Common Weakness Enumeration

CWE-269

Discouraged

Improper Privilege Management

Abstraction: Class · Status: Draft

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

5439 vulnerabilities reference this CWE, most recent first.

GHSA-P976-H52C-26P6

Vulnerability from github – Published: 2023-06-06 02:00 – Updated: 2024-09-16 15:07
VLAI
Summary
Rancher vulnerable to Privilege Escalation via manipulation of Secrets
Details

Impact

A vulnerability has been identified which enables Standard users or above to elevate their permissions to Administrator in the local cluster.

The local cluster means the cluster where Rancher is installed. It is named local inside the list of clusters in the Rancher UI.

Standard users could leverage their existing permissions to manipulate Kubernetes secrets in the local cluster, resulting in the secret being deleted, but their read-level permissions to the secret being preserved. When this operation was followed-up by other specially crafted commands, it could result in the user gaining access to tokens belonging to service accounts in the local cluster.

Users that have custom global roles which grant create and delete permissions on secrets would also be able to exploit this vulnerability.

Users with audit logs enabled in Rancher can try to identify possible abuses of this issue by going through the logs. To sieve through the data filter by kind: Secret with type: provisioning.cattle.io/cloud-credential, then investigate all log entries that affect that specific resource. A secondary check would be to filter by all operations with Opaque Secrets within the cattle-global-data namespace.

After patching, it is recommended that users review access methods to Rancher (including RBAC policies, tokens, and host-level node access), to ensure that no changes were made to persist access to users who have leveraged this vulnerability.

Patches

Patched versions include releases 2.6.13, 2.7.4 and later versions.

Workarounds

There is no direct mitigation besides updating Rancher to a patched version.

For more information

If you have any questions or comments about this advisory:

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/rancher/rancher"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.6.0"
            },
            {
              "fixed": "2.6.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/rancher/rancher"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.7.0"
            },
            {
              "fixed": "2.7.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-22647"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-267",
      "CWE-269"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-06-06T02:00:28Z",
    "nvd_published_at": "2023-06-01T13:15:10Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nA vulnerability has been identified which enables [Standard users](https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/manage-role-based-access-control-rbac/global-permissions) or above to elevate their permissions to Administrator in the `local` cluster.\n\nThe `local` cluster means the cluster where Rancher is installed. It is named `local` inside the list of clusters in the Rancher UI.\n\nStandard users could leverage their existing permissions to manipulate Kubernetes secrets in the `local` cluster, resulting in the secret being deleted, but their read-level permissions to the secret being preserved. When this operation was followed-up by other specially crafted commands, it could result in the user gaining access to tokens belonging to service accounts in the `local` cluster.\n\nUsers that have custom global roles which grant `create` and `delete` permissions on `secrets` would also be able to exploit this vulnerability.\n\nUsers with [audit logs enabled](https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/enable-api-audit-log#enabling-api-audit-log) in Rancher can try to identify possible abuses of this issue by going through the logs. To sieve through the data filter by `kind: Secret` with `type: provisioning.cattle.io/cloud-credential`, then investigate all log entries that affect that specific resource. A secondary check would be to filter by all operations with `Opaque` Secrets within the `cattle-global-data` namespace.\n\nAfter patching, it is recommended that users review access methods to Rancher (including RBAC policies, tokens, and host-level node access), to ensure that no changes were made to persist access to users who have leveraged this vulnerability.\n\n### Patches\n\nPatched versions include releases `2.6.13`, `2.7.4` and later versions. \n\n### Workarounds\n\nThere is no direct mitigation besides updating Rancher to a patched version.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n- Reach out to the [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security related inquiries.\n- Open an issue in the [Rancher](https://github.com/rancher/rancher/issues/new/choose) repository.\n- Verify with our [support matrix](https://www.suse.com/suse-rancher/support-matrix/all-supported-versions/) and [product support lifecycle](https://www.suse.com/lifecycle/).",
  "id": "GHSA-p976-h52c-26p6",
  "modified": "2024-09-16T15:07:40Z",
  "published": "2023-06-06T02:00:28Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rancher/rancher/security/advisories/GHSA-p976-h52c-26p6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22647"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-22647"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rancher/rancher"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rancher/rancher/releases/tag/v2.6.13"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rancher/rancher/releases/tag/v2.7.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Rancher vulnerable to Privilege Escalation via manipulation of Secrets"
}

GHSA-P99H-PFG6-QRFG

Vulnerability from github – Published: 2023-12-12 03:31 – Updated: 2024-09-30 18:51
VLAI
Summary
Duplicate Advisory: Privilege escalation in sap-xssec
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-6mjg-37cp-42x5. This link is maintained to preserve external references.

