Common Weakness Enumeration

CWE-270

Allowed

Privilege Context Switching Error

Abstraction: Base · Status: Draft

The product does not properly manage privileges while it is switching between different contexts that have different privileges or spheres of control.

45 vulnerabilities reference this CWE, most recent first.

CVE-2021-3493 (GCVE-0-2021-3493)

Vulnerability from cvelistv5 – Published: 2021-04-17 04:20 – Updated: 2025-10-21 23:25
VLAI
Summary
The overlayfs implementation in the linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivileged overlay mounts, an attacker could use this to gain elevated privileges.
SSVC
Exploitation: active Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-270 - Privilege Context Switching Error
Assigner
Impacted products
Vendor Product Version
Ubuntu linux kernel Affected: 5.8 kernel , < 5.8.0-50.56 (custom)
Affected: 5.4 kernel , < 5.4.0-72.80 (custom)
Affected: 4.15 kernel , < 4.15.0-142.146 (custom)
Affected: 4.4 kernel , < 4.4.0-209.241 (custom)
Create a notification for this product.
Date Public
2021-04-15 00:00
Credits
An independent security researcher reporting to the SSD Secure Disclosure program
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T16:53:17.827Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://ubuntu.com/security/notices/USN-4917-1"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7c03e2cda4a584cadc398e8f6641ca9988a39d52"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.openwall.com/lists/oss-security/2021/04/16/1"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/162434/Kernel-Live-Patch-Security-Notice-LSN-0076-1.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/162866/Ubuntu-OverlayFS-Local-Privilege-Escalation.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/165151/Ubuntu-Overlayfs-Local-Privilege-Escalation.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-3493",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-07T12:30:18.913674Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2022-10-20",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-3493"
              },
              "type": "kev"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T23:25:48.908Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-3493"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2022-10-20T00:00:00.000Z",
            "value": "CVE-2021-3493 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "linux kernel",
          "vendor": "Ubuntu",
          "versions": [
            {
              "lessThan": "5.8.0-50.56",
              "status": "affected",
              "version": "5.8 kernel",
              "versionType": "custom"
            },
            {
              "lessThan": "5.4.0-72.80",
              "status": "affected",
              "version": "5.4 kernel",
              "versionType": "custom"
            },
            {
              "lessThan": "4.15.0-142.146",
              "status": "affected",
              "version": "4.15 kernel",
              "versionType": "custom"
            },
            {
              "lessThan": "4.4.0-209.241",
              "status": "affected",
              "version": "4.4 kernel",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "An independent security researcher reporting to the SSD Secure Disclosure program"
        }
      ],
      "datePublic": "2021-04-15T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "The overlayfs implementation in the linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivileged overlay mounts, an attacker could use this to gain elevated privileges."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-270",
              "description": "CWE-270: Privilege Context Switching Error",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-12-03T19:06:06.000Z",
        "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "shortName": "canonical"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://ubuntu.com/security/notices/USN-4917-1"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7c03e2cda4a584cadc398e8f6641ca9988a39d52"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.openwall.com/lists/oss-security/2021/04/16/1"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/162434/Kernel-Live-Patch-Security-Notice-LSN-0076-1.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/162866/Ubuntu-OverlayFS-Local-Privilege-Escalation.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/165151/Ubuntu-Overlayfs-Local-Privilege-Escalation.html"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Apply https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7c03e2cda4a584cadc398e8f6641ca9988a39d52"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "workarounds": [
        {
          "lang": "en",
          "value": "Disable unprivileged user namespaces."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@ubuntu.com",
          "DATE_PUBLIC": "2021-04-15T00:00:00.000Z",
          "ID": "CVE-2021-3493",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "linux kernel",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "5.8 kernel",
                            "version_value": "5.8.0-50.56"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "5.4 kernel",
                            "version_value": "5.4.0-72.80"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "4.15 kernel",
                            "version_value": "4.15.0-142.146"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "4.4 kernel",
                            "version_value": "4.4.0-209.241"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Ubuntu"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "An independent security researcher reporting to the SSD Secure Disclosure program"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The overlayfs implementation in the linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivileged overlay mounts, an attacker could use this to gain elevated privileges."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-270: Privilege Context Switching Error"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://ubuntu.com/security/notices/USN-4917-1",
              "refsource": "MISC",
              "url": "https://ubuntu.com/security/notices/USN-4917-1"
            },
            {
              "name": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7c03e2cda4a584cadc398e8f6641ca9988a39d52",
              "refsource": "MISC",
              "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7c03e2cda4a584cadc398e8f6641ca9988a39d52"
            },
            {
              "name": "https://www.openwall.com/lists/oss-security/2021/04/16/1",
              "refsource": "MISC",
              "url": "https://www.openwall.com/lists/oss-security/2021/04/16/1"
            },
            {
              "name": "http://packetstormsecurity.com/files/162434/Kernel-Live-Patch-Security-Notice-LSN-0076-1.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/162434/Kernel-Live-Patch-Security-Notice-LSN-0076-1.html"
            },
            {
              "name": "http://packetstormsecurity.com/files/162866/Ubuntu-OverlayFS-Local-Privilege-Escalation.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/162866/Ubuntu-OverlayFS-Local-Privilege-Escalation.html"
            },
            {
              "name": "http://packetstormsecurity.com/files/165151/Ubuntu-Overlayfs-Local-Privilege-Escalation.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/165151/Ubuntu-Overlayfs-Local-Privilege-Escalation.html"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "Apply https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7c03e2cda4a584cadc398e8f6641ca9988a39d52"
          }
        ],
        "source": {
          "discovery": "EXTERNAL"
        },
        "work_around": [
          {
            "lang": "en",
            "value": "Disable unprivileged user namespaces."
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
    "assignerShortName": "canonical",
    "cveId": "CVE-2021-3493",
    "datePublished": "2021-04-17T04:20:16.706Z",
    "dateReserved": "2021-04-12T00:00:00.000Z",
    "dateUpdated": "2025-10-21T23:25:48.908Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-7020 (GCVE-0-2020-7020)

