CWE-250
AllowedExecution with Unnecessary Privileges
Abstraction: Base · Status: Draft
The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.
573 vulnerabilities reference this CWE, most recent first.
GHSA-8Q2G-9F98-XXWF
Vulnerability from github – Published: 2024-03-14 03:31 – Updated: 2024-03-14 03:31This allows attackers to use a maliciously formed API request to gain access to an API authorization level with elevated privileges. This applies to a small subset of PaperCut NG/MF API calls.
{
"affected": [],
"aliases": [
"CVE-2024-1222"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-250"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-14T03:15:07Z",
"severity": "HIGH"
},
"details": "This allows attackers to use a maliciously formed API request to gain access to an API authorization level with elevated privileges. This applies to a small subset of PaperCut NG/MF API calls.\n\n",
"id": "GHSA-8q2g-9f98-xxwf",
"modified": "2024-03-14T03:31:14Z",
"published": "2024-03-14T03:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1222"
},
{
"type": "WEB",
"url": "https://www.papercut.com/kb/Main/Security-Bulletin-March-2024"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-8RHX-8C6R-V9Q6
Vulnerability from github – Published: 2025-08-26 15:31 – Updated: 2025-08-27 15:33Mitrastar GPT-2741GNAC-N2 devices are provided with access through ssh into a restricted default shell.The command "deviceinfo show file" is supposed to be used from restricted shell to show files and directories. By providing " /bin/sh" (quotes included) to the argument of this command will drop a root shell.
{
"affected": [],
"aliases": [
"CVE-2025-50753"
],
"database_specific": {
"cwe_ids": [
"CWE-250"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-26T14:15:38Z",
"severity": "HIGH"
},
"details": "Mitrastar GPT-2741GNAC-N2 devices are provided with access through ssh into a restricted default shell.The command \"deviceinfo show file\" is supposed to be used from restricted shell to show files and directories. By providing \" /bin/sh\" (quotes included) to the argument of this command will drop a root shell.",
"id": "GHSA-8rhx-8c6r-v9q6",
"modified": "2025-08-27T15:33:13Z",
"published": "2025-08-26T15:31:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-50753"
},
{
"type": "WEB",
"url": "https://gist.github.com/geraldog/2d07fdedbbb79d822e9df4b75f882a63"
},
{
"type": "WEB",
"url": "http://gpt-2741gnac-n2.com"
},
{
"type": "WEB",
"url": "http://mitrastar.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8RXX-F9PW-CHH2
Vulnerability from github – Published: 2025-11-06 18:32 – Updated: 2025-11-06 18:32A maliciously crafted file, when executed on the victim's machine, can lead to privilege escalation to NT AUTHORITY/SYSTEM due to an insufficient validation of loaded binaries. An attacker with local and low-privilege access could exploit this to execute code as SYSTEM.
{
"affected": [],
"aliases": [
"CVE-2025-10885"
],
"database_specific": {
"cwe_ids": [
"CWE-250"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-06T17:15:42Z",
"severity": "HIGH"
},
"details": "A maliciously crafted file, when executed on the victim\u0027s machine, can lead to privilege escalation to NT AUTHORITY/SYSTEM due to an insufficient validation of loaded binaries. An attacker with local and low-privilege access could exploit this to execute code as SYSTEM.",
"id": "GHSA-8rxx-f9pw-chh2",
"modified": "2025-11-06T18:32:57Z",
"published": "2025-11-06T18:32:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10885"
},
{
"type": "WEB",
"url": "https://emsfs.autodesk.com/utility/odis/1/installer/latest/AdODIS-installer.exe"
},
{
"type": "WEB",
"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0022"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8W99-HMP7-97XW
Vulnerability from github – Published: 2026-06-04 12:30 – Updated: 2026-06-30 21:31A local privilege escalation vulnerability exists in Forcepoint VPN Client that allows a local non-administrative user to escalate privileges to SYSTEM. This issue affects VPN Client for Windows: versions 6.11.3 and prior.
