Common Weakness Enumeration

CWE-281

Allowed

Improper Preservation of Permissions

Abstraction: Base · Status: Draft

The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.

432 vulnerabilities reference this CWE, most recent first.

GHSA-HR65-QQ6P-87R4

Vulnerability from github – Published: 2022-05-24 19:02 – Updated: 2022-06-22 18:23
VLAI
Summary
Exposure of Sensitive Information to an Unauthorized Actor in Elasticsearch
Details

In Elasticsearch versions before 7.11.2 and 6.8.15 a document disclosure flaw was found when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain cross-cluster search queries. This could result in the search disclosing the existence of documents the attacker should not be able to view. This could result in an attacker gaining additional insight into potentially sensitive indices.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 7.11.1"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.elasticsearch:elasticsearch"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.11.0"
            },
            {
              "fixed": "7.11.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.8.14"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.elasticsearch:elasticsearch"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.8.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-22137"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-281"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-22T18:23:44Z",
    "nvd_published_at": "2021-05-13T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In Elasticsearch versions before 7.11.2 and 6.8.15 a document disclosure flaw was found when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain cross-cluster search queries. This could result in the search disclosing the existence of documents the attacker should not be able to view. This could result in an attacker gaining additional insight into potentially sensitive indices.",
  "id": "GHSA-hr65-qq6p-87r4",
  "modified": "2022-06-22T18:23:44Z",
  "published": "2022-05-24T19:02:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22137"
    },
    {
      "type": "WEB",
      "url": "https://discuss.elastic.co/t/elastic-stack-7-12-0-and-6-8-15-security-update/268125"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/elastic/elasticsearch"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20210625-0003"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Exposure of Sensitive Information to an Unauthorized Actor in Elasticsearch"
}

GHSA-HRXH-9W67-G4CV

Vulnerability from github – Published: 2024-11-19 20:36 – Updated: 2024-11-19 20:36
VLAI
Summary
Rclone has Improper Permission and Ownership Handling on Symlink Targets with --links and --metadata
Details

tl;dr:

unprivileged user creates a symlink to /etc/sudoers, /etc/shadow or similar and waits for a privileged user or process to copy/backup/mirror users data (using --links and --metadata). unprivileged user now owns /etc/sudoers.

Summary

Insecure handling of symlinks with --links and --metadata in rclone while copying to local disk allows unprivileged users to indirectly modify ownership and permissions on symlink target files when a superuser or privileged process performs a copy. This vulnerability could enable privilege escalation and unauthorized access to critical system files (e.g., /etc/shadow), compromising system integrity, confidentiality, and availability.

For instance, an unprivileged user could set a symlink to a sensitive file within their home directory, waiting for an administrator or automated process (e.g., a cron job running with elevated privileges) to copy their files with rclone using the --links and --metadata options. Upon copying, rclone will incorrectly apply chown and chmod to the symlink’s target file rather than just the symlink itself, resulting in ownership and permission changes on the sensitive file.

Who is affected

If you are not using --metadata and --links and copying files to the local backend you are not affected by this issue.

If you are using --metadata and -links and copying files to the local backend but not as a superuser, then this will manifest itself as a bug by setting incorrect permissions.

If you are using --metadata and -links and copying files to the local backend but as a superuser then this could affect you.

Details

When copying directories containing symlinks with rclone using the --links and --metadata options, rclone mistakenly applies chown and chmod operations to the target of the symlink instead of the symlink itself. As a result, ownership and permissions on sensitive system files (e.g., /etc/shadow) may be altered if they are the target of any symlink within the copied directory structure. This allows users to affect the permissions and ownership of files they should not have access to, resulting in privilege escalation and potential system compromise.

