CWE-269
DiscouragedImproper Privilege Management
Abstraction: Class · Status: Draft
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
5433 vulnerabilities reference this CWE, most recent first.
GHSA-H2VJ-4WWX-54Q4
Vulnerability from github – Published: 2022-05-13 01:14 – Updated: 2022-05-13 01:14A flaw was found in sssd Group Policy Objects implementation. When the GPO is not readable by SSSD due to a too strict permission settings on the server side, SSSD will allow all authenticated users to login instead of denying access.
{
"affected": [],
"aliases": [
"CVE-2018-16838"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-03-25T18:29:00Z",
"severity": "MODERATE"
},
"details": "A flaw was found in sssd Group Policy Objects implementation. When the GPO is not readable by SSSD due to a too strict permission settings on the server side, SSSD will allow all authenticated users to login instead of denying access.",
"id": "GHSA-h2vj-4wwx-54q4",
"modified": "2022-05-13T01:14:41Z",
"published": "2022-05-13T01:14:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16838"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2177"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2437"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:3651"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2018-16838"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1640820"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16838"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00028.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00042.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00051.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H2X8-6H3C-4JP7
Vulnerability from github – Published: 2022-05-24 17:36 – Updated: 2022-05-24 17:36A privilege escalation vulnerability exists in the WinRing0x64 Driver IRP 0x9c402088 functionality of NZXT CAM 4.8.0. A specially crafted I/O request packet (IRP) can cause increased privileges. An attacker can send a malicious IRP to trigger this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2020-13519"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-12-18T20:15:00Z",
"severity": "HIGH"
},
"details": "A privilege escalation vulnerability exists in the WinRing0x64 Driver IRP 0x9c402088 functionality of NZXT CAM 4.8.0. A specially crafted I/O request packet (IRP) can cause increased privileges. An attacker can send a malicious IRP to trigger this vulnerability.",
"id": "GHSA-h2x8-6h3c-4jp7",
"modified": "2022-05-24T17:36:50Z",
"published": "2022-05-24T17:36:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13519"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2020-1116"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H338-W3FH-545J
Vulnerability from github – Published: 2022-05-24 19:15 – Updated: 2022-07-13 00:01The vCenter Server contains a local privilege escalation vulnerability due to the way it handles session tokens. A malicious actor with non-administrative user access on vCenter Server host may exploit this issue to escalate privileges to Administrator on the vSphere Client (HTML5) or vCenter Server vSphere Web Client (FLEX/Flash).
{
"affected": [],
"aliases": [
"CVE-2021-21991"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-22T19:15:00Z",
"severity": "HIGH"
},
"details": "The vCenter Server contains a local privilege escalation vulnerability due to the way it handles session tokens. A malicious actor with non-administrative user access on vCenter Server host may exploit this issue to escalate privileges to Administrator on the vSphere Client (HTML5) or vCenter Server vSphere Web Client (FLEX/Flash).",
"id": "GHSA-h338-w3fh-545j",
"modified": "2022-07-13T00:01:07Z",
"published": "2022-05-24T19:15:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21991"
},
{
"type": "WEB",
"url": "https://www.vmware.com/security/advisories/VMSA-2021-0020.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H346-G45R-R5RW
Vulnerability from github – Published: 2023-02-17 18:30 – Updated: 2023-02-25 03:30IBM Db2 for Linux, UNIX and Windows 10.5, 11.1, and 11.5 is vulnerable to information Disclosure due to improper privilege management when a specially crafted table access is used. IBM X-Force ID: 241671.
{
"affected": [],
"aliases": [
"CVE-2022-43927"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-17T17:15:00Z",
"severity": "HIGH"
},
"details": "IBM Db2 for Linux, UNIX and Windows 10.5, 11.1, and 11.5 is vulnerable to information Disclosure due to improper privilege management when a specially crafted table access is used. IBM X-Force ID: 241671.",
"id": "GHSA-h346-g45r-r5rw",
"modified": "2023-02-25T03:30:16Z",
"published": "2023-02-17T18:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43927"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/241671"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6953759"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H38R-WG7Q-9555
Vulnerability from github – Published: 2022-10-18 12:00 – Updated: 2022-10-18 12:00An Execution with Unnecessary Privileges vulnerability in Management Daemon (mgd) of Juniper Networks Junos OS Evolved allows a locally authenticated attacker with low privileges to escalate their privileges on the device and potentially remote systems. This vulnerability allows a locally authenticated attacker with access to the ssh operational command to escalate their privileges on the system to root, or if there is user interaction on the local device to potentially escalate privileges on a remote system to root. This issue affects Juniper Networks Junos OS Evolved: All versions prior to 20.4R3-S5-EVO; 21.1-EVO versions prior to 21.1R3-EVO; 21.2-EVO versions prior to 21.2R2-S1-EVO, 21.2R3-EVO; 21.3-EVO versions prior to 21.3R2-EVO. This issue does not affect Juniper Networks Junos OS.
