CWE-281
AllowedImproper Preservation of Permissions
Abstraction: Base · Status: Draft
The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.
432 vulnerabilities reference this CWE, most recent first.
GHSA-HR65-QQ6P-87R4
Vulnerability from github – Published: 2022-05-24 19:02 – Updated: 2022-06-22 18:23In Elasticsearch versions before 7.11.2 and 6.8.15 a document disclosure flaw was found when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain cross-cluster search queries. This could result in the search disclosing the existence of documents the attacker should not be able to view. This could result in an attacker gaining additional insight into potentially sensitive indices.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 7.11.1"
},
"package": {
"ecosystem": "Maven",
"name": "org.elasticsearch:elasticsearch"
},
"ranges": [
{
"events": [
{
"introduced": "7.11.0"
},
{
"fixed": "7.11.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.8.14"
},
"package": {
"ecosystem": "Maven",
"name": "org.elasticsearch:elasticsearch"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.8.15"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-22137"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-281"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-22T18:23:44Z",
"nvd_published_at": "2021-05-13T18:15:00Z",
"severity": "MODERATE"
},
"details": "In Elasticsearch versions before 7.11.2 and 6.8.15 a document disclosure flaw was found when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain cross-cluster search queries. This could result in the search disclosing the existence of documents the attacker should not be able to view. This could result in an attacker gaining additional insight into potentially sensitive indices.",
"id": "GHSA-hr65-qq6p-87r4",
"modified": "2022-06-22T18:23:44Z",
"published": "2022-05-24T19:02:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22137"
},
{
"type": "WEB",
"url": "https://discuss.elastic.co/t/elastic-stack-7-12-0-and-6-8-15-security-update/268125"
},
{
"type": "PACKAGE",
"url": "https://github.com/elastic/elasticsearch"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20210625-0003"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Exposure of Sensitive Information to an Unauthorized Actor in Elasticsearch"
}
GHSA-HRXH-9W67-G4CV
Vulnerability from github – Published: 2024-11-19 20:36 – Updated: 2024-11-19 20:36tl;dr:
unprivileged user creates a symlink to /etc/sudoers, /etc/shadow or similar and waits for a privileged user or process to copy/backup/mirror users data (using --links and --metadata). unprivileged user now owns /etc/sudoers.
Summary
Insecure handling of symlinks with --links and --metadata in rclone while copying to local disk allows unprivileged users to indirectly modify ownership and permissions on symlink target files when a superuser or privileged process performs a copy. This vulnerability could enable privilege escalation and unauthorized access to critical system files (e.g., /etc/shadow), compromising system integrity, confidentiality, and availability.
For instance, an unprivileged user could set a symlink to a sensitive file within their home directory, waiting for an administrator or automated process (e.g., a cron job running with elevated privileges) to copy their files with rclone using the --links and --metadata options. Upon copying, rclone will incorrectly apply chown and chmod to the symlink’s target file rather than just the symlink itself, resulting in ownership and permission changes on the sensitive file.
Who is affected
If you are not using --metadata and --links and copying files to the local backend you are not affected by this issue.
If you are using --metadata and -links and copying files to the local backend but not as a superuser, then this will manifest itself as a bug by setting incorrect permissions.
If you are using --metadata and -links and copying files to the local backend but as a superuser then this could affect you.
Details
When copying directories containing symlinks with rclone using the --links and --metadata options, rclone mistakenly applies chown and chmod operations to the target of the symlink instead of the symlink itself. As a result, ownership and permissions on sensitive system files (e.g., /etc/shadow) may be altered if they are the target of any symlink within the copied directory structure. This allows users to affect the permissions and ownership of files they should not have access to, resulting in privilege escalation and potential system compromise.
