CWE-273
AllowedImproper Check for Dropped Privileges
Abstraction: Base · Status: Incomplete
The product attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded.
54 vulnerabilities reference this CWE, most recent first.
GHSA-JCXC-5F87-VQ5M
Vulnerability from github – Published: 2022-05-24 17:02 – Updated: 2025-06-09 18:32An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support "saved UID" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use "enable -f" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.
{
"affected": [],
"aliases": [
"CVE-2019-18276"
],
"database_specific": {
"cwe_ids": [
"CWE-273"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-11-28T01:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support \"saved UID\" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use \"enable -f\" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.",
"id": "GHSA-jcxc-5f87-vq5m",
"modified": "2025-06-09T18:32:00Z",
"published": "2022-05-24T17:02:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18276"
},
{
"type": "WEB",
"url": "https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202105-34"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20200430-0003"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"type": "WEB",
"url": "https://www.youtube.com/watch?v=-wGtxJ8opa8"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/155498/Bash-5.0-Patch-11-Privilege-Escalation.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JMWV-XWW6-6HCV
Vulnerability from github – Published: 2023-07-13 00:30 – Updated: 2024-04-04 06:05In ShortcutInfo of ShortcutInfo.java, there is a possible way for an app to retain notification listening access due to an uncaught exception. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{
"affected": [],
"aliases": [
"CVE-2023-21246"
],
"database_specific": {
"cwe_ids": [
"CWE-273",
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-13T00:15:23Z",
"severity": "LOW"
},
"details": "In ShortcutInfo of ShortcutInfo.java, there is a possible way for an app to retain notification listening access due to an uncaught exception. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.\n\n",
"id": "GHSA-jmwv-xww6-6hcv",
"modified": "2024-04-04T06:05:20Z",
"published": "2023-07-13T00:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21246"
},
{
"type": "WEB",
"url": "https://android.googlesource.com/platform/frameworks/base/+/fc1b9998ca8a9fceba47d67fd9ea9b45705b53e0"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2023-07-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JP65-2H7Q-QFG7
Vulnerability from github – Published: 2025-07-23 12:30 – Updated: 2025-07-31 12:30A Reliance on Untrusted Inputs in a Security Decision vulnerability in the logrotate configuration for openSUSEs mailman3 package allows potential escalation from mailman to rootThis issue affects openSUSE Tumbleweed: from ? before 3.3.10-2.1.
{
"affected": [],
"aliases": [
"CVE-2025-53882"
],
"database_specific": {
"cwe_ids": [
"CWE-273",
"CWE-807"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-23T10:15:24Z",
"severity": "CRITICAL"
},
"details": "A Reliance on Untrusted Inputs in a Security Decision vulnerability in the logrotate configuration for openSUSEs mailman3 package allows\u00a0potential escalation from mailman to rootThis issue affects openSUSE Tumbleweed: from ? before 3.3.10-2.1.",
"id": "GHSA-jp65-2h7q-qfg7",
"modified": "2025-07-31T12:30:26Z",
"published": "2025-07-23T12:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53882"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-53882"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-JR98-79Q5-WWFM
Vulnerability from github – Published: 2022-05-24 17:25 – Updated: 2023-01-27 21:31SNMPTT before 1.4.2 allows attackers to execute shell code via EXEC, PREXEC, or unknown_trap_exec.
{
"affected": [],
"aliases": [
"CVE-2020-24361"
],
"database_specific": {
"cwe_ids": [
"CWE-273"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-08-16T04:15:00Z",
"severity": "CRITICAL"
},
"details": "SNMPTT before 1.4.2 allows attackers to execute shell code via EXEC, PREXEC, or unknown_trap_exec.",
"id": "GHSA-jr98-79q5-wwfm",
"modified": "2023-01-27T21:31:12Z",
"published": "2022-05-24T17:25:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24361"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00006.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202007-63"
},
{
"type": "WEB",
"url": "http://www.snmptt.org/changelog.shtml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MV2V-9Q68-4C8H
Vulnerability from github – Published: 2022-08-29 20:06 – Updated: 2022-09-02 00:01A flaw was found in the QEMU virtio-fs shared file system daemon (virtiofsd) implementation. This flaw is strictly related to CVE-2018-13405. A local guest user can create files in the directories shared by virtio-fs with unintended group ownership in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of the group. This could allow a malicious unprivileged user inside the guest to gain access to resources accessible to the root group, potentially escalating their privileges within the guest. A malicious local user in the host might also leverage this unexpected executable file created by the guest to escalate their privileges on the host system.
