025/Apr/30"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9VR5-8J2W-55F6

Vulnerability from github – Published: 2026-02-20 18:31 – Updated: 2026-02-27 18:31
VLAI
Details

Authentication Bypass Using an Alternate Path or Channel vulnerability in ahachat AhaChat Messenger Marketing ahachat-messenger-marketing allows Password Recovery Exploitation.This issue affects AhaChat Messenger Marketing: from n/a through <= 1.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-68895"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-20T16:22:15Z",
    "severity": "MODERATE"
  },
  "details": "Authentication Bypass Using an Alternate Path or Channel vulnerability in ahachat AhaChat Messenger Marketing ahachat-messenger-marketing allows Password Recovery Exploitation.This issue affects AhaChat Messenger Marketing: from n/a through \u003c= 1.1.",
  "id": "GHSA-9vr5-8j2w-55f6",
  "modified": "2026-02-27T18:31:01Z",
  "published": "2026-02-20T18:31:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68895"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/ahachat-messenger-marketing/vulnerability/wordpress-ahachat-messenger-marketing-plugin-1-1-broken-authentication-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9W9F-6MG8-JP7W

Vulnerability from github – Published: 2022-06-03 22:17 – Updated: 2025-05-08 16:45
VLAI
Summary
Missing Role Based Access Control for the REST handlers in bleve/http package
Details

Impact

What kind of vulnerability is it? Who is impacted?

Bleve includes HTTP utilities under bleve/http package, that are used by its sample application. (https://github.com/blevesearch/bleve-explorer) These HTTP methods paves way for exploitation of a node’s filesystem where the bleve index resides, if the user has used bleve’s own HTTP (bleve/http) handlers for exposing the access to the indexes. For instance, the CreateIndexHandler (http/index_create.go) and DeleteIndexHandler (http/index_delete.go) enable an attacker to create a bleve index (directory structure) anywhere where the user running the server has the write permissions and to delete recursively any directory owned by the same user account.

Users who have used the bleve/http package for exposing access to bleve index without the explicit handling for the Role Based Access Controls(RBAC) of the index assets would be impacted.

Patches

Has the problem been patched? What versions should users upgrade to?

No. The http package is purely intended to be used for demonstration purposes. And bleve is never designed to be handling the RBACs or it was ever advertised to be used in that way. Hence the collaborators of this project have decided to stay away from adding any authentication or authorization to bleve project at the moment.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

The bleve/http package is mainly for demonstration purposes and it lacks exhaustive validation of the user inputs as well as any authentication and authorization measures. So it is recommended to not use that in production use cases.

For more information

If you have any questions or comments about this advisory: * Open an issue here. * Email us at [mailto:security@couchbase.com, fts-team@couchbase.com].

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/blevesearch/bleve"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.10.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/blevesearch/bleve/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-31022"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288",
      "CWE-306"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-03T22:17:51Z",
    "nvd_published_at": "2022-06-01T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nBleve includes HTTP utilities under bleve/http package, that are used by its sample application. \n(https://github.com/blevesearch/bleve-explorer)\nThese HTTP methods paves way for exploitation of a node\u2019s filesystem where the bleve index resides, \nif the user has used bleve\u2019s own HTTP (bleve/http) handlers for exposing the access to the indexes. \nFor instance, the CreateIndexHandler (http/index_create.go) and DeleteIndexHandler (http/index_delete.go) \nenable an attacker to create a bleve index (directory structure) anywhere where the user running the server \nhas the write permissions and to delete recursively any directory owned by the same user account.\n \nUsers who have used the bleve/http package for exposing access to bleve index without the explicit \nhandling for the Role Based Access Controls(RBAC) of the index assets would be impacted.\n\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\n**No**. The http package is purely intended to be used for demonstration purposes. \nAnd bleve is never designed to be handling the RBACs or it was ever advertised to be used in that way. \nHence the collaborators of this project have decided to stay away from adding any authentication or \nauthorization to bleve project at the moment.\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nThe bleve/http package is mainly for demonstration purposes and it lacks exhaustive validation of the user \ninputs as well as any authentication and authorization measures. \nSo it is recommended to not use that in production use cases.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue [here](https://github.com/blevesearch/bleve/issues).\n* Email us at [mailto:security@couchbase.com, fts-team@couchbase.com].",
  "id": "GHSA-9w9f-6mg8-jp7w",
  "modified": "2025-05-08T16:45:25Z",
  "published": "2022-06-03T22:17:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/blevesearch/bleve/security/advisories/GHSA-9w9f-6mg8-jp7w"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31022"
    },
    {
      "type": "WEB",
      "url": "https://github.com/blevesearch/bleve/commit/1c7509d6a17d36f265c90b4e8f4e3a3182fe79ff"
    },
    {
      "type": "WEB",
      "url": "https://github.com/blevesearch/bleve/commit/af9e3111dadfedf9d30f0448506b4a57fecc8550"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2022-0470"
    },
    {
      "type": "PACKAGE",
      "url": "github.com/blevesearch/bleve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Missing Role Based Access Control for the REST handlers in bleve/http package"
}

GHSA-9WCP-Q959-7MQ8

Vulnerability from github – Published: 2025-05-13 18:30 – Updated: 2025-10-22 00:33
VLAI
Details

An authentication bypass in the API component of Ivanti Endpoint Manager Mobile 12.5.0.0 and prior allows attackers to access protected resources without proper credentials via the API.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-4427"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-13T16:15:32Z",
    "severity": "MODERATE"
  },
  "details": "An authentication bypass in the API component of Ivanti Endpoint Manager Mobile 12.5.0.0 and prior allows attackers to access protected resources without proper credentials via the API.",
  "id": "GHSA-9wcp-q959-7mq8",
  "modified": "2025-10-22T00:33:18Z",
  "published": "2025-05-13T18:30:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4427"
    },
    {
      "type": "WEB",
      "url": "https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-4427"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9WGG-QJJM-45VR

Vulnerability from github – Published: 2022-04-12 00:00 – Updated: 2022-04-19 00:01
VLAI
Details

Navigating to a specific URL with a patient ID number will result in the server generating a PDF of a lab report without authentication and rate limiting.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-1067"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-288"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-11T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Navigating to a specific URL with a patient ID number will result in the server generating a PDF of a lab report without authentication and rate limiting.",
  "id": "GHSA-9wgg-qjjm-45vr",
  "modified": "2022-04-19T00:01:25Z",
  "published": "2022-04-12T00:00:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1067"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-22-095-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Funnel all access through a single choke point to simplify how users can access a resource. For every access, perform a check to determine if the user has permissions to access the resource.

CAPEC-127: Directory Indexing

An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.

CAPEC-665: Exploitation of Thunderbolt Protection Flaws

An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.