CWE-250
AllowedExecution with Unnecessary Privileges
Abstraction: Base · Status: Draft
The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.
575 vulnerabilities reference this CWE, most recent first.
GHSA-2CF4-4HV6-CCXC
Vulnerability from github – Published: 2025-05-10 03:30 – Updated: 2025-05-10 03:30IBM Storage Scale 5.2.2.0 and 5.2.2.1, under certain configurations, could allow an authenticated user to execute privileged commands due to improper input neutralization.
{
"affected": [],
"aliases": [
"CVE-2025-1137"
],
"database_specific": {
"cwe_ids": [
"CWE-250",
"CWE-77"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-10T03:15:22Z",
"severity": "HIGH"
},
"details": "IBM Storage Scale 5.2.2.0 and 5.2.2.1, under certain configurations, could allow an authenticated user to execute privileged commands due to improper input neutralization.",
"id": "GHSA-2cf4-4hv6-ccxc",
"modified": "2025-05-10T03:30:23Z",
"published": "2025-05-10T03:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1137"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7233085"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2GHC-9393-F9WV
Vulnerability from github – Published: 2025-12-23 18:30 – Updated: 2025-12-23 18:30NVIDIA Isaac Launchable contains a vulnerability where an attacker could cause an execution with unnecessary privileges. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, denial of service, information disclosure and data tampering.
{
"affected": [],
"aliases": [
"CVE-2025-33223"
],
"database_specific": {
"cwe_ids": [
"CWE-250"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-23T17:15:47Z",
"severity": "CRITICAL"
},
"details": "NVIDIA Isaac Launchable contains a vulnerability where an attacker could cause an execution with unnecessary privileges. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, denial of service, information disclosure and data tampering.",
"id": "GHSA-2ghc-9393-f9wv",
"modified": "2025-12-23T18:30:27Z",
"published": "2025-12-23T18:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-33223"
},
{
"type": "WEB",
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5749"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-33223"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2J3P-GQW5-G59J
Vulnerability from github – Published: 2026-03-02 17:44 – Updated: 2026-03-02 21:59Impact
Vulnerability Type: Local Privilege Escalation (LPE) / Improper Privilege Management / Arbitrary Command Execution.
The application automatically re-executes the previously failed command but does not properly drop elevated privileges during this process.
When the tool is executed with sudo or otherwise runs with an effective UID of root, it records the last executed command and attempts to rerun it. However, the application fails to restore the original unprivileged user context before re-executing the command. As a result, the retried command is executed with root privileges, even if the original command was issued by an unprivileged user.
This allows a local attacker to intentionally trigger a failed command under elevated execution and gain arbitrary command execution as root via the retry mechanism.
Who is impacted:
Any system where this tool is executed with elevated privileges is affected. The risk is especially high in environments where the tool is permitted to run via sudo, including configurations with NOPASSWD, as an unprivileged user can escalate privileges to root without additional interaction.
Proof of Concept
To verify the vulnerability without a shell, attempt to create a file in a root-protected directory.
1. Verify the file does not exist
sudo ls /root/proof_of_lpe
# Output: No such file or directory
2. Run the vulnerable command
sudo bash -c "SH_PREV_CMD='touch /root/proof_of_lpe' target/release/theshit fix"
3. Check if the file was created by root
sudo ls -l /root/proof_of_lpe
Expected Result:
The command succeeds silently, and the file /root/proof_of_lpe is created, confirming arbitrary command execution with root privileges.
Patches
The issue has been fixed in version 0.1.2.
The patch ensures that privilege levels are correctly handled during command re-execution. Before retrying any previously executed command, the application now explicitly resets the effective UID and GID to the original invoking user.
Workarounds
If upgrading is not possible, users should avoid executing the application with sudo or as the root user.
As a temporary mitigation, administrators should restrict the use of the tool in privileged contexts and ensure it is not included in sudoers configurations, particularly with NOPASSWD. Running the tool strictly as an unprivileged user prevents exploitation of the retry mechanism.
