Common Weakness Enumeration

CWE-269

Discouraged

Improper Privilege Management

Abstraction: Class · Status: Draft

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

5455 vulnerabilities reference this CWE, most recent first.

GHSA-3FPM-8W39-5P69

Vulnerability from github – Published: 2022-05-13 01:26 – Updated: 2022-05-13 01:26
VLAI
Details

The ec2tokens API in OpenStack Identity (Keystone) before Havana 2013.2.1 and Icehouse before icehouse-2 does not return a trust-scoped token when one is received, which allows remote trust users to gain privileges by generating EC2 credentials from a trust-scoped token and using them in an ec2tokens API request.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2013-6391"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2013-12-14T17:21:00Z",
    "severity": "MODERATE"
  },
  "details": "The ec2tokens API in OpenStack Identity (Keystone) before Havana 2013.2.1 and Icehouse before icehouse-2 does not return a trust-scoped token when one is received, which allows remote trust users to gain privileges by generating EC2 credentials from a trust-scoped token and using them in an ec2tokens API request.",
  "id": "GHSA-3fpm-8w39-5p69",
  "modified": "2022-05-13T01:26:09Z",
  "published": "2022-05-13T01:26:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6391"
    },
    {
      "type": "WEB",
      "url": "https://bugs.launchpad.net/keystone/+bug/1242597"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/89657"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2014-0089.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/56079"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/56154"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2013/12/11/7"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/64253"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-2061-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-3FX9-G477-R6F6

Vulnerability from github – Published: 2022-05-24 17:21 – Updated: 2022-05-24 17:21
VLAI
Details

NVIDIA Windows GPU Display Driver, all versions, contains a vulnerability in the Inter Process Communication APIs, in which improper access control may lead to code execution, denial of service, or information disclosure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-5963"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-06-25T00:15:00Z",
    "severity": "MODERATE"
  },
  "details": "NVIDIA Windows GPU Display Driver, all versions, contains a vulnerability in the Inter Process Communication APIs, in which improper access control may lead to code execution, denial of service, or information disclosure.",
  "id": "GHSA-3fx9-g477-r6f6",
  "modified": "2022-05-24T17:21:41Z",
  "published": "2022-05-24T17:21:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5963"
    },
    {
      "type": "WEB",
      "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5031"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4404-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4404-2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-3G2J-VM47-X4MJ

Vulnerability from github – Published: 2025-11-13 23:01 – Updated: 2025-11-18 18:40
VLAI
Summary
LXD vulnerable to a local privilege escalation through custom storage volumes
Details

Impact

This affects any LXD user in an environment where an unprivileged user may have root access to a container with an attached custom storage volume that has the security.shifted property set to true as well as access to the host as an unprivileged user.

The most common case for this would be systems using lxd-user with the less privileged lxd group to provide unprivileged users with an isolated restricted access to LXD. Such users may be able to create a custom storage volume with the necessary property (depending on kernel and filesystem support) and can then write a setuid binary from within the container which can be executed as an unprivileged user on the host to gain root privileges.

Patches

Patches for this issue are available:

  • LXD 6 series: https://github.com/canonical/lxd/pull/16904
  • LXD 5.21 LTS series: https://github.com/canonical/lxd/pull/16922
  • LXD 5.0 LTS series: https://github.com/canonical/lxd/pull/16923
  • LXD 4.0 LTS series: https://github.com/canonical/lxd/pull/16924

The first commit changes the permissions for any new storage pool, the later commit adds a patch that applies it on startup to all existing storage pools.

These fixes are also available in the associated candidate snap channels for each LTS series:

  • 5.21/candidate (5.21.4-8a3cf61)
  • 5.0/candidate (5.0.5-5c60378)
  • 4.0/candidate (4.0.10-35a8127)

We will be preparing intermediate releases to the associated stable snap channels shortly.

Workarounds

Permissions can be manually restricted until a patched version of LXD is deployed.

This is done with:

sudo nsenter --mount=/run/snapd/ns/lxd.mnt -- chmod 0700 /var/snap/lxd/common/lxd/storage-pools/*/{custom*,virtual-machines*,images}
sudo nsenter --mount=/run/snapd/ns/lxd.mnt -- chmod 0711 /var/snap/lxd/common/lxd/storage-pools/*/{containers*,buckets*}

Those are the same permissions which will be applied by the patched LXD for both new and existing storage pools.

