CWE-273
AllowedImproper Check for Dropped Privileges
Abstraction: Base · Status: Incomplete
The product attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded.
54 vulnerabilities reference this CWE, most recent first.
CVE-2022-0358 (GCVE-0-2022-0358)
Vulnerability from cvelistv5 – Published: 2022-08-29 00:00 – Updated: 2024-08-02 23:25- CWE-273 - - Improper Check for Dropped Privileges.
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | QEMU/virtiofsd |
Affected:
Fixed in qemu v6.2.0-7
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:25:40.534Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2044863"
},
{
"tags": [
"x_transferred"
],
"url": "https://gitlab.com/qemu-project/qemu/-/commit/449e8171f96a6a944d1f3b7d3627ae059eae21ca"
},
{
"tags": [
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/CVE-2022-0358"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20221007-0008/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "QEMU/virtiofsd",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed in qemu v6.2.0-7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the QEMU virtio-fs shared file system daemon (virtiofsd) implementation. This flaw is strictly related to CVE-2018-13405. A local guest user can create files in the directories shared by virtio-fs with unintended group ownership in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of the group. This could allow a malicious unprivileged user inside the guest to gain access to resources accessible to the root group, potentially escalating their privileges within the guest. A malicious local user in the host might also leverage this unexpected executable file created by the guest to escalate their privileges on the host system."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-273",
"description": "CWE-273 - Improper Check for Dropped Privileges.",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-07T00:00:00.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2044863"
},
{
"url": "https://gitlab.com/qemu-project/qemu/-/commit/449e8171f96a6a944d1f3b7d3627ae059eae21ca"
},
{
"url": "https://access.redhat.com/security/cve/CVE-2022-0358"
},
{
"url": "https://security.netapp.com/advisory/ntap-20221007-0008/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2022-0358",
"datePublished": "2022-08-29T00:00:00.000Z",
"dateReserved": "2022-01-25T00:00:00.000Z",
"dateUpdated": "2024-08-02T23:25:40.534Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-37839 (GCVE-0-2021-37839)
Vulnerability from cvelistv5 – Published: 2022-07-06 12:35 – Updated: 2024-08-04 01:30- CWE-273 - Improper Check for Dropped Privileges
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/pwqyxxmn5gh7cnw3q… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Superset |
Affected:
Apache Superset , < 1.5.1
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:30:08.212Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread/pwqyxxmn5gh7cnw3qsp66v0lt4xojt82"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Superset",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "1.5.1",
"status": "affected",
"version": "Apache Superset",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Apache Superset would like to thank Dinesh for reporting this issue"
}
],
"descriptions": [
{
"lang": "en",
"value": "Apache Superset up to 1.5.1 allowed for authenticated users to access metadata information related to datasets they have no permission on. This metadata included the dataset name, columns and metrics."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-273",
"description": "CWE-273 Improper Check for Dropped Privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-06T14:06:28.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread/pwqyxxmn5gh7cnw3qsp66v0lt4xojt82"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Improper access to dataset metadata information",
"workarounds": [
{
"lang": "en",
"value": "Upgrade to 1.5.1 or higher"
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-37839",
"STATE": "PUBLIC",
"TITLE": "Improper access to dataset metadata information"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Superset",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Apache Superset",
"version_value": "1.5.1"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Apache Superset would like to thank Dinesh for reporting this issue"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Superset up to 1.5.1 allowed for authenticated users to access metadata information related to datasets they have no permission on. This metadata included the dataset name, columns and metrics."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-273 Improper Check for Dropped Privileges"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/pwqyxxmn5gh7cnw3qsp66v0lt4xojt82",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/pwqyxxmn5gh7cnw3qsp66v0lt4xojt82"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "Upgrade to 1.5.1 or higher"
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-37839",
"datePublished": "2022-07-06T12:35:10.000Z",
"dateReserved": "2021-08-02T00:00:00.000Z",
"dateUpdated": "2024-08-04T01:30:08.212Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-36372 (GCVE-0-2021-36372)
Vulnerability from cvelistv5 – Published: 2021-11-19 09:20 – Updated: 2024-08-04 00:54- CWE-273 - Improper Check for Dropped Privileges
| URL | Tags |
|---|---|
| https://mail-archives.apache.org/mod_mbox/ozone-d… | x_refsource_MISC |
| http://www.openwall.com/lists/oss-security/2021/11/19/1 | mailing-listx_refsource_MLIST |
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Ozone |
Affected:
1.1 , ≤ 1.1
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:54:51.493Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C5029c1ac-4685-8492-e3cb-ab48c5c370cf%40apache.org%3E"
},
{
"name": "[oss-security] 20211118 CVE-2021-36372: Apache Ozone: Original block tokens are persisted and can be retrieved",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/11/19/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Ozone",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "1.1",
"status": "affected",
"version": "1.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Apache Ozone would like to thank Marton Elek for reporting this issue."
