VYPR

CWE-269

Improper Privilege Management

Class · Draft · Likelihood: Medium

Description

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-122 · CAPEC-233 · CAPEC-58

CVEs mapped to this weakness (1,039)

page 45 of 52
  • CVE-2023-31469 · Jun 23, 2023
    risk 0.00 · cvss · epss 0.01

    A REST interface in Apache StreamPipes (versions 0.69.0 to 0.91.0) was not properly restricted to admin-only access. This allowed a non-admin user with valid login credentials to elevate privileges beyond the initially assigned roles. The issue is resolved by upgrading to…

  • CVE-2023-22647 · Jun 1, 2023
    risk 0.00 · cvss · epss 0.01

    An Improper Privilege Management vulnerability in SUSE Rancher allowed standard users to leverage their existing permissions to manipulate Kubernetes secrets in the local cluster, resulting in the secret being deleted, but their read-level permissions to the secret being…

  • CVE-2023-22648 · Jun 1, 2023
    risk 0.00 · cvss · epss 0.00

    An Improper Privilege Management vulnerability in SUSE Rancher causes permission changes in Azure AD not to be reflected to users while they are logged in to the Rancher UI. This would cause the users to retain their previous permissions in Rancher, even if they change groups on…

  • CVE-2023-33966 · May 31, 2023
    risk 0.00 · cvss · epss 0.01

    Deno is a runtime for JavaScript and TypeScript. In deno 1.34.0 and deno_runtime 0.114.0, outbound HTTP requests made using the built-in `node:http` or `node:https` modules are incorrectly not checked against the network permission allow list (`--allow-net`). Dependencies…

  • CVE-2023-30601 · May 30, 2023
    risk 0.00 · cvss · epss 0.00

    Privilege escalation when enabling FQL/Audit logs allows a user with JMX access to run arbitrary commands as the user running Apache Cassandra. This issue affects Apache Cassandra: from 4.0.0 through 4.0.9, from 4.1.0 through 4.1.1. Workaround: The vulnerability requires…

  • CVE-2023-31062 · May 22, 2023
    risk 0.00 · cvss · epss 0.01

    Improper Privilege Management vulnerabilities in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.2.0 through 1.6.0. When the attacker has access to a valid (but unprivileged) account, the exploit can be executed using Burp Suite by sending a…

  • CVE-2023-22651 · May 4, 2023
    risk 0.00 · cvss · epss 0.01

    Improper Privilege Management vulnerability in SUSE Rancher allows Privilege Escalation. A failure in the update logic of Rancher's admission Webhook may lead to the misconfiguration of the Webhook. This component enforces validation rules and security checks before resources…

  • CVE-2023-30622 · Apr 24, 2023
    risk 0.00 · cvss · epss 0.00

    Clusternet is a general-purpose system for controlling Kubernetes clusters across different environments. An issue in clusternet prior to version 0.15.2 can be leveraged to lead to a cluster-level privilege escalation. The clusternet has a deployment called `cluster-hub` inside…

  • CVE-2023-2240 · Apr 22, 2023
    risk 0.00 · cvss · epss 0.01

    Improper Privilege Management in GitHub repository microweber/microweber prior to 1.3.4.

  • CVE-2023-22946 · Apr 17, 2023
    risk 0.00 · cvss · epss 0.01

    In Apache Spark versions prior to 3.4.0, applications using spark-submit can specify a 'proxy-user' to run as, limiting privileges. The application can execute code with the privileges of the submitting user, however, by providing malicious configuration-related classes on the…

  • CVE-2023-29018 · Apr 14, 2023
    risk 0.00 · cvss · epss 0.01

    The OpenFeature Operator allows users to expose feature flags to applications. Assuming the pre-existence of a vulnerability that allows for arbitrary code execution, an attacker could leverage the lax permissions configured on `open-feature-operator-controller-manager` to…

  • CVE-2023-1762 · Mar 31, 2023
    risk 0.00 · cvss · epss 0.01

    Improper Privilege Management in GitHub repository thorsten/phpmyfaq prior to 3.1.12.

  • CVE-2023-28640 · Mar 27, 2023
    risk 0.00 · cvss · epss 0.00

    Apiman is a flexible and open source API Management platform. Due to a missing permissions check, an attacker with an authenticated Apiman Manager account may be able to gain access to API keys they do not have permission for if they correctly guess the URL, which includes…

  • CVE-2023-28436 · Mar 23, 2023
    risk 0.00 · cvss · epss 0.00

    Tailscale is software for using WireGuard and multi-factor authentication (MFA). A vulnerability identified in the implementation of Tailscale SSH starting in version 1.34.0 and prior to 1.38.2 in FreeBSD allows commands to be run with a higher privilege group ID than…

  • CVE-2023-27094 · Mar 23, 2023
    risk 0.00 · cvss · epss 0.01

    An issue found in OpenGoofy Hippo4j v.1.4.3 allows attackers to escalate privileges via the ThreadPoolController of the tenant Management module.

  • CVE-2022-48365 · Mar 12, 2023
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in eZ Platform Ibexa Kernel before 1.3.26. The Company admin role gives excessive privileges.

  • CVE-2023-26475 · Mar 2, 2023
    risk 0.00 · cvss · epss 0.65

    XWiki Platform is a generic wiki platform. Starting in version 2.3-milestone-1, the annotation displayer does not execute the content in a restricted context. This allows executing anything with the right of the author of any document by annotating the document. This has been…

  • CVE-2023-25621 · Feb 23, 2023
    risk 0.00 · cvss · epss 0.01

    Privilege Escalation vulnerability in Apache Software Foundation Apache Sling. Any content author is able to create i18n dictionaries in the repository in a location the author has write access to. As these translations are used across the whole product, it allows an author to…

  • CVE-2023-25173 · Feb 16, 2023
    risk 0.00 · cvss · epss 0.01

    containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group…

  • CVE-2022-42735 · Feb 15, 2023
    risk 0.00 · cvss · epss 0.01

    Improper Privilege Management vulnerability in Apache Software Foundation Apache ShenYu. ShenYu Admin allows low-privilege low-level administrators to create users with higher privileges than their own. This issue affects Apache ShenYu: 2.5.0. Upgrade to Apache ShenYu 2.5.1 or…