PoC

# Create a directory to simulate a user home directory
root@workstation:~# mkdir -p /tmp/home/user1
root@workstation:~# sudo chown user1:user1 /tmp/home/user1
# As user1, create a symlink to /etc/shadow within their home directory
root@workstation:~# sudo -u user1 ln -s /etc/shadow /tmp/home/user1/shadow_link
# List permissions on the original files
root@workstation:~# ls -l /tmp/home/user1/shadow_link /etc/shadow
----------. 1 root  root  1283 Nov  5 13:30 /etc/shadow
lrwxrwxrwx. 1 user1 user1   11 Nov  5 13:56 /tmp/home/user1/shadow_link -> /etc/shadow
# Copy the directory structure with rclone
root@workstation:~# rclone copy /tmp/home /tmp/home_new --links --metadata --log-level=DEBUG
2024/11/05 13:56:53 DEBUG : rclone: Version "v1.68.1" starting with parameters ["rclone" "copy" "/tmp/home" "/tmp/home_new" "--links" "--metadata" "--log-level=DEBUG"]
2024/11/05 13:56:53 DEBUG : Creating backend with remote "/tmp/home"
2024/11/05 13:56:53 NOTICE: Config file "/root/.config/rclone/rclone.conf" not found - using defaults
2024/11/05 13:56:53 DEBUG : local: detected overridden config - adding "{b6816}" suffix to name
2024/11/05 13:56:53 DEBUG : fs cache: renaming cache item "/tmp/home" to be canonical "local{b6816}:/tmp/home"
2024/11/05 13:56:53 DEBUG : Creating backend with remote "/tmp/home_new"
2024/11/05 13:56:53 DEBUG : local: detected overridden config - adding "{b6816}" suffix to name
2024/11/05 13:56:53 DEBUG : fs cache: renaming cache item "/tmp/home_new" to be canonical "local{b6816}:/tmp/home_new"
2024/11/05 13:56:53 DEBUG : Added delayed dir = "user1", newDst=<nil>
2024/11/05 13:56:53 DEBUG : user1/shadow_link.rclonelink: Need to transfer - File not found at Destination
2024/11/05 13:56:53 DEBUG : user1/shadow_link.rclonelink: md5 = 2fe8599cb25a0c790213d39b3be97c27 OK
2024/11/05 13:56:53 INFO  : user1/shadow_link.rclonelink: Copied (new)
2024/11/05 13:56:53 DEBUG : Local file system at /tmp/home_new: Waiting for checks to finish
2024/11/05 13:56:53 DEBUG : Local file system at /tmp/home_new: Waiting for transfers to finish
2024/11/05 13:56:53 INFO  : user1: Updated directory metadata
2024/11/05 13:56:53 INFO  :
Transferred:             11 B / 11 B, 100%, 0 B/s, ETA -
Transferred:            1 / 1, 100%
Elapsed time:         0.0s

2024/11/05 13:56:53 DEBUG : 6 go routines active
# List permissions again
root@workstation:~# ls -l /tmp/home/user1/shadow_link /etc/shadow /tmp/home_new/user1/shadow_link
-rwxrwxrwx. 1 user1 user1 1283 Nov  5 13:30 /etc/shadow                                                 # Wrong, very wrong. Should be root:root and 0000.
lrwxrwxrwx. 1 root  root    11 Nov  5 13:56 /tmp/home_new/user1/shadow_link -> /etc/shadow              # Wrong too, should be user1:user1
lrwxrwxrwx. 1 user1 user1   11 Nov  5 13:56 /tmp/home/user1/shadow_link -> /etc/shadow
# Fix /etc/shadow and clean up
root@workstation:~# chown root:root /etc/shadow
root@workstation:~# chmod 000 /etc/shadow
root@workstation:~# rm -rf /tmp/home /tmp/home_new

Impact

Type of Vulnerability: Improper permissions and ownership handling on symlink targets (Insecure Handling of Symlinks)

