Common Weakness Enumeration

CWE-1220

Allowed

Insufficient Granularity of Access Control

Abstraction: Base · Status: Incomplete

The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.

176 vulnerabilities reference this CWE, most recent first.

GHSA-7PGP-CXQ5-CMCJ

Vulnerability from github – Published: 2025-10-20 21:30 – Updated: 2025-10-28 18:30
VLAI
Details

Insufficient Granularity of Access Control vulnerability in opentext Flipper allows Exploiting Incorrectly Configured Access Control Security Levels. The vulnerability could allow a low privilege user to interact with the backend API without sufficient privileges.

This issue affects Flipper: 3.1.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-8053"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1220"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-20T20:15:38Z",
    "severity": "LOW"
  },
  "details": "Insufficient Granularity of Access Control vulnerability in opentext Flipper allows Exploiting Incorrectly Configured Access Control Security Levels.\u00a0The vulnerability could allow a low privilege user to interact with the backend API without sufficient privileges.\n\nThis issue affects Flipper: 3.1.2.",
  "id": "GHSA-7pgp-cxq5-cmcj",
  "modified": "2025-10-28T18:30:26Z",
  "published": "2025-10-20T21:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8053"
    },
    {
      "type": "WEB",
      "url": "https://support.opentext.com/csm?id=ot_kb_unauthenticated\u0026sysparm_article=KB0850532"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:D/RE:M/U:Green",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-7QHV-FQV8-J7X8

Vulnerability from github – Published: 2025-08-15 06:30 – Updated: 2025-08-15 06:30
VLAI
Details

HCL Connections contains a broken access control vulnerability that may allow unauthorized user to update data in certain scenarios.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-31961"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1220"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-15T05:15:30Z",
    "severity": "LOW"
  },
  "details": "HCL Connections contains a broken access control vulnerability that may allow unauthorized user to update data in certain scenarios.",
  "id": "GHSA-7qhv-fqv8-j7x8",
  "modified": "2025-08-15T06:30:21Z",
  "published": "2025-08-15T06:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31961"
    },
    {
      "type": "WEB",
      "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0123268"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7QPW-2J9M-RW8C

Vulnerability from github – Published: 2022-12-28 15:30 – Updated: 2023-01-10 15:44
VLAI
Summary
usememos/memos has Insufficient Granularity of Access Control
Details

An Insufficient Granularity of Access Control in usememos/memos prior to 0.9.0 can allow an attacker to delete a memo from the archives.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.9.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/usememos/memos"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-4813"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1220"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-30T22:12:40Z",
    "nvd_published_at": "2022-12-28T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An Insufficient Granularity of Access Control in usememos/memos prior to 0.9.0 can allow an attacker to delete a memo from the archives.",
  "id": "GHSA-7qpw-2j9m-rw8c",
  "modified": "2023-01-10T15:44:56Z",
  "published": "2022-12-28T15:30:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4813"
    },
    {
      "type": "WEB",
      "url": "https://github.com/usememos/memos/commit/3556ae4e651d9443dc3bb8a170dd3cc726517a53"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/usememos/memos"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/a24b45d8-554b-4131-8ce1-f33bf8cdbacc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "usememos/memos has Insufficient Granularity of Access Control"
}

GHSA-88WH-9R47-7G44

Vulnerability from github – Published: 2026-01-08 15:31 – Updated: 2026-01-08 15:31
VLAI
Details

Asseco InfoMedica is a comprehensive solution used to manage both administrative and medical tasks in the healthcare sector. A low privileged user is able to obtain encoded passwords of all other accounts (including main administrator) due to lack of granularity in access control.  Chained exploitation of this vulnerability and CVE-2025-8307 allows an attacker to escalate privileges. This vulnerability has been fixed in versions 4.50.1 and 5.38.0

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-8306"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1220"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-08T14:15:56Z",
    "severity": "MODERATE"
  },
  "details": "Asseco InfoMedica is a comprehensive solution used to manage both administrative and medical tasks in the healthcare sector. A low privileged user is able to obtain encoded passwords of all other accounts (including main administrator) due to lack of granularity in access control.\u00a0\nChained exploitation of this vulnerability and\u00a0CVE-2025-8307 allows an attacker to escalate privileges.\u00a0This vulnerability has been fixed in versions 4.50.1 and 5.38.0",
  "id": "GHSA-88wh-9r47-7g44",
  "modified": "2026-01-08T15:31:25Z",
  "published": "2026-01-08T15:31:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8306"
    },
    {
      "type": "WEB",
      "url": "https://cert.pl/en/posts/2026/01/CVE-2025-8306"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-8C7Q-86FQ-VVMH

Vulnerability from github – Published: 2026-05-26 13:30 – Updated: 2026-06-30 16:48
VLAI
Summary
MLflow allows unauthorized access to multipart upload endpoints when the `--serve-artifacts` mode is enabled
Details