Vulnerability from cvelistv5 – Published: 2020-10-22 16:30 – Updated: 2024-08-04 09:18
VLAI
Summary
Elasticsearch versions before 6.8.13 and 7.9.2 contain a document disclosure flaw when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain complex queries. This could result in the search disclosing the existence of documents the attacker should not be able to view. This could result in an attacker gaining additional insight into potentially sensitive indices.
Severity
No CVSS data available.
CWE
  • CWE-270 - Privilege Context Switching Error
Assigner
Impacted products
Vendor Product Version
Elastic Elasticsearch Affected: before 6.8.13 and 7.9.2
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T09:18:02.985Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://staging-website.elastic.co/community/security/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://discuss.elastic.co/t/elastic-stack-7-9-3-and-6-8-13-security-update/253033"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20201123-0001/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Elasticsearch",
          "vendor": "Elastic",
          "versions": [
            {
              "status": "affected",
              "version": "before 6.8.13 and 7.9.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Elasticsearch versions before 6.8.13 and 7.9.2 contain a document disclosure flaw when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain complex queries. This could result in the search disclosing the existence of documents the attacker should not be able to view. This could result in an attacker gaining additional insight into potentially sensitive indices."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-270",
              "description": "CWE-270: Privilege Context Switching Error",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-11-23T11:06:12.000Z",
        "orgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a",
        "shortName": "elastic"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://staging-website.elastic.co/community/security/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://discuss.elastic.co/t/elastic-stack-7-9-3-and-6-8-13-security-update/253033"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20201123-0001/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@elastic.co",
          "ID": "CVE-2020-7020",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Elasticsearch",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "before 6.8.13 and 7.9.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Elastic"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Elasticsearch versions before 6.8.13 and 7.9.2 contain a document disclosure flaw when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain complex queries. This could result in the search disclosing the existence of documents the attacker should not be able to view. This could result in an attacker gaining additional insight into potentially sensitive indices."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-270: Privilege Context Switching Error"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://staging-website.elastic.co/community/security/",
              "refsource": "MISC",
              "url": "https://staging-website.elastic.co/community/security/"
            },
            {
              "name": "https://discuss.elastic.co/t/elastic-stack-7-9-3-and-6-8-13-security-update/253033",
              "refsource": "MISC",
              "url": "https://discuss.elastic.co/t/elastic-stack-7-9-3-and-6-8-13-security-update/253033"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20201123-0001/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20201123-0001/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a",
    "assignerShortName": "elastic",
    "cveId": "CVE-2020-7020",
    "datePublished": "2020-10-22T16:30:15.000Z",
    "dateReserved": "2020-01-14T00:00:00.000Z",
    "dateUpdated": "2024-08-04T09:18:02.985Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-7019 (GCVE-0-2020-7019)