}
],
"descriptions": [
{
"lang": "en",
"value": "In Apache Ozone versions prior to 1.2.0, Initially generated block tokens are persisted to the metadata database and can be retrieved with authenticated users with permission to the key. Authenticated users may use them even after access is revoked."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-273",
"description": "CWE-273 Improper Check for Dropped Privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-31T09:30:38.799Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C5029c1ac-4685-8492-e3cb-ab48c5c370cf%40apache.org%3E"
},
{
"name": "[oss-security] 20211118 CVE-2021-36372: Apache Ozone: Original block tokens are persisted and can be retrieved",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/11/19/1"
}
],
"source": {
"defect": [
"HDDS-5315"
],
"discovery": "UNKNOWN"
},
"title": "Original block tokens are persisted and can be retrieved",
"workarounds": [
{
"lang": "en",
"value": "Upgrade to Apache Ozone release version 1.2.0"
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-36372",
"STATE": "PUBLIC",
"TITLE": "Original block tokens are persisted and can be retrieved"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Ozone",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "1.1",
"version_value": "1.1"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Apache Ozone would like to thank Marton Elek for reporting this issue."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Apache Ozone versions prior to 1.2.0, Initially generated block tokens are persisted to the metadata database and can be retrieved with authenticated users with permission to the key. Authenticated users may use them even after access is revoked."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-273 Improper Check for Dropped Privileges"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C5029c1ac-4685-8492-e3cb-ab48c5c370cf%40apache.org%3E",
"refsource": "MISC",
"url": "https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C5029c1ac-4685-8492-e3cb-ab48c5c370cf%40apache.org%3E"
},
{
"name": "[oss-security] 20211118 CVE-2021-36372: Apache Ozone: Original block tokens are persisted and can be retrieved",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/11/19/1"
}
]
},
"source": {
"defect": [
"HDDS-5315"
],
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "Upgrade to Apache Ozone release version 1.2.0"
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-36372",
"datePublished": "2021-11-19T09:20:16.000Z",
"dateReserved": "2021-07-12T00:00:00.000Z",
"dateUpdated": "2024-08-04T00:54:51.493Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3982 (GCVE-0-2021-3982)
Vulnerability from cvelistv5 – Published: 2022-04-29 00:00 – Updated: 2024-08-03 17:09| Vendor | Product | Version | |
|---|---|---|---|
| n/a | gnome-shell |
Affected:
gnome-shell downstream versions using CAP_SYS_NICE
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:09:09.635Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/2284"
},
{
"tags": [
"x_transferred"
],
"url": "https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/2060"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "gnome-shell",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "gnome-shell downstream versions using CAP_SYS_NICE"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Linux distributions using CAP_SYS_NICE for gnome-shell may be exposed to a privilege escalation issue. An attacker, with low privilege permissions, may take advantage of the way CAP_SYS_NICE is currently implemented and eventually load code to increase its process scheduler priority leading to possible DoS of other services running in the same machine."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-273",
"description": "CWE-273",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-28T00:00:00.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"url": "https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/2284"
},
{
"url": "https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/2060"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2021-3982",
"datePublished": "2022-04-29T00:00:00.000Z",
"dateReserved": "2021-11-19T00:00:00.000Z",
"dateUpdated": "2024-08-03T17:09:09.635Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GHSA-26MH-FMRH-48W9