Impact: This vulnerability allows unprivileged users to modify permissions and ownership of sensitive system files by creating symlinks to those files in directories that are subsequently copied by an administrator with rclone --links --metadata. This can lead to unauthorized access, privilege escalation, and potential system compromise.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/rclone/rclone"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.59.0"
            },
            {
              "fixed": "1.68.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-52522"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-19T20:36:02Z",
    "nvd_published_at": "2024-11-15T18:15:30Z",
    "severity": "MODERATE"
  },
  "details": "### **tl;dr:**\n\nunprivileged user creates a symlink to /etc/sudoers, /etc/shadow or similar and waits for a privileged user or process to copy/backup/mirror users data (using `--links` and `--metadata`). unprivileged user now owns /etc/sudoers.\n\n### Summary\n\nInsecure handling of symlinks with `--links` and `--metadata` in rclone while copying to local disk allows unprivileged users to indirectly modify ownership and permissions on symlink target files when a superuser or privileged process performs a copy. This vulnerability could enable privilege escalation and unauthorized access to critical system files (e.g., /etc/shadow), compromising system integrity, confidentiality, and availability.\n\nFor instance, an unprivileged user could set a symlink to a sensitive file within their home directory, waiting for an administrator or automated process (e.g., a cron job running with elevated privileges) to copy their files with rclone using the --links and --metadata options. Upon copying, rclone will incorrectly apply chown and chmod to the symlink\u2019s target file rather than just the symlink itself, resulting in ownership and permission changes on the sensitive file.\n\n### Who is affected\n\nIf you are not using `--metadata` **and** `--links` **and** copying files **to** the local backend you are not affected by this issue.\n\nIf you are using `--metadata` and `-links` and copying files to the local backend but not as a superuser, then this will manifest itself as a bug by setting incorrect permissions.\n\nIf you are using `--metadata` and `-links` and copying files to the local backend but as a superuser then this could affect you.\n\n### Details\n\nWhen copying directories containing symlinks with rclone using the --links and --metadata options, rclone mistakenly applies chown and chmod operations to the target of the symlink instead of the symlink itself. As a result, ownership and permissions on sensitive system files (e.g., /etc/shadow) may be altered if they are the target of any symlink within the copied directory structure. This allows users to affect the permissions and ownership of files they should not have access to, resulting in privilege escalation and potential system compromise.\n\n### PoC\n\n```\n# Create a directory to simulate a user home directory\nroot@workstation:~# mkdir -p /tmp/home/user1\nroot@workstation:~# sudo chown user1:user1 /tmp/home/user1\n```\n```\n# As user1, create a symlink to /etc/shadow within their home directory\nroot@workstation:~# sudo -u user1 ln -s /etc/shadow /tmp/home/user1/shadow_link\n```\n```\n# List permissions on the original files\nroot@workstation:~# ls -l /tmp/home/user1/shadow_link /etc/shadow\n----------. 1 root  root  1283 Nov  5 13:30 /etc/shadow\nlrwxrwxrwx. 1 user1 user1   11 Nov  5 13:56 /tmp/home/user1/shadow_link -\u003e /etc/shadow\n```\n```\n# Copy the directory structure with rclone\nroot@workstation:~# rclone copy /tmp/home /tmp/home_new --links --metadata --log-level=DEBUG\n2024/11/05 13:56:53 DEBUG : rclone: Version \"v1.68.1\" starting with parameters [\"rclone\" \"copy\" \"/tmp/home\" \"/tmp/home_new\" \"--links\" \"--metadata\" \"--log-level=DEBUG\"]\n2024/11/05 13:56:53 DEBUG : Creating backend with remote \"/tmp/home\"\n2024/11/05 13:56:53 NOTICE: Config file \"/root/.config/rclone/rclone.conf\" not found - using defaults\n2024/11/05 13:56:53 DEBUG : local: detected overridden config - adding \"{b6816}\" suffix to name\n2024/11/05 13:56:53 DEBUG : fs cache: renaming cache item \"/tmp/home\" to be canonical \"local{b6816}:/tmp/home\"\n2024/11/05 13:56:53 DEBUG : Creating backend with remote \"/tmp/home_new\"\n2024/11/05 13:56:53 DEBUG : local: detected overridden config - adding \"{b6816}\" suffix to name\n2024/11/05 13:56:53 DEBUG : fs cache: renaming cache item \"/tmp/home_new\" to be canonical \"local{b6816}:/tmp/home_new\"\n2024/11/05 13:56:53 DEBUG : Added delayed dir = \"user1\", newDst=\u003cnil\u003e\n2024/11/05 13:56:53 DEBUG : user1/shadow_link.rclonelink: Need to transfer - File not found at Destination\n2024/11/05 13:56:53 DEBUG : user1/shadow_link.rclonelink: md5 = 2fe8599cb25a0c790213d39b3be97c27 OK\n2024/11/05 13:56:53 INFO  : user1/shadow_link.rclonelink: Copied (new)\n2024/11/05 13:56:53 DEBUG : Local file system at /tmp/home_new: Waiting for checks to finish\n2024/11/05 13:56:53 DEBUG : Local file system at /tmp/home_new: Waiting for transfers to finish\n2024/11/05 13:56:53 INFO  : user1: Updated directory metadata\n2024/11/05 13:56:53 INFO  :\nTransferred:             11 B / 11 B, 100%, 0 B/s, ETA -\nTransferred:            1 / 1, 100%\nElapsed time:         0.0s\n\n2024/11/05 13:56:53 DEBUG : 6 go routines active\n```\n```\n# List permissions again\nroot@workstation:~# ls -l /tmp/home/user1/shadow_link /etc/shadow /tmp/home_new/user1/shadow_link\n-rwxrwxrwx. 1 user1 user1 1283 Nov  5 13:30 /etc/shadow                                                 # Wrong, very wrong. Should be root:root and 0000.\nlrwxrwxrwx. 1 root  root    11 Nov  5 13:56 /tmp/home_new/user1/shadow_link -\u003e /etc/shadow              # Wrong too, should be user1:user1\nlrwxrwxrwx. 1 user1 user1   11 Nov  5 13:56 /tmp/home/user1/shadow_link -\u003e /etc/shadow\n```\n```\n# Fix /etc/shadow and clean up\nroot@workstation:~# chown root:root /etc/shadow\nroot@workstation:~# chmod 000 /etc/shadow\nroot@workstation:~# rm -rf /tmp/home /tmp/home_new\n```\n### Impact\nType of Vulnerability: Improper permissions and ownership handling on symlink targets (Insecure Handling of Symlinks)\n\nImpact: This vulnerability allows unprivileged users to modify permissions and ownership of sensitive system files by creating symlinks to those files in directories that are subsequently copied by an administrator with rclone --links --metadata. This can lead to unauthorized access, privilege escalation, and potential system compromise.",
  "id": "GHSA-hrxh-9w67-g4cv",
  "modified": "2024-11-19T20:36:02Z",
  "published": "2024-11-19T20:36:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rclone/rclone/security/advisories/GHSA-hrxh-9w67-g4cv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52522"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rclone/rclone/commit/01ccf204f42b4f68541b16843292439090a2dcf0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rclone/rclone"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Rclone has Improper Permission and Ownership Handling on Symlink Targets with --links and --metadata"
}

