Common Weakness Enumeration

CWE-272

Allowed

Least Privilege Violation

Abstraction: Base · Status: Incomplete

The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed.

54 vulnerabilities reference this CWE, most recent first.

GHSA-H64C-RQQH-Q3FP

Vulnerability from github – Published: 2024-08-20 12:30 – Updated: 2024-12-03 18:31
VLAI
Details

Least privilege violation and reliance on untrusted inputs in the mk_informix Checkmk agent plugin before Checkmk 2.3.0p12, 2.2.0p32, 2.1.0p47 and 2.0.0 (EOL) allows local users to escalate privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-28829"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-272"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-20T10:15:05Z",
    "severity": "MODERATE"
  },
  "details": "Least privilege violation and reliance on untrusted inputs in the mk_informix Checkmk agent plugin before Checkmk 2.3.0p12, 2.2.0p32, 2.1.0p47 and 2.0.0 (EOL) allows local users to escalate privileges.",
  "id": "GHSA-h64c-rqqh-q3fp",
  "modified": "2024-12-03T18:31:02Z",
  "published": "2024-08-20T12:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28829"
    },
    {
      "type": "WEB",
      "url": "https://checkmk.com/werk/16249"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-J8PH-9C6M-2F5W

Vulnerability from github – Published: 2026-02-03 06:31 – Updated: 2026-02-06 21:30
VLAI
Details

A vulnerability in Brocade Fabric OS before 9.2.1c3 could allow elevating the privileges of the local authenticated user to “root” using the export option of seccertmgmt and seccryptocfg commands.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-9711"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-272"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-03T06:15:53Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in Brocade Fabric OS before 9.2.1c3 could allow elevating the privileges of the local authenticated user to \u201croot\u201d using the export option of seccertmgmt and seccryptocfg commands.",
  "id": "GHSA-j8ph-9c6m-2f5w",
  "modified": "2026-02-06T21:30:48Z",
  "published": "2026-02-03T06:31:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9711"
    },
    {
      "type": "WEB",
      "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36852"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-MXR3-8WHJ-J74R

Vulnerability from github – Published: 2025-04-22 01:07 – Updated: 2025-04-22 01:07
VLAI
Summary
Harden-Runner allows evasion of 'disable-sudo' policy
Details

Summary

Harden-Runner includes a policy option disable-sudo to prevent the GitHub Actions runner user from using sudo. This is implemented by removing the runner user from the sudoers file. However, this control can be bypassed as the runner user, being part of the docker group, can interact with the Docker daemon to launch privileged containers or access the host filesystem. This allows the attacker to regain root access or restore the sudoers file, effectively bypassing the restriction.

For an attacker to bypass this control, they would first need the ability to run their malicious code (e.g., by a supply chain attack similar to tj-actions or exploiting a Pwn Request vulnerability)) on the runner. This vulnerability has been fixed in Harden-Runner version v2.12.0.

Impact

An attacker with the ability to run their malicious code on a runner configured with disable-sudo: true can escalate privileges to root using Docker, defeating the intended security control.

Affected Configuration

• Harden-Runner configurations that use disable-sudo: true on GitHub-hosted runners or on ephemeral self-hosted VM-based runners. • This issue does not apply to Kubernetes-based Actions Runner Controller (ARC) Harden-Runner.

Mitigation / Fix

This vulnerability has been fixed in Harden-Runner version v2.12.0. Users should migrate to the stronger disable-sudo-and-containers policy. This setting: • Disables sudo access, • Removes access to dockerd and containerd sockets, • Uninstalls Docker from the runner entirely, preventing container-based privilege escalation paths.

Additional Improvements

• The disable-sudo option will be deprecated in the future, as it does not sufficiently restrict privilege escalation on its own. • Harden-Runner now includes detections to alert on attempts to evade the disable-sudo policy.