{
"affected": [],
"aliases": [
"CVE-2025-12694"
],
"database_specific": {
"cwe_ids": [
"CWE-250"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-04T12:16:23Z",
"severity": "HIGH"
},
"details": "A local privilege escalation vulnerability exists in Forcepoint VPN Client that allows a local non-administrative user to escalate privileges to SYSTEM. This issue affects VPN Client for Windows: versions 6.11.3 and prior.",
"id": "GHSA-8w99-hmp7-97xw",
"modified": "2026-06-30T21:31:36Z",
"published": "2026-06-04T12:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12694"
},
{
"type": "WEB",
"url": "https://support.forcepoint.com/s/article/Security-Advisory-Local-Privilege-Escalation-in-VPN-Client-for-Windows"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-8WCJ-MFRC-JX5Q
Vulnerability from github – Published: 2026-06-30 18:20 – Updated: 2026-06-30 18:20Summary
Fission builder pods were created with ServiceAccountName: fission-builder and no AutomountServiceAccountToken: false, so the kubelet auto-mounted the service-account token into every container in the pod — including the
user-supplied builder image.
Details
The user controls the builder container image, command, and podspec through Environment.spec.builder.image / .container / .podspec. With the SA token auto-mounted at /var/run/secrets/kubernetes.io/serviceaccount/token inside that
container, any code running there inherited the fission-builder identity. The fission-builder SA holds namespace-wide get on secrets and configmaps (pkg/utils/serviceaccount.go), so the user-controlled builder container
could read every Secret in the builder namespace by name.
This is the buildermgr sibling of GHSA-85g2-pmrx-r49q (CVE-2026-46617), whose fix suppressed the SA-token automount on function runtime pods but did not cover the structurally identical primitive in pkg/buildermgr/envwatcher.go.
Impact
A subject with create/update on Environment CRDs in a namespace observed by the buildermgr could read every Secret and ConfigMap in the builder namespace via the auto-mounted fission-builder token.
Fix
Fixed in #3390 and released in v1.24.0. In createBuilderDeployment:
- Set pod-level
AutomountServiceAccountToken=falseon the initial PodSpec and add the projected fetcher SA-token volume. - Re-clamp
AutomountServiceAccountToken=falseafter everyMergePodSpeccall so a user-supplied podspec cannot restore the kubelet automount. - Mount the token via a projected volume on the fetcher sidecar only, so the legitimate build → archive-upload flow keeps its cluster API access.
Reuses the projected-volume helpers from pkg/executor/util/satoken.go introduced by the GHSA-85g2-pmrx-r49q fix.
Behavioural change
The user-supplied builder container no longer receives an auto-mounted SA token. The fetcher sidecar still gets its token via a projected volume.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.23.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/fission/fission"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.24.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-50565"
],
"database_specific": {
"cwe_ids": [
"CWE-250",
"CWE-269",
"CWE-538"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-30T18:20:03Z",
"nvd_published_at": "2026-06-10T18:17:12Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nFission builder pods were created with `ServiceAccountName: fission-builder` and no `AutomountServiceAccountToken: false`, so the kubelet auto-mounted the service-account token into every container in the pod \u2014 including the\nuser-supplied builder image.\n\n### Details\n\nThe user controls the builder container image, command, and podspec through `Environment.spec.builder.image` / `.container` / `.podspec`. With the SA token auto-mounted at `/var/run/secrets/kubernetes.io/serviceaccount/token` inside that\n container, any code running there inherited the `fission-builder` identity. The `fission-builder` SA holds namespace-wide `get` on `secrets` and `configmaps` (`pkg/utils/serviceaccount.go`), so the user-controlled builder container\ncould read every Secret in the builder namespace by name.\n\nThis is the buildermgr sibling of GHSA-85g2-pmrx-r49q (CVE-2026-46617), whose fix suppressed the SA-token automount on function runtime pods but did not cover the structurally identical primitive in `pkg/buildermgr/envwatcher.go`.\n\n### Impact\n\nA subject with `create`/`update` on `Environment` CRDs in a namespace observed by the buildermgr could read every Secret and ConfigMap in the builder namespace via the auto-mounted `fission-builder` token.\n\n### Fix\n\nFixed in [#3390](https://github.com/fission/fission/pull/3390) and released in [v1.24.0](https://github.com/fission/fission/releases/tag/v1.24.0). In `createBuilderDeployment`:\n\n- Set pod-level `AutomountServiceAccountToken=false` on the initial PodSpec and add the projected fetcher SA-token volume.\n- Re-clamp `AutomountServiceAccountToken=false` after every `MergePodSpec` call so a user-supplied podspec cannot restore the kubelet automount.\n- Mount the token via a projected volume on the fetcher sidecar only, so the legitimate build \u2192 archive-upload flow keeps its cluster API access.\n\nReuses the projected-volume helpers from `pkg/executor/util/satoken.go` introduced by the GHSA-85g2-pmrx-r49q fix.\n\n### Behavioural change\n\nThe user-supplied builder container no longer receives an auto-mounted SA token. The fetcher sidecar still gets its token via a projected volume.",
