Common Weakness Enumeration

CWE-269

Discouraged

Improper Privilege Management

Abstraction: Class · Status: Draft

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

5433 vulnerabilities reference this CWE, most recent first.

GHSA-H3JQ-4749-5XMP

Vulnerability from github – Published: 2022-04-16 00:00 – Updated: 2022-04-16 00:00
VLAI
Details

Windows Print Spooler Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-26786, CVE-2022-26787, CVE-2022-26789, CVE-2022-26790, CVE-2022-26791, CVE-2022-26792, CVE-2022-26793, CVE-2022-26794, CVE-2022-26795, CVE-2022-26797, CVE-2022-26798, CVE-2022-26801, CVE-2022-26802, CVE-2022-26803.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-26796"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-15T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "Windows Print Spooler Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-26786, CVE-2022-26787, CVE-2022-26789, CVE-2022-26790, CVE-2022-26791, CVE-2022-26792, CVE-2022-26793, CVE-2022-26794, CVE-2022-26795, CVE-2022-26797, CVE-2022-26798, CVE-2022-26801, CVE-2022-26802, CVE-2022-26803.",
  "id": "GHSA-h3jq-4749-5xmp",
  "modified": "2022-04-16T00:00:33Z",
  "published": "2022-04-16T00:00:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26796"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26796"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26796"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H3P2-PF2R-9CVV

Vulnerability from github – Published: 2022-05-24 17:29 – Updated: 2023-05-22 18:30
VLAI
Details

A vulnerability in the application-hosting subsystem of Cisco IOS XE Software could allow an authenticated, local attacker to elevate privileges to root on an affected device. The attacker could execute IOS XE commands outside the application-hosting subsystem Docker container as well as on the underlying Linux operating system. These commands could be run as the root user. The vulnerability is due to a combination of two factors: (a) incomplete input validation of the user payload of CLI commands, and (b) improper role-based access control (RBAC) when commands are issued at the command line within the application-hosting subsystem. An attacker could exploit this vulnerability by using a CLI command with crafted user input. A successful exploit could allow the lower-privileged attacker to execute arbitrary CLI commands with root privileges. The attacker would need valid user credentials to exploit this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-3393"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-09-24T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in the application-hosting subsystem of Cisco IOS XE Software could allow an authenticated, local attacker to elevate privileges to root on an affected device. The attacker could execute IOS XE commands outside the application-hosting subsystem Docker container as well as on the underlying Linux operating system. These commands could be run as the root user. The vulnerability is due to a combination of two factors: (a) incomplete input validation of the user payload of CLI commands, and (b) improper role-based access control (RBAC) when commands are issued at the command line within the application-hosting subsystem. An attacker could exploit this vulnerability by using a CLI command with crafted user input. A successful exploit could allow the lower-privileged attacker to execute arbitrary CLI commands with root privileges. The attacker would need valid user credentials to exploit this vulnerability.",
  "id": "GHSA-h3p2-pf2r-9cvv",
  "modified": "2023-05-22T18:30:18Z",
  "published": "2022-05-24T17:29:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-3393"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-iox-app-host-mcZcnsBt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H3QH-V838-7H38

Vulnerability from github – Published: 2022-05-13 01:42 – Updated: 2022-05-13 01:42
VLAI
Details

NetApp StorageGRID Webscale 10.2.x before 10.2.2.3, 10.3.x before 10.3.0.4, and 10.4.x before 10.4.0.2 allow remote authenticated users to delete arbitrary objects via unspecified vectors.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-12422"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-08-29T15:29:00Z",
    "severity": "MODERATE"
  },
  "details": "NetApp StorageGRID Webscale 10.2.x before 10.2.2.3, 10.3.x before 10.3.0.4, and 10.4.x before 10.4.0.2 allow remote authenticated users to delete arbitrary objects via unspecified vectors.",
  "id": "GHSA-h3qh-v838-7h38",
  "modified": "2022-05-13T01:42:41Z",
  "published": "2022-05-13T01:42:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12422"
    },
    {
      "type": "WEB",
      "url": "https://kb.netapp.com/support/s/article/NTAP-20170825-0001"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/100535"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H3VQ-5R52-R6HP

Vulnerability from github – Published: 2024-06-14 09:31 – Updated: 2024-06-14 09:31
VLAI
Details

Privilege escalation vulnerability in the AMS module Impact: Successful exploitation of this vulnerability may affect service confidentiality.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-36500"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-14T08:15:40Z",
    "severity": "HIGH"
  },
  "details": "Privilege escalation vulnerability in the AMS module\nImpact: Successful exploitation of this vulnerability may affect service confidentiality.",
  "id": "GHSA-h3vq-5r52-r6hp",
  "modified": "2024-06-14T09:31:17Z",
  "published": "2024-06-14T09:31:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36500"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletin/2024/6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H3WW-Q6XX-W7X3

Vulnerability from github – Published: 2026-05-14 20:28 – Updated: 2026-07-15 21:50
VLAI
Summary
Open WebUI: LDAP and OAuth First-User Race Condition Allows Multiple Admin Accounts
Details

Summary

The LDAP and OAuth authentication flows use a TOCTOU (Time-of-Check-Time-of-Use) pattern for first-user admin role assignment. The regular signup handler (signup_handler in auths.py, line 663) was explicitly patched to prevent this race with the comment "Insert with default role first to avoid TOCTOU race", but the LDAP and OAuth code paths were never updated with the same fix.

