CWE-266
AllowedIncorrect Privilege Assignment
Abstraction: Base · Status: Draft
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
1913 vulnerabilities reference this CWE, most recent first.
GHSA-3269-JQP5-V8C9
Vulnerability from github – Published: 2022-05-17 03:53 – Updated: 2025-03-13 19:12The API token-issuing service in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to gain privileges via a "forced API token change" involving anonymous users.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.main:jenkins-core"
},
"ranges": [
{
"events": [
{
"introduced": "1.597"
},
{
"fixed": "1.606"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.main:jenkins-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.596.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2015-1814"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-13T19:12:48Z",
"nvd_published_at": "2015-10-16T20:59:00Z",
"severity": "MODERATE"
},
"details": "The API token-issuing service in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to gain privileges via a \"forced API token change\" involving anonymous users.",
"id": "GHSA-3269-jqp5-v8c9",
"modified": "2025-03-13T19:12:48Z",
"published": "2022-05-17T03:53:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-1814"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/jenkins/commit/57e78880cc035874bda916ef4d8d7fd7642af9db"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2016:0070"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1205616"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/jenkins"
},
{
"type": "WEB",
"url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-03-23"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2015-1844.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Jenkins allows for Privilege Escalation by Remote Authenticated Users"
}
GHSA-32F8-XFVP-9M45
Vulnerability from github – Published: 2026-05-27 00:31 – Updated: 2026-05-27 00:31A vulnerability was detected in JeecgBoot up to 3.9.1. This vulnerability affects unknown code of the component AiragModelController. The manipulation of the argument list/queryById results in improper access controls. The attack can be executed remotely. The exploit is now public and may be used. Upgrading to version 3.9.2 is able to resolve this issue. The affected component should be upgraded.
{
"affected": [],
"aliases": [
"CVE-2026-9604"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-26T23:16:21Z",
"severity": "LOW"
},
"details": "A vulnerability was detected in JeecgBoot up to 3.9.1. This vulnerability affects unknown code of the component AiragModelController. The manipulation of the argument list/queryById results in improper access controls. The attack can be executed remotely. The exploit is now public and may be used. Upgrading to version 3.9.2 is able to resolve this issue. The affected component should be upgraded.",
"id": "GHSA-32f8-xfvp-9m45",
"modified": "2026-05-27T00:31:28Z",
"published": "2026-05-27T00:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9604"
},
{
"type": "WEB",
"url": "https://github.com/jeecgboot/JeecgBoot/issues/9599"
},
{
"type": "WEB",
"url": "https://github.com/jeecgboot/JeecgBoot/issues/9599#issuecomment-4385767005"
},
{
"type": "WEB",
"url": "https://github.com/jeecgboot/JeecgBoot"
},
{
"type": "WEB",
"url": "https://github.com/jeecgboot/JeecgBoot/releases/tag/v3.9.2"
},
{
"type": "WEB",
"url": "https://vuldb.com/submit/818123"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/365677"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/365677/cti"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-32H4-44JJ-C5VX
Vulnerability from github – Published: 2026-07-01 21:20 – Updated: 2026-07-01 21:20Description
A flaw was found in Keycloak's Fine-Grained Admin Permissions (FGAPv2) feature. An administrator with limited client management permissions can exploit this vulnerability to assign any realm role, including highly privileged roles, to a client's scope mapping. This bypasses intended security controls, allowing the injected role to be projected into a user's authentication token when they access the modified client. This could lead to unauthorized privilege escalation within the Keycloak realm.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.keycloak:keycloak-services"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "26.6.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-9795"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-01T21:20:38Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Description\nA flaw was found in Keycloak\u0027s Fine-Grained Admin Permissions (FGAPv2) feature. An administrator with limited client management permissions can exploit this vulnerability to assign any realm role, including highly privileged roles, to a client\u0027s scope mapping. This bypasses intended security controls, allowing the injected role to be projected into a user\u0027s authentication token when they access the modified client. This could lead to unauthorized privilege escalation within the Keycloak realm.",
"id": "GHSA-32h4-44jj-c5vx",
"modified": "2026-07-01T21:20:38Z",