"id": "GHSA-8wcj-mfrc-jx5q",
"modified": "2026-06-30T18:20:03Z",
"published": "2026-06-30T18:20:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/fission/fission/security/advisories/GHSA-8wcj-mfrc-jx5q"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50565"
},
{
"type": "WEB",
"url": "https://github.com/fission/fission/pull/3390"
},
{
"type": "WEB",
"url": "https://github.com/fission/fission/commit/8fa799417c77ce8a0189d9858bfe11ece29b84a6"
},
{
"type": "PACKAGE",
"url": "https://github.com/fission/fission"
},
{
"type": "WEB",
"url": "https://github.com/fission/fission/releases/tag/v1.24.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Fission builder pods auto-mount the fission-builder ServiceAccount token in the user-supplied builder container"
}
GHSA-8XJ7-C2MM-V3R5
Vulnerability from github – Published: 2024-10-08 18:33 – Updated: 2025-02-25 21:31Winlogon Elevation of Privilege Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-43583"
],
"database_specific": {
"cwe_ids": [
"CWE-250"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-08T18:15:26Z",
"severity": "HIGH"
},
"details": "Winlogon Elevation of Privilege Vulnerability",
"id": "GHSA-8xj7-c2mm-v3r5",
"modified": "2025-02-25T21:31:27Z",
"published": "2024-10-08T18:33:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43583"
},
{
"type": "WEB",
"url": "https://github.com/Kvngtheta/CVE-2024-43583-PoC/blob/main/poc-43583.py"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43583"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-92XG-GMRQ-5C3W
Vulnerability from github – Published: 2024-09-07 09:30 – Updated: 2025-01-21 17:53Apache Airflow versions before 2.10.1 have a vulnerability that allows DAG authors to add local settings to the DAG folder and get it executed by the scheduler, where the scheduler is not supposed to execute code submitted by the DAG author. Users are advised to upgrade to version 2.10.1 or later, which has fixed the vulnerability.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "apache-airflow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.10.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-45034"
],
"database_specific": {
"cwe_ids": [
"CWE-250"
],
"github_reviewed": true,
"github_reviewed_at": "2024-09-09T18:16:43Z",
"nvd_published_at": "2024-09-07T08:15:11Z",
"severity": "HIGH"
},
"details": "Apache Airflow versions before 2.10.1 have a vulnerability that allows\u00a0DAG authors to add local settings to the DAG folder and get it executed by the scheduler, where the scheduler is not supposed to execute code submitted by the DAG author. \nUsers are advised to upgrade to version 2.10.1 or later, which has fixed the vulnerability.",
"id": "GHSA-92xg-gmrq-5c3w",
"modified": "2025-01-21T17:53:29Z",
"published": "2024-09-07T09:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45034"
},
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/41672"
},
{
"type": "WEB",
"url": "https://github.com/apache/airflow/commit/03e01e76d2203d37aa645096df195b4328665f6d"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/airflow"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-212.yaml"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/b4fcw33vh60yfg9990n5vmc7sy2dcgjx"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/09/06/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Apache Airflow vulnerable to Execution with Unnecessary Privileges"
}
GHSA-93FP-JHR5-HVM4
Vulnerability from github – Published: 2024-05-16 18:30 – Updated: 2024-05-16 18:30IBM AIX could 7.2, 7.3, VIOS 3.1, and VIOS 4.1 allow a non-privileged local user to exploit a vulnerability in the invscout command to execute arbitrary commands. IBM X-Force ID: 283985.
{
"affected": [],
"aliases": [
"CVE-2024-27260"
],
"database_specific": {
"cwe_ids": [
"CWE-250"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-16T17:16:01Z",
"severity": "HIGH"
},
"details": "IBM AIX could 7.2, 7.3, VIOS 3.1, and VIOS 4.1 allow a non-privileged local user to exploit a vulnerability in the invscout command to execute arbitrary commands. IBM X-Force ID: 283985.",
"id": "GHSA-93fp-jhr5-hvm4",
"modified": "2024-05-16T18:30:32Z",
"published": "2024-05-16T18:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27260"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/283985"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7152543"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-97J3-FVQP-6GPF
Vulnerability from github – Published: 2026-04-28 15:30 – Updated: 2026-04-28 15:30mpGabinet is vulnerable to Privilege Escalation due to excessive database privileges assigned to the user used by the application. An attacker with access to any running application instance connected to the backend server can extract database credentials from the application’s memory by inspecting the running process. While ability to retrieve credentials from memory is expected behavior, the exposed credentials grant administrative access to the database, exceeding the privileges required for normal application functionality. This allows an attacker to perform actions beyond those permitted through the application interface.