PoC
# Create a directory to simulate a user home directory
root@workstation:~# mkdir -p /tmp/home/user1
root@workstation:~# sudo chown user1:user1 /tmp/home/user1
# As user1, create a symlink to /etc/shadow within their home directory
root@workstation:~# sudo -u user1 ln -s /etc/shadow /tmp/home/user1/shadow_link
# List permissions on the original files
root@workstation:~# ls -l /tmp/home/user1/shadow_link /etc/shadow
----------. 1 root root 1283 Nov 5 13:30 /etc/shadow
lrwxrwxrwx. 1 user1 user1 11 Nov 5 13:56 /tmp/home/user1/shadow_link -> /etc/shadow
# Copy the directory structure with rclone
root@workstation:~# rclone copy /tmp/home /tmp/home_new --links --metadata --log-level=DEBUG
2024/11/05 13:56:53 DEBUG : rclone: Version "v1.68.1" starting with parameters ["rclone" "copy" "/tmp/home" "/tmp/home_new" "--links" "--metadata" "--log-level=DEBUG"]
2024/11/05 13:56:53 DEBUG : Creating backend with remote "/tmp/home"
2024/11/05 13:56:53 NOTICE: Config file "/root/.config/rclone/rclone.conf" not found - using defaults
2024/11/05 13:56:53 DEBUG : local: detected overridden config - adding "{b6816}" suffix to name
2024/11/05 13:56:53 DEBUG : fs cache: renaming cache item "/tmp/home" to be canonical "local{b6816}:/tmp/home"
2024/11/05 13:56:53 DEBUG : Creating backend with remote "/tmp/home_new"
2024/11/05 13:56:53 DEBUG : local: detected overridden config - adding "{b6816}" suffix to name
2024/11/05 13:56:53 DEBUG : fs cache: renaming cache item "/tmp/home_new" to be canonical "local{b6816}:/tmp/home_new"
2024/11/05 13:56:53 DEBUG : Added delayed dir = "user1", newDst=<nil>
2024/11/05 13:56:53 DEBUG : user1/shadow_link.rclonelink: Need to transfer - File not found at Destination
2024/11/05 13:56:53 DEBUG : user1/shadow_link.rclonelink: md5 = 2fe8599cb25a0c790213d39b3be97c27 OK
2024/11/05 13:56:53 INFO : user1/shadow_link.rclonelink: Copied (new)
2024/11/05 13:56:53 DEBUG : Local file system at /tmp/home_new: Waiting for checks to finish
2024/11/05 13:56:53 DEBUG : Local file system at /tmp/home_new: Waiting for transfers to finish
2024/11/05 13:56:53 INFO : user1: Updated directory metadata
2024/11/05 13:56:53 INFO :
Transferred: 11 B / 11 B, 100%, 0 B/s, ETA -
Transferred: 1 / 1, 100%
Elapsed time: 0.0s
2024/11/05 13:56:53 DEBUG : 6 go routines active
# List permissions again
root@workstation:~# ls -l /tmp/home/user1/shadow_link /etc/shadow /tmp/home_new/user1/shadow_link
-rwxrwxrwx. 1 user1 user1 1283 Nov 5 13:30 /etc/shadow # Wrong, very wrong. Should be root:root and 0000.