Vulnerability from cvelistv5 – Published: 2020-08-18 16:40 – Updated: 2024-08-04 09:18
VLAI
Summary
In Elasticsearch before 7.9.0 and 6.8.12 a field disclosure flaw was found when running a scrolling search with Field Level Security. If a user runs the same query another more privileged user recently ran, the scrolling search can leak fields that should be hidden. This could result in an attacker gaining additional permissions against a restricted index.
Severity
No CVSS data available.
CWE
  • CWE-270 - Privilege Context Switching Error
Assigner
References
Impacted products
Vendor Product Version
Elastic Elasticsearch Affected: before 7.9.0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T09:18:02.598Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://discuss.elastic.co/t/elastic-stack-7-9-0-and-6-8-12-security-update/245456"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20200827-0001/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Elasticsearch",
          "vendor": "Elastic",
          "versions": [
            {
              "status": "affected",
              "version": "before 7.9.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Elasticsearch before 7.9.0 and 6.8.12 a field disclosure flaw was found when running a scrolling search with Field Level Security. If a user runs the same query another more privileged user recently ran, the scrolling search can leak fields that should be hidden. This could result in an attacker gaining additional permissions against a restricted index."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-270",
              "description": "CWE-270: Privilege Context Switching Error",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-08-27T10:06:20.000Z",
        "orgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a",
        "shortName": "elastic"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://discuss.elastic.co/t/elastic-stack-7-9-0-and-6-8-12-security-update/245456"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20200827-0001/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@elastic.co",
          "ID": "CVE-2020-7019",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Elasticsearch",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "before 7.9.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Elastic"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Elasticsearch before 7.9.0 and 6.8.12 a field disclosure flaw was found when running a scrolling search with Field Level Security. If a user runs the same query another more privileged user recently ran, the scrolling search can leak fields that should be hidden. This could result in an attacker gaining additional permissions against a restricted index."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-270: Privilege Context Switching Error"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://discuss.elastic.co/t/elastic-stack-7-9-0-and-6-8-12-security-update/245456",
              "refsource": "MISC",
              "url": "https://discuss.elastic.co/t/elastic-stack-7-9-0-and-6-8-12-security-update/245456"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20200827-0001/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20200827-0001/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a",
    "assignerShortName": "elastic",
    "cveId": "CVE-2020-7019",
    "datePublished": "2020-08-18T16:40:14.000Z",
    "dateReserved": "2020-01-14T00:00:00.000Z",
    "dateUpdated": "2024-08-04T09:18:02.598Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-1719 (GCVE-0-2020-1719)

Vulnerability from cvelistv5 – Published: 2021-06-07 16:23 – Updated: 2024-08-04 06:46
VLAI
Summary
A flaw was found in wildfly. The EJBContext principle is not popped back after invoking another EJB using a different Security Domain. The highest threat from this vulnerability is to data confidentiality and integrity. Versions before wildfly 20.0.0.Final are affected.
Severity
No CVSS data available.
CWE
Assigner
References
Impacted products
Vendor Product Version
n/a Wildfly Affected: wildfly 20.0.0.Final
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T06:46:30.328Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1796617"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Wildfly",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "wildfly 20.0.0.Final"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in wildfly. The EJBContext principle is not popped back after invoking another EJB using a different Security Domain. The highest threat from this vulnerability is to data confidentiality and integrity. Versions before wildfly 20.0.0.Final are affected."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-270",
              "description": "CWE-270",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-06-07T16:23:44.000Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1796617"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2020-1719",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Wildfly",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "wildfly 20.0.0.Final"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A flaw was found in wildfly. The EJBContext principle is not popped back after invoking another EJB using a different Security Domain. The highest threat from this vulnerability is to data confidentiality and integrity. Versions before wildfly 20.0.0.Final are affected."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-270"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1796617",
              "refsource": "MISC",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1796617"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2020-1719",
    "datePublished": "2021-06-07T16:23:44.000Z",
    "dateReserved": "2019-11-27T00:00:00.000Z",
    "dateUpdated": "2024-08-04T06:46:30.328Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-14819 (GCVE-0-2019-14819)