Vulnerable Code

LDAP (auths.py, lines 479-490)

# Line 482 - CHECK: is the user table empty?
role = 'admin' if not Users.has_users(db=db) else request.app.state.config.DEFAULT_USER_ROLE

# Lines 484-490 - USE: create user with the role determined above
user = Auths.insert_new_auth(
    email=email,
    password=str(uuid.uuid4()),
    name=cn,
    role=role,   # <-- role was determined BEFORE insert, race window exists
    db=db,
)

OAuth (oauth.py, lines 1103-1112, 1566-1574)

# Line 1104 - CHECK: count users
def get_user_role(self, user, user_data):
    user_count = Users.get_num_users()
    if not user and user_count == 0:
        return 'admin'    # Line 1112

# Lines 1566-1574 - USE: create user with pre-determined role
user = Auths.insert_new_auth(
    ...
    role=self.get_user_role(None, user_data),  # Line 1571
    ...
)

Both paths determine the role BEFORE inserting the user, creating a race window where multiple concurrent requests on a fresh instance can all observe an empty database and all receive the admin role.

Comparison with Patched Signup

The signup_handler (auths.py, line 663) was explicitly fixed:

# Insert with default role first to avoid TOCTOU race
user = Auths.insert_new_auth(..., role=DEFAULT_USER_ROLE, ...)
# Then check if this is the only user and upgrade
if Users.get_num_users() == 1:
    Users.update_user_role_by_id(user.id, 'admin')

The LDAP and OAuth paths did NOT receive this fix.

Exploitation

  1. Deploy Open WebUI with LDAP or OAuth enabled on a fresh instance (no existing users)
  2. Send multiple concurrent authentication requests from different users
  3. Multiple requests pass the has_users() / get_num_users() == 0 check simultaneously
  4. All concurrent users become administrators

DATABASE_ENABLE_SESSION_SHARING defaults to False (env.py:387), so each call uses its own database session, widening the race window.

Impact

Any LDAP/OAuth user who times their first login concurrently with the legitimate first admin can escalate to full admin privileges, gaining access to all user data, system configuration, API keys, and connected LLM backends.

Suggested Fix

Apply the same insert-then-check pattern used in signup_handler: insert the user with DEFAULT_USER_ROLE first, then atomically check if this is the only user and upgrade to admin only if so.

Resolution

Fixed in PR #23626 (commit 96a0b3239), first released in v0.9.0 (Apr 2026). Both LDAP (routers/auths.py) and OAuth (utils/oauth.py) registration paths now use the same insert-first-check-after pattern that signup_handler already had:

  1. Insert the new user with DEFAULT_USER_ROLE unconditionally — no pre-insert role decision based on user count.
  2. After the insert commits, atomically call Users.get_num_users() == 1 to check whether this is the sole user.
  3. Only the sole user gets promoted to admin via Users.update_user_role_by_id.

OAuthManager.get_user_role was also updated to return DEFAULT_USER_ROLE (not admin) for first-user bootstrap; admin promotion is deferred to the post-insert check above. With this ordering, two concurrent first-user registrations that both observe an empty table can both insert, but only one will see get_num_users() == 1 afterward — the other will see == 2 and not be promoted.