References
- Commit fixing the issue
- CWE-269: Improper Privilege Management
- CWE-273: Improper Check for Dropped Privileges
- CWE-250: Execution with Unnecessary Privileges
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "theshit"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-21882"
],
"database_specific": {
"cwe_ids": [
"CWE-250",
"CWE-269",
"CWE-273"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-02T17:44:53Z",
"nvd_published_at": "2026-03-02T20:16:26Z",
"severity": "HIGH"
},
"details": "### Impact\n\n**Vulnerability Type:** Local Privilege Escalation (LPE) / Improper Privilege Management / Arbitrary Command Execution.\n\nThe application automatically re-executes the previously failed command but does not properly drop elevated privileges during this process.\n\nWhen the tool is executed with `sudo` or otherwise runs with an effective UID of root, it records the last executed command and attempts to rerun it. However, the application fails to restore the original unprivileged user context before re-executing the command. As a result, the retried command is executed with root privileges, even if the original command was issued by an unprivileged user.\n\nThis allows a local attacker to intentionally trigger a failed command under elevated execution and gain arbitrary command execution as root via the retry mechanism.\n\n**Who is impacted:**\nAny system where this tool is executed with elevated privileges is affected. The risk is especially high in environments where the tool is permitted to run via `sudo`, including configurations with `NOPASSWD`, as an unprivileged user can escalate privileges to root without additional interaction.\n\n### Proof of Concept\n\nTo verify the vulnerability without a shell, attempt to create a file in a root-protected directory.\n\n**1. Verify the file does not exist**\n```bash\nsudo ls /root/proof_of_lpe\n# Output: No such file or directory\n```\n\n**2. Run the vulnerable command**\n```bash\nsudo bash -c \"SH_PREV_CMD=\u0027touch /root/proof_of_lpe\u0027 target/release/theshit fix\"\n```\n\n**3. Check if the file was created by root**\n```bash\nsudo ls -l /root/proof_of_lpe\n```\n\n**Expected Result:**\nThe command succeeds silently, and the file `/root/proof_of_lpe` is created, confirming arbitrary command execution with root privileges.\n\n### Patches\n\nThe issue has been fixed in version **0.1.2**.\n\nThe patch ensures that privilege levels are correctly handled during command re-execution. Before retrying any previously executed command, the application now explicitly resets the effective UID and GID to the original invoking user.\n\n### Workarounds\n\nIf upgrading is not possible, users should avoid executing the application with `sudo` or as the root user.\n\nAs a temporary mitigation, administrators should restrict the use of the tool in privileged contexts and ensure it is not included in `sudoers` configurations, particularly with `NOPASSWD`. Running the tool strictly as an unprivileged user prevents exploitation of the retry mechanism.\n\n### References\n\n* [Commit fixing the issue](https://github.com/AsfhtgkDavid/theshit/commit/5293957b119e55212dce2c6dcbaf1d7eb794602a)\n* CWE-269: Improper Privilege Management\n* CWE-273: Improper Check for Dropped Privileges\n* CWE-250: Execution with Unnecessary Privileges",
"id": "GHSA-2j3p-gqw5-g59j",
"modified": "2026-03-02T21:59:23Z",
"published": "2026-03-02T17:44:53Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/AsfhtgkDavid/theshit/security/advisories/GHSA-2j3p-gqw5-g59j"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21882"
},
{
"type": "WEB",
"url": "https://github.com/AsfhtgkDavid/theshit/commit/5293957b119e55212dce2c6dcbaf1d7eb794602a"
},
{
"type": "PACKAGE",
"url": "https://github.com/AsfhtgkDavid/theshit"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "theshit\u0027s Improper Privilege Dropping Allows Local Privilege Escalation via Command Re-execution"
}
GHSA-2MMX-JX99-8CMF
Vulnerability from github – Published: 2025-10-28 21:30 – Updated: 2026-01-21 21:30HP ThinPro 8.1 System management application failed to verify user's true id. HP has released HP ThinPro 8.1 SP8, which includes updates to mitigate potential vulnerabilities.
