CWE-269
DiscouragedImproper Privilege Management
Abstraction: Class · Status: Draft
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
5455 vulnerabilities reference this CWE, most recent first.
GHSA-3FPM-8W39-5P69
Vulnerability from github – Published: 2022-05-13 01:26 – Updated: 2022-05-13 01:26The ec2tokens API in OpenStack Identity (Keystone) before Havana 2013.2.1 and Icehouse before icehouse-2 does not return a trust-scoped token when one is received, which allows remote trust users to gain privileges by generating EC2 credentials from a trust-scoped token and using them in an ec2tokens API request.
{
"affected": [],
"aliases": [
"CVE-2013-6391"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2013-12-14T17:21:00Z",
"severity": "MODERATE"
},
"details": "The ec2tokens API in OpenStack Identity (Keystone) before Havana 2013.2.1 and Icehouse before icehouse-2 does not return a trust-scoped token when one is received, which allows remote trust users to gain privileges by generating EC2 credentials from a trust-scoped token and using them in an ec2tokens API request.",
"id": "GHSA-3fpm-8w39-5p69",
"modified": "2022-05-13T01:26:09Z",
"published": "2022-05-13T01:26:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6391"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/keystone/+bug/1242597"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/89657"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0089.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/56079"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/56154"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2013/12/11/7"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/64253"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-2061-1"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-3FX9-G477-R6F6
Vulnerability from github – Published: 2022-05-24 17:21 – Updated: 2022-05-24 17:21NVIDIA Windows GPU Display Driver, all versions, contains a vulnerability in the Inter Process Communication APIs, in which improper access control may lead to code execution, denial of service, or information disclosure.
{
"affected": [],
"aliases": [
"CVE-2020-5963"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-06-25T00:15:00Z",
"severity": "MODERATE"
},
"details": "NVIDIA Windows GPU Display Driver, all versions, contains a vulnerability in the Inter Process Communication APIs, in which improper access control may lead to code execution, denial of service, or information disclosure.",
"id": "GHSA-3fx9-g477-r6f6",
"modified": "2022-05-24T17:21:41Z",
"published": "2022-05-24T17:21:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5963"
},
{
"type": "WEB",
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5031"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4404-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4404-2"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-3G2J-VM47-X4MJ
Vulnerability from github – Published: 2025-11-13 23:01 – Updated: 2025-11-18 18:40Impact
This affects any LXD user in an environment where an unprivileged user may have root access to a container with an attached custom storage volume that has the security.shifted property set to true as well as access to the host as an unprivileged user.
The most common case for this would be systems using lxd-user with the less privileged lxd group to provide unprivileged users with an isolated restricted access to LXD. Such users may be able to create a custom storage volume with the necessary property (depending on kernel and filesystem support) and can then write a setuid binary from within the container which can be executed as an unprivileged user on the host to gain root privileges.
Patches
Patches for this issue are available:
- LXD 6 series: https://github.com/canonical/lxd/pull/16904
- LXD 5.21 LTS series: https://github.com/canonical/lxd/pull/16922
- LXD 5.0 LTS series: https://github.com/canonical/lxd/pull/16923
- LXD 4.0 LTS series: https://github.com/canonical/lxd/pull/16924
The first commit changes the permissions for any new storage pool, the later commit adds a patch that applies it on startup to all existing storage pools.
These fixes are also available in the associated candidate snap channels for each LTS series:
- 5.21/candidate (5.21.4-8a3cf61)
- 5.0/candidate (5.0.5-5c60378)
- 4.0/candidate (4.0.10-35a8127)
We will be preparing intermediate releases to the associated stable snap channels shortly.
Workarounds
Permissions can be manually restricted until a patched version of LXD is deployed.
This is done with:
sudo nsenter --mount=/run/snapd/ns/lxd.mnt -- chmod 0700 /var/snap/lxd/common/lxd/storage-pools/*/{custom*,virtual-machines*,images}
sudo nsenter --mount=/run/snapd/ns/lxd.mnt -- chmod 0711 /var/snap/lxd/common/lxd/storage-pools/*/{containers*,buckets*}
Those are the same permissions which will be applied by the patched LXD for both new and existing storage pools.
