CWE-269
Improper Privilege Management
Description
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-122 · CAPEC-233 · CAPEC-58
CVEs mapped to this weakness (1,039)
page 43 of 52

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-23208 | | | 0.00 | — | 0.00 | | Jan 17, 2025 | zot is a production-ready vendor-neutral OCI image registry. The group data stored for users in the boltdb database (meta.db) is an append-list so group revocations/removals are ignored in the API. SetUserGroups is called on login, but instead of replacing the group memberships,… |
| CVE-2024-31141 | | — | 0.00 | — | 0.01 | | Nov 19, 2024 | Files or Directories Accessible to External Parties, Improper Privilege Management vulnerability in Apache Kafka Clients. Apache Kafka Clients accept configuration data for customizing behavior, and includes ConfigProvider plugins in order to manipulate these configurations.… |
| CVE-2024-23454 | | — | 0.00 | — | 0.00 | | Sep 25, 2024 | Apache Hadoop’s RunJar.run() does not set permissions for temporary directory by default. If sensitive data will be present in this file, all the other local users may be able to view the content. This is because, on unix-like systems, the system temporary directory is… |
| CVE-2024-46999 | | | 0.00 | — | 0.00 | | Sep 19, 2024 | Zitadel is an open source identity management platform. ZITADEL's user grants deactivation mechanism did not work correctly. Deactivated user grants were still provided in token, which could lead to unauthorized access to applications and resources. Additionally, the management… |
| CVE-2024-47000 | | | 0.00 | — | 0.00 | | Sep 19, 2024 | Zitadel is an open source identity management platform. ZITADEL's user account deactivation mechanism did not work correctly with service accounts. Deactivated service accounts retained the ability to request tokens, which could lead to unauthorized access to applications and… |
| CVE-2024-46989 | | | 0.00 | — | 0.00 | | Sep 18, 2024 | spicedb is an Open Source, Google Zanzibar-inspired permissions database to enable fine-grained authorization for customer applications. Multiple caveats over the same indirect subject type on the same relation can result in no permission being returned when permission is… |
| CVE-2024-45041 | | | 0.00 | — | 0.01 | | Sep 9, 2024 | External Secrets Operator is a Kubernetes operator that integrates external secret management systems. The external-secrets has a deployment called default-external-secrets-cert-controller, which is bound with a same-name ClusterRole. This ClusterRole has "get/list" verbs of… |
| CVE-2024-43401 | | | 0.00 | — | 0.01 | | Aug 19, 2024 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A user without script/programming right can trick a user with elevated rights to edit a content with a malicious payload using a WYSIWYG editor. The user with elevated rights… |
| CVE-2024-44076 | | | 0.00 | — | 0.01 | | Aug 19, 2024 | In Microcks before 1.10.0, the POST /api/import and POST /api/export endpoints allow non-administrator access. |
| CVE-2024-27181 | | — | 0.00 | — | 0.01 | | Aug 2, 2024 | In Apache Linkis <= 1.5.0, Privilege Escalation in Basic management services where the attacking user is a trusted account allows access to Linkis's Token information. Users are advised to upgrade to version 1.6.0, which fixes this issue. |
| CVE-2024-22278 | | | 0.00 | — | 0.00 | | Aug 2, 2024 | Incorrect user permission validation in Harbor <v2.9.5 and Harbor <v2.10.3 allows authenticated users to modify configurations. |
| CVE-2024-41949 | | | 0.00 | — | 0.00 | | Aug 1, 2024 | biscuit-rust is the Rust implementation of Biscuit, an authentication and authorization token for microservices architectures. Third-party blocks can be generated without transferring the whole token to the third-party authority. Instead, a ThirdPartyBlock request can be sent,… |
| CVE-2024-41666 | | | 0.00 | — | 0.01 | | Jul 24, 2024 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD has a Web-based terminal that allows users to get a shell inside a running pod, just as they would with kubectl exec. Starting in version 2.6.0, when the administrator enables this function and… |
| CVE-2024-34082 | | | 0.00 | — | 0.03 | | May 15, 2024 | Grav is a file-based Web platform. Prior to version 1.7.46, a low privilege user account with page edit privilege can read any server files using Twig Syntax. This includes Grav user account files - `/grav/user/accounts/*.yaml`. This file stores hashed user password, 2FA secret,… |
| CVE-2024-34517 | | — | 0.00 | — | 0.01 | | May 7, 2024 | The Cypher component in Neo4j 5.0.0 through 5.18 mishandles IMMUTABLE privileges in some situations where an attacker already has admin access. |
| CVE-2024-34146 | | | 0.00 | — | 0.01 | | May 2, 2024 | Jenkins Git server Plugin 114.v068a_c7cc2574 and earlier does not perform a permission check for read access to a Git repository over SSH, allowing attackers with a previously configured SSH public key but lacking Overall/Read permission to access these repositories. |
| CVE-2024-28056 | | — | 0.00 | — | 0.02 | | Apr 15, 2024 | Amazon AWS Amplify CLI before 12.10.1 incorrectly configures the role trust policy of IAM roles associated with Amplify projects. When the Authentication component is removed from an Amplify project, a Condition property is removed but "Effect":"Allow" remains present, and… |
| CVE-2023-50726 | | | 0.00 | — | 0.01 | | Mar 13, 2024 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. "Local sync" is an Argo CD feature that allows developers to temporarily override an Application's manifests with locally-defined manifests. Use of the feature should generally be limited to highly-trusted… |
| CVE-2024-28197 | | | 0.00 | — | 0.00 | | Mar 11, 2024 | Zitadel is an open source identity management system. Zitadel uses a cookie to identify the user agent (browser) and its user sessions. Although the cookie was handled according to best practices, it was accessible on subdomains of the ZITADEL instance. An attacker could take… |
| CVE-2024-1442 | | | 0.00 | — | 0.01 | | Mar 7, 2024 | A user with the permissions to create a data source can use Grafana API to create a data source with UID set to *. Doing this will grant the user access to read, query, edit and delete all data sources within the organization. |