Common Weakness Enumeration

CWE-862

Allowed-with-Review

Missing Authorization

Abstraction: Class · Status: Incomplete

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

14630 vulnerabilities reference this CWE, most recent first.

GHSA-9GG6-9679-VVJW

Vulnerability from github – Published: 2025-01-09 12:30 – Updated: 2026-04-08 21:32
VLAI
Details

The Bitly's WordPress Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several AJAX actions in all versions up to, and including, 2.7.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update and retrieve plugin settings.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-12616"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-09T11:15:14Z",
    "severity": "MODERATE"
  },
  "details": "The Bitly\u0026#039;s WordPress Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several AJAX actions in all versions up to, and including, 2.7.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update and retrieve plugin settings.",
  "id": "GHSA-9gg6-9679-vvjw",
  "modified": "2026-04-08T21:32:59Z",
  "published": "2025-01-09T12:30:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12616"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/wp-bitly/trunk/includes/class-wp-bitly-auth.php#L115"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3272740"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b1312c34-45c6-41e5-b6fc-a45ac2c8a0ca?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9GGP-G58Q-5Q4W

Vulnerability from github – Published: 2022-05-24 17:36 – Updated: 2022-05-24 17:36
VLAI
Details

A CWE-862: Missing Authorization vulnerability exists in Easergy T300 (firmware 2.7 and older), that could cause a wide range of problems, including information exposures, denial of service, and arbitrary code execution when access control checks are not applied consistently.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-28215"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-12-11T01:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A CWE-862: Missing Authorization vulnerability exists in Easergy T300 (firmware 2.7 and older), that could cause a wide range of problems, including information exposures, denial of service, and arbitrary code execution when access control checks are not applied consistently.",
  "id": "GHSA-9ggp-g58q-5q4w",
  "modified": "2022-05-24T17:36:05Z",
  "published": "2022-05-24T17:36:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28215"
    },
    {
      "type": "WEB",
      "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-343-03"
    },
    {
      "type": "WEB",
      "url": "https://www.se.com/ww/en/download/document/SEVD-2020-315-06"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-9GR5-3R4C-WX78

Vulnerability from github – Published: 2025-01-27 15:30 – Updated: 2026-04-01 18:33
VLAI
Details

Missing Authorization vulnerability in Marian Kanev Cab fare calculator allows Stored XSS. This issue affects Cab fare calculator: from n/a through 1.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-23982"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-27T15:15:13Z",
    "severity": "HIGH"
  },
  "details": "Missing Authorization vulnerability in Marian Kanev Cab fare calculator allows Stored XSS. This issue affects Cab fare calculator: from n/a through 1.1.",
  "id": "GHSA-9gr5-3r4c-wx78",
  "modified": "2026-04-01T18:33:29Z",
  "published": "2025-01-27T15:30:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23982"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/fare-calculator/vulnerability/wordpress-fare-calculator-plugin-1-1-csrf-to-stored-cross-site-scripting-vulnerability?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/cab-fare-calculator/vulnerability/wordpress-fare-calculator-plugin-1-1-csrf-to-stored-cross-site-scripting-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9GR5-Q4FV-5C5X

Vulnerability from github – Published: 2026-01-23 15:31 – Updated: 2026-01-26 18:31
VLAI
Details

Missing Authorization vulnerability in Ashan Perera LifePress lifepress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LifePress: from n/a through <= 2.1.3.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-24563"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-23T15:16:13Z",
    "severity": "MODERATE"
  },
  "details": "Missing Authorization vulnerability in Ashan Perera LifePress lifepress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LifePress: from n/a through \u003c= 2.1.3.",
  "id": "GHSA-9gr5-q4fv-5c5x",
  "modified": "2026-01-26T18:31:28Z",
  "published": "2026-01-23T15:31:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24563"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/lifepress/vulnerability/wordpress-lifepress-plugin-2-1-3-broken-access-control-vulnerability-2?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9GX3-JQV2-VPHR

Vulnerability from github – Published: 2024-08-13 06:30 – Updated: 2024-08-13 06:30
VLAI
Details

SAP shared service framework allows an authenticated non-administrative user to call a remote-enabled function, which will allow them to insert value entries into a non-sensitive table, causing low impact on integrity of the application