References

This was reported to Incus publicly on Github here:

  • https://github.com/lxc/incus/security/advisories/GHSA-56mx-8g9f-5crf
  • https://github.com/lxc/incus/issues/2641
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/canonical/lxd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20251110144034-698854d0164f"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-13T23:01:44Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "**Impact**\n\nThis affects any LXD user in an environment where an unprivileged user may have root access to a container with an attached custom storage volume that has the `security.shifted` property set to `true` as well as access to the host as an unprivileged user.\n\nThe most common case for this would be systems using `lxd-user` with the less privileged lxd group to provide unprivileged users with an isolated restricted access to LXD. Such users may be able to create a custom storage volume with the necessary property (depending on kernel and filesystem support) and can then write a setuid binary from within the container which can be executed as an unprivileged user on the host to gain root privileges.\n\n**Patches**\n\nPatches for this issue are available: \n\n- LXD 6 series: https://github.com/canonical/lxd/pull/16904\n- LXD 5.21 LTS series: https://github.com/canonical/lxd/pull/16922\n- LXD 5.0 LTS series: https://github.com/canonical/lxd/pull/16923\n- LXD 4.0 LTS series: https://github.com/canonical/lxd/pull/16924 \n\nThe first commit changes the permissions for any new storage pool, the later commit adds a patch that applies it on startup to all existing storage pools.\n\nThese fixes are also available in the associated candidate snap channels for each LTS series:\n\n- 5.21/candidate (5.21.4-8a3cf61)\n- 5.0/candidate (5.0.5-5c60378)\n- 4.0/candidate (4.0.10-35a8127)\n\nWe will be preparing intermediate releases to the associated stable snap channels shortly.\n\n**Workarounds**\n\nPermissions can be manually restricted until a patched version of LXD is deployed.\n\nThis is done with:\n\n```\nsudo nsenter --mount=/run/snapd/ns/lxd.mnt -- chmod 0700 /var/snap/lxd/common/lxd/storage-pools/*/{custom*,virtual-machines*,images}\nsudo nsenter --mount=/run/snapd/ns/lxd.mnt -- chmod 0711 /var/snap/lxd/common/lxd/storage-pools/*/{containers*,buckets*}\n```\n\nThose are the same permissions which will be applied by the patched LXD for both new and existing storage pools.\n\n**References**\n\nThis was reported to Incus publicly on Github here: \n\n- https://github.com/lxc/incus/security/advisories/GHSA-56mx-8g9f-5crf\n- https://github.com/lxc/incus/issues/2641",
  "id": "GHSA-3g2j-vm47-x4mj",
  "modified": "2025-11-18T18:40:12Z",
  "published": "2025-11-13T23:01:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/canonical/lxd/security/advisories/GHSA-3g2j-vm47-x4mj"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lxc/incus/security/advisories/GHSA-56mx-8g9f-5crf"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lxc/incus/issues/2641"
    },
    {
      "type": "WEB",
      "url": "https://github.com/canonical/lxd/pull/16904"
    },
    {
      "type": "WEB",
      "url": "https://github.com/canonical/lxd/pull/16922"
    },
    {
      "type": "WEB",
      "url": "https://github.com/canonical/lxd/pull/16923"
    },
    {
      "type": "WEB",
      "url": "https://github.com/canonical/lxd/pull/16924"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/canonical/lxd"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "LXD vulnerable to a local privilege escalation through custom storage volumes"
}

GHSA-3G7G-5M3G-G57P

Vulnerability from github – Published: 2022-05-24 17:10 – Updated: 2022-05-24 17:10
VLAI
Details

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0877, CVE-2020-0887.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-0788"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-03-12T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka \u0027Win32k Elevation of Privilege Vulnerability\u0027. This CVE ID is unique from CVE-2020-0877, CVE-2020-0887.",
  "id": "GHSA-3g7g-5m3g-g57p",
  "modified": "2022-05-24T17:10:56Z",
  "published": "2022-05-24T17:10:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-0788"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0788"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-3G7W-2HM5-MFRJ

Vulnerability from github – Published: 2022-05-24 17:38 – Updated: 2024-10-08 18:33
VLAI
Details

Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1686, CVE-2021-1687, CVE-2021-1690.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-1681"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-01-12T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "Windows WalletService Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1686, CVE-2021-1687, CVE-2021-1690.",
  "id": "GHSA-3g7w-2hm5-mfrj",
  "modified": "2024-10-08T18:33:00Z",
  "published": "2022-05-24T17:38:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1681"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1681"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1681"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3GCV-CWCR-W49H

Vulnerability from github – Published: 2022-05-24 17:19 – Updated: 2022-05-24 17:19
VLAI
Details