Original Description

SAP BTP Security Services Integration Library ([Python] sap-xssec) - versions < 4.1.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "sap-xssec"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-639",
      "CWE-749"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-12-15T03:18:45Z",
    "nvd_published_at": "2023-12-12T02:15:08Z",
    "severity": "CRITICAL"
  },
  "details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-6mjg-37cp-42x5. This link is maintained to preserve external references.\n\n## Original Description\nSAP\u00a0BTP\u00a0Security Services Integration Library ([Python]\u00a0sap-xssec) - versions \u003c 4.1.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.\n\n",
  "id": "GHSA-p99h-pfg6-qrfg",
  "modified": "2024-09-30T18:51:33Z",
  "published": "2023-12-12T03:31:45Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/SAP/cloud-pysec/security/advisories/GHSA-6mjg-37cp-42x5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50423"
    },
    {
      "type": "WEB",
      "url": "https://blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/SAP/cloud-pysec"
    },
    {
      "type": "WEB",
      "url": "https://me.sap.com/notes/3411067"
    },
    {
      "type": "WEB",
      "url": "https://pypi.org/project/sap-xssec"
    },
    {
      "type": "WEB",
      "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Duplicate Advisory: Privilege escalation in sap-xssec",
  "withdrawn": "2024-09-30T18:51:33Z"
}

GHSA-P9C5-GGPR-4RPQ

Vulnerability from github – Published: 2022-05-24 17:23 – Updated: 2022-05-24 17:23
VLAI
Details

An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory, aka 'Windows Kernel Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-1336.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-1411"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-07-14T23:15:00Z",
    "severity": "HIGH"
  },
  "details": "An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory, aka \u0027Windows Kernel Elevation of Privilege Vulnerability\u0027. This CVE ID is unique from CVE-2020-1336.",
  "id": "GHSA-p9c5-ggpr-4rpq",
  "modified": "2022-05-24T17:23:06Z",
  "published": "2022-05-24T17:23:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1411"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1411"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-P9CQ-92F2-WGQ6

Vulnerability from github – Published: 2022-05-24 17:22 – Updated: 2022-05-24 17:22
VLAI
Details

An elevation of privilege vulnerability exists in Avast Free Antivirus and AVG AntiVirus Free before 20.4 due to improperly handling hard links. The vulnerability allows local users to take control of arbitrary files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-13657"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-06-29T18:15:00Z",
    "severity": "LOW"
  },
  "details": "An elevation of privilege vulnerability exists in Avast Free Antivirus and AVG AntiVirus Free before 20.4 due to improperly handling hard links. The vulnerability allows local users to take control of arbitrary files.",
  "id": "GHSA-p9cq-92f2-wgq6",
  "modified": "2022-05-24T17:22:01Z",
  "published": "2022-05-24T17:22:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13657"
    },
    {
      "type": "WEB",
      "url": "https://forum.avast.com/index.php?topic=232423.0"
    },
    {
      "type": "WEB",
      "url": "https://forum.avast.com/index.php?topic=234638.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-P9FR-8RPJ-73H9

Vulnerability from github – Published: 2022-05-13 01:48 – Updated: 2025-04-20 03:43
VLAI
Details

An Improper Privilege Management issue was discovered in Fuji Electric Monitouch V-SFT versions prior to Version 5.4.43.0. Monitouch V-SFT is installed in a directory with weak access controls by default, which could allow an authenticated attacker with local access to escalate privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-9662"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-08-14T16:29:00Z",
    "severity": "MODERATE"
  },
  "details": "An Improper Privilege Management issue was discovered in Fuji Electric Monitouch V-SFT versions prior to Version 5.4.43.0. Monitouch V-SFT is installed in a directory with weak access controls by default, which could allow an authenticated attacker with local access to escalate privileges.",
  "id": "GHSA-p9fr-8rpj-73h9",
  "modified": "2025-04-20T03:43:07Z",
  "published": "2022-05-13T01:48:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9662"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-222-04"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/100268"
    },
    {
      "type": "WEB",
      "url": "http://www.zerodayinitiative.com/advisories/ZDI-17-646"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P9G3-7674-85F5

Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2023-12-31 21:30
VLAI
Details

Win32k Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2020-17010.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-17038"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-11-11T07:15:00Z",
    "severity": "HIGH"
  },
  "details": "Win32k Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2020-17010.",
  "id": "GHSA-p9g3-7674-85f5",
  "modified": "2023-12-31T21:30:26Z",
  "published": "2022-05-24T17:33:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-17038"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17038"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P9G7-PMR8-CM48

Vulnerability from github – Published: 2022-05-24 17:14 – Updated: 2022-05-24 17:14
VLAI
Details

An elevation of privilege vulnerability exists in the way that the Microsoft Store Install Service handles file operations in protected locations, aka 'Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0934, CVE-2020-0983, CVE-2020-1011, CVE-2020-1015.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-1009"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-04-15T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "An elevation of privilege vulnerability exists in the way that the Microsoft Store Install Service handles file operations in protected locations, aka \u0027Windows Elevation of Privilege Vulnerability\u0027. This CVE ID is unique from CVE-2020-0934, CVE-2020-0983, CVE-2020-1011, CVE-2020-1015.",
  "id": "GHSA-p9g7-pmr8-cm48",
  "modified": "2022-05-24T17:14:36Z",
  "published": "2022-05-24T17:14:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1009"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1009"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-P9M3-293J-MH24

Vulnerability from github – Published: 2024-10-11 15:30 – Updated: 2024-10-11 15:30
VLAI
Details

CWE-269: Improper Privilege Management vulnerability exists that could cause unauthorized access, loss of confidentiality, integrity, and availability of the workstation when non-admin authenticated user tries to perform privilege escalation by tampering with the binaries

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-9002"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-11T14:15:06Z",
    "severity": "HIGH"
  },
  "details": "CWE-269: Improper Privilege Management vulnerability exists that could cause unauthorized\naccess, loss of confidentiality, integrity, and availability of the workstation when non-admin\nauthenticated user tries to perform privilege escalation by tampering with the binaries",
  "id": "GHSA-p9m3-293j-mh24",
  "modified": "2024-10-11T15:30:33Z",
  "published": "2024-10-11T15:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9002"
    },
    {
      "type": "WEB",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-282-03\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2024-282-03.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P9P4-X3GF-GJM8

Vulnerability from github – Published: 2022-04-06 00:01 – Updated: 2022-04-06 00:01
VLAI
Details

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-24475, CVE-2022-26891, CVE-2022-26894, CVE-2022-26895, CVE-2022-26900, CVE-2022-26908, CVE-2022-26912.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-26909"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-05T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-24475, CVE-2022-26891, CVE-2022-26894, CVE-2022-26895, CVE-2022-26900, CVE-2022-26908, CVE-2022-26912.",
  "id": "GHSA-p9p4-x3gf-gjm8",
  "modified": "2022-04-06T00:01:26Z",
  "published": "2022-04-06T00:01:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26909"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26909"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26909"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202208-25"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P9W4-585H-G3C7

Vulnerability from github – Published: 2024-07-31 21:15 – Updated: 2024-08-05 21:14
VLAI
Summary
biscuit-auth vulnerable to public key confusion in third party block
Details

Third-party blocks can be generated without transferring the whole token to the third-party authority. Instead, a ThirdPartyBlock request can be sent, providing only the necessary info to generate a third-party block and to sign it:

  • the public key of the previous block (used in the signature)
  • the public keys part of the token symbol table (for public key interning in datalog expressions)

A third-part block request forged by a malicious user can trick the third-party authority into generating datalog trusting the wrong keypair.