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-42377"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-13T04:15:11Z",
    "severity": "MODERATE"
  },
  "details": "SAP shared service framework allows an\nauthenticated non-administrative user to call a remote-enabled function, which\nwill allow them to insert value entries into a non-sensitive table, causing low\nimpact on integrity of the application",
  "id": "GHSA-9gx3-jqv2-vphr",
  "modified": "2024-08-13T06:30:48Z",
  "published": "2024-08-13T06:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42377"
    },
    {
      "type": "WEB",
      "url": "https://me.sap.com/notes/3474590"
    },
    {
      "type": "WEB",
      "url": "https://url.sap/sapsecuritypatchday"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9H25-7CGQ-FHVV

Vulnerability from github – Published: 2022-05-24 17:32 – Updated: 2022-05-24 17:32
VLAI
Details

Ruckus through 1.5.1.0.21 is affected by remote command injection. An authenticated user can submit a query to the API (/service/v1/createUser endpoint), injecting arbitrary commands that will be executed as root user via web.py.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-26878"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-10-26T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "Ruckus through 1.5.1.0.21 is affected by remote command injection. An authenticated user can submit a query to the API (/service/v1/createUser endpoint), injecting arbitrary commands that will be executed as root user via web.py.",
  "id": "GHSA-9h25-7cgq-fhvv",
  "modified": "2022-05-24T17:32:11Z",
  "published": "2022-05-24T17:32:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26878"
    },
    {
      "type": "WEB",
      "url": "https://adepts.of0x.cc"
    },
    {
      "type": "WEB",
      "url": "https://adepts.of0x.cc/ruckus-vriot-rce"
    },
    {
      "type": "WEB",
      "url": "https://support.ruckuswireless.com/documents"
    },
    {
      "type": "WEB",
      "url": "https://support.ruckuswireless.com/security_bulletins/305"
    },
    {
      "type": "WEB",
      "url": "https://twitter.com/TheXC3LL"
    },
    {
      "type": "WEB",
      "url": "https://x-c3ll.github.io"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-9H27-89MR-2QM2

Vulnerability from github – Published: 2023-04-20 09:30 – Updated: 2024-04-04 03:36
VLAI
Details

Mattermost fails to invalidate existing authorization codes when deauthorizing an OAuth2 app, allowing an attacker possessing an authorization code to generate an access token.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-2193"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-20T09:15:10Z",
    "severity": "CRITICAL"
  },
  "details": "Mattermost fails to invalidate existing authorization codes when deauthorizing an OAuth2 app, allowing an attacker possessing an authorization code to generate an access token.\n",
  "id": "GHSA-9h27-89mr-2qm2",
  "modified": "2024-04-04T03:36:38Z",
  "published": "2023-04-20T09:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2193"
    },
    {
      "type": "WEB",
      "url": "https://mattermost.com/security-updates"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9H54-F8P4-357G

Vulnerability from github – Published: 2024-06-11 15:31 – Updated: 2024-06-11 15:31
VLAI
Details

Missing Authorization vulnerability in Woo WooCommerce Canada Post Shipping.This issue affects WooCommerce Canada Post Shipping: from n/a through 2.8.3.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-51498"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-11T15:15:55Z",
    "severity": "MODERATE"
  },
  "details": "Missing Authorization vulnerability in Woo WooCommerce Canada Post Shipping.This issue affects WooCommerce Canada Post Shipping: from n/a through 2.8.3.",
  "id": "GHSA-9h54-f8p4-357g",
  "modified": "2024-06-11T15:31:14Z",
  "published": "2024-06-11T15:31:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51498"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/woocommerce-shipping-canada-post/wordpress-woocommerce-canada-post-shipping-plugin-2-8-3-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9H56-23GJ-953R

Vulnerability from github – Published: 2026-03-02 21:31 – Updated: 2026-03-06 06:30
VLAI
Details

In relayoutWindow of WindowManagerService.java, there is a possible tapjack attack due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-48634"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-02T19:16:27Z",
    "severity": "HIGH"
  },
  "details": "In relayoutWindow of WindowManagerService.java, there is a possible tapjack attack due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.",
  "id": "GHSA-9h56-23gj-953r",
  "modified": "2026-03-06T06:30:29Z",
  "published": "2026-03-02T21:31:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48634"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/docs/security/bulletin/2026/2026-03-01"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2026-03-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9H64-2846-7X7F

Vulnerability from github – Published: 2026-05-06 23:13 – Updated: 2026-05-06 23:13
VLAI
Summary
Axonflow fixed bugs by implementing multi-tenant isolation and access-control hardening
Details

Summary

Eight independently-filed bug fixes in the v7.1.3 → v7.5.0 release window collectively close a set of multi-tenant isolation, access-control, and policy-enforcement defects in the AxonFlow platform. They are filed as a single consolidated advisory because the recommended remediation is a single platform upgrade.