"published": "2026-07-01T21:20:38Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-32h4-44jj-c5vx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9795"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/issues/50350"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/pull/50451"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/commit/8894c027e788904c740ff9a1a60fcfaa34a10d13"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30049"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30050"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30083"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30084"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-9795"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482462"
},
{
"type": "PACKAGE",
"url": "https://github.com/keycloak/keycloak"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-9795.json"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Keycloak has privilege escalation via improper scope mapping enforcement"
}
GHSA-32XC-55CC-XP6Q
Vulnerability from github – Published: 2025-09-19 12:30 – Updated: 2025-09-19 12:30A weakness has been identified in JeecgBoot up to 3.8.2. Affected is an unknown function of the file /message/sysMessageTemplate/sendMsg. Executing manipulation can lead to improper authorization. The attack may be launched remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-10707"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-19T12:15:34Z",
"severity": "MODERATE"
},
"details": "A weakness has been identified in JeecgBoot up to 3.8.2. Affected is an unknown function of the file /message/sysMessageTemplate/sendMsg. Executing manipulation can lead to improper authorization. The attack may be launched remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-32xc-55cc-xp6q",
"modified": "2025-09-19T12:30:20Z",
"published": "2025-09-19T12:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10707"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.324995"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.324995"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.644659"
},
{
"type": "WEB",
"url": "https://www.cnblogs.com/aibot/p/19063346"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-32XH-7V7R-X3VH
Vulnerability from github – Published: 2025-03-15 03:30 – Updated: 2026-04-08 18:33The Directory Listings WordPress plugin – uListing plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.1.7. This is due to the stm_listing_profile_edit AJAX action not having enough restriction on the user meta that can be updated. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator.
{
"affected": [],
"aliases": [
"CVE-2025-1653"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-15T03:15:34Z",
"severity": "HIGH"
},
"details": "The Directory Listings WordPress plugin \u2013 uListing plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.1.7. This is due to the stm_listing_profile_edit AJAX action not having enough restriction on the user meta that can be updated. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator.",
"id": "GHSA-32xh-7v7r-x3vh",
"modified": "2026-04-08T18:33:51Z",
"published": "2025-03-15T03:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1653"
},
{
"type": "WEB",
"url": "https://wordpress.org/plugins/ulisting"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4181b26e-89c7-4020-a3d4-29bdc88d7438?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-33F4-XJ2W-X86Q
Vulnerability from github – Published: 2025-03-17 21:30 – Updated: 2025-03-17 21:30A vulnerability was found in China Mobile P22g-CIac, ZXWT-MIG-P4G4V, ZXWT-MIG-P8G8V, GT3200-4G4P and GT3200-8G8P up to 20250305. It has been declared as problematic. This vulnerability affects unknown code of the component Telnet Service. The manipulation leads to improper authorization. The attack can only be initiated within the local network. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-2397"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-17T21:15:14Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in China Mobile P22g-CIac, ZXWT-MIG-P4G4V, ZXWT-MIG-P8G8V, GT3200-4G4P and GT3200-8G8P up to 20250305. It has been declared as problematic. This vulnerability affects unknown code of the component Telnet Service. The manipulation leads to improper authorization. The attack can only be initiated within the local network. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-33f4-xj2w-x86q",
"modified": "2025-03-17T21:30:35Z",
"published": "2025-03-17T21:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2397"
},
{
"type": "WEB",
"url": "https://github.com/Fizz-L/Vulnerability-report/blob/main/Unauthorized%20access%20to%20execute%20the%20telnet%20command.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.299896"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.299896"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.514957"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-34MQ-X3P9-RVRM
Vulnerability from github – Published: 2024-02-16 00:30 – Updated: 2024-08-16 18:30In createFromParcel of UsbConfiguration.java, there is a possible background activity launch (BAL) due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.