GHSA-HXQ4-V53V-RH4H

Vulnerability from github – Published: 2024-03-04 09:30 – Updated: 2024-03-04 09:30
VLAI
Details

in OpenHarmony v4.0.0 and prior versions allow a local attacker cause information leak through improper preservation of permissions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-21816"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-04T07:15:09Z",
    "severity": "MODERATE"
  },
  "details": "in OpenHarmony v4.0.0 and prior versions allow a local attacker cause information leak through improper preservation of permissions.",
  "id": "GHSA-hxq4-v53v-rh4h",
  "modified": "2024-03-04T09:30:29Z",
  "published": "2024-03-04T09:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21816"
    },
    {
      "type": "WEB",
      "url": "https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2024/2024-03.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J2M8-8R6C-36X2

Vulnerability from github – Published: 2024-05-17 18:30 – Updated: 2024-05-17 18:30
VLAI
Details

When installing Nessus Agent to a directory outside of the default location on a Windows host, Nessus Agent versions prior to 10.6.4 did not enforce secure permissions for sub-directories. This could allow for local privilege escalation if users had not secured the directories in the non-default installation location.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-3291"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-17T17:15:07Z",
    "severity": "HIGH"
  },
  "details": "When installing Nessus Agent to a directory outside of the default location on a Windows host, Nessus Agent versions prior to 10.6.4 did not enforce secure permissions for sub-directories. This could allow for local privilege escalation if users had not secured the directories in the non-default installation location.",
  "id": "GHSA-j2m8-8r6c-36x2",
  "modified": "2024-05-17T18:30:43Z",
  "published": "2024-05-17T18:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3291"
    },
    {
      "type": "WEB",
      "url": "https://www.tenable.com/security/tns-2024-09"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J3RV-RH4F-4RF6

Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2022-05-24 19:04
VLAI
Details

A ZTE product has an information leak vulnerability. Due to improper permission settings, an attacker with ordinary user permissions could exploit this vulnerability to obtain some sensitive user information through the wizard page without authentication. This affects ZXHN H168N all versions up to V3.5.0_EG1T4_TE.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-21735"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-10T12:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A ZTE product has an information leak vulnerability. Due to improper permission settings, an attacker with ordinary user permissions could exploit this vulnerability to obtain some sensitive user information through the wizard page without authentication. This affects ZXHN H168N all versions up to V3.5.0_EG1T4_TE.",
  "id": "GHSA-j3rv-rh4f-4rf6",
  "modified": "2022-05-24T19:04:55Z",
  "published": "2022-05-24T19:04:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21735"
    },
    {
      "type": "WEB",
      "url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1015924"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-J4VR-PCMW-HX59

Vulnerability from github – Published: 2025-10-24 15:06 – Updated: 2025-10-29 15:42
VLAI
Summary
Rancher user retains access to clusters despite Global Role removal
Details

Impact

A vulnerability has been identified within Rancher Manager, where after removing a custom GlobalRole that gives administrative access or the corresponding binding, the user still retains access to clusters. This only affects custom Global Roles that: - Have a * on * in * rule for resources - Have a * on * rule for non-resource URLs