lrwxrwxrwx. 1 root root 11 Nov 5 13:56 /tmp/home_new/user1/shadow_link -> /etc/shadow # Wrong too, should be user1:user1
lrwxrwxrwx. 1 user1 user1 11 Nov 5 13:56 /tmp/home/user1/shadow_link -> /etc/shadow
# Fix /etc/shadow and clean up
root@workstation:~# chown root:root /etc/shadow
root@workstation:~# chmod 000 /etc/shadow
root@workstation:~# rm -rf /tmp/home /tmp/home_new
Impact
Type of Vulnerability: Improper permissions and ownership handling on symlink targets (Insecure Handling of Symlinks)
Impact: This vulnerability allows unprivileged users to modify permissions and ownership of sensitive system files by creating symlinks to those files in directories that are subsequently copied by an administrator with rclone --links --metadata. This can lead to unauthorized access, privilege escalation, and potential system compromise.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/rclone/rclone"
},
"ranges": [
{
"events": [
{
"introduced": "1.59.0"
},
{
"fixed": "1.68.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-52522"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": true,
"github_reviewed_at": "2024-11-19T20:36:02Z",
"nvd_published_at": "2024-11-15T18:15:30Z",
"severity": "MODERATE"
},
"details": "### **tl;dr:**\n\nunprivileged user creates a symlink to /etc/sudoers, /etc/shadow or similar and waits for a privileged user or process to copy/backup/mirror users data (using `--links` and `--metadata`). unprivileged user now owns /etc/sudoers.\n\n### Summary\n\nInsecure handling of symlinks with `--links` and `--metadata` in rclone while copying to local disk allows unprivileged users to indirectly modify ownership and permissions on symlink target files when a superuser or privileged process performs a copy. This vulnerability could enable privilege escalation and unauthorized access to critical system files (e.g., /etc/shadow), compromising system integrity, confidentiality, and availability.\n\nFor instance, an unprivileged user could set a symlink to a sensitive file within their home directory, waiting for an administrator or automated process (e.g., a cron job running with elevated privileges) to copy their files with rclone using the --links and --metadata options. Upon copying, rclone will incorrectly apply chown and chmod to the symlink\u2019s target file rather than just the symlink itself, resulting in ownership and permission changes on the sensitive file.\n\n### Who is affected\n\nIf you are not using `--metadata` **and** `--links` **and** copying files **to** the local backend you are not affected by this issue.\n\nIf you are using `--metadata` and `-links` and copying files to the local backend but not as a superuser, then this will manifest itself as a bug by setting incorrect permissions.\n\nIf you are using `--metadata` and `-links` and copying files to the local backend but as a superuser then this could affect you.\n\n### Details\n\nWhen copying directories containing symlinks with rclone using the --links and --metadata options, rclone mistakenly applies chown and chmod operations to the target of the symlink instead of the symlink itself. As a result, ownership and permissions on sensitive system files (e.g., /etc/shadow) may be altered if they are the target of any symlink within the copied directory structure. This allows users to affect the permissions and ownership of files they should not have access to, resulting in privilege escalation and potential system compromise.\n\n### PoC\n\n```\n# Create a directory to simulate a user home directory\nroot@workstation:~# mkdir -p /tmp/home/user1\nroot@workstation:~# sudo chown user1:user1 /tmp/home/user1\n```\n```\n# As user1, create a symlink to /etc/shadow within their home directory\nroot@workstation:~# sudo -u user1 ln -s /etc/shadow /tmp/home/user1/shadow_link\n```\n```\n# List permissions on the original files\nroot@workstation:~# ls -l /tmp/home/user1/shadow_link /etc/shadow\n----------. 