Common Weakness Enumeration

CWE-269

Discouraged

Improper Privilege Management

Abstraction: Class · Status: Draft

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

5430 vulnerabilities reference this CWE, most recent first.

GHSA-G8FQ-94R8-Q3PF

Vulnerability from github – Published: 2021-12-04 00:00 – Updated: 2021-12-07 00:00
VLAI
Details

An unnecessary privilege vulnerability in Trend Micro Worry-Free Business Security 10.0 SP1 could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This vulnerability is similar to but not identical to CVE-2021-44020 and 44021.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-44019"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-03T11:15:00Z",
    "severity": "HIGH"
  },
  "details": "An unnecessary privilege vulnerability in Trend Micro Worry-Free Business Security 10.0 SP1 could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This vulnerability is similar to but not identical to CVE-2021-44020 and 44021.",
  "id": "GHSA-g8fq-94r8-q3pf",
  "modified": "2021-12-07T00:00:59Z",
  "published": "2021-12-04T00:00:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44019"
    },
    {
      "type": "WEB",
      "url": "https://success.trendmicro.com/solution/000289230"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-1364"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-G8FX-3PPX-CPQ4

Vulnerability from github – Published: 2022-05-24 17:42 – Updated: 2022-05-24 17:42
VLAI
Details

An exploitable local privilege elevation vulnerability exists in the file system permissions of Advantech WebAccess/SCADA 9.0.1 installation. In webvrpcs Run Key Privilege Escalation in installation folder of WebAccess, an attacker can either replace binary or loaded modules to execute code with NT SYSTEM privilege.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-13553"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-276"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-02-17T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "An exploitable local privilege elevation vulnerability exists in the file system permissions of Advantech WebAccess/SCADA 9.0.1 installation. In webvrpcs Run Key Privilege Escalation in installation folder of WebAccess, an attacker can either replace binary or loaded modules to execute code with NT SYSTEM privilege.",
  "id": "GHSA-g8fx-3ppx-cpq4",
  "modified": "2022-05-24T17:42:26Z",
  "published": "2022-05-24T17:42:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13553"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2020-1169"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G8H8-PG73-GCW3

Vulnerability from github – Published: 2023-04-04 15:30 – Updated: 2023-04-11 18:30
VLAI
Details

An issue was discovered in Acuant AcuFill SDK before 10.22.02.03. During installation, an EXE gets executed out of C:\Windows\Temp. A standard user can create the path file ahead of time and obtain elevated code execution. Permissions need to be modified to prevent manipulation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-48226"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-04T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Acuant AcuFill SDK before 10.22.02.03. During installation, an EXE gets executed out of C:\\Windows\\Temp. A standard user can create the path file ahead of time and obtain elevated code execution. Permissions need to be modified to prevent manipulation.",
  "id": "GHSA-g8h8-pg73-gcw3",
  "modified": "2023-04-11T18:30:28Z",
  "published": "2023-04-04T15:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48226"
    },
    {
      "type": "WEB",
      "url": "https://acuant.com"
    },
    {
      "type": "WEB",
      "url": "https://hackandpwn.com/disclosures/CVE-2022-48226.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G8QR-XV6V-97FW

Vulnerability from github – Published: 2022-05-24 17:23 – Updated: 2022-05-24 17:23
VLAI
Details

An elevation of privilege vulnerability exists when Windows Mobile Device Management (MDM) Diagnostics improperly handles junctions, aka 'Windows Mobile Device Management Diagnostics Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-1372.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-1405"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-07-14T23:15:00Z",
    "severity": "LOW"
  },
  "details": "An elevation of privilege vulnerability exists when Windows Mobile Device Management (MDM) Diagnostics improperly handles junctions, aka \u0027Windows Mobile Device Management Diagnostics Elevation of Privilege Vulnerability\u0027. This CVE ID is unique from CVE-2020-1372.",
  "id": "GHSA-g8qr-xv6v-97fw",
  "modified": "2022-05-24T17:23:04Z",
  "published": "2022-05-24T17:23:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1405"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1405"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-G8QW-MGJX-RWJR

