Common Weakness Enumeration

CWE-274

Discouraged

Improper Handling of Insufficient Privileges

Abstraction: Base · Status: Draft

The product does not handle or incorrectly handles when it has insufficient privileges to perform an operation, leading to resultant weaknesses.

54 vulnerabilities reference this CWE, most recent first.

GHSA-HXGG-WCJC-H5JF

Vulnerability from github – Published: 2023-09-27 15:30 – Updated: 2024-04-04 07:52
VLAI
Details

SiberianCMS - CWE-274: Improper Handling of Insufficient Privileges

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-39375"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-274"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-27T15:18:55Z",
    "severity": "CRITICAL"
  },
  "details": "\nSiberianCMS - CWE-274: Improper Handling of Insufficient Privileges\n\n",
  "id": "GHSA-hxgg-wcjc-h5jf",
  "modified": "2024-04-04T07:52:00Z",
  "published": "2023-09-27T15:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39375"
    },
    {
      "type": "WEB",
      "url": "https://www.gov.il/en/Departments/faq/cve_advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J8X2-2M5W-J939

Vulnerability from github – Published: 2022-12-12 14:38 – Updated: 2023-04-03 19:24
VLAI
Summary
Amazon CloudWatch Agent for Windows has Privilege Escalation Vector
Details

Impact

A privilege escalation issue exists within the Amazon CloudWatch Agent for Windows in versions up to and including v1.247354. When users trigger a repair of the Agent, a pop-up window opens with SYSTEM permissions. Users with administrative access to affected hosts may use this to create a new command prompt as NT AUTHORITY\SYSTEM.

To trigger this issue, the third party must be able to access the affected host and elevate their privileges such that they’re able to trigger the agent repair process. They must also be able to install the tools required to trigger the issue.

This issue does not affect the CloudWatch Agent for macOS or Linux.

Patches

Maintainers recommend that Agent users upgrade to the latest available version of the CloudWatch Agent to address this issue.

Workarounds

There is no recommended work around. Affected users must update the installed version of the CloudWatch Agent to address this issue.

References

https://github.com/aws/amazon-cloudwatch-agent/commit/6119858864c317ff26f41f576c169148d1250837

For more information

If you have any questions or comments about this advisory, contact AWS/Amazon Security via their vulnerability reporting page or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/aws/amazon-cloudwatch-agent"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.247355.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-23511"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-274"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-12T14:38:28Z",
    "nvd_published_at": "2022-12-12T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nA privilege escalation issue exists within the Amazon CloudWatch Agent for Windows in versions up to and including v1.247354. When users trigger a repair of the Agent, a pop-up window opens with SYSTEM permissions. Users with administrative access to affected hosts may use this to create a new command prompt as NT AUTHORITY\\SYSTEM. \n \nTo trigger this issue, the third party must be able to access the affected host and elevate their privileges such that they\u2019re able to trigger the agent repair process. They must also be able to install the tools required to trigger the issue. \n\nThis issue does not affect the CloudWatch Agent for macOS or Linux. \n\n### Patches\nMaintainers recommend that Agent users upgrade to the latest available version of the CloudWatch Agent to address this issue. \n\n### Workarounds\nThere is no recommended work around. Affected users must update the installed version of the CloudWatch Agent to address this issue.\n\n### References\nhttps://github.com/aws/amazon-cloudwatch-agent/commit/6119858864c317ff26f41f576c169148d1250837\n\n### For more information \n \nIf you have any questions or comments about this advisory, contact AWS/Amazon Security via their [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/) or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.\n",
  "id": "GHSA-j8x2-2m5w-j939",
  "modified": "2023-04-03T19:24:00Z",
  "published": "2022-12-12T14:38:28Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/aws/amazon-cloudwatch-agent/security/advisories/GHSA-j8x2-2m5w-j939"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23511"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aws/amazon-cloudwatch-agent/commit/6119858864c317ff26f41f576c169148d1250837"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aws/amazon-cloudwatch-agent/commit/6119858864c317ff26f41f576c169148d1250837#diff-76ed074a9305c04054cdebb9e9aad2d818052b07091de1f20cad0bbac34ffb52"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/aws/amazon-cloudwatch-agent"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Amazon CloudWatch Agent for Windows has Privilege Escalation Vector"
}

