Security implications of authorization model flaw in ThingWorx 9.1 and earlier
Applies To
- ThingWorx Platform 8.4 to 9.1, and earlier versions
Description
- As part of its continuing effort to analyze and improve the security and functionality of the ThingWorx permissions model, PTC identified an architectural flaw in the way in which ThingWorx Foundation permissions were stored in versions before 9.2.0
- When creating a new user with the exact same name as a previous user, the new user assumes all the permissions of the old user
- After deleting a user account and creating a new one with the same exact name (but representing a different actual person), the new user inherits the permissions of the previous user
- This specific issue could potentially allow an Administrator to delete a user and then, if a user with the same name were subsequently re-created, have that new user assume the permissions of the old one
- Although there is a relatively small set of circumstances in which this could represent a security vulnerability, PTC re-architected the ThingWorx permissions scheme in order to resolve it
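The following is an added illustration, not PTC's code and not a description of how ThingWorx stores permissions internally (the page does not publish that). It models the flaw the advisory describes in a minimal form: a directory that binds grants to the reusable username string, so deleting the account leaves the grants behind for the next account with that name, beside a corrected directory that binds grants to an immutable random identifier and revokes them on deletion. The usernames and the permission string are constructed sample values. The `orphaned_grants` audit on the flawed model is the kind of check an administrator could run against any system suspected of the same weakness: grant rows whose subject no longer exists.

```python
"""Toy model of username-keyed vs. identity-keyed permission storage.

Added example, not PTC's or ThingWorx's code. It reproduces the scenario in
the advisory: grant rights to a user, delete the user, re-create a user with
the same name, and observe whether the new account inherits the old grants.
"""
import uuid
from dataclasses import dataclass, field


@dataclass
class NameKeyedDirectory:
    """Flawed model: grants are stored against the username string.
    Deleting the account removes the user but leaves the grant rows, so a
    later account created with the same name silently inherits them."""
    users: set[str] = field(default_factory=set)
    grants: dict[str, set[str]] = field(default_factory=dict)   # name -> permissions

    def create_user(self, name: str) -> None:
        if name in self.users:
            raise ValueError(f"user {name!r} already exists")
        self.users.add(name)

    def grant(self, name: str, permission: str) -> None:
        self.grants.setdefault(name, set()).add(permission)

    def delete_user(self, name: str) -> None:
        # Only the account is removed; grant rows keyed by name are left behind.
        self.users.discard(name)

    def permissions_of(self, name: str) -> set[str]:
        if name not in self.users:
            return set()
        return set(self.grants.get(name, set()))

    def orphaned_grants(self) -> set[str]:
        """Audit check: subjects that still hold grants but no longer exist."""
        return {subject for subject in self.grants if subject not in self.users}


@dataclass
class IdKeyedDirectory:
    """Corrected model: every account gets an immutable random id, grants are
    keyed by that id, and deletion revokes them. A new account that reuses an
    old name gets a fresh id and therefore starts with no rights."""
    users: dict[str, str] = field(default_factory=dict)          # name -> user id
    grants: dict[str, set[str]] = field(default_factory=dict)    # user id -> permissions

    def create_user(self, name: str) -> str:
        if name in self.users:
            raise ValueError(f"user {name!r} already exists")
        uid = uuid.uuid4().hex
        self.users[name] = uid
        return uid

    def grant(self, name: str, permission: str) -> None:
        self.grants.setdefault(self.users[name], set()).add(permission)

    def delete_user(self, name: str) -> None:
        uid = self.users.pop(name)
        # Revoke everything bound to the identity, not just the name mapping.
        self.grants.pop(uid, None)

    def permissions_of(self, name: str) -> set[str]:
        uid = self.users.get(name)
        if uid is None:
            return set()
        return set(self.grants.get(uid, set()))


# Constructed sample values for the scenario; not taken from a real deployment.
SAMPLE_USER = "alice"
SAMPLE_PERMISSION = "Thing:Sensor1:PropertyWrite"


def replay(directory_cls):
    """Run the advisory's sequence against either model and return what the
    re-created account can do."""
    directory = directory_cls()
    directory.create_user(SAMPLE_USER)
    directory.grant(SAMPLE_USER, SAMPLE_PERMISSION)
    directory.delete_user(SAMPLE_USER)
    directory.create_user(SAMPLE_USER)      # a different person, same name
    return directory.permissions_of(SAMPLE_USER)


if __name__ == "__main__":
    print("name-keyed, after re-create:", replay(NameKeyedDirectory))
    print("id-keyed,   after re-create:", replay(IdKeyedDirectory))
```

Running the module prints a non-empty permission set for the name-keyed model and an empty set for the id-keyed one. The remedy has two parts, and both matter: keying grants by an identifier that is never reused, and deleting those grants when the account is deleted. Fixing only the key would still leave stale rows that an audit such as `orphaned_grants` would flag.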