1 root root 1283 Nov 5 13:30 /etc/shadow\nlrwxrwxrwx. 1 user1 user1 11 Nov 5 13:56 /tmp/home/user1/shadow_link -\u003e /etc/shadow\n```\n```\n# Copy the directory structure with rclone\nroot@workstation:~# rclone copy /tmp/home /tmp/home_new --links --metadata --log-level=DEBUG\n2024/11/05 13:56:53 DEBUG : rclone: Version \"v1.68.1\" starting with parameters [\"rclone\" \"copy\" \"/tmp/home\" \"/tmp/home_new\" \"--links\" \"--metadata\" \"--log-level=DEBUG\"]\n2024/11/05 13:56:53 DEBUG : Creating backend with remote \"/tmp/home\"\n2024/11/05 13:56:53 NOTICE: Config file \"/root/.config/rclone/rclone.conf\" not found - using defaults\n2024/11/05 13:56:53 DEBUG : local: detected overridden config - adding \"{b6816}\" suffix to name\n2024/11/05 13:56:53 DEBUG : fs cache: renaming cache item \"/tmp/home\" to be canonical \"local{b6816}:/tmp/home\"\n2024/11/05 13:56:53 DEBUG : Creating backend with remote \"/tmp/home_new\"\n2024/11/05 13:56:53 DEBUG : local: detected overridden config - adding \"{b6816}\" suffix to name\n2024/11/05 13:56:53 DEBUG : fs cache: renaming cache item \"/tmp/home_new\" to be canonical \"local{b6816}:/tmp/home_new\"\n2024/11/05 13:56:53 DEBUG : Added delayed dir = \"user1\", newDst=\u003cnil\u003e\n2024/11/05 13:56:53 DEBUG : user1/shadow_link.rclonelink: Need to transfer - File not found at Destination\n2024/11/05 13:56:53 DEBUG : user1/shadow_link.rclonelink: md5 = 2fe8599cb25a0c790213d39b3be97c27 OK\n2024/11/05 13:56:53 INFO : user1/shadow_link.rclonelink: Copied (new)\n2024/11/05 13:56:53 DEBUG : Local file system at /tmp/home_new: Waiting for checks to finish\n2024/11/05 13:56:53 DEBUG : Local file system at /tmp/home_new: Waiting for transfers to finish\n2024/11/05 13:56:53 INFO : user1: Updated directory metadata\n2024/11/05 13:56:53 INFO :\nTransferred: 11 B / 11 B, 100%, 0 B/s, ETA -\nTransferred: 1 / 1, 100%\nElapsed time: 0.0s\n\n2024/11/05 13:56:53 DEBUG : 6 go routines active\n```\n```\n# List permissions again\nroot@workstation:~# ls -l /tmp/home/user1/shadow_link /etc/shadow /tmp/home_new/user1/shadow_link\n-rwxrwxrwx. 1 user1 user1 1283 Nov 5 13:30 /etc/shadow # Wrong, very wrong. Should be root:root and 0000.\nlrwxrwxrwx. 1 root root 11 Nov 5 13:56 /tmp/home_new/user1/shadow_link -\u003e /etc/shadow # Wrong too, should be user1:user1\nlrwxrwxrwx. 1 user1 user1 11 Nov 5 13:56 /tmp/home/user1/shadow_link -\u003e /etc/shadow\n```\n```\n# Fix /etc/shadow and clean up\nroot@workstation:~# chown root:root /etc/shadow\nroot@workstation:~# chmod 000 /etc/shadow\nroot@workstation:~# rm -rf /tmp/home /tmp/home_new\n```\n### Impact\nType of Vulnerability: Improper permissions and ownership handling on symlink targets (Insecure Handling of Symlinks)\n\nImpact: This vulnerability allows unprivileged users to modify permissions and ownership of sensitive system files by creating symlinks to those files in directories that are subsequently copied by an administrator with rclone --links --metadata. This can lead to unauthorized access, privilege escalation, and potential system compromise.",
"id": "GHSA-hrxh-9w67-g4cv",
"modified": "2024-11-19T20:36:02Z",
"published": "2024-11-19T20:36:02Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rclone/rclone/security/advisories/GHSA-hrxh-9w67-g4cv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52522"
},
{
"type": "WEB",
"url": "https://github.com/rclone/rclone/commit/01ccf204f42b4f68541b16843292439090a2dcf0"
},
{
"type": "PACKAGE",
"url": "https://github.com/rclone/rclone"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L",
"type": "CVSS_V4"
}
],
"summary": "Rclone has Improper Permission and Ownership Handling on Symlink Targets with --links and --metadata"
}
GHSA-HXQ4-V53V-RH4H
Vulnerability from github – Published: 2024-03-04 09:30 – Updated: 2024-03-04 09:30in OpenHarmony v4.0.0 and prior versions allow a local attacker cause information leak through improper preservation of permissions.