{
"affected": [],
"aliases": [
"CVE-2025-43017"
],
"database_specific": {
"cwe_ids": [
"CWE-250"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-28T21:15:37Z",
"severity": "HIGH"
},
"details": "HP ThinPro 8.1 System management application failed to verify user\u0027s true id. HP has released HP ThinPro 8.1 SP8, which includes updates to mitigate potential vulnerabilities.",
"id": "GHSA-2mmx-jx99-8cmf",
"modified": "2026-01-21T21:30:28Z",
"published": "2025-10-28T21:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43017"
},
{
"type": "WEB",
"url": "https://support.hp.com/us-en/document/ish_13164593-13164617-16/hpsbhf04066"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-2RHX-QHXP-5JPW
Vulnerability from github – Published: 2024-05-17 15:31 – Updated: 2026-04-06 17:19A flaw was found in the Submariner project. Due to unnecessary role-based access control permissions, a privileged attacker can run a malicious container on a node that may allow them to steal service account tokens and further compromise other nodes and potentially the entire cluster.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/submariner-io/submariner-operator"
},
"ranges": [
{
"events": [
{
"introduced": "0.16.0-m0"
},
{
"fixed": "0.16.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/submariner-io/submariner-operator"
},
"ranges": [
{
"events": [
{
"introduced": "0.17.0-m0"
},
{
"fixed": "0.17.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/submariner-io/submariner-operator"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.15.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/submariner-io/submariner-operator"
},
"ranges": [
{
"events": [
{
"introduced": "0.18.0-m0"
},
{
"fixed": "0.18.0-rc0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-5042"
],
"database_specific": {
"cwe_ids": [
"CWE-250"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-17T20:03:57Z",
"nvd_published_at": "2024-05-17T14:15:21Z",
"severity": "MODERATE"
},
"details": "A flaw was found in the Submariner project. Due to unnecessary role-based access control permissions, a privileged attacker can run a malicious container on a node that may allow them to steal service account tokens and further compromise other nodes and potentially the entire cluster.",
"id": "GHSA-2rhx-qhxp-5jpw",
"modified": "2026-04-06T17:19:54Z",
"published": "2024-05-17T15:31:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5042"
},
{
"type": "WEB",
"url": "https://github.com/submariner-io/submariner-operator/issues/3041"
},
{
"type": "WEB",
"url": "https://github.com/submariner-io/submariner-operator/pull/3040"
},
{
"type": "WEB",
"url": "https://github.com/submariner-io/submariner-operator/pull/3045"
},
{
"type": "WEB",
"url": "https://github.com/submariner-io/submariner-operator/pull/3046"
},
{
"type": "WEB",
"url": "https://github.com/submariner-io/submariner-operator/pull/3049"
},
{
"type": "WEB",
"url": "https://github.com/submariner-io/submariner-operator/commit/b27a04c4270e53cbff6ff8ac6245db10c204bcab"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:4591"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:6503"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-5042"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2280921"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-2rhx-qhxp-5jpw"
},
{
"type": "PACKAGE",
"url": "https://github.com/submariner-io/submariner-operator"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Submariner Operator sets unnecessary RBAC permissions"
}
GHSA-2RJ3-5W4F-4XJJ
Vulnerability from github – Published: 2025-08-12 06:34 – Updated: 2025-08-12 06:34ACAP applications can be executed with elevated privileges, potentially leading to privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application.
{
"affected": [],
"aliases": [
"CVE-2025-3892"
],
"database_specific": {
"cwe_ids": [
"CWE-250"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-12T06:15:26Z",
"severity": "MODERATE"
},
"details": "ACAP applications can be executed with elevated privileges, potentially leading to privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP\u00a0applications, and if an attacker convinces the victim to install a malicious ACAP application.",
"id": "GHSA-2rj3-5w4f-4xjj",
"modified": "2025-08-12T06:34:24Z",
"published": "2025-08-12T06:34:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3892"
},
{
"type": "WEB",
"url": "https://www.axis.com/dam/public/ae/19/16/cve-2025-3892pdf-en-US-492760.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2WVH-87G2-89HR
Vulnerability from github – Published: 2026-04-23 14:17 – Updated: 2026-04-23 14:17Vulnerability Type: Execution with Unnecessary Privileges Attack type: Authenticated remote Impact: Data disclosure/manipulation, privilege escalation Affected components: The following docker images: • Openc3inc/openc3-COSMOS-script-runner-api
The Script Runner widget allows users to execute Python and Ruby scripts directly from the openc3-COSMOS-script-runner-api container. Because all the docker containers share a network, users can execute specially crafted scripts to bypass the API permissions check and perform administrative actions, including reading and modifying data inside the Redis database, which can be used to read secrets and change COSMOS settings, as well as read and write to the buckets service, which holds configuration, log, and plugin files. These actions are normally only available from the Admin Console or with administrative privileges. Any user with permission to create and run scripts can connect to any service in the docker network.
