VYPR

CWE-269

Improper Privilege Management

Class · Draft · Likelihood: Medium

Description

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-122 · CAPEC-233 · CAPEC-58

CVEs mapped to this weakness (1,039)

page 46 of 52
  • CVE-2022-43759 · Feb 7, 2023
    risk 0.00 · cvss · epss 0.01

    An Improper Privilege Management vulnerability in SUSE Rancher allows users with access to the escalate verb on PRTBs to escalate permissions for any -promoted resource in any cluster. This issue affects: SUSE Rancher Rancher versions prior to 2.5.17; Rancher versions prior to…

  • CVE-2023-23612 · Jan 24, 2023
    risk 0.00 · cvss · epss 0.01

    OpenSearch is an open source distributed and RESTful search engine. OpenSearch uses JWTs to store role claims obtained from the Identity Provider (IdP) when the authentication backend is SAML or OpenID Connect. There is an issue in how those claims are processed from the JWTs…

  • CVE-2023-0242 · Jan 18, 2023
    risk 0.00 · cvss · epss 0.01

    Rapid7 Velociraptor allows users to be created with different privileges on the server. Administrators are generally allowed to run any command on the server including writing arbitrary files. However, lower privilege users are generally forbidden from writing or modifying files…

  • CVE-2022-4808 · Dec 28, 2022
    risk 0.00 · cvss · epss 0.00

    Improper Privilege Management in GitHub repository usememos/memos prior to 0.9.1.

  • CVE-2022-4687 · Dec 23, 2022
    risk 0.00 · cvss · epss 0.01

    Incorrect Use of Privileged APIs in GitHub repository usememos/memos prior to 0.9.0.

  • CVE-2022-38060 · Dec 21, 2022
    risk 0.00 · cvss · epss 0.00

    A privilege escalation vulnerability exists in the sudo functionality of OpenStack Kolla git master 05194e7618. A misconfiguration in /etc/sudoers within a container can lead to increased privileges.

  • CVE-2022-23485 · Dec 10, 2022
    risk 0.00 · cvss · epss 0.00

    Sentry is an error tracking and performance monitoring platform. In versions of the sentry python library prior to 22.11.0 an attacker with a known valid invite link could manipulate a cookie to allow the same invite link to be reused on multiple accounts when joining an…

  • CVE-2022-4314 · Dec 6, 2022
    risk 0.00 · cvss · epss 0.01

    Improper Privilege Management in GitHub repository ikus060/rdiffweb prior to 2.5.2.

  • CVE-2022-43138 · Nov 17, 2022
    risk 0.00 · cvss · epss 0.01

    Dolibarr Open Source ERP & CRM for Business before v14.0.1 allows attackers to escalate privileges via a crafted API.

  • CVE-2022-39395 · Nov 10, 2022
    risk 0.00 · cvss · epss 0.01

    Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela Server and Vela Worker prior to version 0.16.0 and Vela UI prior to version 0.17.0, some default configurations for Vela allow exploitation and container breakouts.…

  • CVE-2022-31690 · Oct 31, 2022
    risk 0.00 · cvss · epss 0.01

    Spring Security, versions 5.7 prior to 5.7.5, and 5.6 prior to 5.6.9, and older unsupported versions could be susceptible to a privilege escalation under certain conditions. A malicious user or attacker can modify a request initiated by the Client (via the browser) to the…

  • CVE-2022-39286 · Oct 26, 2022
    risk 0.00 · cvss · epss 0.01

    Jupyter Core is a package for the core common functionality of Jupyter projects. Jupyter Core prior to version 4.11.2 contains an arbitrary code execution vulnerability in `jupyter_core` that stems from `jupyter_core` executing untrusted files in CWD. This vulnerability allows…

  • CVE-2022-41032 · Oct 11, 2022
    risk 0.00 · cvss · epss 0.01

    NuGet Client Elevation of Privilege Vulnerability

  • CVE-2022-38512 · Sep 22, 2022
    risk 0.00 · cvss · epss 0.01

    The Translation module in Liferay Portal v7.4.3.12 through v7.4.3.36, and Liferay DXP 7.4 update 8 through 36 does not check permissions before allowing a user to export a web content for translation, allowing attackers to download a web content page's XLIFF translation file via…

  • CVE-2022-3068 · Sep 21, 2022
    risk 0.00 · cvss · epss 0.00

    Improper Privilege Management in GitHub repository octoprint/octoprint prior to 1.8.3.

  • CVE-2022-39203 · Sep 13, 2022
    risk 0.00 · cvss · epss 0.01

    matrix-appservice-irc is an open source Node.js IRC bridge for Matrix. Attackers can specify a specific string of characters, which would confuse the bridge into combining an attacker-owned channel and an existing channel, allowing them to grant themselves permissions in the…

  • CVE-2022-39202 · Sep 13, 2022
    risk 0.00 · cvss · epss 0.01

    matrix-appservice-irc is an open source Node.js IRC bridge for Matrix. The Internet Relay Chat (IRC) protocol allows you to specify multiple modes in a single mode command. Due to a bug in the underlying matrix-org/node-irc library, affected versions of matrix-appservice-irc…

  • CVE-2022-31166 · Sep 7, 2022
    risk 0.00 · cvss · epss 0.01

    XWiki Platform Old Core is a core package for XWiki Platform, a generic wiki platform. Starting in versions 11.3.7, 11.0.3, and 12.0RC1, it is possible to exploit a bug in XWikiRights resolution of groups to obtain privilege escalation. More specifically, editing a right with…

  • CVE-2022-36157 · Aug 19, 2022
    risk 0.00 · cvss · epss 0.01

    XXL-JOB, all versions as of 11 July 2022, is vulnerable to Insecure Permissions, resulting in the ability to execute admin functions with a low-privilege account.

  • CVE-2022-35921 · Aug 1, 2022
    risk 0.00 · cvss · epss 0.00

    fof/byobu is a private discussions extension for Flarum forum. Affected versions were found to not respect private discussion disablement by users. Users of Byobu should update the extension to version 1.1.7, where this has been patched. Users of Byobu with Flarum 1.0 or 1.1…