Vulnerability from cvelistv5 – Published: 2020-01-07 17:02 – Updated: 2024-08-05 00:26
VLAI
Summary
A flaw was found during the upgrade of an existing OpenShift Container Platform 3.x cluster. Using CRI-O, the dockergc service account is assigned to the current namespace of the user performing the upgrade. This flaw can allow an unprivileged user to escalate their privileges to those allowed by the privileged Security Context Constraints.
Assigner
References
Impacted products
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T00:26:39.118Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14819"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "openshift-ansible",
          "vendor": "[Red Hat]",
          "versions": [
            {
              "status": "affected",
              "version": "3.x"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found during the upgrade of an existing OpenShift Container Platform 3.x cluster. Using CRI-O, the dockergc service account is assigned to the current namespace of the user performing the upgrade. This flaw can allow an unprivileged user to escalate their privileges to those allowed by the privileged Security Context Constraints."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-266",
              "description": "CWE-266",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-270",
              "description": "CWE-270",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-01-07T17:02:01.000Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14819"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2019-14819",
    "datePublished": "2020-01-07T17:02:01.000Z",
    "dateReserved": "2019-08-10T00:00:00.000Z",
    "dateUpdated": "2024-08-05T00:26:39.118Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2017-2663 (GCVE-0-2017-2663)

Vulnerability from cvelistv5 – Published: 2018-07-27 20:00 – Updated: 2024-08-05 14:02
VLAI
Summary
It was found that subscription-manager's DBus interface before 1.19.4 let unprivileged user access the com.redhat.RHSM1.Facts.GetFacts and com.redhat.RHSM1.Config.Set methods. An unprivileged local attacker could use these methods to gain access to private information, or launch a privilege escalation attack.
CWE
Assigner
References
Impacted products
Date Public
2017-03-20 00:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T14:02:07.221Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "97015",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/97015"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/candlepin/subscription-manager/commit/2aa48ef65"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2663"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "subscription-manager",
          "vendor": "Red Hat",
          "versions": [
            {
              "status": "affected",
              "version": "1.19.4"
            }
          ]
        }
      ],
      "datePublic": "2017-03-20T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "It was found that subscription-manager\u0027s DBus interface before 1.19.4 let unprivileged user access the com.redhat.RHSM1.Facts.GetFacts and com.redhat.RHSM1.Config.Set methods. An unprivileged local attacker could use these methods to gain access to private information, or launch a privilege escalation attack."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-270",
              "description": "CWE-270",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-07-28T09:57:01.000Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "97015",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/97015"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/candlepin/subscription-manager/commit/2aa48ef65"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2663"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2017-2663",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "subscription-manager",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "1.19.4"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Red Hat"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "It was found that subscription-manager\u0027s DBus interface before 1.19.4 let unprivileged user access the com.redhat.RHSM1.Facts.GetFacts and com.redhat.RHSM1.Config.Set methods. An unprivileged local attacker could use these methods to gain access to private information, or launch a privilege escalation attack."
            }
          ]
        },
        "impact": {
          "cvss": [
            [
              {
                "vectorString": "8.2/CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.0"
              }
            ]
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-270"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "97015",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/97015"
            },
            {
              "name": "https://github.com/candlepin/subscription-manager/commit/2aa48ef65",
              "refsource": "CONFIRM",
              "url": "https://github.com/candlepin/subscription-manager/commit/2aa48ef65"
            },
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2663",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2663"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2017-2663",
    "datePublished": "2018-07-27T20:00:00.000Z",
    "dateReserved": "2016-12-01T00:00:00.000Z",
    "dateUpdated": "2024-08-05T14:02:07.221Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GHSA-2FJ2-4H38-3C72

Vulnerability from github – Published: 2022-05-24 17:47 – Updated: 2025-10-22 00:32
VLAI
Details