{
"affected": [],
"aliases": [
"CVE-2022-22239"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-18T03:15:00Z",
"severity": "HIGH"
},
"details": "An Execution with Unnecessary Privileges vulnerability in Management Daemon (mgd) of Juniper Networks Junos OS Evolved allows a locally authenticated attacker with low privileges to escalate their privileges on the device and potentially remote systems. This vulnerability allows a locally authenticated attacker with access to the ssh operational command to escalate their privileges on the system to root, or if there is user interaction on the local device to potentially escalate privileges on a remote system to root. This issue affects Juniper Networks Junos OS Evolved: All versions prior to 20.4R3-S5-EVO; 21.1-EVO versions prior to 21.1R3-EVO; 21.2-EVO versions prior to 21.2R2-S1-EVO, 21.2R3-EVO; 21.3-EVO versions prior to 21.3R2-EVO. This issue does not affect Juniper Networks Junos OS.",
"id": "GHSA-h38r-wg7q-9555",
"modified": "2022-10-18T12:00:30Z",
"published": "2022-10-18T12:00:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22239"
},
{
"type": "WEB",
"url": "https://kb.juniper.net/JSA69895"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H39C-PGPJ-7W25
Vulnerability from github – Published: 2022-05-13 01:50 – Updated: 2022-05-13 01:50An issue was discovered in CapMon Access Manager 5.4.1.1005. CALRunElevated.exe provides "NT AUTHORITY\SYSTEM" access to unprivileged users via the --system option.
{
"affected": [],
"aliases": [
"CVE-2018-18252"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-03-15T15:29:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in CapMon Access Manager 5.4.1.1005. CALRunElevated.exe provides \"NT AUTHORITY\\SYSTEM\" access to unprivileged users via the --system option.",
"id": "GHSA-h39c-pgpj-7w25",
"modified": "2022-05-13T01:50:37Z",
"published": "2022-05-13T01:50:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-18252"
},
{
"type": "WEB",
"url": "https://improsec.com/tech-blog/cam1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H3CG-Q59M-96G4
Vulnerability from github – Published: 2022-05-24 17:23 – Updated: 2022-05-24 17:23An elevation of privilege vulnerability exists when the Windows Print Workflow Service improperly handles objects in memory, aka 'Windows Print Workflow Service Elevation of Privilege Vulnerability'.
{
"affected": [],
"aliases": [
"CVE-2020-1366"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-07-14T23:15:00Z",
"severity": "MODERATE"
},
"details": "An elevation of privilege vulnerability exists when the Windows Print Workflow Service improperly handles objects in memory, aka \u0027Windows Print Workflow Service Elevation of Privilege Vulnerability\u0027.",
"id": "GHSA-h3cg-q59m-96g4",
"modified": "2022-05-24T17:23:01Z",
"published": "2022-05-24T17:23:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1366"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1366"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-H3CX-2WCP-GFFV
Vulnerability from github – Published: 2022-05-24 17:26 – Updated: 2024-01-04 03:30An elevation of privilege vulnerability exists when the Windows Function Discovery SSDP Provider improperly handles memory.To exploit this vulnerability, an attacker would first have to gain execution on the victim system, aka 'Windows Function Discovery SSDP Provider Elevation of Privilege Vulnerability'.
{
"affected": [],
"aliases": [
"CVE-2020-1579"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-08-17T19:15:00Z",
"severity": "HIGH"
},
"details": "An elevation of privilege vulnerability exists when the Windows Function Discovery SSDP Provider improperly handles memory.To exploit this vulnerability, an attacker would first have to gain execution on the victim system, aka \u0027Windows Function Discovery SSDP Provider Elevation of Privilege Vulnerability\u0027.",
"id": "GHSA-h3cx-2wcp-gffv",
"modified": "2024-01-04T03:30:37Z",
"published": "2022-05-24T17:26:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1579"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1579"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H3F8-QCMG-JP7M
Vulnerability from github – Published: 2022-05-13 01:43 – Updated: 2022-05-13 01:43An authentication vulnerability in HPE SiteScope product versions 11.2x and 11.3x, allows read-only accounts to view all SiteScope interfaces and monitors, potentially exposing sensitive data.
{
"affected": [],
"aliases": [
"CVE-2017-14349"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-09-30T01:29:00Z",
"severity": "CRITICAL"
},
"details": "An authentication vulnerability in HPE SiteScope product versions 11.2x and 11.3x, allows read-only accounts to view all SiteScope interfaces and monitors, potentially exposing sensitive data.",
"id": "GHSA-h3f8-qcmg-jp7m",
"modified": "2022-05-13T01:43:23Z",
"published": "2022-05-13T01:43:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14349"
},
{
"type": "WEB",
"url": "https://softwaresupport.hpe.com/km/KM02948051"
},
{
"type": "WEB",
"url": "https://www.auscert.org.au/bulletins/52758"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/100989"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H3HH-M6R7-4Q65
Vulnerability from github – Published: 2022-03-10 00:00 – Updated: 2022-03-17 00:02Xbox Live Auth Manager for Windows Elevation of Privilege Vulnerability.
{
"affected": [],
"aliases": [
"CVE-2022-21967"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-09T17:15:00Z",
"severity": "HIGH"
},
"details": "Xbox Live Auth Manager for Windows Elevation of Privilege Vulnerability.",
"id": "GHSA-h3hh-m6r7-4q65",
"modified": "2022-03-17T00:02:40Z",
"published": "2022-03-10T00:00:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21967"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21967"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21967"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-1
Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Mitigation MIT-48
Strategy: Separation of Privilege
Follow the principle of least privilege when assigning access rights to entities in a software system.
Mitigation MIT-49
Strategy: Separation of Privilege
Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
CAPEC-122: Privilege Abuse
An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources.
CAPEC-233: Privilege Escalation
An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform.
CAPEC-58: Restful Privilege Elevation
An adversary identifies a Rest HTTP (Get, Put, Delete) style permission method allowing them to perform various malicious actions upon server data due to lack of access control mechanisms implemented within the application service accepting HTTP messages.