{
"affected": [],
"aliases": [
"CVE-2022-0358"
],
"database_specific": {
"cwe_ids": [
"CWE-273"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-29T15:15:00Z",
"severity": "HIGH"
},
"details": "A flaw was found in the QEMU virtio-fs shared file system daemon (virtiofsd) implementation. This flaw is strictly related to CVE-2018-13405. A local guest user can create files in the directories shared by virtio-fs with unintended group ownership in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of the group. This could allow a malicious unprivileged user inside the guest to gain access to resources accessible to the root group, potentially escalating their privileges within the guest. A malicious local user in the host might also leverage this unexpected executable file created by the guest to escalate their privileges on the host system.",
"id": "GHSA-mv2v-9q68-4c8h",
"modified": "2022-09-02T00:01:03Z",
"published": "2022-08-29T20:06:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0358"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2022-0358"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2044863"
},
{
"type": "WEB",
"url": "https://gitlab.com/qemu-project/qemu/-/commit/449e8171f96a6a944d1f3b7d3627ae059eae21ca"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20221007-0008"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PC7P-8FGV-4X9C
Vulnerability from github – Published: 2026-05-21 09:32 – Updated: 2026-05-21 09:32Authentication modules in Netatalk 1.5.0 through 4.4.2 fail to check the return value of seteuid(), which may allow a remote authenticated attacker to retain elevated privileges under error conditions.
{
"affected": [],
"aliases": [
"CVE-2026-44073"
],
"database_specific": {
"cwe_ids": [
"CWE-273"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-21T08:16:22Z",
"severity": "MODERATE"
},
"details": "Authentication modules in Netatalk 1.5.0 through 4.4.2 fail to check the return value of seteuid(), which may allow a remote authenticated attacker to retain elevated privileges under error conditions.",
"id": "GHSA-pc7p-8fgv-4x9c",
"modified": "2026-05-21T09:32:10Z",
"published": "2026-05-21T09:32:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44073"
},
{
"type": "WEB",
"url": "https://netatalk.io/security/CVE-2026-44073"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-PH32-HGPC-R5J4
Vulnerability from github – Published: 2024-09-03 15:30 – Updated: 2025-11-04 18:31Internal browser event interfaces were exposed to web content when privileged EventHandler listener callbacks ran for those events. Web content that tried to use those interfaces would not be able to use them with elevated privileges, but their presence would indicate certain browser features had been used, such as when a user opened the Dev Tools console. This vulnerability affects Firefox < 130, Firefox ESR < 128.2, and Firefox ESR < 115.15.
{
"affected": [],
"aliases": [
"CVE-2024-8382"
],
"database_specific": {
"cwe_ids": [
"CWE-273"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-03T13:15:05Z",
"severity": "HIGH"
},
"details": "Internal browser event interfaces were exposed to web content when privileged EventHandler listener callbacks ran for those events. Web content that tried to use those interfaces would not be able to use them with elevated privileges, but their presence would indicate certain browser features had been used, such as when a user opened the Dev Tools console. This vulnerability affects Firefox \u003c 130, Firefox ESR \u003c 128.2, and Firefox ESR \u003c 115.15.",
"id": "GHSA-ph32-hgpc-r5j4",
"modified": "2025-11-04T18:31:18Z",
"published": "2024-09-03T15:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8382"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1906744"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00012.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00025.html"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2024-39"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2024-40"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2024-41"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2024-43"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2024-44"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V453-RPPJ-85F4
Vulnerability from github – Published: 2022-05-13 01:16 – Updated: 2022-05-13 01:16An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector Service improperly impersonates certain file operations, aka "Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability." This affects Microsoft Visual Studio, Windows Server 2019, Windows Server 2016, Windows 10, Windows 10 Servers.