Users on >= 0.9.0 are not affected.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.8.12"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "open-webui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45675"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-362"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-14T20:28:46Z",
    "nvd_published_at": "2026-05-15T20:16:49Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThe LDAP and OAuth authentication flows use a TOCTOU (Time-of-Check-Time-of-Use) pattern for first-user admin role assignment. The regular signup handler (`signup_handler` in auths.py, line 663) was explicitly patched to prevent this race with the comment *\"Insert with default role first to avoid TOCTOU race\"*, but the LDAP and OAuth code paths were never updated with the same fix.\n\n## Vulnerable Code\n\n### LDAP (auths.py, lines 479-490)\n```python\n# Line 482 - CHECK: is the user table empty?\nrole = \u0027admin\u0027 if not Users.has_users(db=db) else request.app.state.config.DEFAULT_USER_ROLE\n\n# Lines 484-490 - USE: create user with the role determined above\nuser = Auths.insert_new_auth(\n    email=email,\n    password=str(uuid.uuid4()),\n    name=cn,\n    role=role,   # \u003c-- role was determined BEFORE insert, race window exists\n    db=db,\n)\n```\n\n### OAuth (oauth.py, lines 1103-1112, 1566-1574)\n```python\n# Line 1104 - CHECK: count users\ndef get_user_role(self, user, user_data):\n    user_count = Users.get_num_users()\n    if not user and user_count == 0:\n        return \u0027admin\u0027    # Line 1112\n\n# Lines 1566-1574 - USE: create user with pre-determined role\nuser = Auths.insert_new_auth(\n    ...\n    role=self.get_user_role(None, user_data),  # Line 1571\n    ...\n)\n```\n\nBoth paths determine the role BEFORE inserting the user, creating a race window where multiple concurrent requests on a fresh instance can all observe an empty database and all receive the `admin` role.\n\n## Comparison with Patched Signup\n\nThe `signup_handler` (auths.py, line 663) was explicitly fixed:\n```python\n# Insert with default role first to avoid TOCTOU race\nuser = Auths.insert_new_auth(..., role=DEFAULT_USER_ROLE, ...)\n# Then check if this is the only user and upgrade\nif Users.get_num_users() == 1:\n    Users.update_user_role_by_id(user.id, \u0027admin\u0027)\n```\n\nThe LDAP and OAuth paths did NOT receive this fix.\n\n## Exploitation\n\n1. Deploy Open WebUI with LDAP or OAuth enabled on a fresh instance (no existing users)\n2. Send multiple concurrent authentication requests from different users\n3. Multiple requests pass the `has_users()` / `get_num_users() == 0` check simultaneously\n4. All concurrent users become administrators\n\n`DATABASE_ENABLE_SESSION_SHARING` defaults to `False` (env.py:387), so each call uses its own database session, widening the race window.\n\n## Impact\n\nAny LDAP/OAuth user who times their first login concurrently with the legitimate first admin can escalate to full admin privileges, gaining access to all user data, system configuration, API keys, and connected LLM backends.\n\n## Suggested Fix\n\nApply the same insert-then-check pattern used in `signup_handler`: insert the user with `DEFAULT_USER_ROLE` first, then atomically check if this is the only user and upgrade to admin only if so.\n\n## Resolution\n\nFixed in PR [#23626](https://github.com/open-webui/open-webui/pull/23626) (commit [96a0b3239](https://github.com/open-webui/open-webui/commit/96a0b3239b1aadb23fc359bf10849c9ba12fd6ec)), first released in **v0.9.0** (Apr 2026). Both LDAP (`routers/auths.py`) and OAuth (`utils/oauth.py`) registration paths now use the same insert-first-check-after pattern that `signup_handler` already had:\n\n1. Insert the new user with `DEFAULT_USER_ROLE` unconditionally \u2014 no pre-insert role decision based on user count.\n2. After the insert commits, atomically call `Users.get_num_users() == 1` to check whether this is the sole user.\n3. Only the sole user gets promoted to `admin` via `Users.update_user_role_by_id`.\n\n`OAuthManager.get_user_role` was also updated to return `DEFAULT_USER_ROLE` (not `admin`) for first-user bootstrap; admin promotion is deferred to the post-insert check above. With this ordering, two concurrent first-user registrations that both observe an empty table can both insert, but only one will see `get_num_users() == 1` afterward \u2014 the other will see `== 2` and not be promoted.\n\nUsers on `\u003e= 0.9.0` are not affected.",
  "id": "GHSA-h3ww-q6xx-w7x3",
  "modified": "2026-07-15T21:50:58Z",
  "published": "2026-05-14T20:28:46Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-h3ww-q6xx-w7x3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45675"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open-webui/open-webui/pull/23626"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open-webui/open-webui/commit/96a0b3239b1aadb23fc359bf10849c9ba12fd6ec"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/open-webui/open-webui"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open-webui/open-webui/releases/tag/v0.9.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/open-webui/PYSEC-2026-2730.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Open WebUI: LDAP and OAuth First-User Race Condition Allows Multiple Admin Accounts"
}

GHSA-H3XG-RPR6-5HM7

Vulnerability from github – Published: 2025-12-03 18:30 – Updated: 2025-12-03 18:30
VLAI
Details