Vulnerability from github – Published: 2022-05-24 17:22 – Updated: 2023-02-02 21:33The docker packages version docker-1.13.1-108.git4ef4b30.el7 as released for Red Hat Enterprise Linux 7 Extras via RHBA-2020:0053 (https://access.redhat.com/errata/RHBA-2020:0053) included an incorrect version of runc that was missing multiple bug and security fixes. One of the fixes regressed in that update was the fix for CVE-2016-9962, that was previously corrected in the docker packages in Red Hat Enterprise Linux 7 Extras via RHSA-2017:0116 (https://access.redhat.com/errata/RHSA-2017:0116). The CVE-2020-14300 was assigned to this security regression and it is specific to the docker packages produced by Red Hat. The original issue - CVE-2016-9962 - could possibly allow a process inside container to compromise a process entering container namespace and execute arbitrary code outside of the container. This could lead to compromise of the container host or other containers running on the same container host. This issue only affects a single version of Docker, 1.13.1-108.git4ef4b30, shipped in Red Hat Enterprise Linux 7. Both earlier and later versions are not affected.
{
"affected": [],
"aliases": [
"CVE-2020-14300"
],
"database_specific": {
"cwe_ids": [
"CWE-273"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-07-13T22:15:00Z",
"severity": "MODERATE"
},
"details": "The docker packages version docker-1.13.1-108.git4ef4b30.el7 as released for Red Hat Enterprise Linux 7 Extras via RHBA-2020:0053 (https://access.redhat.com/errata/RHBA-2020:0053) included an incorrect version of runc that was missing multiple bug and security fixes. One of the fixes regressed in that update was the fix for CVE-2016-9962, that was previously corrected in the docker packages in Red Hat Enterprise Linux 7 Extras via RHSA-2017:0116 (https://access.redhat.com/errata/RHSA-2017:0116). The CVE-2020-14300 was assigned to this security regression and it is specific to the docker packages produced by Red Hat. The original issue - CVE-2016-9962 - could possibly allow a process inside container to compromise a process entering container namespace and execute arbitrary code outside of the container. This could lead to compromise of the container host or other containers running on the same container host. This issue only affects a single version of Docker, 1.13.1-108.git4ef4b30, shipped in Red Hat Enterprise Linux 7. Both earlier and later versions are not affected.",
"id": "GHSA-26mh-fmrh-48w9",
"modified": "2023-02-02T21:33:41Z",
"published": "2022-05-24T17:22:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14300"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHBA-2020:0427"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2020:2653"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2016-9962"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2020-14300"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/vulnerabilities/cve-2016-9962"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/vulnerabilities/runc-regression-docker-1.13.1-108"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1848829"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9962"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2J3P-GQW5-G59J
Vulnerability from github – Published: 2026-03-02 17:44 – Updated: 2026-03-02 21:59Impact
Vulnerability Type: Local Privilege Escalation (LPE) / Improper Privilege Management / Arbitrary Command Execution.
The application automatically re-executes the previously failed command but does not properly drop elevated privileges during this process.
When the tool is executed with sudo or otherwise runs with an effective UID of root, it records the last executed command and attempts to rerun it. However, the application fails to restore the original unprivileged user context before re-executing the command. As a result, the retried command is executed with root privileges, even if the original command was issued by an unprivileged user.
This allows a local attacker to intentionally trigger a failed command under elevated execution and gain arbitrary command execution as root via the retry mechanism.
Who is impacted:
Any system where this tool is executed with elevated privileges is affected. The risk is especially high in environments where the tool is permitted to run via sudo, including configurations with NOPASSWD, as an unprivileged user can escalate privileges to root without additional interaction.
Proof of Concept
To verify the vulnerability without a shell, attempt to create a file in a root-protected directory.