Figure 1: Environment variables, including Redis credentials, found in the Script Runner container A Ruby script is used to expose the Redis username, password, hostname, and port. These credentials might also be found from the source code or through a brute-force attack.
Figure 2: A Python script is used to add data to Redis and retrieve the new data
A Python script is then used to create a new entry in the Redis database called openc3__settings_hacked with a key of store_url and a value of http://hacked.com.
Figure 3: The new data found in the Redis database
The new entry was successfully added to the Redis database, as is confirmed by using redis-cli.
The following example shows how an attacker might change the plugin store URL file that is stored in the config bucket.
Figure 4: Uploading file to change the plugin store URL setting
Figure 5: The URL file was successfully changed
Steps To Reproduce
- Run the following Ruby code to find the Redis credentials:
puts `env | grep redis`
- Add the following Python script with the credentials to create a new entry and read it
import redis
import json
import time
r = redis.Redis(
host = 'openc3-redis',
port = 6379,
username = 'openc3',
password = 'openc3password',
decode_responses=True
)
# Save a setting
setting_data = {
'name': 'store_url',
'data': 'http://hacked.com',
'updated_at': time.time_ns()
}
r.hset('openc3__settings_hacked','store_url',json.dumps(setting_data))
print(r.hget('openc3__settings_hacked','store_url'))
Recommendations
• Limit the permissions of the script runner API to prevent lower level users from performing administrative actions
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "openc3"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.0.0-rc3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-250"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-23T14:17:53Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "**Vulnerability Type: Execution with Unnecessary Privileges\nAttack type: Authenticated remote\nImpact: Data disclosure/manipulation, privilege escalation\nAffected components: The following docker images:\n\u2022\tOpenc3inc/openc3-COSMOS-script-runner-api**\n\nThe Script Runner widget allows users to execute Python and Ruby scripts directly from the openc3-COSMOS-script-runner-api container. Because all the docker containers share a network, users can execute specially crafted scripts to bypass the API permissions check and perform administrative actions, including reading and modifying data inside the Redis database, which can be used to read secrets and change COSMOS settings, as well as read and write to the buckets service, which holds configuration, log, and plugin files. These actions are normally only available from the Admin Console or with administrative privileges. Any user with permission to create and run scripts can connect to any service in the docker network. \n \n\u003cimg width=\"940\" height=\"473\" alt=\"image\" src=\"https://github.com/user-attachments/assets/bf524163-127d-4349-999b-cefc53d4374d\" /\u003e\n\nFigure 1: Environment variables, including Redis credentials, found in the Script Runner container\nA Ruby script is used to expose the Redis username, password, hostname, and port. These credentials might also be found from the source code or through a brute-force attack.\n \n\u003cimg width=\"940\" height=\"507\" alt=\"image\" src=\"https://github.com/user-attachments/assets/6d3ccad4-949d-4eeb-a5f8-3aca48bbe815\" /\u003e\n\nFigure 2: A Python script is used to add data to Redis and retrieve the new data\nA Python script is then used to create a new entry in the Redis database called `openc3__settings_hacked` with a key of `store_url` and a value of `http://hacked.com`.\n \n\u003cimg width=\"940\" height=\"70\" alt=\"image\" src=\"https://github.com/user-attachments/assets/fcef13be-5416-4627-9c95-617a24674ee0\" /\u003e\n\nFigure 3: The new data found in the Redis database\nThe new entry was successfully added to the Redis database, as is confirmed by using `redis-cli`. \nThe following example shows how an attacker might change the plugin store URL file that is stored in the config bucket.\n \n\u003cimg width=\"940\" height=\"640\" alt=\"image\" src=\"https://github.com/user-attachments/assets/681b4dd6-4b6e-4a91-8480-0c9fbff76ede\" /\u003e\n\nFigure 4: Uploading file to change the plugin store URL setting\n \n\u003cimg width=\"940\" height=\"189\" alt=\"image\" src=\"https://github.com/user-attachments/assets/630db0bb-217e-4205-be1d-e9891516b22f\" /\u003e\n\nFigure 5: The URL file was successfully changed\n###\tSteps To Reproduce\n1.