An elevation of privilege vulnerability exists in OpenSSH for Windows when it does not properly restrict access to configuration settings, aka 'OpenSSH for Windows Elevation of Privilege Vulnerability'.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-1292"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-06-09T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An elevation of privilege vulnerability exists in OpenSSH for Windows when it does not properly restrict access to configuration settings, aka \u0027OpenSSH for Windows Elevation of Privilege Vulnerability\u0027.",
  "id": "GHSA-3gcv-cwcr-w49h",
  "modified": "2022-05-24T17:19:57Z",
  "published": "2022-05-24T17:19:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1292"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1292"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-3GCX-7VW9-42M9

Vulnerability from github – Published: 2022-09-20 00:00 – Updated: 2025-05-29 18:31
VLAI
Details

A vulnerability in Suprema Bio Star 2 v2.8.16 allows attackers to escalate privileges to System Administrator via a crafted PUT request to the update profile page.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-38351"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-19T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in Suprema Bio Star 2 v2.8.16 allows attackers to escalate privileges to System Administrator via a crafted PUT request to the update profile page.",
  "id": "GHSA-3gcx-7vw9-42m9",
  "modified": "2025-05-29T18:31:08Z",
  "published": "2022-09-20T00:00:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38351"
    },
    {
      "type": "WEB",
      "url": "https://nobugescapes.com/blog/privilege-escalation-from-user-operator-to-system-administrator"
    },
    {
      "type": "WEB",
      "url": "https://nobugescapes.com/wp-content/uploads/2022/08/Part1.docx"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3GG5-933F-4WGH

Vulnerability from github – Published: 2022-05-24 17:20 – Updated: 2022-05-24 17:20
VLAI
Details

An elevation of privilege vulnerability exists when Group Policy improperly checks access, aka 'Group Policy Elevation of Privilege Vulnerability'.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-1317"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-06-09T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "An elevation of privilege vulnerability exists when Group Policy improperly checks access, aka \u0027Group Policy Elevation of Privilege Vulnerability\u0027.",
  "id": "GHSA-3gg5-933f-4wgh",
  "modified": "2022-05-24T17:20:00Z",
  "published": "2022-05-24T17:20:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1317"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1317"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-3GPH-8868-XM4R

Vulnerability from github – Published: 2023-09-06 21:32 – Updated: 2024-04-04 07:32
VLAI
Details

SearchBlox before Version 9.2.1 is vulnerable to Privileged Escalation-Lower user is able to access Admin functionality.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-10129"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266",
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-06T19:15:43Z",
    "severity": "HIGH"
  },
  "details": "SearchBlox before Version 9.2.1 is vulnerable to Privileged Escalation-Lower user is able to access Admin functionality.",
  "id": "GHSA-3gph-8868-xm4r",
  "modified": "2024-04-04T07:32:16Z",
  "published": "2023-09-06T21:32:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10129"
    },
    {
      "type": "WEB",
      "url": "https://developer.searchblox.com/v9.2/changelog/version-91"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3GW6-8WWV-RHR2

Vulnerability from github – Published: 2022-05-24 19:01 – Updated: 2022-06-29 00:00
VLAI
Details

Exim 4 before 4.94.2 has Execution with Unnecessary Privileges. By leveraging a delete_pid_file race condition, a local user can delete arbitrary files as root. This involves the -oP and -oPX options.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-27216"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-06T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Exim 4 before 4.94.2 has Execution with Unnecessary Privileges. By leveraging a delete_pid_file race condition, a local user can delete arbitrary files as root. This involves the -oP and -oPX options.",
  "id": "GHSA-3gw6-8wwv-rhr2",
  "modified": "2022-06-29T00:00:48Z",
  "published": "2022-05-24T19:01:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27216"
    },
    {
      "type": "WEB",
      "url": "https://www.exim.org/static/doc/security/CVE-2020-qualys/CVE-2020-28007-LFDIR.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-1
Architecture and Design Operation

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

Mitigation MIT-48
Architecture and Design

Strategy: Separation of Privilege

Follow the principle of least privilege when assigning access rights to entities in a software system.

Mitigation MIT-49
Architecture and Design

Strategy: Separation of Privilege

Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.

CAPEC-122: Privilege Abuse

An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources.

CAPEC-233: Privilege Escalation

An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform.

CAPEC-58: Restful Privilege Elevation

An adversary identifies a Rest HTTP (Get, Put, Delete) style permission method allowing them to perform various malicious actions upon server data due to lack of access control mechanisms implemented within the application service accepting HTTP messages.