Vulnerability from github – Published: 2025-06-16 16:01 – Updated: 2025-06-17 19:26
VLAI
Summary
New authd users logging in via SSH are members of the root group
Details

Impact

When an authd user logs in via SSH for the first time (meaning they do not yet exist in the authd user database) and successfully authenticates via the configured broker, the user is considered a member of the root group in the context of that SSH session. This situation may allow the user to read and write files that are accessible by the root group, to which they should not have access. The user does not get root privileges or any capabilities beyond the access granted to the root group.

Preconditions under which this vulnerability affects a system * authd was installed via the PPA. * An OAuth 2.0 application was registered in Microsoft Entra ID or Google IAM, and the respective authd broker was installed (authd-msentraid or authd-google) and configured. * sshd was configured to enable SSH access with authd, i.e.: UsePAM yes KbdInteractiveAuthentication yes * The username is allowed by the ssh_allowed_suffixes option in the broker configuriation. * The user is allowed by the allowed_users option in the broker configuration. * The user successfully authenticates via the authd broker (Entra ID or Google IAM). * The user did not log in locally before.

Patches

Fixed by https://github.com/ubuntu/authd/commit/619ce8e55953b970f1765ddaad565081538151ab

Workarounds

Configure the SSH server to not allow authenticating via authd, for example by setting UsePAM no or KbdInteractiveAuthentication no in the sshd_config (see https://documentation.ubuntu.com/authd/stable/howto/login-ssh/#ssh-configuration).

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/ubuntu/authd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.5.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-5689"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266",
      "CWE-269"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-16T16:01:10Z",
    "nvd_published_at": "2025-06-16T12:15:19Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nWhen an authd user logs in via SSH for the first time (meaning they do not yet exist in the authd user database) and successfully authenticates via the configured broker, the user is considered a member of the root group in the context of that SSH session. This situation may allow the user to read and write files that are accessible by the root group, to which they should not have access. The user does not get root privileges or any capabilities beyond the access granted to the root group.\n\n**Preconditions under which this vulnerability affects a system**\n* authd was [installed via the PPA](https://documentation.ubuntu.com/authd/latest/howto/install-authd/#install-authd).\n* An OAuth 2.0 application was registered in Microsoft Entra ID or Google IAM, and the respective authd broker was installed ([authd-msentraid](https://snapcraft.io/authd-msentraid) or [authd-google](https://snapcraft.io/authd-google)) and [configured](https://documentation.ubuntu.com/authd/latest/howto/configure-authd/#broker-configuration).\n* sshd was [configured to enable SSH](https://documentation.ubuntu.com/authd/latest/howto/login-ssh/) access with authd, i.e.:\n  ```\n  UsePAM yes\n  KbdInteractiveAuthentication yes\n  ```\n* The username is allowed by the `ssh_allowed_suffixes` option in the [broker configuriation](https://documentation.ubuntu.com/authd/latest/howto/login-ssh/#broker-configuration).\n* The user is allowed by the [`allowed_users` option in the broker configuration](https://documentation.ubuntu.com/authd/latest/howto/configure-authd/#configure-allowed-users).\n* The user successfully authenticates via the authd broker (Entra ID or Google IAM).\n* The user did not log in locally before.\n\n### Patches\nFixed by https://github.com/ubuntu/authd/commit/619ce8e55953b970f1765ddaad565081538151ab\n\n### Workarounds\nConfigure the SSH server to not allow authenticating via authd, for example by setting `UsePAM no` or `KbdInteractiveAuthentication no` in the `sshd_config` (see https://documentation.ubuntu.com/authd/stable/howto/login-ssh/#ssh-configuration).",
  "id": "GHSA-g8qw-mgjx-rwjr",
  "modified": "2025-06-17T19:26:35Z",
  "published": "2025-06-16T16:01:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ubuntu/authd/security/advisories/GHSA-g8qw-mgjx-rwjr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5689"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ubuntu/authd/commit/619ce8e55953b970f1765ddaad565081538151ab"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ubuntu/authd"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "New authd users logging in via SSH are members of the root group"
}