Consider the following example (nominal case)

  • Authority A emits the following token: check if thirdparty("b") trusting ${pubkeyB}
  • The well-behaving holder then generates a third-party block request based on the token and sends it to third-party authority B
  • Third-party B generates the following third-party block thirdparty("b"); check if thirdparty("c") trusting ${pubkeyC}
  • The token holder now must obtain a third-party block from third party C to be able to use the token

Now, with a malicious user: - Authority A emits the following token: check if thirdparty("b") trusting ${pubkeyB} - The holder then attenuates the token with the following third party block thirdparty("c"), signed with a keypair pubkeyD, privkeyD) they generate - The holder then generates a third-party block request based on this token, but alter the ThirdPartyBlockRequest publicKeys field and replace pubkeyD with pubkeyC - Third-party B generates the following third-party block thirdparty("b"); check if thirdparty("c") trusting ${pubkeyC} - Due to the altered symbol table, the actual meaning of the block is thirdparty("b"); check if thirdparty("c") trusting ${pubkeyD} - The attacker can now use the token without obtaining a third-party block from C.

Impact

Tokens with third-party blocks containing trusted annotations generated through a third party block request

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "biscuit-auth"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "5.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-41949"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-31T21:15:41Z",
    "nvd_published_at": "2024-08-01T22:15:28Z",
    "severity": "LOW"
  },
  "details": "Third-party blocks can be generated without transferring the whole token to the third-party authority. Instead, a `ThirdPartyBlock` request can be sent, providing only the necessary info to generate a third-party block and to sign it:\n\n- the public key of the previous block (used in the signature)\n- the public keys part of the token symbol table (for public key interning in datalog expressions)\n\nA third-part block request forged by a malicious user can trick the third-party authority into generating datalog trusting the wrong keypair.\n\nConsider the following example (nominal case)\n\n- Authority `A` emits the following token: `check if thirdparty(\"b\") trusting ${pubkeyB}`\n- The well-behaving holder then generates a third-party block request based on the token and sends it to third-party authority `B`\n- Third-party `B` generates the following third-party block `thirdparty(\"b\"); check if thirdparty(\"c\") trusting ${pubkeyC}`\n- The token holder now must obtain a third-party block from third party `C` to be able to use the token\n\nNow, with a malicious user:\n- Authority `A` emits the following token: `check if thirdparty(\"b\") trusting ${pubkeyB}`\n- The holder then attenuates the token with the following third party block `thirdparty(\"c\")`, signed with a keypair `pubkeyD, privkeyD)` they generate\n- The holder then generates a third-party block request based on this token, but alter the `ThirdPartyBlockRequest` `publicKeys` field and replace `pubkeyD` with `pubkeyC`\n- Third-party `B` generates the following third-party block `thirdparty(\"b\"); check if thirdparty(\"c\") trusting ${pubkeyC}`\n- Due to the altered symbol table, the actual meaning of the block is `thirdparty(\"b\"); check if thirdparty(\"c\") trusting ${pubkeyD}`\n- The attacker can now use the token without obtaining a third-party block from `C`.\n\n### Impact\n\nTokens with third-party blocks containing `trusted` annotations generated through a third party block request\n",
  "id": "GHSA-p9w4-585h-g3c7",
  "modified": "2024-08-05T21:14:26Z",
  "published": "2024-07-31T21:15:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/biscuit-auth/biscuit-rust/security/advisories/GHSA-p9w4-585h-g3c7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/biscuit-auth/biscuit/security/advisories/GHSA-rgqv-mwc3-c78m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41949"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/biscuit-auth/biscuit-rust"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "biscuit-auth vulnerable to public key confusion in third party block"
}

Mitigation MIT-1
Architecture and Design Operation

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

Mitigation MIT-48
Architecture and Design

Strategy: Separation of Privilege

Follow the principle of least privilege when assigning access rights to entities in a software system.

Mitigation MIT-49
Architecture and Design

Strategy: Separation of Privilege

Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.

CAPEC-122: Privilege Abuse

An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources.

CAPEC-233: Privilege Escalation

An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform.

CAPEC-58: Restful Privilege Elevation

An adversary identifies a Rest HTTP (Get, Put, Delete) style permission method allowing them to perform various malicious actions upon server data due to lack of access control mechanisms implemented within the application service accepting HTTP messages.