{
"affected": [],
"aliases": [
"CVE-2024-21816"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-04T07:15:09Z",
"severity": "MODERATE"
},
"details": "in OpenHarmony v4.0.0 and prior versions allow a local attacker cause information leak through improper preservation of permissions.",
"id": "GHSA-hxq4-v53v-rh4h",
"modified": "2024-03-04T09:30:29Z",
"published": "2024-03-04T09:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21816"
},
{
"type": "WEB",
"url": "https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2024/2024-03.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J2M8-8R6C-36X2
Vulnerability from github – Published: 2024-05-17 18:30 – Updated: 2024-05-17 18:30When installing Nessus Agent to a directory outside of the default location on a Windows host, Nessus Agent versions prior to 10.6.4 did not enforce secure permissions for sub-directories. This could allow for local privilege escalation if users had not secured the directories in the non-default installation location.
{
"affected": [],
"aliases": [
"CVE-2024-3291"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-17T17:15:07Z",
"severity": "HIGH"
},
"details": "When installing Nessus Agent to a directory outside of the default location on a Windows host, Nessus Agent versions prior to 10.6.4 did not enforce secure permissions for sub-directories. This could allow for local privilege escalation if users had not secured the directories in the non-default installation location.",
"id": "GHSA-j2m8-8r6c-36x2",
"modified": "2024-05-17T18:30:43Z",
"published": "2024-05-17T18:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3291"
},
{
"type": "WEB",
"url": "https://www.tenable.com/security/tns-2024-09"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J3RV-RH4F-4RF6
Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2022-05-24 19:04A ZTE product has an information leak vulnerability. Due to improper permission settings, an attacker with ordinary user permissions could exploit this vulnerability to obtain some sensitive user information through the wizard page without authentication. This affects ZXHN H168N all versions up to V3.5.0_EG1T4_TE.
{
"affected": [],
"aliases": [
"CVE-2021-21735"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-10T12:15:00Z",
"severity": "MODERATE"
},
"details": "A ZTE product has an information leak vulnerability. Due to improper permission settings, an attacker with ordinary user permissions could exploit this vulnerability to obtain some sensitive user information through the wizard page without authentication. This affects ZXHN H168N all versions up to V3.5.0_EG1T4_TE.",
"id": "GHSA-j3rv-rh4f-4rf6",
"modified": "2022-05-24T19:04:55Z",
"published": "2022-05-24T19:04:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21735"
},
{
"type": "WEB",
"url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1015924"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-J4VR-PCMW-HX59
Vulnerability from github – Published: 2025-10-24 15:06 – Updated: 2025-10-29 15:42Impact
A vulnerability has been identified within Rancher Manager, where after removing a custom GlobalRole that gives administrative access or the corresponding binding, the user still retains access to clusters.
This only affects custom Global Roles that:
- Have a * on * in * rule for resources
- Have a * on * rule for non-resource URLs
For example
apiVersion: management.cattle.io/v3
kind: GlobalRole
metadata:
name: custom-admin
rules:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- '*'
- nonResourceURLs:
- '*'
verbs:
- '*'
Specifically:
- When a user is bound to a custom admin GlobalRole, a corresponding ClusterRoleBinding is created on all clusters that binds them to the cluster-admin ClusterRole.
- When such a GlobalRole or the GlobalRoleBinding (e.g., when the user is unassigned from this role in UI) is deleted, the ClusterRoleBinding that binds them to the cluster-admin ClusterRole stays behind.
This issue allows a user to continue having access to clusters after they have been unassigned from the custom admin global role or the role has been deleted.
Please consult the associated MITRE ATT&CK - Technique - Account Access Removal for further information about this category of attack.
Patches
This vulnerability is addressed by removing the corresponding ClusterRoleBindings whenever the admin GlobalRole or its GlobalRoleBindings are deleted. Previously orphaned ClusterRoleBindings are marked with the annotation authz.cluster.cattle.io/admin-globalrole-missing=true and should be deleted manually.
Orphaned ClusterRoleBindings can be listed with:
kubectl get clusterrolebinding -o jsonpath='{range .items[?(@.metadata.annotations.authz\.cluster\.cattle\.io/admin-globalrole-missing=="true")]}{.metadata.name}{"\n"}{end}'
Patched versions of Rancher include releases v2.12.3, v2.11.7.