GHSA-G8RR-7RJ2-F627

Vulnerability from github – Published: 2026-06-01 14:24 – Updated: 2026-06-01 14:24
VLAI
Summary
praisonai-platform: Any workspace member can delete the entire workspace via DELETE /workspaces/{id}
Details

Summary

Type: Authorization bypass enabling destructive action. The DELETE /workspaces/{workspace_id} endpoint is gated only by require_workspace_member(workspace_id) (default min_role="member"). Any member of the workspace can issue a single DELETE to wipe the entire workspace, including every project, issue, comment, agent, label, and member record (cascading via the foreign-key relationships). There is no owner-role gate, no confirmation token, no soft-delete window, no recovery path. File: src/praisonai-platform/praisonai_platform/api/routes/workspaces.py, lines 77-86; services/workspace_service.py's delete() method. Root cause: the route uses Depends(require_workspace_member) which defaults to min_role="member" and is never overridden. The service method WorkspaceService.delete(workspace_id) performs the destructive operation without any caller-permission verification. The role hierarchy (MemberService.has_role, member_service.py:80-96) is implemented but unused for this endpoint.

Affected Code

File: src/praisonai-platform/praisonai_platform/api/routes/workspaces.py, lines 77-86.

@router.delete("/{workspace_id}", status_code=status.HTTP_204_NO_CONTENT)
async def delete_workspace(
    workspace_id: str,
    user: AuthIdentity = Depends(require_workspace_member),         # <-- BUG: defaults to min_role="member"
    session: AsyncSession = Depends(get_db),
):
    ws_svc = WorkspaceService(session)
    deleted = await ws_svc.delete(workspace_id)                     # <-- destructive, no role check
    if not deleted:
        raise HTTPException(status_code=404, detail="Workspace not found")

Why it's wrong: workspace deletion is the most destructive single action in this product — it wipes every member, project, issue, comment, agent, and label belonging to the tenant. The standard convention is to gate this on owner role, ideally with a confirmation parameter (typed workspace name) and a recovery window. This endpoint does none of that. The require_workspace_member(min_role) parameter exists precisely for this kind of tightening but is never invoked with anything other than the default.

Exploit Chain

  1. Attacker is a member of workspace W (joined via invite, signup default, or any other route into membership). State: attacker holds JWT with Member(workspace_id=W, user_id=attacker, role="member").
  2. Attacker sends DELETE /workspaces/W with Authorization: Bearer <attacker_jwt>. State: control flow enters delete_workspace.
  3. require_workspace_member(W, attacker) passes (attacker is a member, default min_role="member" satisfied). WorkspaceService.delete(W) removes the workspace row; SQLAlchemy cascade rules drop every related row (members, projects, issues, comments, agents, labels). State: workspace W no longer exists.
  4. Final state: a low-privilege member has wiped the workspace. The legitimate owner has no recovery: no soft-delete, no audit-trail event for the deletion (the Activity log row would have been deleted too as part of the cascade). The same primitive at scale (script that DELETEs every workspace_id the attacker can enumerate) becomes a multi-tenant griefing tool.

Security Impact

Severity: sec-high. CVSS 8.1: network attack, low complexity, low privileges, no user interaction, scope unchanged, no confidentiality (just destruction), high integrity (every workspace child row wiped), high availability (workspace gone for legitimate owner). Attacker capability: with one workspace-member token plus one DELETE request, the attacker irreversibly deletes the workspace and every child resource. The deletion is silent and immediate. Preconditions: praisonai-platform is deployed multi-tenant; the attacker has any membership token in the target workspace. Differential: source-inspection-verified. The asymmetry between require_workspace_member's clearly-tunable min_role parameter and this endpoint's use of the default value confirms the gap. With the suggested fix below, member-tier tokens fail the gate at the dependency, the destructive action never reaches the service layer, and the endpoint returns 403 instead of 204.