A vulnerability in MLflow versions <=3.10.1.dev0 allows unauthorized access to multipart upload (MPU) endpoints when the --serve-artifacts mode is enabled. The authorization logic does not enforce resource-level permission checks for /mlflow-artifacts/mpu/* endpoints, enabling attackers to overwrite artifacts belonging to other users. This can lead to unauthorized cross-user writes, model supply chain poisoning, and arbitrary code execution when compromised models are loaded. The issue is resolved in version 3.10.0.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 3.11.0rc0"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "mlflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.11.0rc1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-2651"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1220",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-30T16:48:21Z",
    "nvd_published_at": "2026-05-25T07:16:15Z",
    "severity": "CRITICAL"
  },
  "details": "A vulnerability in MLflow versions \u003c=3.10.1.dev0 allows unauthorized access to multipart upload (MPU) endpoints when the `--serve-artifacts` mode is enabled. The authorization logic does not enforce resource-level permission checks for `/mlflow-artifacts/mpu/*` endpoints, enabling attackers to overwrite artifacts belonging to other users. This can lead to unauthorized cross-user writes, model supply chain poisoning, and arbitrary code execution when compromised models are loaded. The issue is resolved in version 3.10.0.",
  "id": "GHSA-8c7q-86fq-vvmh",
  "modified": "2026-06-30T16:48:21Z",
  "published": "2026-05-26T13:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2651"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mlflow/mlflow/commit/d7290811d8f3c95366d80109424edc1fb1ad966f"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-2651"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481117"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mlflow/mlflow"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/65beb119-d3e0-4e03-af2f-fa98f78f83dc"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-2651.json"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "MLflow allows unauthorized access to multipart upload endpoints when the `--serve-artifacts` mode is enabled"
}

GHSA-8VP7-4RMV-4868

Vulnerability from github – Published: 2026-04-14 18:30 – Updated: 2026-04-23 00:31
VLAI
Details

Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to elevate privileges locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-33825"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1220"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-14T18:17:35Z",
    "severity": "HIGH"
  },
  "details": "Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to elevate privileges locally.",
  "id": "GHSA-8vp7-4rmv-4868",
  "modified": "2026-04-23T00:31:17Z",
  "published": "2026-04-14T18:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33825"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33825"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-33825"
    },
    {
      "type": "WEB",
      "url": "https://www.huntress.com/blog/nightmare-eclipse-intrusion"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-933F-RG6J-F46P

Vulnerability from github – Published: 2026-05-19 12:31 – Updated: 2026-06-30 19:15
VLAI
Summary
Keycloak Account Resources user lookup contains broken access control
Details

Keycloak's Account Resources user lookup endpoint allows a remote authenticated user, who owns at least one User-Managed Access (UMA) resource, to enumerate and harvest personally identifiable information (PII) for all realm users. By sending crafted requests with arbitrary usernames or email values, the endpoint returns full profile objects for unrelated users. This leads to broad profile-level information disclosure.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.keycloak:keycloak-services"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "26.4.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.keycloak:keycloak-services"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "26.5.0"
            },
            {
              "fixed": "26.6.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-37981"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1220"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-30T19:15:26Z",
    "nvd_published_at": "2026-05-19T12:16:18Z",
    "severity": "MODERATE"
  },
  "details": "Keycloak\u0027s Account Resources user lookup endpoint allows a remote authenticated user, who owns at least one User-Managed Access (UMA) resource, to enumerate and harvest personally identifiable information (PII) for all realm users. By sending crafted requests with arbitrary usernames or email values, the endpoint returns full profile objects for unrelated users. This leads to broad profile-level information disclosure.",
  "id": "GHSA-933f-rg6j-f46p",
  "modified": "2026-06-30T19:15:26Z",
  "published": "2026-05-19T12:31:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-37981"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keycloak/keycloak/issues/49116"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keycloak/keycloak/pull/49122"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keycloak/keycloak/commit/33f6f873fda2c9546e52d34b4f865eafc42df0c0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keycloak/keycloak/commit/b68070bcf96a6fe7d0f01cee5d3cbde71f2abbe7"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:19596"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:19597"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-37981"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455326"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/keycloak/keycloak"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Keycloak Account Resources user lookup contains broken access control"
}

GHSA-96JV-VJ39-X4J6

Vulnerability from github – Published: 2022-07-13 00:00 – Updated: 2023-06-27 20:58
VLAI
Summary
Argo CD improper access control bug can allow malicious user to escalate privileges to admin level
Details

Impact

Impacts for versions starting with v1.0.0

All unpatched versions of Argo CD starting with v1.0.0 are vulnerable to an improper access control bug, allowing a malicious user to potentially escalate their privileges to admin-level.