Complications with the restricted admin functionality prevented the patches from being included in v2.10 and v2.9.
Workarounds
If the deployment can't be upgraded to a fixed version, users are advised to manually identify the orphaned ClusterRoleBindings and remove them.
References
If you have any questions or comments about this advisory: - Contact the SUSE Rancher Security team for security related inquiries. - Open an issue in the Rancher repository. - Verify with our support matrix and product support lifecycle.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/rancher/rancher"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20251014212116-7faa74a968c2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-32199"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-24T15:06:51Z",
"nvd_published_at": "2025-10-29T15:15:40Z",
"severity": "MODERATE"
},
"details": "### Impact\nA vulnerability has been identified within Rancher Manager, where after removing a custom GlobalRole that gives administrative access or the corresponding binding, the user still retains access to clusters.\nThis only affects custom Global Roles that:\n- Have a `*` on `*` in `*` rule for resources\n- Have a `*` on `*` rule for non-resource URLs\n\nFor example\n```yaml\napiVersion: management.cattle.io/v3\nkind: GlobalRole\nmetadata:\n name: custom-admin\nrules:\n - apiGroups:\n - \u0027*\u0027\n resources:\n - \u0027*\u0027\n verbs:\n - \u0027*\u0027\n - nonResourceURLs:\n - \u0027*\u0027\n verbs:\n - \u0027*\u0027\n```\n\nSpecifically:\n- When a user is bound to a custom admin `GlobalRole`, a corresponding `ClusterRoleBinding` is created on all clusters that binds them to the cluster-admin `ClusterRole`.\n- When such a `GlobalRole` or the `GlobalRoleBinding` (e.g., when the user is unassigned from this role in UI) is deleted, the `ClusterRoleBinding` that binds them to the cluster-admin ClusterRole stays behind.\n\nThis issue allows a user to continue having access to clusters after they have been unassigned from the custom admin global role or the role has been deleted.\n\nPlease consult the associated [MITRE ATT\u0026CK - Technique - Account Access Removal](https://attack.mitre.org/techniques/T1531/) for further information about this category of attack.\n\n### Patches\nThis vulnerability is addressed by removing the corresponding `ClusterRoleBindings` whenever the admin `GlobalRole` or its `GlobalRoleBindings` are deleted. Previously orphaned `ClusterRoleBindings` are marked with the annotation `authz.cluster.cattle.io/admin-globalrole-missing=true` and should be deleted manually.\n\nOrphaned ClusterRoleBindings can be listed with:\n```\nkubectl get clusterrolebinding -o jsonpath=\u0027{range .items[?(@.metadata.annotations.authz\\.cluster\\.cattle\\.io/admin-globalrole-missing==\"true\")]}{.metadata.name}{\"\\n\"}{end}\u0027\n```\n\nPatched versions of Rancher include releases `v2.12.3`, `v2.11.7`.\n\nComplications with the restricted admin functionality prevented the patches from being included in `v2.10` and `v2.9`.\n\n### Workarounds\nIf the deployment can\u0027t be upgraded to a fixed version, users are advised to manually identify the orphaned `ClusterRoleBindings` and remove them.\n\n### References\nIf you have any questions or comments about this advisory:\n- Contact the [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security related inquiries.\n- Open an issue in the [Rancher](https://github.com/rancher/rancher/issues/new/choose) repository.\n- Verify with our [support matrix](https://www.suse.com/suse-rancher/support-matrix/all-supported-versions/) and [product support lifecycle](https://www.suse.com/lifecycle/).",
"id": "GHSA-j4vr-pcmw-hx59",
"modified": "2025-10-29T15:42:32Z",
"published": "2025-10-24T15:06:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rancher/rancher/security/advisories/GHSA-j4vr-pcmw-hx59"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32199"
},
{
"type": "WEB",
"url": "https://github.com/rancher/rancher/pull/52303"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-32199"
},
{
"type": "PACKAGE",
"url": "https://github.com/rancher/rancher"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Rancher user retains access to clusters despite Global Role removal"
}
GHSA-J52R-PMQV-WM38