GHSA-W6GM-FVFM-9M36

Vulnerability from github – Published: 2026-05-15 03:30 – Updated: 2026-05-15 03:30
VLAI
Details

Improper handling of insufficient privileges in the AMD Secure Processor (ASP) could allow an attacker to provide an input value to a function without sufficient privileges and successfully write data, potentially resulting in loss of integrity of availability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-54511"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-274"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-15T03:16:22Z",
    "severity": "MODERATE"
  },
  "details": "Improper handling of insufficient privileges in the AMD Secure Processor (ASP) could allow an attacker to provide an input value to a function without sufficient privileges and successfully write data, potentially resulting in loss of integrity of availability.",
  "id": "GHSA-w6gm-fvfm-9m36",
  "modified": "2026-05-15T03:30:37Z",
  "published": "2026-05-15T03:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54511"
    },
    {
      "type": "WEB",
      "url": "https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-6027.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-XH35-W7WG-95V3

Vulnerability from github – Published: 2024-01-08 16:25 – Updated: 2024-01-09 16:12
VLAI
Summary
XWiki has no right protection on rollback action
Details

Impact

The rollback action is missing a right protection: it means that a user can rollback to a previous version of the page to gain rights they don't have anymore. This vulnerability impacts all version of XWiki since rollback action is available.

Patches

The problem has been patched in XWiki 14.10.16, 15.5.3 and 15.8-rc-1 by ensuring that the rights are checked before performing the rollback.

Workarounds

There's no workaround for this vulnerability, except paying attention to delete old versions of documents that could allow users to gain more rights.

References

For more information

If you have any questions or comments about this advisory: * Open an issue in Jira XWiki.org * Email us at Security Mailing List

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-oldcore"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0"
            },
            {
              "fixed": "14.10.17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "15.0-rc-1"
            },
            {
              "fixed": "15.5.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "15.6-rc-1"
            },
            {
              "fixed": "15.8-rc-1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-21648"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-274"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-08T16:25:58Z",
    "nvd_published_at": "2024-01-09T00:15:44Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nThe rollback action is missing a right protection: it means that a user can rollback to a previous version of the page to gain rights they don\u0027t have anymore. \nThis vulnerability impacts all version of XWiki since rollback action is available. \n\n### Patches\n\nThe problem has been patched in XWiki 14.10.16, 15.5.3 and 15.8-rc-1 by ensuring that the rights are checked before performing the rollback. \n\n### Workarounds\n\nThere\u0027s no workaround for this vulnerability, except paying attention to delete old versions of documents that could allow users to gain more rights. \n\n### References\n\n* JIRA ticket: https://jira.xwiki.org/browse/XWIKI-21257\n* Commit: [4de72875ca49602796165412741033bfdbf1e680](https://github.com/xwiki/xwiki-platform/commit/4de72875ca49602796165412741033bfdbf1e680)\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)\n* Email us at [Security Mailing List](mailto:security@xwiki.org)",
  "id": "GHSA-xh35-w7wg-95v3",
  "modified": "2024-01-09T16:12:35Z",
  "published": "2024-01-08T16:25:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-xh35-w7wg-95v3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21648"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/commit/1f3220f14bb3a4dcbd10d31134c39a06037f9a74"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/commit/4de72875ca49602796165412741033bfdbf1e680"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/commit/4fa7f302b14da6f05a6904a14e3741c4c06c40a1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xwiki/xwiki-platform"
    },
    {
      "type": "WEB",
      "url": "https://jira.xwiki.org/browse/XWIKI-21257"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XWiki has no right protection on rollback action"
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.