\tRun the following Ruby code to find the Redis credentials:\n```ruby\nputs `env | grep redis`\n```\n3.\tAdd the following Python script with the credentials to create a new entry and read it\n```python\nimport redis\nimport json\nimport time\n\nr = redis.Redis(\n host = \u0027openc3-redis\u0027,\n port = 6379,\n username = \u0027openc3\u0027, \n password = \u0027openc3password\u0027, \n decode_responses=True\n)\n\n# Save a setting\nsetting_data = {\n \u0027name\u0027: \u0027store_url\u0027,\n \u0027data\u0027: \u0027http://hacked.com\u0027,\n \u0027updated_at\u0027: time.time_ns()\n}\nr.hset(\u0027openc3__settings_hacked\u0027,\u0027store_url\u0027,json.dumps(setting_data))\nprint(r.hget(\u0027openc3__settings_hacked\u0027,\u0027store_url\u0027))\n```\n\n###\tRecommendations\n\u2022\tLimit the permissions of the script runner API to prevent lower level users from performing administrative actions",
"id": "GHSA-2wvh-87g2-89hr",
"modified": "2026-04-23T14:17:53Z",
"published": "2026-04-23T14:17:53Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/OpenC3/cosmos/security/advisories/GHSA-2wvh-87g2-89hr"
},
{
"type": "PACKAGE",
"url": "https://github.com/OpenC3/cosmos"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "OpenC3 COSMOS: Permissions Bypass Provides User Access to Unassigned Administrative Actions via Script Runner Tool"
}
GHSA-2X8R-WP6Q-WHXR
Vulnerability from github – Published: 2023-07-04 00:31 – Updated: 2024-04-04 05:21NVIDIA DGX A100/A800 contains a vulnerability in SBIOS where an attacker may cause execution with unnecessary privileges by leveraging a weakness whereby proper input parameter validation is not performed. A successful exploit of this vulnerability may lead to denial of service, information disclosure, and data tampering.
{
"affected": [],
"aliases": [
"CVE-2023-25521"
],
"database_specific": {
"cwe_ids": [
"CWE-250",
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-04T00:15:09Z",
"severity": "HIGH"
},
"details": "\n\n\n\n\nNVIDIA DGX A100/A800 contains a vulnerability in SBIOS where an attacker may cause execution with unnecessary privileges by leveraging a weakness whereby proper input parameter validation is not performed. A successful exploit of this vulnerability may lead to denial of service, information disclosure, and data tampering.\n\n\n\n\n\n",
"id": "GHSA-2x8r-wp6q-whxr",
"modified": "2024-04-04T05:21:08Z",
"published": "2023-07-04T00:31:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25521"
},
{
"type": "WEB",
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5461"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-32F6-JRX4-X77H
Vulnerability from github – Published: 2025-10-31 00:30 – Updated: 2025-11-05 18:31Nagios XI versions prior to 5.8.7 used a temporary directory for Highcharts exports with overly permissive ownership/permissions under the Apache user. Local or co-hosted processes could read/overwrite export artifacts or manipulate paths, risking disclosure or tampering and potential code execution depending on deployment.
{
"affected": [],
"aliases": [
"CVE-2021-47700"
],
"database_specific": {
"cwe_ids": [
"CWE-250"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-30T22:15:41Z",
"severity": "HIGH"
},
"details": "Nagios XI versions prior to\u00a05.8.7\u00a0used a temporary directory for Highcharts exports with overly permissive ownership/permissions under the Apache user. Local or co-hosted processes could read/overwrite export artifacts or manipulate paths, risking disclosure or tampering and potential code execution depending on deployment.",
"id": "GHSA-32f6-jrx4-x77h",
"modified": "2025-11-05T18:31:30Z",
"published": "2025-10-31T00:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47700"
},
{
"type": "WEB",
"url": "https://www.nagios.com/changelog/nagios-xi"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/nagios-xi-insecure-permissions-on-highcharts-temporary-directory"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-32WF-9FVJ-8HX8
Vulnerability from github – Published: 2024-05-31 18:31 – Updated: 2024-05-31 18:31A local privilege escalation vulnerability in Ivanti Secure Access Client for Windows allows a low privileged user to execute code as SYSTEM.