To perform the following exploits, an authorized Argo CD user must have push access to an Application's source git or Helm repository or sync and override access to an Application. Once a user has that access, different exploitation levels are possible depending on their other RBAC privileges:

  1. If that user has update access to the Application, they can modify any resource on the Application's destination cluster. If the destination cluster is or can be made to be the same as the cluster hosting Argo CD, the user can escalate their Argo CD permissions to admin-level.
  2. If the user has delete access to the Application, they can delete any resource on the Application's destination cluster. (This exploit is possible starting with v0.8.0.)
  3. If the user has get access to the Application, they can view any resource on the Application's destination cluster (except for the contents of Secrets) and list actions available for that resource.
  4. If the user has get access to the Application, they can view the logs of any Pods on the Application's destination cluster.
  5. If the user has action/{some action or *} access on the Application, they can run an action for any resource (which supports the allowed action(s)) on the Application's destination cluster. (Some actions are available in Argo CD by default, and others may be configured by an Argo CD admin.)

See the Argo CD RBAC documentation for an explanation of the privileges available in Argo CD.

Events exploit

A related exploit is possible for a user with get access to an Application even if they do not have access to the Application's source git or Helm repository or sync and override access to the Application. The user can access any Event in the Application's destination cluster if they know the involved object's name, UID, and namespace.

Impacts for versions starting with v0.8.0

The same bug exists starting with v0.8.0, but only the following exploits were possible before v1.0.0:

  • The delete exploit (#⁠2 above).
  • The logs exploit (#⁠4 above).
  • The Events exploit described above.

Impacts for versions starting with v0.5.0

The same bug exists starting with v0.5.0 (when RBAC was implemented), but only the Events exploit described above was possible before v0.8.0.

Patches A patch for this vulnerability has been released in the following Argo CD versions:

  • v2.3.2
  • v2.2.8
  • v2.1.14

Versions 2.0.x and earlier users: See the changelog for links to upgrade instructions for your version. It is imperative to upgrade quickly, but some limited mitigations are described in the next section.

argo-helm chart users: Argo CD users deploying v2.3.x with argo-helm can upgrade the chart to version 4.2.2. Argo CD 2.2 and 2.1 users can set the global.image.tag value to the latest in your current release series (v2.2.8, or v2.1.14). Since charts for the 2.2 and 2.1 series are no longer maintained, you will need to either leave the value override in place or upgrade to the 4.x chart series (and therefore to Argo CD 2.3).

Workarounds

The only certain way to avoid the vulnerability is to upgrade.

Mitigations

  • To avoid privilege escalation:
    • Limit who has push access to Application source repositories or sync + override access to Applications.
  • Limit which repositories are available in projects where users have update access to Applications.
    • To avoid unauthorized resource inspection/tampering:
    • Limit who has delete, get, or action access to Applications.