{
"affected": [],
"aliases": [
"CVE-2018-8599"
],
"database_specific": {
"cwe_ids": [
"CWE-273"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-12-12T00:29:00Z",
"severity": "HIGH"
},
"details": "An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector Service improperly impersonates certain file operations, aka \"Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability.\" This affects Microsoft Visual Studio, Windows Server 2019, Windows Server 2016, Windows 10, Windows 10 Servers.",
"id": "GHSA-v453-rppj-85f4",
"modified": "2022-05-13T01:16:17Z",
"published": "2022-05-13T01:16:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8599"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8599"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/106094"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VQJQ-9HCQ-43HF
Vulnerability from github – Published: 2025-03-11 12:30 – Updated: 2025-03-11 12:30A vulnerability has been identified in SCALANCE LPE9403 (6GK5998-3GS00-2AC2) (All versions < V4.0). Affected devices do not properly limit the elevation of privileges required to perform certain valid functionality. This could allow an authenticated lowly-privileged remote attacker to escalate their privileges.
{
"affected": [],
"aliases": [
"CVE-2025-27396"
],
"database_specific": {
"cwe_ids": [
"CWE-273"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-11T10:15:18Z",
"severity": "HIGH"
},
"details": "A vulnerability has been identified in SCALANCE LPE9403 (6GK5998-3GS00-2AC2) (All versions \u003c V4.0). Affected devices do not properly limit the elevation of privileges required to perform certain valid functionality.\nThis could allow an authenticated lowly-privileged remote attacker to escalate their privileges.",
"id": "GHSA-vqjq-9hcq-43hf",
"modified": "2025-03-11T12:30:59Z",
"published": "2025-03-11T12:30:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27396"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-075201.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-VQJV-866H-QV94
Vulnerability from github – Published: 2022-05-24 17:22 – Updated: 2023-02-02 21:33The version of docker as released for Red Hat Enterprise Linux 7 Extras via RHBA-2020:0053 advisory included an incorrect version of runc missing the fix for CVE-2019-5736, which was previously fixed via RHSA-2019:0304. This issue could allow a malicious or compromised container to compromise the container host and other containers running on the same host. This issue only affects docker version 1.13.1-108.git4ef4b30.el7, shipped in Red Hat Enterprise Linux 7 Extras. Both earlier and later versions are not affected.
{
"affected": [],
"aliases": [
"CVE-2020-14298"
],
"database_specific": {
"cwe_ids": [
"CWE-273"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-07-13T21:15:00Z",
"severity": "MODERATE"
},
"details": "The version of docker as released for Red Hat Enterprise Linux 7 Extras via RHBA-2020:0053 advisory included an incorrect version of runc missing the fix for CVE-2019-5736, which was previously fixed via RHSA-2019:0304. This issue could allow a malicious or compromised container to compromise the container host and other containers running on the same host. This issue only affects docker version 1.13.1-108.git4ef4b30.el7, shipped in Red Hat Enterprise Linux 7 Extras. Both earlier and later versions are not affected.",
"id": "GHSA-vqjv-866h-qv94",
"modified": "2023-02-02T21:33:41Z",
"published": "2022-05-24T17:22:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14298"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHBA-2020:0427"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2020:2653"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2020-14298"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/vulnerabilities/runc-regression-docker-1.13.1-108"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/vulnerabilities/runcescape"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1848239"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-5736"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-46
Strategy: Separation of Privilege
- Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
- Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Mitigation MIT-53
Check the results of all functions that return a value and verify that the value is expected.
Mitigation
In Windows, make sure that the process token has the SeImpersonatePrivilege(Microsoft Server 2003). Code that relies on impersonation for security must ensure that the impersonation succeeded, i.e., that a proper privilege demotion happened.
No CAPEC attack patterns related to this CWE.