Credits

Reported by @loresuso and @darryk10. We would like to thank them for collaborating with us to mitigate the vulnerability.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "GitHub Actions",
        "name": "step-security/harden-runner"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.12.0"
            },
            {
              "fixed": "2.12.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-32955"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-250",
      "CWE-268",
      "CWE-272"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-22T01:07:03Z",
    "nvd_published_at": "2025-04-21T21:15:20Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nHarden-Runner includes a policy option `disable-sudo` to prevent the GitHub Actions runner user from using sudo. This is implemented by removing the runner user from the sudoers file. However, this control can be bypassed as the runner user, being part of the docker group, can interact with the Docker daemon to launch privileged containers or access the host filesystem. This allows the attacker to regain root access or restore the sudoers file, effectively bypassing the restriction. \n\nFor an attacker to bypass this control, they would first need the ability to run their malicious code (e.g., by a supply chain attack similar to tj-actions or exploiting a Pwn Request vulnerability)) on the runner. This vulnerability has been fixed in Harden-Runner version `v2.12.0`.\n\n### Impact\nAn attacker with the ability to run their malicious code on a runner configured with `disable-sudo: true` can escalate privileges to root using Docker, defeating the intended security control.\n\n### Affected Configuration\n\u2022\tHarden-Runner configurations that use `disable-sudo: true` on GitHub-hosted runners or on ephemeral self-hosted VM-based runners.\n\u2022\tThis issue does not apply to Kubernetes-based Actions Runner Controller (ARC) Harden-Runner.\n\n### Mitigation / Fix\nThis vulnerability has been fixed in Harden-Runner version `v2.12.0`. Users should migrate to the stronger `disable-sudo-and-containers` policy. This setting:\n\u2022\tDisables sudo access,\n\u2022\tRemoves access to dockerd and containerd sockets,\n\u2022\tUninstalls Docker from the runner entirely, preventing container-based privilege escalation paths.\n\n\n### Additional Improvements\n\u2022\tThe `disable-sudo` option will be deprecated in the future, as it does not sufficiently restrict privilege escalation on its own. \n\u2022\tHarden-Runner now includes detections to alert on attempts to evade the `disable-sudo` policy.\n\n\n### Credits\nReported by @loresuso and @darryk10. We would like to thank them for collaborating with us to mitigate the vulnerability.",
  "id": "GHSA-mxr3-8whj-j74r",
  "modified": "2025-04-22T01:07:03Z",
  "published": "2025-04-22T01:07:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/step-security/harden-runner/security/advisories/GHSA-mxr3-8whj-j74r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32955"
    },
    {
      "type": "WEB",
      "url": "https://github.com/step-security/harden-runner/commit/0634a2670c59f64b4a01f0f96f84700a4088b9f0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/step-security/harden-runner"
    },
    {
      "type": "WEB",
      "url": "https://github.com/step-security/harden-runner/releases/tag/v2.12.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Harden-Runner allows evasion of \u0027disable-sudo\u0027 policy"
}

GHSA-PMPQ-66CP-597X

Vulnerability from github – Published: 2026-01-26 12:30 – Updated: 2026-01-27 21:31
VLAI
Details

The binary serving the web server and executing basically all actions launched from the Web UI is running with root privileges. This is against the least privilege principle. If an attacker is able to execute code on the system via other vulnerabilities it is possible to directly execute commands with highest privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-59106"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-272"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-26T10:16:08Z",
    "severity": "HIGH"
  },
  "details": "The binary serving the web server and executing basically all actions launched from the Web UI is running with root privileges. This is against the least privilege principle. If an attacker is able to execute code on the system via other vulnerabilities it is possible to directly execute commands with highest privileges.",
  "id": "GHSA-pmpq-66cp-597x",
  "modified": "2026-01-27T21:31:46Z",
  "published": "2026-01-26T12:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59106"
    },
    {
      "type": "WEB",
      "url": "https://r.sec-consult.com/dkaccess"
    },
    {
      "type": "WEB",
      "url": "https://r.sec-consult.com/dormakaba"
    },
    {
      "type": "WEB",
      "url": "https://www.dormakabagroup.com/en/security-advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PVJH-6P44-VCV3

Vulnerability from github – Published: 2025-07-23 03:32 – Updated: 2025-07-23 03:32
VLAI
Details

The Social Streams plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.0.1. This is due to the plugin not properly validating a user's identity prior to updating their user meta information in the update_user_meta() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change their user type to that of an administrator.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-7722"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-272"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-23T03:15:25Z",
    "severity": "HIGH"
  },
  "details": "The Social Streams plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.0.1. This is due to the plugin not properly validating a user\u0027s identity prior to updating their user meta information in the update_user_meta() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change their user type to that of an administrator.",
  "id": "GHSA-pvjh-6p44-vcv3",
  "modified": "2025-07-23T03:32:05Z",
  "published": "2025-07-23T03:32:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7722"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/social-streams/trunk/src/php/JsonAPI.php#275"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f3f01b88-6f93-4ee8-8d59-9165ebcd4dd1?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PWJH-HFQC-XGC7

Vulnerability from github – Published: 2026-05-13 18:30 – Updated: 2026-05-13 18:30
VLAI
Details

A vulnerability exists in iControl REST and the TMOS Shell (tmsh) where a highly privileged, authenticated attacker with at least the Manager role can create configuration objects that allow running arbitrary commands.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-39459"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-272"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-13T16:16:41Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability exists in iControl REST and the TMOS Shell (tmsh) where a highly privileged, authenticated attacker with at least the Manager role can create configuration objects that allow running arbitrary commands.\n\n\u00a0Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
  "id": "GHSA-pwjh-hfqc-xgc7",
  "modified": "2026-05-13T18:30:55Z",
  "published": "2026-05-13T18:30:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39459"
    },
    {
      "type": "WEB",
      "url": "https://my.f5.com/manage/s/article/K000160863"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-QRJ2-26JQ-RQ86

Vulnerability from github – Published: 2024-05-14 18:30 – Updated: 2024-07-03 18:41
VLAI
Details