{
"affected": [],
"aliases": [
"CVE-2023-38042"
],
"database_specific": {
"cwe_ids": [
"CWE-250"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-31T18:15:09Z",
"severity": "HIGH"
},
"details": "A local privilege escalation vulnerability in Ivanti Secure Access Client for Windows allows a low privileged user to execute code as SYSTEM. ",
"id": "GHSA-32wf-9fvj-8hx8",
"modified": "2024-05-31T18:31:16Z",
"published": "2024-05-31T18:31:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38042"
},
{
"type": "WEB",
"url": "https://forums.ivanti.com/s/article/Security-Advisory-May-2024?language=en_US"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-17
Strategy: Environment Hardening
Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
Mitigation MIT-18
Strategy: Separation of Privilege
Identify the functionality that requires additional privileges, such as access to privileged operating system resources. Wrap and centralize this functionality if possible, and isolate the privileged code as much as possible from other code [REF-76]. Raise privileges as late as possible, and drop them as soon as possible to avoid CWE-271. Avoid weaknesses such as CWE-288 and CWE-420 by protecting all possible communication channels that could interact with the privileged code, such as a secondary socket that is only intended to be accessed by administrators.
Mitigation MIT-18
Strategy: Attack Surface Reduction
Identify the functionality that requires additional privileges, such as access to privileged operating system resources. Wrap and centralize this functionality if possible, and isolate the privileged code as much as possible from other code [REF-76]. Raise privileges as late as possible, and drop them as soon as possible to avoid CWE-271. Avoid weaknesses such as CWE-288 and CWE-420 by protecting all possible communication channels that could interact with the privileged code, such as a secondary socket that is only intended to be accessed by administrators.
Mitigation
Perform extensive input validation for any privileged code that must be exposed to the user and reject anything that does not fit your strict requirements.
Mitigation MIT-19
When dropping privileges, ensure that they have been dropped successfully to avoid CWE-273. As protection mechanisms in the environment get stronger, privilege-dropping calls may fail even if it seems like they would always succeed.
Mitigation
If circumstances force you to run with extra privileges, then determine the minimum access level necessary. First identify the different permissions that the software and its users will need to perform their actions, such as file read and write permissions, network socket permissions, and so forth. Then explicitly allow those actions while denying all else [REF-76]. Perform extensive input validation and canonicalization to minimize the chances of introducing a separate vulnerability. This mitigation is much more prone to error than dropping the privileges in the first place.
Mitigation MIT-37
Strategy: Environment Hardening
Ensure that the software runs properly under the United States Government Configuration Baseline (USGCB) [REF-199] or an equivalent hardening configuration guide, which many organizations use to limit the attack surface and potential risk of deployed software.
CAPEC-104: Cross Zone Scripting
An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security.
CAPEC-470: Expanding Control over the Operating System from the Database
An attacker is able to leverage access gained to the database to read / write data to the file system, compromise the operating system, create a tunnel for accessing the host machine, and use this access to potentially attack other machines on the same network as the database machine. Traditionally SQL injections attacks are viewed as a way to gain unauthorized read access to the data stored in the database, modify the data in the database, delete the data, etc. However, almost every data base management system (DBMS) system includes facilities that if compromised allow an attacker complete access to the file system, operating system, and full access to the host running the database. The attacker can then use this privileged access to launch subsequent attacks. These facilities include dropping into a command shell, creating user defined functions that can call system level libraries present on the host machine, stored procedures, etc.
CAPEC-69: Target Programs with Elevated Privileges
This attack targets programs running with elevated privileges. The adversary tries to leverage a vulnerability in the running program and get arbitrary code to execute with elevated privileges.