References
This was reported to Incus publicly on Github here:
- https://github.com/lxc/incus/security/advisories/GHSA-56mx-8g9f-5crf
- https://github.com/lxc/incus/issues/2641
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/canonical/lxd"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20251110144034-698854d0164f"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-13T23:01:44Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "**Impact**\n\nThis affects any LXD user in an environment where an unprivileged user may have root access to a container with an attached custom storage volume that has the `security.shifted` property set to `true` as well as access to the host as an unprivileged user.\n\nThe most common case for this would be systems using `lxd-user` with the less privileged lxd group to provide unprivileged users with an isolated restricted access to LXD. Such users may be able to create a custom storage volume with the necessary property (depending on kernel and filesystem support) and can then write a setuid binary from within the container which can be executed as an unprivileged user on the host to gain root privileges.\n\n**Patches**\n\nPatches for this issue are available: \n\n- LXD 6 series: https://github.com/canonical/lxd/pull/16904\n- LXD 5.21 LTS series: https://github.com/canonical/lxd/pull/16922\n- LXD 5.0 LTS series: https://github.com/canonical/lxd/pull/16923\n- LXD 4.0 LTS series: https://github.com/canonical/lxd/pull/16924 \n\nThe first commit changes the permissions for any new storage pool, the later commit adds a patch that applies it on startup to all existing storage pools.\n\nThese fixes are also available in the associated candidate snap channels for each LTS series:\n\n- 5.21/candidate (5.21.4-8a3cf61)\n- 5.0/candidate (5.0.5-5c60378)\n- 4.0/candidate (4.0.10-35a8127)\n\nWe will be preparing intermediate releases to the associated stable snap channels shortly.\n\n**Workarounds**\n\nPermissions can be manually restricted until a patched version of LXD is deployed.\n\nThis is done with:\n\n```\nsudo nsenter --mount=/run/snapd/ns/lxd.mnt -- chmod 0700 /var/snap/lxd/common/lxd/storage-pools/*/{custom*,virtual-machines*,images}\nsudo nsenter --mount=/run/snapd/ns/lxd.mnt -- chmod 0711 /var/snap/lxd/common/lxd/storage-pools/*/{containers*,buckets*}\n```\n\nThose are the same permissions which will be applied by the patched LXD for both new and existing storage pools.\n\n**References**\n\nThis was reported to Incus publicly on Github here: \n\n- https://github.com/lxc/incus/security/advisories/GHSA-56mx-8g9f-5crf\n- https://github.com/lxc/incus/issues/2641",
"id": "GHSA-3g2j-vm47-x4mj",
"modified": "2025-11-18T18:40:12Z",
"published": "2025-11-13T23:01:44Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/canonical/lxd/security/advisories/GHSA-3g2j-vm47-x4mj"
},
{
"type": "WEB",
"url": "https://github.com/lxc/incus/security/advisories/GHSA-56mx-8g9f-5crf"
},
{
"type": "WEB",
"url": "https://github.com/lxc/incus/issues/2641"
},
{
"type": "WEB",
"url": "https://github.com/canonical/lxd/pull/16904"
},
{
"type": "WEB",
"url": "https://github.com/canonical/lxd/pull/16922"
},
{
"type": "WEB",
"url": "https://github.com/canonical/lxd/pull/16923"
},
{
"type": "WEB",
"url": "https://github.com/canonical/lxd/pull/16924"
},
{
"type": "PACKAGE",
"url": "https://github.com/canonical/lxd"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "LXD vulnerable to a local privilege escalation through custom storage volumes"
}
GHSA-3G7G-5M3G-G57P
Vulnerability from github – Published: 2022-05-24 17:10 – Updated: 2022-05-24 17:10An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0877, CVE-2020-0887.
{
"affected": [],
"aliases": [
"CVE-2020-0788"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-03-12T16:15:00Z",
"severity": "HIGH"
},
"details": "An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka \u0027Win32k Elevation of Privilege Vulnerability\u0027. This CVE ID is unique from CVE-2020-0877, CVE-2020-0887.",
"id": "GHSA-3g7g-5m3g-g57p",
"modified": "2022-05-24T17:10:56Z",
"published": "2022-05-24T17:10:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-0788"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0788"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-3G7W-2HM5-MFRJ
Vulnerability from github – Published: 2022-05-24 17:38 – Updated: 2024-10-08 18:33Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1686, CVE-2021-1687, CVE-2021-1690.
{
"affected": [],
"aliases": [
"CVE-2021-1681"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-01-12T20:15:00Z",
"severity": "HIGH"
},
"details": "Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1686, CVE-2021-1687, CVE-2021-1690.",
"id": "GHSA-3g7w-2hm5-mfrj",
"modified": "2024-10-08T18:33:00Z",
"published": "2022-05-24T17:38:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1681"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1681"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1681"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3GCV-CWCR-W49H
Vulnerability from github – Published: 2022-05-24 17:19 – Updated: 2022-05-24 17:19An elevation of privilege vulnerability exists in OpenSSH for Windows when it does not properly restrict access to configuration settings, aka 'OpenSSH for Windows Elevation of Privilege Vulnerability'.