Veritas System Recovery before 23.2_Hotfix has incorrect permissions for the Veritas System Recovery folder, and thus low-privileged users can conduct attacks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-35204"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-272"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-14T15:39:42Z",
    "severity": "HIGH"
  },
  "details": "Veritas System Recovery before 23.2_Hotfix has incorrect permissions for the Veritas System Recovery folder, and thus low-privileged users can conduct attacks.",
  "id": "GHSA-qrj2-26jq-rq86",
  "modified": "2024-07-03T18:41:21Z",
  "published": "2024-05-14T18:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35204"
    },
    {
      "type": "WEB",
      "url": "https://www.veritas.com/content/support/en_US/article.100065391"
    },
    {
      "type": "WEB",
      "url": "https://www.veritas.com/support/en_US/security/VTS24-005"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R427-J2H7-WV3M

Vulnerability from github – Published: 2026-06-18 13:04 – Updated: 2026-06-18 13:04
VLAI
Summary
Strimzi: Unrestricted access to all Secrets within namespace watched by the Topic operator
Details

Impact

When only the Topic or only the User operators are deployed as part of the Entity Operator in the Kafka custom resource, the RBAC rights are not following the principle of least-privilege and the Entity Operator ServiceAccount still has access rights corresponding to both operators. That might allow the ServiceAccount to access KafkaUser custom resources and Secrets when the User operator is not deployed and access KafkaTopic custom resources when the Topic operator is not deployed.

Patches

The issue is fixed in Strimzi 1.0.1 and 1.1.0.

Workarounds

There is no workaround for this issue.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.0.0"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "io.strimzi:strimzi"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-55226"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-272"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-18T13:04:49Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nWhen only the Topic or only the User operators are deployed as part of the Entity Operator in the `Kafka` custom resource, the RBAC rights are not following the principle of least-privilege and the Entity Operator ServiceAccount still has access rights corresponding to both operators. That might allow the ServiceAccount to access `KafkaUser` custom resources and Secrets when the User operator is not deployed and access `KafkaTopic` custom resources when the Topic operator is not deployed.\n\n### Patches\n\nThe issue is fixed in Strimzi 1.0.1 and 1.1.0.\n\n### Workarounds\n\nThere is no workaround for this issue.",
  "id": "GHSA-r427-j2h7-wv3m",
  "modified": "2026-06-18T13:04:49Z",
  "published": "2026-06-18T13:04:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/strimzi/strimzi-kafka-operator/security/advisories/GHSA-r427-j2h7-wv3m"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/strimzi/strimzi-kafka-operator"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Strimzi: Unrestricted access to all Secrets within namespace watched by the Topic operator"
}

GHSA-RG89-92M2-5HJ6

Vulnerability from github – Published: 2024-02-26 18:30 – Updated: 2024-02-26 18:30
VLAI
Details

A user with a default role given to them by the admin can sent DELETE HTTP requests to remove-folder and remove-document to delete folders and source files from the instance even when their role should explicitly not allow this action on the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-0798"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-272"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-26T16:27:51Z",
    "severity": "HIGH"
  },
  "details": "A user with a `default` role given to them by the admin can sent `DELETE` HTTP requests to `remove-folder` and `remove-document` to delete folders and source files from the instance even when their role should explicitly not allow this action on the system.",
  "id": "GHSA-rg89-92m2-5hj6",
  "modified": "2024-02-26T18:30:29Z",
  "published": "2024-02-26T18:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0798"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mintplex-labs/anything-llm/commit/d5cde8b7c27a47ab45b05b441db16751537f1733"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/607f03a0-ab4d-4905-b253-3d28bbbd363c"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V3GW-R3Q8-W5VR

Vulnerability from github – Published: 2026-04-27 21:31 – Updated: 2026-04-27 21:31
VLAI
Details

Dell Alienware Command Center (AWCC), versions prior to 6.13.8.0, contain a Least Privilege Violation vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of Privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-32655"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-272"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-27T19:16:47Z",
    "severity": "MODERATE"
  },
  "details": "Dell Alienware Command Center (AWCC), versions prior to 6.13.8.0, contain a Least Privilege Violation vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of Privileges.",
  "id": "GHSA-v3gw-r3q8-w5vr",
  "modified": "2026-04-27T21:31:02Z",
  "published": "2026-04-27T21:31:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32655"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000451018/dsa-2026-192-security-update-for-dell-alienware-command-center-6-x-for-multiple-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-1
Architecture and Design Operation

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

Mitigation MIT-48
Architecture and Design

Strategy: Separation of Privilege

Follow the principle of least privilege when assigning access rights to entities in a software system.

Mitigation MIT-46
Architecture and Design

Strategy: Separation of Privilege

  • Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
  • Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
CAPEC-17: Using Malicious Files

An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.

CAPEC-35: Leverage Executable Code in Non-Executable Files

An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.

CAPEC-76: Manipulating Web Input to File System Calls

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.