Vulnerability from github – Published: 2022-05-24 17:01 – Updated: 2023-12-14 18:19A missing permission check in Jenkins Support Core Plugin 2.63 and earlier allows attackers with Overall/Read permission to delete support bundles.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.63"
},
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:support-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.64"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-16539"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": true,
"github_reviewed_at": "2023-12-14T18:19:58Z",
"nvd_published_at": "2019-11-21T15:15:00Z",
"severity": "MODERATE"
},
"details": "A missing permission check in Jenkins Support Core Plugin 2.63 and earlier allows attackers with Overall/Read permission to delete support bundles.",
"id": "GHSA-j52r-pmqv-wm38",
"modified": "2023-12-14T18:19:58Z",
"published": "2022-05-24T17:01:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16539"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/support-core-plugin/commit/6b177ea7cc7347e13fa87174472400bbbe78d422"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/support-core-plugin"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2019-11-21/#SECURITY-1634"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2019/11/21/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Missing permission check in Jenkins Support Core Plugin"
}
GHSA-J5H3-G7CH-42QF
Vulnerability from github – Published: 2025-11-06 15:31 – Updated: 2025-11-06 15:31Improper preservation of permissions in Elastic Defend on Windows hosts can lead to arbitrary files on the system being deleted by the Defend service running as SYSTEM. In some cases, this could result in local privilege escalation.
{
"affected": [],
"aliases": [
"CVE-2025-37735"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-06T15:15:46Z",
"severity": "HIGH"
},
"details": "Improper preservation of permissions in Elastic Defend on Windows hosts can lead to arbitrary files on the system being deleted by the Defend service running as SYSTEM. In some cases, this could result in local privilege escalation.",
"id": "GHSA-j5h3-g7ch-42qf",
"modified": "2025-11-06T15:31:02Z",
"published": "2025-11-06T15:31:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-37735"
},
{
"type": "WEB",
"url": "https://discuss.elastic.co/t/elastic-defend-8-19-6-9-1-6-and-9-2-0-security-update-esa-2025-23/383272"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J66C-Q55P-63P7
Vulnerability from github – Published: 2025-06-08 12:30 – Updated: 2025-06-08 12:30in OpenHarmony v5.0.3 and prior versions allow a local attacker cause information leak through get permission.
{
"affected": [],
"aliases": [
"CVE-2025-27247"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-08T12:15:22Z",
"severity": "MODERATE"
},
"details": "in OpenHarmony v5.0.3 and prior versions allow a local attacker cause information leak through get permission.",
"id": "GHSA-j66c-q55p-63p7",
"modified": "2025-06-08T12:30:33Z",
"published": "2025-06-08T12:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27247"
},
{
"type": "WEB",
"url": "https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2025/2025-06.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J6CH-QP42-33GR
Vulnerability from github – Published: 2023-07-13 00:30 – Updated: 2024-04-04 06:05In multiple functions of OneTimePermissionUserManager.java, there is a possible one-time permission retention due to a permissions bypass. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.
{
"affected": [],
"aliases": [
"CVE-2023-21249"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-13T00:15:23Z",
"severity": "MODERATE"
},
"details": "In multiple functions of OneTimePermissionUserManager.java, there is a possible one-time permission retention due to a permissions bypass. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.\n\n",
"id": "GHSA-j6ch-qp42-33gr",
"modified": "2024-04-04T06:05:24Z",
"published": "2023-07-13T00:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21249"
},
{
"type": "WEB",
"url": "https://android.googlesource.com/platform/frameworks/base/+/c00b7e7dbc1fa30339adef693d02a51254755d7f"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2023-07-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.