These mitigations can help limit potential damage, but they are not a substitute for upgrading. It is necessary to upgrade immediately.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-cd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.5.0"
            },
            {
              "last_affected": "1.8.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-cd/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-cd/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.2.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-cd/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.3.0"
            },
            {
              "fixed": "2.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-1025"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1220",
      "CWE-284",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-21T22:29:13Z",
    "nvd_published_at": "2022-07-12T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "# Impact\n\n## Impacts for versions starting with v1.0.0\nAll unpatched versions of Argo CD starting with v1.0.0 are vulnerable to an improper access control bug, allowing a malicious user to potentially escalate their privileges to admin-level.\n\nTo perform the following exploits, an authorized Argo CD user must have push access to an Application\u0027s source git or Helm repository or `sync` and `override` access to an Application. Once a user has that access, different exploitation levels are possible depending on their other RBAC privileges:\n\n1. If that user has `update` access to the Application, they can modify any resource on the Application\u0027s destination cluster. If the destination cluster is or can be made to be the same as the cluster hosting Argo CD, the user can escalate their Argo CD permissions to admin-level.\n2. If the user has `delete` access to the Application, they can delete any resource on the Application\u0027s destination cluster. (This exploit is possible starting with v0.8.0.)\n3. If the user has `get` access to the Application, they can view any resource on the Application\u0027s destination cluster (except for the contents of Secrets) and list [actions](https://argo-cd.readthedocs.io/en/stable/operator-manual/resource_actions/) available for that resource.\n4. If the user has `get` access to the Application, they can view the logs of any Pods on the Application\u0027s destination cluster.\n5. If the user has `action/{some action or *}` access on the Application, they can run an action for any resource (which supports the allowed action(s)) on the Application\u0027s destination cluster. (Some actions are available in Argo CD by default, and others may be configured by an Argo CD admin.)\n\nSee the [Argo CD RBAC documentation](https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/#rbac-resources-and-actions) for an explanation of the privileges available in Argo CD.\n\n## Events exploit\nA related exploit is possible for a user with `get` access to an Application **even if they do not have access to the Application\u0027s source git or Helm repository or `sync` and `override` access to the Application**. The user can access any Event in the Application\u0027s destination cluster if they know the involved object\u0027s name, UID, and namespace.\n\n## Impacts for versions starting with v0.8.0\nThe same bug exists starting with v0.8.0, but only the following exploits were possible before v1.0.0:\n\n- The `delete exploit` (#\u20602 above).\n- The logs exploit (#\u20604 above).\n- The Events exploit described above.\n\n## Impacts for versions starting with v0.5.0\nThe same bug exists starting with v0.5.0 (when RBAC was implemented), but only the Events exploit described above was possible before v0.8.0.\n\nPatches\nA patch for this vulnerability has been released in the following Argo CD versions:\n\n- v2.3.2\n- v2.2.8\n- v2.1.14\n\n**Versions 2.0.x and earlier users**: See the changelog for links to upgrade instructions for your version. It is imperative to upgrade quickly, but some limited mitigations are described in the next section.\n\n**argo-helm chart users**: Argo CD users deploying v2.3.x with argo-helm can upgrade the chart to version 4.2.2. Argo CD 2.2 and 2.1 users can set the global.image.tag value to the latest in your current release series (v2.2.8, or v2.1.14). Since charts for the 2.2 and 2.1 series are no longer maintained, you will need to either leave the value override in place or upgrade to the 4.x chart series (and therefore to Argo CD 2.3).\n\n## Workarounds\nThe only certain way to avoid the vulnerability is to upgrade.\n\n## Mitigations\n\n- To avoid privilege escalation:\n    - Limit who has push access to Application source repositories or sync + override access to Applications.\n- Limit which repositories are available in projects where users have update access to Applications.\n    - To avoid unauthorized resource inspection/tampering:\n    - Limit who has delete, get, or action access to Applications.\n\nThese mitigations can help limit potential damage, but they are not a substitute for upgrading. It is necessary to upgrade immediately.",
  "id": "GHSA-96jv-vj39-x4j6",
  "modified": "2023-06-27T20:58:57Z",
  "published": "2022-07-13T00:00:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2f5v-8r3f-8pww"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1025"
    },
    {
      "type": "WEB",
      "url": "https://github.com/argoproj/argo-cd/commit/af03b291d4b7e9d3ce9a6580ae9c8141af0e05cf"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2022:1039"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2022:1040"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2022:1041"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2022:1042"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2022-1025"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2064682"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/argoproj/argo-cd"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Argo CD improper access control bug can allow malicious user to escalate privileges to admin level"
}

GHSA-9722-WH8J-2F5P

Vulnerability from github – Published: 2025-02-01 06:31 – Updated: 2025-02-01 06:31
VLAI
Details

Dell PowerProtect DD versions prior to 8.3.0.0, 7.10.1.50, and 7.13.1.20 contain an improper access control vulnerability. A local malicious user with low privileges could potentially exploit this vulnerability leading to escalation of privilege.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-53295"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1220"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-01T05:15:10Z",
    "severity": "HIGH"
  },
  "details": "Dell PowerProtect DD versions prior to 8.3.0.0, 7.10.1.50, and 7.13.1.20 contain an improper access control vulnerability. A local malicious user with low privileges could potentially exploit this vulnerability leading to escalation of privilege.",
  "id": "GHSA-9722-wh8j-2f5p",
  "modified": "2025-02-01T06:31:01Z",
  "published": "2025-02-01T06:31:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53295"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000279157/dsa-2025-022-security-update-for-dell-powerprotect-dd-multiple-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9HF4-R86Q-FFR6

Vulnerability from github – Published: 2023-04-22 03:30 – Updated: 2024-04-04 03:38
VLAI
Details

NVIDIA ConnectX-5, ConnectX-6, and ConnectX6-DX contain a vulnerability in the NIC firmware, where an unprivileged user can exploit insufficient granularity of access control, which may lead to denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-0203"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1220"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-22T03:15:09Z",
    "severity": "HIGH"
  },
  "details": "NVIDIA ConnectX-5, ConnectX-6, and ConnectX6-DX contain a vulnerability in the NIC firmware, where an unprivileged user can exploit insufficient granularity of access control, which may lead to denial of service.",
  "id": "GHSA-9hf4-r86q-ffr6",
  "modified": "2024-04-04T03:38:32Z",
  "published": "2023-04-22T03:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0203"
    },
    {
      "type": "WEB",
      "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5459"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design Implementation Testing
  • Access-control-policy protections must be reviewed for design inconsistency and common weaknesses.
  • Access-control-policy definition and programming flow must be tested in pre-silicon, post-silicon testing.
CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs

In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.

CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels

An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.