1. Verify the file does not exist
sudo ls /root/proof_of_lpe
# Output: No such file or directory
2. Run the vulnerable command
sudo bash -c "SH_PREV_CMD='touch /root/proof_of_lpe' target/release/theshit fix"
3. Check if the file was created by root
sudo ls -l /root/proof_of_lpe
Expected Result:
The command succeeds silently, and the file /root/proof_of_lpe is created, confirming arbitrary command execution with root privileges.
Patches
The issue has been fixed in version 0.1.2.
The patch ensures that privilege levels are correctly handled during command re-execution. Before retrying any previously executed command, the application now explicitly resets the effective UID and GID to the original invoking user.
Workarounds
If upgrading is not possible, users should avoid executing the application with sudo or as the root user.
As a temporary mitigation, administrators should restrict the use of the tool in privileged contexts and ensure it is not included in sudoers configurations, particularly with NOPASSWD. Running the tool strictly as an unprivileged user prevents exploitation of the retry mechanism.
References
- Commit fixing the issue
- CWE-269: Improper Privilege Management
- CWE-273: Improper Check for Dropped Privileges
- CWE-250: Execution with Unnecessary Privileges
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "theshit"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-21882"
],
"database_specific": {
"cwe_ids": [
"CWE-250",
"CWE-269",
"CWE-273"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-02T17:44:53Z",
"nvd_published_at": "2026-03-02T20:16:26Z",
"severity": "HIGH"
},
"details": "### Impact\n\n**Vulnerability Type:** Local Privilege Escalation (LPE) / Improper Privilege Management / Arbitrary Command Execution.\n\nThe application automatically re-executes the previously failed command but does not properly drop elevated privileges during this process.\n\nWhen the tool is executed with `sudo` or otherwise runs with an effective UID of root, it records the last executed command and attempts to rerun it. However, the application fails to restore the original unprivileged user context before re-executing the command. As a result, the retried command is executed with root privileges, even if the original command was issued by an unprivileged user.\n\nThis allows a local attacker to intentionally trigger a failed command under elevated execution and gain arbitrary command execution as root via the retry mechanism.\n\n**Who is impacted:**\nAny system where this tool is executed with elevated privileges is affected. The risk is especially high in environments where the tool is permitted to run via `sudo`, including configurations with `NOPASSWD`, as an unprivileged user can escalate privileges to root without additional interaction.\n\n### Proof of Concept\n\nTo verify the vulnerability without a shell, attempt to create a file in a root-protected directory.\n\n**1. Verify the file does not exist**\n```bash\nsudo ls /root/proof_of_lpe\n# Output: No such file or directory\n```\n\n**2. Run the vulnerable command**\n```bash\nsudo bash -c \"SH_PREV_CMD=\u0027touch /root/proof_of_lpe\u0027 target/release/theshit fix\"\n```\n\n**3. Check if the file was created by root**\n```bash\nsudo ls -l /root/proof_of_lpe\n```\n\n**Expected Result:**\nThe command succeeds silently, and the file `/root/proof_of_lpe` is created, confirming arbitrary command execution with root privileges.\n\n### Patches\n\nThe issue has been fixed in version **0.1.2**.\n\nThe patch ensures that privilege levels are correctly handled during command re-execution. Before retrying any previously executed command, the application now explicitly resets the effective UID and GID to the original invoking user.\n\n### Workarounds\n\nIf upgrading is not possible, users should avoid executing the application with `sudo` or as the root user.\n\nAs a temporary mitigation, administrators should restrict the use of the tool in privileged contexts and ensure it is not included in `sudoers` configurations, particularly with `NOPASSWD`. Running the tool strictly as an unprivileged user prevents exploitation of the retry mechanism.\n\n### References\n\n* [Commit fixing the issue](https://github.com/AsfhtgkDavid/theshit/commit/5293957b119e55212dce2c6dcbaf1d7eb794602a)\n* CWE-269: Improper Privilege Management\n* CWE-273: Improper Check for Dropped Privileges\n* CWE-250: Execution with Unnecessary Privileges",
"id": "GHSA-2j3p-gqw5-g59j",
"modified": "2026-03-02T21:59:23Z",
"published": "2026-03-02T17:44:53Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/AsfhtgkDavid/theshit/security/advisories/GHSA-2j3p-gqw5-g59j"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21882"
},
{
"type": "WEB",
"url": "https://github.com/AsfhtgkDavid/theshit/commit/5293957b119e55212dce2c6dcbaf1d7eb794602a"
},
{
"type": "PACKAGE",
"url": "https://github.com/AsfhtgkDavid/theshit"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "theshit\u0027s Improper Privilege Dropping Allows Local Privilege Escalation via Command Re-execution"
}
GHSA-3QXP-P56X-R4H3
Vulnerability from github – Published: 2024-01-05 18:30 – Updated: 2025-11-04 21:30For migration as well as to work around kernels unaware of L1TF (see XSA-273), PV guests may be run in shadow paging mode. Since Xen itself needs to be mapped when PV guests run, Xen and shadowed PV guests run directly the respective shadow page tables. For 64-bit PV guests this means running on the shadow of the guest root page table.