Affected versions

< 7.5.0. Specific items affect different earlier minors; see Impact below.

Patched versions

>= 7.5.0.

Impact

# Item Affected Patched CWE
1 MAP execution multi-tenant isolation. A body-supplied org_id could override the Basic-auth-derived org for both execution recording and policy evaluation. In multi-tenant deployments with shared agents, this could record one tenant's request under another tenant's audit log and evaluate it under the wrong tenant's policy set. < 7.4.5 >= 7.4.5 CWE-863
2 Cross-tenant audit-log leak via evidence/explain handlers. The handlers behind /api/v1/evidence/* and /api/v1/decisions/*/explain failed open when the tenant context was missing, returning data scoped to a different tenant or returning data without scope. < 7.2.0 >= 7.2.0 CWE-200, CWE-863
3 License-validation bypass on onboard-customer. The portal customer-onboard endpoint lacked authentication and license-key validation, allowing unauthenticated callers to invoke the onboard flow. < 7.2.0 >= 7.2.0 CWE-862
4 Tenant-scope fail-open on evidence/explain. Distinct from item 2: when tenant headers were absent, the handler defaulted to a permissive read scope rather than refusing the request. < 7.2.0 >= 7.2.0 CWE-862
5 Internal-service auth fallback bypass in non-Community modes. Evaluation/Enterprise builds carried an auth fallback path that, under specific request shapes, could be exploited to bypass apiAuthMiddleware. < 7.2.0 >= 7.2.0 CWE-863
6 Login timing / org-existence disclosure on the portal. The login handler returned different timing and response bodies for invalid-org vs invalid-password, allowing org enumeration. < 7.1.3 >= 7.1.3 CWE-208
7 Portal DoS via unbounded request body. The portal accepted unbounded request bodies, allowing memory-exhaustion attacks. Capped at 1 MiB. < 7.1.5 >= 7.1.5 CWE-770
8 SQL-injection enforcement regression on try.getaxonflow.com. The Community SaaS hosted endpoint inherited the warn SQLi default introduced in v6.2.0, allowing SQL-injection-shaped requests to pass governance to the LLM. Self-hosted deployments were unaffected unless they manually changed the default. < 7.5.0 (try.getaxonflow.com only) >= 7.5.0 CWE-89

Remediation

Upgrade to AxonFlow platform v7.5.0 or later. No configuration changes required — the platform is purely additive and existing API/SDK callers continue to work.

For users who can't upgrade immediately, item-specific mitigations:

  • Items 1–5: ensure the agent middleware sets X-Org-ID / X-Tenant-ID from authenticated identity at the ingress, never accepting body-supplied identity.
  • Item 8 (Community SaaS): SQLI_ACTION=block can be set explicitly via the agent task definition; v7.5.0 makes this the default.

Resources

  • AxonFlow v7.5.0 CHANGELOG entry: https://github.com/getaxonflow/axonflow/blob/main/CHANGELOG.md
  • AxonFlow v7.5.0 GitHub Release: https://github.com/getaxonflow/axonflow/releases/tag/v7.5.0