{
"affected": [],
"aliases": [
"CVE-2020-1292"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-06-09T20:15:00Z",
"severity": "MODERATE"
},
"details": "An elevation of privilege vulnerability exists in OpenSSH for Windows when it does not properly restrict access to configuration settings, aka \u0027OpenSSH for Windows Elevation of Privilege Vulnerability\u0027.",
"id": "GHSA-3gcv-cwcr-w49h",
"modified": "2022-05-24T17:19:57Z",
"published": "2022-05-24T17:19:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1292"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1292"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-3GCX-7VW9-42M9
Vulnerability from github – Published: 2022-09-20 00:00 – Updated: 2025-05-29 18:31A vulnerability in Suprema Bio Star 2 v2.8.16 allows attackers to escalate privileges to System Administrator via a crafted PUT request to the update profile page.
{
"affected": [],
"aliases": [
"CVE-2022-38351"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-19T21:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability in Suprema Bio Star 2 v2.8.16 allows attackers to escalate privileges to System Administrator via a crafted PUT request to the update profile page.",
"id": "GHSA-3gcx-7vw9-42m9",
"modified": "2025-05-29T18:31:08Z",
"published": "2022-09-20T00:00:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38351"
},
{
"type": "WEB",
"url": "https://nobugescapes.com/blog/privilege-escalation-from-user-operator-to-system-administrator"
},
{
"type": "WEB",
"url": "https://nobugescapes.com/wp-content/uploads/2022/08/Part1.docx"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3GG5-933F-4WGH
Vulnerability from github – Published: 2022-05-24 17:20 – Updated: 2022-05-24 17:20An elevation of privilege vulnerability exists when Group Policy improperly checks access, aka 'Group Policy Elevation of Privilege Vulnerability'.
{
"affected": [],
"aliases": [
"CVE-2020-1317"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-06-09T20:15:00Z",
"severity": "HIGH"
},
"details": "An elevation of privilege vulnerability exists when Group Policy improperly checks access, aka \u0027Group Policy Elevation of Privilege Vulnerability\u0027.",
"id": "GHSA-3gg5-933f-4wgh",
"modified": "2022-05-24T17:20:00Z",
"published": "2022-05-24T17:20:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1317"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1317"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-3GPH-8868-XM4R
Vulnerability from github – Published: 2023-09-06 21:32 – Updated: 2024-04-04 07:32SearchBlox before Version 9.2.1 is vulnerable to Privileged Escalation-Lower user is able to access Admin functionality.
{
"affected": [],
"aliases": [
"CVE-2020-10129"
],
"database_specific": {
"cwe_ids": [
"CWE-266",
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-06T19:15:43Z",
"severity": "HIGH"
},
"details": "SearchBlox before Version 9.2.1 is vulnerable to Privileged Escalation-Lower user is able to access Admin functionality.",
"id": "GHSA-3gph-8868-xm4r",
"modified": "2024-04-04T07:32:16Z",
"published": "2023-09-06T21:32:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10129"
},
{
"type": "WEB",
"url": "https://developer.searchblox.com/v9.2/changelog/version-91"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3GW6-8WWV-RHR2
Vulnerability from github – Published: 2022-05-24 19:01 – Updated: 2022-06-29 00:00Exim 4 before 4.94.2 has Execution with Unnecessary Privileges. By leveraging a delete_pid_file race condition, a local user can delete arbitrary files as root. This involves the -oP and -oPX options.
{
"affected": [],
"aliases": [
"CVE-2021-27216"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-06T13:15:00Z",
"severity": "MODERATE"
},
"details": "Exim 4 before 4.94.2 has Execution with Unnecessary Privileges. By leveraging a delete_pid_file race condition, a local user can delete arbitrary files as root. This involves the -oP and -oPX options.",
"id": "GHSA-3gw6-8wwv-rhr2",
"modified": "2022-06-29T00:00:48Z",
"published": "2022-05-24T19:01:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27216"
},
{
"type": "WEB",
"url": "https://www.exim.org/static/doc/security/CVE-2020-qualys/CVE-2020-28007-LFDIR.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-1
Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Mitigation MIT-48
Strategy: Separation of Privilege
Follow the principle of least privilege when assigning access rights to entities in a software system.
Mitigation MIT-49
Strategy: Separation of Privilege
Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
CAPEC-122: Privilege Abuse
An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources.
CAPEC-233: Privilege Escalation
An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform.
CAPEC-58: Restful Privilege Elevation
An adversary identifies a Rest HTTP (Get, Put, Delete) style permission method allowing them to perform various malicious actions upon server data due to lack of access control mechanisms implemented within the application service accepting HTTP messages.