In the course of dealing with shortage of memory in the shadow pool associated with a domain, shadows of page tables may be torn down. This tearing down may include the shadow root page table that the CPU in question is presently running on. While a precaution exists to supposedly prevent the tearing down of the underlying live page table, the time window covered by that precaution isn't large enough.
{
"affected": [],
"aliases": [
"CVE-2023-34322"
],
"database_specific": {
"cwe_ids": [
"CWE-273"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-05T17:15:08Z",
"severity": "HIGH"
},
"details": "For migration as well as to work around kernels unaware of L1TF (see\nXSA-273), PV guests may be run in shadow paging mode. Since Xen itself\nneeds to be mapped when PV guests run, Xen and shadowed PV guests run\ndirectly the respective shadow page tables. For 64-bit PV guests this\nmeans running on the shadow of the guest root page table.\n\nIn the course of dealing with shortage of memory in the shadow pool\nassociated with a domain, shadows of page tables may be torn down. This\ntearing down may include the shadow root page table that the CPU in\nquestion is presently running on. While a precaution exists to\nsupposedly prevent the tearing down of the underlying live page table,\nthe time window covered by that precaution isn\u0027t large enough.",
"id": "GHSA-3qxp-p56x-r4h3",
"modified": "2025-11-04T21:30:54Z",
"published": "2024-01-05T18:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34322"
},
{
"type": "WEB",
"url": "https://xenbits.xenproject.org/xsa/advisory-438.html"
},
{
"type": "WEB",
"url": "http://xenbits.xen.org/xsa/advisory-438.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4532-MWP5-JCCG
Vulnerability from github – Published: 2022-05-01 07:03 – Updated: 2025-04-03 04:34artswrapper in aRts, when running setuid root on Linux 2.6.0 or later versions, does not check the return value of the setuid function call, which allows local users to gain root privileges by causing setuid to fail, which prevents artsd from dropping privileges.