For example

apiVersion: management.cattle.io/v3
kind: GlobalRole
metadata:
  name: custom-admin
rules:
  - apiGroups:
      - '*'
    resources:
      - '*'
    verbs:
      - '*'
  - nonResourceURLs:
      - '*'
    verbs:
      - '*'

Specifically: - When a user is bound to a custom admin GlobalRole, a corresponding ClusterRoleBinding is created on all clusters that binds them to the cluster-admin ClusterRole. - When such a GlobalRole or the GlobalRoleBinding (e.g., when the user is unassigned from this role in UI) is deleted, the ClusterRoleBinding that binds them to the cluster-admin ClusterRole stays behind.

This issue allows a user to continue having access to clusters after they have been unassigned from the custom admin global role or the role has been deleted.

Please consult the associated MITRE ATT&CK - Technique - Account Access Removal for further information about this category of attack.

Patches

This vulnerability is addressed by removing the corresponding ClusterRoleBindings whenever the admin GlobalRole or its GlobalRoleBindings are deleted. Previously orphaned ClusterRoleBindings are marked with the annotation authz.cluster.cattle.io/admin-globalrole-missing=true and should be deleted manually.

Orphaned ClusterRoleBindings can be listed with:

kubectl get clusterrolebinding -o jsonpath='{range .items[?(@.metadata.annotations.authz\.cluster\.cattle\.io/admin-globalrole-missing=="true")]}{.metadata.name}{"\n"}{end}'

Patched versions of Rancher include releases v2.12.3, v2.11.7.

Complications with the restricted admin functionality prevented the patches from being included in v2.10 and v2.9.

Workarounds

If the deployment can't be upgraded to a fixed version, users are advised to manually identify the orphaned ClusterRoleBindings and remove them.

References

If you have any questions or comments about this advisory: - Contact the SUSE Rancher Security team for security related inquiries. - Open an issue in the Rancher repository. - Verify with our support matrix and product support lifecycle.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/rancher/rancher"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20251014212116-7faa74a968c2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-32199"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-24T15:06:51Z",
    "nvd_published_at": "2025-10-29T15:15:40Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nA vulnerability has been identified within Rancher Manager, where after removing a custom GlobalRole that gives administrative access or the corresponding binding, the user still retains access to clusters.\nThis only affects custom Global Roles that:\n- Have a `*` on `*` in `*` rule for resources\n- Have a `*` on `*` rule for non-resource URLs\n\nFor example\n```yaml\napiVersion: management.cattle.io/v3\nkind: GlobalRole\nmetadata:\n  name: custom-admin\nrules:\n  - apiGroups:\n      - \u0027*\u0027\n    resources:\n      - \u0027*\u0027\n    verbs:\n      - \u0027*\u0027\n  - nonResourceURLs:\n      - \u0027*\u0027\n    verbs:\n      - \u0027*\u0027\n```\n\nSpecifically:\n- When a user is bound to a custom admin `GlobalRole`, a corresponding `ClusterRoleBinding` is created on all clusters that binds them to the cluster-admin `ClusterRole`.\n- When such a `GlobalRole` or the `GlobalRoleBinding` (e.g., when the user is unassigned from this role in UI) is deleted, the `ClusterRoleBinding` that binds them to the cluster-admin ClusterRole stays behind.\n\nThis issue allows a user to continue having access to clusters after they have been unassigned from the custom admin global role or the role has been deleted.\n\nPlease consult the associated  [MITRE ATT\u0026CK - Technique - Account Access Removal](https://attack.mitre.org/techniques/T1531/) for further information about this category of attack.\n\n### Patches\nThis vulnerability is addressed by removing the corresponding `ClusterRoleBindings` whenever the admin `GlobalRole` or its `GlobalRoleBindings` are deleted. Previously orphaned `ClusterRoleBindings` are marked with the annotation `authz.cluster.cattle.io/admin-globalrole-missing=true` and should be deleted manually.\n\nOrphaned ClusterRoleBindings can be listed with:\n```\nkubectl get clusterrolebinding -o jsonpath=\u0027{range .items[?(@.metadata.annotations.authz\\.cluster\\.cattle\\.io/admin-globalrole-missing==\"true\")]}{.metadata.name}{\"\\n\"}{end}\u0027\n```\n\nPatched versions of Rancher include releases `v2.12.3`, `v2.11.7`.\n\nComplications with the restricted admin functionality prevented the patches from being included in `v2.10` and `v2.9`.\n\n### Workarounds\nIf the deployment can\u0027t be upgraded to a fixed version, users are advised to manually identify the orphaned `ClusterRoleBindings` and remove them.\n\n### References\nIf you have any questions or comments about this advisory:\n- Contact the [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security related inquiries.\n- Open an issue in the [Rancher](https://github.com/rancher/rancher/issues/new/choose) repository.\n- Verify with our [support matrix](https://www.suse.com/suse-rancher/support-matrix/all-supported-versions/) and [product support lifecycle](https://www.suse.com/lifecycle/).",
  "id": "GHSA-j4vr-pcmw-hx59",
  "modified": "2025-10-29T15:42:32Z",
  "published": "2025-10-24T15:06:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rancher/rancher/security/advisories/GHSA-j4vr-pcmw-hx59"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32199"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rancher/rancher/pull/52303"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-32199"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rancher/rancher"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Rancher user retains access to clusters despite Global Role removal"
}