Suggested Fix

--- a/src/praisonai-platform/praisonai_platform/api/routes/workspaces.py
+++ b/src/praisonai-platform/praisonai_platform/api/routes/workspaces.py
@@ -75,11 +75,15 @@
+def _require_workspace_owner(workspace_id: str, user, session):
+    return require_workspace_member(workspace_id, user, session, min_role="owner")
+
 @router.delete("/{workspace_id}", status_code=status.HTTP_204_NO_CONTENT)
 async def delete_workspace(
     workspace_id: str,
-    user: AuthIdentity = Depends(require_workspace_member),
+    user: AuthIdentity = Depends(_require_workspace_owner),
     session: AsyncSession = Depends(get_db),
 ):
     ws_svc = WorkspaceService(session)
     deleted = await ws_svc.delete(workspace_id)
     if not deleted:
         raise HTTPException(status_code=404, detail="Workspace not found")

Defence-in-depth: require a typed-confirmation parameter (e.g. body {"confirm_name": "<workspace_name>"}) and implement a 30-day soft-delete with restore. The four companion workspace-mutation endpoints (update_workspace, add_member, update_member_role, remove_member) exhibit the same default-min-role gap and are filed as their own advisories.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "praisonai-platform"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-47412"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-01T14:24:39Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\n**Type:** Authorization bypass enabling destructive action. The `DELETE /workspaces/{workspace_id}` endpoint is gated only by `require_workspace_member(workspace_id)` (default `min_role=\"member\"`). Any member of the workspace can issue a single DELETE to wipe the entire workspace, including every project, issue, comment, agent, label, and member record (cascading via the foreign-key relationships). There is no owner-role gate, no confirmation token, no soft-delete window, no recovery path.\n**File:** `src/praisonai-platform/praisonai_platform/api/routes/workspaces.py`, lines 77-86; `services/workspace_service.py`\u0027s `delete()` method.\n**Root cause:** the route uses `Depends(require_workspace_member)` which defaults to `min_role=\"member\"` and is never overridden. The service method `WorkspaceService.delete(workspace_id)` performs the destructive operation without any caller-permission verification. The role hierarchy (`MemberService.has_role`, member_service.py:80-96) is implemented but unused for this endpoint.\n\n## Affected Code\n\n**File:** `src/praisonai-platform/praisonai_platform/api/routes/workspaces.py`, lines 77-86.\n\n```python\n@router.delete(\"/{workspace_id}\", status_code=status.HTTP_204_NO_CONTENT)\nasync def delete_workspace(\n    workspace_id: str,\n    user: AuthIdentity = Depends(require_workspace_member),         # \u003c-- BUG: defaults to min_role=\"member\"\n    session: AsyncSession = Depends(get_db),\n):\n    ws_svc = WorkspaceService(session)\n    deleted = await ws_svc.delete(workspace_id)                     # \u003c-- destructive, no role check\n    if not deleted:\n        raise HTTPException(status_code=404, detail=\"Workspace not found\")\n```\n\n**Why it\u0027s wrong:** workspace deletion is the most destructive single action in this product \u2014 it wipes every member, project, issue, comment, agent, and label belonging to the tenant. The standard convention is to gate this on owner role, ideally with a confirmation parameter (typed workspace name) and a recovery window. This endpoint does none of that. The `require_workspace_member(min_role)` parameter exists precisely for this kind of tightening but is never invoked with anything other than the default.\n\n## Exploit Chain\n\n1. Attacker is a member of workspace `W` (joined via invite, signup default, or any other route into membership). State: attacker holds JWT with `Member(workspace_id=W, user_id=attacker, role=\"member\")`.\n2. Attacker sends `DELETE /workspaces/W` with `Authorization: Bearer \u003cattacker_jwt\u003e`. State: control flow enters `delete_workspace`.