{
"affected": [],
"aliases": [
"CVE-2006-2916"
],
"database_specific": {
"cwe_ids": [
"CWE-273"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2006-06-15T10:02:00Z",
"severity": "MODERATE"
},
"details": "artswrapper in aRts, when running setuid root on Linux 2.6.0 or later versions, does not check the return value of the setuid function call, which allows local users to gain root privileges by causing setuid to fail, which prevents artsd from dropping privileges.",
"id": "GHSA-4532-mwp5-jccg",
"modified": "2025-04-03T04:34:37Z",
"published": "2022-05-01T07:03:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2006-2916"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/27221"
},
{
"type": "WEB",
"url": "http://dot.kde.org/1150310128"
},
{
"type": "WEB",
"url": "http://mail.gnome.org/archives/beast/2006-December/msg00025.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/20677"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/20786"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/20827"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/20868"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/20899"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/25032"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/25059"
},
{
"type": "WEB",
"url": "http://security.gentoo.org/glsa/glsa-200704-22.xml"
},
{
"type": "WEB",
"url": "http://securitytracker.com/id?1016298"
},
{
"type": "WEB",
"url": "http://slackware.com/security/viewer.php?l=slackware-security\u0026y=2006\u0026m=slackware-security.468256"
},
{
"type": "WEB",
"url": "http://www.gentoo.org/security/en/glsa/glsa-200606-22.xml"
},
{
"type": "WEB",
"url": "http://www.kde.org/info/security/advisory-20060614-2.txt"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/security/advisories?name=MDKSA-2006:107"
},
{
"type": "WEB",
"url": "http://www.novell.com/linux/security/advisories/2006_38_security.html"
},
{
"type": "WEB",
"url": "http://www.osvdb.org/26506"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/437362/100/0/threaded"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/18429"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/23697"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2006/2357"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2007/0409"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-47C7-QRM7-MQW7
Vulnerability from github – Published: 2026-07-06 20:16 – Updated: 2026-07-06 20:16The id utility in uutils coreutils miscalculates the groups= section of its output. The implementation uses a user's real GID instead of their effective GID to compute the group list, leading to potentially divergent output compared to GNU coreutils. Because many scripts and automated processes rely on the output of id to make security-critical access-control or permission decisions, this discrepancy can lead to unauthorized access or security misconfigurations.
Zellic finding 3.72. Reported in the Zellic uutils coreutils Program Security Assessment (for Canonical, Jan 2026), audited commit 3a07ffc5a9bd4c283e75afa548ba1f1957bad242.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "uu_id"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.6.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-35370"
],
"database_specific": {
"cwe_ids": [
"CWE-273",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-06T20:16:46Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "The id utility in uutils coreutils miscalculates the groups= section of its output. The implementation uses a user\u0027s real GID instead of their effective GID to compute the group list, leading to potentially divergent output compared to GNU coreutils. Because many scripts and automated processes rely on the output of id to make security-critical access-control or permission decisions, this discrepancy can lead to unauthorized access or security misconfigurations.\n\n---\n_Zellic finding 3.72. Reported in the Zellic *uutils coreutils Program Security Assessment* (for Canonical, Jan 2026), audited commit `3a07ffc5a9bd4c283e75afa548ba1f1957bad242`._",
"id": "GHSA-47c7-qrm7-mqw7",
"modified": "2026-07-06T20:16:46Z",
"published": "2026-07-06T20:16:46Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/uutils/coreutils/security/advisories/GHSA-47c7-qrm7-mqw7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35370"
},
{
"type": "WEB",
"url": "https://github.com/uutils/coreutils/issues/10006"
},
{
"type": "PACKAGE",
"url": "https://github.com/uutils/coreutils"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "id: groups= computed from real GID instead of effective GID"
}
GHSA-4F7R-XVF5-VJ98
Vulnerability from github – Published: 2023-06-29 15:30 – Updated: 2024-04-04 05:17Play With Docker < 0.0.2 has an insecure CAP_SYS_ADMIN privileged mode causing the docker container to escape.
{
"affected": [],
"aliases": [
"CVE-2023-34844"
],
"database_specific": {
"cwe_ids": [
"CWE-273"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-29T15:15:09Z",
"severity": "CRITICAL"
},
"details": "Play With Docker \u003c 0.0.2 has an insecure CAP_SYS_ADMIN privileged mode causing the docker container to escape.",
"id": "GHSA-4f7r-xvf5-vj98",
"modified": "2024-04-04T05:17:36Z",
"published": "2023-06-29T15:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34844"
},
{
"type": "WEB",
"url": "https://hacku.top/wl/?id=MACBtnorZyp6hC3E5bw2CqBAusuWoKe3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-46
Strategy: Separation of Privilege
- Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
- Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Mitigation MIT-53
Check the results of all functions that return a value and verify that the value is expected.
Mitigation
In Windows, make sure that the process token has the SeImpersonatePrivilege(Microsoft Server 2003). Code that relies on impersonation for security must ensure that the impersonation succeeded, i.e., that a proper privilege demotion happened.
No CAPEC attack patterns related to this CWE.