The overlayfs implementation in the linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivileged overlay mounts, an attacker could use this to gain elevated privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-3493"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-270",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-04-17T05:15:00Z",
    "severity": "HIGH"
  },
  "details": "The overlayfs implementation in the linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivileged overlay mounts, an attacker could use this to gain elevated privileges.",
  "id": "GHSA-2fj2-4h38-3c72",
  "modified": "2025-10-22T00:32:06Z",
  "published": "2022-05-24T17:47:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3493"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7c03e2cda4a584cadc398e8f6641ca9988a39d52"
    },
    {
      "type": "WEB",
      "url": "https://ubuntu.com/security/notices/USN-4917-1"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-3493"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2021/04/16/1"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/162434/Kernel-Live-Patch-Security-Notice-LSN-0076-1.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/162866/Ubuntu-OverlayFS-Local-Privilege-Escalation.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/165151/Ubuntu-Overlayfs-Local-Privilege-Escalation.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2RFP-WR5H-6Q7X

Vulnerability from github – Published: 2025-02-22 15:30 – Updated: 2025-02-24 18:32
VLAI
Details

Kernel software installed and running inside a Guest VM may exploit memory shared with the GPU Firmware to write data into another Guest's virtualised GPU memory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-46975"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-270"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-22T15:15:10Z",
    "severity": "HIGH"
  },
  "details": "Kernel software installed and running inside a Guest VM may exploit memory shared with the GPU Firmware to write data into another Guest\u0027s virtualised GPU memory.",
  "id": "GHSA-2rfp-wr5h-6q7x",
  "modified": "2025-02-24T18:32:41Z",
  "published": "2025-02-22T15:30:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46975"
    },
    {
      "type": "WEB",
      "url": "https://www.imaginationtech.com/gpu-driver-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-35J5-M29R-XFQ5

Vulnerability from github – Published: 2023-10-25 21:07 – Updated: 2023-11-01 06:11
VLAI
Summary
XWiki Rendering's footnote macro vulnerable to privilege escalation via the footnote macro
Details

Impact

The footnote macro executed its content in a potentially different context than the one in which it was defined. In particular in combination with the include macro, this allows privilege escalation from a simple user account in XWiki to programming rights and thus remote code execution, impacting the confidentiality, integrity and availability of the whole XWiki installation.

To reproduce, perform the following steps:

  1. Edit your user profile with the object editor and add an object of type DocumentSheetBinding with value XWiki.ClassSheet
  2. Edit your user profile with the wiki editor and add the syntax {{footnote}}{{groovy}}println("Hello " + "from groovy!"){{/groovy}}{{/footnote}}

When the text "Hello from groovy!" is displayed at the bottom of the document, the installation is vulnerable. Instead, an error should be displayed.

Patches

This vulnerability has been patched in XWiki 14.10.6 and 15.1-rc-1.

Workarounds

There is no workaround apart from upgrading to a fixed version of the footnote macro.

References

  • https://jira.xwiki.org/browse/XRENDERING-688
  • https://github.com/xwiki/xwiki-rendering/commit/5f558b8fac8b716d19999225f38cb8ed0814116e
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.rendering:xwiki-rendering-macro-footnotes"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.10.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.rendering:xwiki-rendering-macro-footnotes"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "15.0-rc-1"
            },
            {
              "fixed": "15.1-rc-1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-core-rendering-macro-footnotes"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.10.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-37912"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-270"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-25T21:07:42Z",
    "nvd_published_at": "2023-10-25T18:17:28Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nThe footnote macro executed its content in a potentially different context than the one in which it was defined. In particular in combination with the include macro, this allows privilege escalation from a simple user account in XWiki to programming rights and thus remote code execution, impacting the confidentiality, integrity and availability of the whole XWiki installation.\n\nTo reproduce, perform the following steps:\n\n1. Edit your user profile with the object editor and add an object of type DocumentSheetBinding with value XWiki.ClassSheet\n2. Edit your user profile with the wiki editor and add the syntax `{{footnote}}{{groovy}}println(\"Hello \" + \"from groovy!\"){{/groovy}}{{/footnote}}`\n\nWhen the text \"Hello from groovy!\" is displayed at the bottom of the document, the installation is vulnerable. Instead, an error should be displayed.\n\n### Patches\nThis vulnerability has been patched in XWiki 14.10.6 and 15.1-rc-1.\n\n### Workarounds\nThere is no workaround apart from upgrading to a fixed version of the footnote macro.\n\n### References\n* https://jira.xwiki.org/browse/XRENDERING-688\n* https://github.com/xwiki/xwiki-rendering/commit/5f558b8fac8b716d19999225f38cb8ed0814116e\n",
  "id": "GHSA-35j5-m29r-xfq5",
  "modified": "2023-11-01T06:11:10Z",
  "published": "2023-10-25T21:07:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-35j5-m29r-xfq5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37912"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-rendering/commit/5f558b8fac8b716d19999225f38cb8ed0814116e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xwiki/xwiki-rendering"
    },
    {
      "type": "WEB",
      "url": "https://jira.xwiki.org/browse/XRENDERING-688"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XWiki Rendering\u0027s footnote macro vulnerable to privilege escalation via the footnote macro"
}