GHSA-J52R-PMQV-WM38

Vulnerability from github – Published: 2022-05-24 17:01 – Updated: 2023-12-14 18:19
VLAI
Summary
Missing permission check in Jenkins Support Core Plugin
Details

A missing permission check in Jenkins Support Core Plugin 2.63 and earlier allows attackers with Overall/Read permission to delete support bundles.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.63"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:support-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.64"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-16539"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-12-14T18:19:58Z",
    "nvd_published_at": "2019-11-21T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A missing permission check in Jenkins Support Core Plugin 2.63 and earlier allows attackers with Overall/Read permission to delete support bundles.",
  "id": "GHSA-j52r-pmqv-wm38",
  "modified": "2023-12-14T18:19:58Z",
  "published": "2022-05-24T17:01:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16539"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/support-core-plugin/commit/6b177ea7cc7347e13fa87174472400bbbe78d422"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/support-core-plugin"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2019-11-21/#SECURITY-1634"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2019/11/21/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Missing permission check in Jenkins Support Core Plugin"
}

GHSA-J5H3-G7CH-42QF

Vulnerability from github – Published: 2025-11-06 15:31 – Updated: 2025-11-06 15:31
VLAI
Details

Improper preservation of permissions in Elastic Defend on Windows hosts can lead to arbitrary files on the system being deleted by the Defend service running as SYSTEM. In some cases, this could result in local privilege escalation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-37735"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-06T15:15:46Z",
    "severity": "HIGH"
  },
  "details": "Improper preservation of permissions in Elastic Defend on Windows hosts can lead to arbitrary files on the system being deleted by the Defend service running as SYSTEM. In some cases, this could result in local privilege escalation.",
  "id": "GHSA-j5h3-g7ch-42qf",
  "modified": "2025-11-06T15:31:02Z",
  "published": "2025-11-06T15:31:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-37735"
    },
    {
      "type": "WEB",
      "url": "https://discuss.elastic.co/t/elastic-defend-8-19-6-9-1-6-and-9-2-0-security-update-esa-2025-23/383272"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J66C-Q55P-63P7

Vulnerability from github – Published: 2025-06-08 12:30 – Updated: 2025-06-08 12:30
VLAI
Details

in OpenHarmony v5.0.3 and prior versions allow a local attacker cause information leak through get permission.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-27247"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-08T12:15:22Z",
    "severity": "MODERATE"
  },
  "details": "in OpenHarmony v5.0.3 and prior versions allow a local attacker cause information leak through get permission.",
  "id": "GHSA-j66c-q55p-63p7",
  "modified": "2025-06-08T12:30:33Z",
  "published": "2025-06-08T12:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27247"
    },
    {
      "type": "WEB",
      "url": "https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2025/2025-06.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J6CH-QP42-33GR

Vulnerability from github – Published: 2023-07-13 00:30 – Updated: 2024-04-04 06:05
VLAI
Details

In multiple functions of OneTimePermissionUserManager.java, there is a possible one-time permission retention due to a permissions bypass. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-21249"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-13T00:15:23Z",
    "severity": "MODERATE"
  },
  "details": "In multiple functions of OneTimePermissionUserManager.java, there is a possible one-time permission retention due to a permissions bypass. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.\n\n",
  "id": "GHSA-j6ch-qp42-33gr",
  "modified": "2024-04-04T06:05:24Z",
  "published": "2023-07-13T00:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21249"
    },
    {
      "type": "WEB",
      "url": "https://android.googlesource.com/platform/frameworks/base/+/c00b7e7dbc1fa30339adef693d02a51254755d7f"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2023-07-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.