\n3. `require_workspace_member(W, attacker)` passes (attacker is a member, default min_role=\"member\" satisfied). `WorkspaceService.delete(W)` removes the workspace row; SQLAlchemy cascade rules drop every related row (members, projects, issues, comments, agents, labels). State: workspace `W` no longer exists.\n4. Final state: a low-privilege member has wiped the workspace. The legitimate owner has no recovery: no soft-delete, no audit-trail event for the deletion (the `Activity` log row would have been deleted too as part of the cascade). The same primitive at scale (script that DELETEs every workspace_id the attacker can enumerate) becomes a multi-tenant griefing tool.\n\n## Security Impact\n\n**Severity:** sec-high. CVSS 8.1: network attack, low complexity, low privileges, no user interaction, scope unchanged, no confidentiality (just destruction), high integrity (every workspace child row wiped), high availability (workspace gone for legitimate owner).\n**Attacker capability:** with one workspace-member token plus one DELETE request, the attacker irreversibly deletes the workspace and every child resource. The deletion is silent and immediate.\n**Preconditions:** `praisonai-platform` is deployed multi-tenant; the attacker has any membership token in the target workspace.\n**Differential:** source-inspection-verified. The asymmetry between `require_workspace_member`\u0027s clearly-tunable `min_role` parameter and this endpoint\u0027s use of the default value confirms the gap. With the suggested fix below, member-tier tokens fail the gate at the dependency, the destructive action never reaches the service layer, and the endpoint returns 403 instead of 204.\n\n## Suggested Fix\n\n```diff\n--- a/src/praisonai-platform/praisonai_platform/api/routes/workspaces.py\n+++ b/src/praisonai-platform/praisonai_platform/api/routes/workspaces.py\n@@ -75,11 +75,15 @@\n+def _require_workspace_owner(workspace_id: str, user, session):\n+    return require_workspace_member(workspace_id, user, session, min_role=\"owner\")\n+\n @router.delete(\"/{workspace_id}\", status_code=status.HTTP_204_NO_CONTENT)\n async def delete_workspace(\n     workspace_id: str,\n-    user: AuthIdentity = Depends(require_workspace_member),\n+    user: AuthIdentity = Depends(_require_workspace_owner),\n     session: AsyncSession = Depends(get_db),\n ):\n     ws_svc = WorkspaceService(session)\n     deleted = await ws_svc.delete(workspace_id)\n     if not deleted:\n         raise HTTPException(status_code=404, detail=\"Workspace not found\")\n```\n\nDefence-in-depth: require a typed-confirmation parameter (e.g. body `{\"confirm_name\": \"\u003cworkspace_name\u003e\"}`) and implement a 30-day soft-delete with restore. The four companion workspace-mutation endpoints (`update_workspace`, `add_member`, `update_member_role`, `remove_member`) exhibit the same default-min-role gap and are filed as their own advisories.",
  "id": "GHSA-g8rr-7rj2-f627",
  "modified": "2026-06-01T14:24:39Z",
  "published": "2026-06-01T14:24:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-g8rr-7rj2-f627"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/MervinPraison/PraisonAI"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "praisonai-platform: Any workspace member can delete the entire workspace via DELETE /workspaces/{id}"
}

GHSA-G8XH-HWCC-GH8M

Vulnerability from github – Published: 2022-05-24 17:38 – Updated: 2024-10-08 18:33
VLAI
Details

Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652, CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-1693"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-01-12T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "Windows CSC Service Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1652, CVE-2021-1653, CVE-2021-1654, CVE-2021-1655, CVE-2021-1659, CVE-2021-1688.",
  "id": "GHSA-g8xh-hwcc-gh8m",
  "modified": "2024-10-08T18:33:01Z",
  "published": "2022-05-24T17:38:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1693"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1693"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1693"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G97P-G75W-CW67

Vulnerability from github – Published: 2022-05-24 17:06 – Updated: 2022-05-24 17:06
VLAI
Details