GHSA-7MR7-4F54-VCX5

Vulnerability from github – Published: 2024-11-07 21:57 – Updated: 2024-11-08 13:55
VLAI
Summary
HTTP Client uses incorrect token after refresh
Details

Impact

HTTP Clients created by AddUserAccessTokenHttpClient may use a different user's access token after a token refresh. This occurs because a refreshed token will be captured in pooled HttpClient instances, which may be used by a different user.

Workarounds

Instead of using AddUserAccessTokenHttpClient to create an HttpClient that automatically adds a managed token to outgoing requests, you can use the HttpConext.GetUserAccessTokenAsync extension method or the IUserTokenManagementService.GetAccessTokenAsync method.

Patches

This issue is fixed in Duende.AccessTokenManagement.OpenIdConnect 3.0.1.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Duende.AccessTokenManagement.OpenIdConnect"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "3.0.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2024-51987"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-270"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-07T21:57:52Z",
    "nvd_published_at": "2024-11-08T00:15:15Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nHTTP Clients created by `AddUserAccessTokenHttpClient` may use a different user\u0027s access token after a token refresh. This occurs because a refreshed token will be captured in pooled `HttpClient` instances, which may be used by a different user.\n\n### Workarounds\nInstead of using `AddUserAccessTokenHttpClient` to create an `HttpClient` that automatically adds a managed token to outgoing requests, you can use the `HttpConext.GetUserAccessTokenAsync` extension method or the `IUserTokenManagementService.GetAccessTokenAsync` method.\n\n### Patches\nThis issue is fixed in Duende.AccessTokenManagement.OpenIdConnect 3.0.1.\n\n",
  "id": "GHSA-7mr7-4f54-vcx5",
  "modified": "2024-11-08T13:55:27Z",
  "published": "2024-11-07T21:57:52Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/DuendeSoftware/Duende.AccessTokenManagement/security/advisories/GHSA-7mr7-4f54-vcx5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51987"
    },
    {
      "type": "WEB",
      "url": "https://github.com/DuendeSoftware/Duende.AccessTokenManagement/commit/09c73e32b182da5c6d7b55ec790cb2271cc4b63f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/DuendeSoftware/Duende.AccessTokenManagement"
    },
    {
      "type": "WEB",
      "url": "https://github.com/DuendeSoftware/Duende.AccessTokenManagement/releases/tag/3.0.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "HTTP Client uses incorrect token after refresh"
}

Mitigation MIT-1
Architecture and Design Operation

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

Mitigation MIT-17
Architecture and Design Operation

Strategy: Environment Hardening

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

Mitigation MIT-49
Architecture and Design

Strategy: Separation of Privilege

Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.

CAPEC-17: Using Malicious Files

An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.

CAPEC-30: Hijacking a Privileged Thread of Execution

An adversary hijacks a privileged thread of execution by injecting malicious code into a running process. By using a privleged thread to do their bidding, adversaries can evade process-based detection that would stop an attack that creates a new process. This can lead to an adversary gaining access to the process's memory and can also enable elevated privileges. The most common way to perform this attack is by suspending an existing thread and manipulating its memory.

CAPEC-35: Leverage Executable Code in Non-Executable Files

An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.