Credit

Identified by AxonFlow internal security review during the April 2026 quality-freeze epic.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/getaxonflow/axonflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-208",
      "CWE-770",
      "CWE-862",
      "CWE-863",
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-06T23:13:27Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "## Summary\n\nEight independently-filed bug fixes in the v7.1.3 \u2192 v7.5.0 release window collectively close a set of multi-tenant isolation, access-control, and policy-enforcement defects in the AxonFlow platform. They are filed as a single consolidated advisory because the recommended remediation is a single platform upgrade.\n\n## Affected versions\n\n`\u003c 7.5.0`. Specific items affect different earlier minors; see Impact below.\n\n## Patched versions\n\n`\u003e= 7.5.0`.\n\n## Impact\n\n| # | Item | Affected | Patched | CWE |\n|---|---|---|---|---|\n| 1 | **MAP execution multi-tenant isolation.** A body-supplied `org_id` could override the Basic-auth-derived org for both execution recording and policy evaluation. In multi-tenant deployments with shared agents, this could record one tenant\u0027s request under another tenant\u0027s audit log and evaluate it under the wrong tenant\u0027s policy set. | `\u003c 7.4.5` | `\u003e= 7.4.5` | CWE-863 |\n| 2 | **Cross-tenant audit-log leak via evidence/explain handlers.** The handlers behind `/api/v1/evidence/*` and `/api/v1/decisions/*/explain` failed open when the tenant context was missing, returning data scoped to a different tenant or returning data without scope. | `\u003c 7.2.0` | `\u003e= 7.2.0` | CWE-200, CWE-863 |\n| 3 | **License-validation bypass on `onboard-customer`.** The portal customer-onboard endpoint lacked authentication and license-key validation, allowing unauthenticated callers to invoke the onboard flow. | `\u003c 7.2.0` | `\u003e= 7.2.0` | CWE-862 |\n| 4 | **Tenant-scope fail-open on evidence/explain.** Distinct from item 2: when tenant headers were absent, the handler defaulted to a permissive read scope rather than refusing the request. | `\u003c 7.2.0` | `\u003e= 7.2.0` | CWE-862 |\n| 5 | **Internal-service auth fallback bypass in non-Community modes.** Evaluation/Enterprise builds carried an auth fallback path that, under specific request shapes, could be exploited to bypass `apiAuthMiddleware`. | `\u003c 7.2.0` | `\u003e= 7.2.0` | CWE-863 |\n| 6 | **Login timing / org-existence disclosure on the portal.** The login handler returned different timing and response bodies for invalid-org vs invalid-password, allowing org enumeration. | `\u003c 7.1.3` | `\u003e= 7.1.3` | CWE-208 |\n| 7 | **Portal DoS via unbounded request body.** The portal accepted unbounded request bodies, allowing memory-exhaustion attacks. Capped at 1 MiB. | `\u003c 7.1.5` | `\u003e= 7.1.5` | CWE-770 |\n| 8 | **SQL-injection enforcement regression on `try.getaxonflow.com`.** The Community SaaS hosted endpoint inherited the `warn` SQLi default introduced in v6.2.0, allowing SQL-injection-shaped requests to pass governance to the LLM. Self-hosted deployments were unaffected unless they manually changed the default. | `\u003c 7.5.0` (try.getaxonflow.com only) | `\u003e= 7.5.0` | CWE-89 |\n\n## Remediation\n\nUpgrade to AxonFlow platform **v7.5.0** or later. No configuration changes required \u2014 the platform is purely additive and existing API/SDK callers continue to work.\n\nFor users who can\u0027t upgrade immediately, item-specific mitigations:\n\n- **Items 1\u20135:** ensure the agent middleware sets `X-Org-ID` / `X-Tenant-ID` from authenticated identity at the ingress, never accepting body-supplied identity.\n- **Item 8 (Community SaaS):** `SQLI_ACTION=block` can be set explicitly via the agent task definition; v7.5.0 makes this the default.\n\n## Resources\n\n- AxonFlow v7.5.0 CHANGELOG entry: https://github.com/getaxonflow/axonflow/blob/main/CHANGELOG.md\n- AxonFlow v7.5.0 GitHub Release: https://github.com/getaxonflow/axonflow/releases/tag/v7.5.0\n\n## Credit\n\nIdentified by AxonFlow internal security review during the April 2026 quality-freeze epic.",
  "id": "GHSA-9h64-2846-7x7f",
  "modified": "2026-05-06T23:13:27Z",
  "published": "2026-05-06T23:13:27Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/getaxonflow/axonflow/security/advisories/GHSA-9h64-2846-7x7f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/getaxonflow/axonflow"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getaxonflow/axonflow/blob/main/CHANGELOG.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getaxonflow/axonflow/releases/tag/v7.5.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Axonflow fixed bugs by implementing multi-tenant isolation and access-control hardening"
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

CAPEC-665: Exploitation of Thunderbolt Protection Flaws

An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.