An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory, aka 'Windows Search Indexer Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0613, CVE-2020-0614, CVE-2020-0623, CVE-2020-0625, CVE-2020-0626, CVE-2020-0627, CVE-2020-0629, CVE-2020-0630, CVE-2020-0631, CVE-2020-0632, CVE-2020-0633.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-0628"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-01-14T23:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory, aka \u0027Windows Search Indexer Elevation of Privilege Vulnerability\u0027. This CVE ID is unique from CVE-2020-0613, CVE-2020-0614, CVE-2020-0623, CVE-2020-0625, CVE-2020-0626, CVE-2020-0627, CVE-2020-0629, CVE-2020-0630, CVE-2020-0631, CVE-2020-0632, CVE-2020-0633.",
  "id": "GHSA-g97p-g75w-cw67",
  "modified": "2022-05-24T17:06:18Z",
  "published": "2022-05-24T17:06:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-0628"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0628"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-G982-9MJV-353C

Vulnerability from github – Published: 2022-05-24 17:11 – Updated: 2022-05-24 17:11
VLAI
Details

An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory, aka 'Windows Search Indexer Elevation of Privilege Vulnerability'.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-0857"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-03-12T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An elevation of privilege vulnerability exists in the way that the Windows Search Indexer handles objects in memory, aka \u0027Windows Search Indexer Elevation of Privilege Vulnerability\u0027.",
  "id": "GHSA-g982-9mjv-353c",
  "modified": "2022-05-24T17:11:01Z",
  "published": "2022-05-24T17:11:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-0857"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0857"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-G98P-WQR8-R32R

Vulnerability from github – Published: 2025-07-25 00:30 – Updated: 2025-07-30 15:35
VLAI
Details

This Medium severity ACE (Arbitrary Code Execution) vulnerability was introduced in version 4.2.8 of Sourcetree for Mac.

This ACE (Arbitrary Code Execution) vulnerability, with a CVSS Score of 5.9, allows a locally authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires user interaction. 

Atlassian recommends that Sourcetree for Mac users upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions. See the release notes https://www.sourcetreeapp.com/download-archives .

You can download the latest version of Sourcetree for Mac from the download center https://www.sourcetreeapp.com/download-archives .

This vulnerability was found through the Atlassian Bug Bounty Program by Karol Mazurek (AFINE).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-22165"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-24T23:15:26Z",
    "severity": "MODERATE"
  },
  "details": "This Medium severity ACE (Arbitrary Code Execution) vulnerability was introduced in version 4.2.8 of Sourcetree for Mac.\n\nThis ACE (Arbitrary Code Execution) vulnerability, with a CVSS Score of 5.9, allows a locally authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires user interaction.\u00a0\n\nAtlassian recommends that Sourcetree for Mac users upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions. See the release notes https://www.sourcetreeapp.com/download-archives .\n\nYou can download the latest version of Sourcetree for Mac from the download center https://www.sourcetreeapp.com/download-archives .\n\nThis vulnerability was found through the Atlassian Bug Bounty Program by Karol Mazurek (AFINE).",
  "id": "GHSA-g98p-wqr8-r32r",
  "modified": "2025-07-30T15:35:50Z",
  "published": "2025-07-25T00:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22165"
    },
    {
      "type": "WEB",
      "url": "https://jira.atlassian.com/browse/SRCTREE-8217"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation MIT-1
Architecture and Design Operation

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

Mitigation MIT-48
Architecture and Design

Strategy: Separation of Privilege

Follow the principle of least privilege when assigning access rights to entities in a software system.

Mitigation MIT-49
Architecture and Design

Strategy: Separation of Privilege

Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.

CAPEC-122: Privilege Abuse

An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources.

CAPEC-233: Privilege Escalation

An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform.

CAPEC-58: Restful Privilege Elevation

An adversary identifies a Rest HTTP (Get, Put, Delete) style permission method allowing them to perform various malicious actions upon server data due to lack of access control mechanisms implemented within the application service accepting HTTP messages.