A local privilege escalation vulnerability exists in the Plugin Alliance InstallationHelper service included with Plugin Alliance Installation Manager v1.4.0 on macOS. Due to the absence of a hardened runtime and a __RESTRICT segment, a local user may exploit the DYLD_INSERT_LIBRARIES environment variable to inject a dynamic library, potentially resulting in code execution with elevated privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-62686"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-03T17:15:52Z",
    "severity": "MODERATE"
  },
  "details": "A local privilege escalation vulnerability exists in the Plugin Alliance InstallationHelper service included with Plugin Alliance Installation Manager v1.4.0 on macOS. Due to the absence of a hardened runtime and a __RESTRICT segment, a local user may exploit the DYLD_INSERT_LIBRARIES environment variable to inject a dynamic library, potentially resulting in code execution with elevated privileges.",
  "id": "GHSA-h3xg-rpr6-5hm7",
  "modified": "2025-12-03T18:30:26Z",
  "published": "2025-12-03T18:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62686"
    },
    {
      "type": "WEB",
      "url": "https://almightysec.com/plugin-alliance-installationhelper-dylib-injection"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H43F-9GCW-QMPF

Vulnerability from github – Published: 2022-05-24 17:25 – Updated: 2024-01-04 03:30
VLAI
Details

An elevation of privilege vulnerability exists when the Windows Speech Runtime improperly handles memory.To exploit this vulnerability, an attacker would first have to gain execution on the victim system, aka 'Windows Speech Runtime Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-1522.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-1521"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-08-17T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An elevation of privilege vulnerability exists when the Windows Speech Runtime improperly handles memory.To exploit this vulnerability, an attacker would first have to gain execution on the victim system, aka \u0027Windows Speech Runtime Elevation of Privilege Vulnerability\u0027. This CVE ID is unique from CVE-2020-1522.",
  "id": "GHSA-h43f-9gcw-qmpf",
  "modified": "2024-01-04T03:30:34Z",
  "published": "2022-05-24T17:25:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1521"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1521"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H465-J378-365G

Vulnerability from github – Published: 2023-01-11 00:30 – Updated: 2023-01-11 00:30
VLAI
Details

Microsoft Cryptographic Services Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2023-21551, CVE-2023-21730.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-21561"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-10T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "Microsoft Cryptographic Services Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2023-21551, CVE-2023-21730.",
  "id": "GHSA-h465-j378-365g",
  "modified": "2023-01-11T00:30:47Z",
  "published": "2023-01-11T00:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21561"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21561"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-21561"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H495-HFPG-XW55

Vulnerability from github – Published: 2022-05-27 00:00 – Updated: 2022-06-09 00:00
VLAI
Details

A logic issue was addressed with improved state management. This issue is fixed in Security Update 2022-003 Catalina, macOS Monterey 12.3, macOS Big Sur 11.6.5. An application may be able to gain elevated privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-26691"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-26T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "A logic issue was addressed with improved state management. This issue is fixed in Security Update 2022-003 Catalina, macOS Monterey 12.3, macOS Big Sur 11.6.5. An application may be able to gain elevated privileges.",
  "id": "GHSA-h495-hfpg-xw55",
  "modified": "2022-06-09T00:00:29Z",
  "published": "2022-05-27T00:00:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26691"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OpenPrinting/cups/commit/de4f8c196106033e4c372dce3e91b9d42b0b9444"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2022/MNDT-2022-0026/MNDT-2022-0026.md"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00039.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KQ6TD7F3VRITPEHFDHZHK7MU6FEBMZ5U"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YQRIT4H75XV6M42K7ZTARWZ7YLLYQHPO"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213183"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213184"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213185"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2022/dsa-5149"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H496-35PX-76WP

Vulnerability from github – Published: 2024-09-30 18:31 – Updated: 2024-10-01 00:33
VLAI
Details

An issue in the TP-Link MQTT Broker and API gateway of TP-Link Kasa KP125M v1.0.3 allows attackers to establish connections by impersonating devices owned by other users.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-46549"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-30T17:15:04Z",
    "severity": "HIGH"
  },
  "details": "An issue in the TP-Link MQTT Broker and API gateway of TP-Link Kasa KP125M v1.0.3 allows attackers to establish connections by impersonating devices owned by other users.",
  "id": "GHSA-h496-35px-76wp",
  "modified": "2024-10-01T00:33:40Z",
  "published": "2024-09-30T18:31:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46549"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Chapoly1305/tp-link-cve/blob/main/CVE-2024-46549.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-1
Architecture and Design Operation

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

Mitigation MIT-48
Architecture and Design

Strategy: Separation of Privilege

Follow the principle of least privilege when assigning access rights to entities in a software system.

Mitigation MIT-49
Architecture and Design

Strategy: Separation of Privilege

Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.

CAPEC-122: Privilege Abuse

An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources.

CAPEC-233: Privilege Escalation

An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform.

CAPEC-58: Restful Privilege Elevation

An adversary identifies a Rest HTTP (Get, Put, Delete) style permission method allowing them to perform various malicious actions upon server data due to lack of access control mechanisms implemented within the application service accepting HTTP messages.