{
"affected": [],
"aliases": [
"CVE-2023-40109"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-15T23:15:08Z",
"severity": "HIGH"
},
"details": "In createFromParcel of UsbConfiguration.java, there is a possible background activity launch (BAL) due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.",
"id": "GHSA-34mq-x3p9-rvrm",
"modified": "2024-08-16T18:30:55Z",
"published": "2024-02-16T00:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40109"
},
{
"type": "WEB",
"url": "https://android.googlesource.com/platform/frameworks/base/+/387d258cf10a30537fc48dc0e48d28071efa92e7"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2023-11-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-34MV-WR5Q-834H
Vulnerability from github – Published: 2026-02-07 21:30 – Updated: 2026-02-07 21:30A vulnerability was identified in jsbroks COCO Annotator up to 0.11.1. Affected is an unknown function of the file /api/undo/ of the component Delete Category Handler. Such manipulation of the argument ID leads to improper authorization. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2026-2109"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-07T20:15:55Z",
"severity": "MODERATE"
},
"details": "A vulnerability was identified in jsbroks COCO Annotator up to 0.11.1. Affected is an unknown function of the file /api/undo/ of the component Delete Category Handler. Such manipulation of the argument ID leads to improper authorization. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-34mv-wr5q-834h",
"modified": "2026-02-07T21:30:18Z",
"published": "2026-02-07T21:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2109"
},
{
"type": "WEB",
"url": "https://github.com/nmmorette/vulnerability-research/blob/main/BFLA%20COCO%20Annotator%20in%20DELETE%20api%20undo/BFLA%20COCO%20Annotator%20in%20DELETE%20api%20undo%202f1ef09b8736807aa1f7ede4b64fa35d.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.344685"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.344685"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.745579"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-34V4-R8C4-VXXC
Vulnerability from github – Published: 2026-06-01 09:31 – Updated: 2026-06-01 09:31A vulnerability has been found in SourceCodester Water Billing Management System 1.0. This issue affects some unknown processing of the file /classes/Users.php?f=save of the component User Management Endpoint. Such manipulation leads to improper authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
{
"affected": [],
"aliases": [
"CVE-2026-10236"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-01T09:16:15Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been found in SourceCodester Water Billing Management System 1.0. This issue affects some unknown processing of the file /classes/Users.php?f=save of the component User Management Endpoint. Such manipulation leads to improper authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.",
"id": "GHSA-34v4-r8c4-vxxc",
"modified": "2026-06-01T09:31:12Z",
"published": "2026-06-01T09:31:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-10236"
},
{
"type": "WEB",
"url": "https://github.com/renzortega1337/Security-Research-/blob/main/Unauthenticated%20Admin%20Creation%20in%20PHP%20System.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/cve/CVE-2026-10236"
},
{
"type": "WEB",
"url": "https://vuldb.com/submit/823134"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/367515"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/367515/cti"
},
{
"type": "WEB",
"url": "https://www.sourcecodester.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-358W-6W72-3P29
Vulnerability from github – Published: 2022-05-24 17:45 – Updated: 2023-02-02 21:33An insecure modification vulnerability in the /etc/passwd file was found in the operator-framework/hadoop as shipped in Red Hat Openshift 4. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileges.
{
"affected": [],
"aliases": [
"CVE-2019-19354"
],
"database_specific": {
"cwe_ids": [
"CWE-266",
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-24T17:15:00Z",
"severity": "HIGH"
},
"details": "An insecure modification vulnerability in the /etc/passwd file was found in the operator-framework/hadoop as shipped in Red Hat Openshift 4. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileges.",
"id": "GHSA-358w-6w72-3p29",
"modified": "2023-02-02T21:33:44Z",
"published": "2022-05-24T17:45:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19354"
},
{
"type": "WEB",
"url": "https://access.redhat.com/articles/4859371"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2020:1938"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2019-19354"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1791534"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1793278"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-1
Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Mitigation MIT-17
Strategy: Environment Hardening
Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
No CAPEC attack patterns related to this CWE.