This issue affects mpGabinet version 23.12.19 and below.
{
"affected": [],
"aliases": [
"CVE-2026-40550"
],
"database_specific": {
"cwe_ids": [
"CWE-250"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-28T14:16:13Z",
"severity": "MODERATE"
},
"details": "mpGabinet is vulnerable to Privilege Escalation due to excessive database privileges assigned to the user used by the application. An attacker with access to any running application instance connected to the backend server can extract database credentials from the application\u2019s memory by inspecting the running process. While ability to retrieve credentials from memory is expected behavior, the exposed credentials grant administrative access to the database, exceeding the privileges required for normal application functionality. This allows an attacker to perform actions beyond those permitted through the application interface.\n\n\nThis issue affects mpGabinet version 23.12.19 and below.",
"id": "GHSA-97j3-fvqp-6gpf",
"modified": "2026-04-28T15:30:50Z",
"published": "2026-04-28T15:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40550"
},
{
"type": "WEB",
"url": "https://cert.pl/posts/2026/04/CVE-2026-40550"
},
{
"type": "WEB",
"url": "https://www.mpgabinet.pl"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-97PG-WR4R-53WR
Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-20 12:32A privilege escalation vulnerability exists in langgenius/dify version 0.9.1. This vulnerability allows a normal user to modify Orchestrate instructions for a chatbot created by an admin user. The issue arises because the application does not properly enforce access controls on the endpoint /console/api/apps/{chatbot-id}/model-config, allowing unauthorized users to alter chatbot configurations.
{
"affected": [],
"aliases": [
"CVE-2024-11821"
],
"database_specific": {
"cwe_ids": [
"CWE-250"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-20T10:15:25Z",
"severity": "MODERATE"
},
"details": "A privilege escalation vulnerability exists in langgenius/dify version 0.9.1. This vulnerability allows a normal user to modify Orchestrate instructions for a chatbot created by an admin user. The issue arises because the application does not properly enforce access controls on the endpoint /console/api/apps/{chatbot-id}/model-config, allowing unauthorized users to alter chatbot configurations.",
"id": "GHSA-97pg-wr4r-53wr",
"modified": "2025-03-20T12:32:42Z",
"published": "2025-03-20T12:32:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11821"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/76d5986d-3882-4ea7-81cb-f00400e5c6b6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-17
Strategy: Environment Hardening
Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
Mitigation MIT-18
Strategy: Separation of Privilege
Identify the functionality that requires additional privileges, such as access to privileged operating system resources. Wrap and centralize this functionality if possible, and isolate the privileged code as much as possible from other code [REF-76]. Raise privileges as late as possible, and drop them as soon as possible to avoid CWE-271. Avoid weaknesses such as CWE-288 and CWE-420 by protecting all possible communication channels that could interact with the privileged code, such as a secondary socket that is only intended to be accessed by administrators.
Mitigation MIT-18
Strategy: Attack Surface Reduction
Identify the functionality that requires additional privileges, such as access to privileged operating system resources. Wrap and centralize this functionality if possible, and isolate the privileged code as much as possible from other code [REF-76]. Raise privileges as late as possible, and drop them as soon as possible to avoid CWE-271. Avoid weaknesses such as CWE-288 and CWE-420 by protecting all possible communication channels that could interact with the privileged code, such as a secondary socket that is only intended to be accessed by administrators.
Mitigation
Perform extensive input validation for any privileged code that must be exposed to the user and reject anything that does not fit your strict requirements.
Mitigation MIT-19
When dropping privileges, ensure that they have been dropped successfully to avoid CWE-273. As protection mechanisms in the environment get stronger, privilege-dropping calls may fail even if it seems like they would always succeed.
Mitigation
If circumstances force you to run with extra privileges, then determine the minimum access level necessary. First identify the different permissions that the software and its users will need to perform their actions, such as file read and write permissions, network socket permissions, and so forth. Then explicitly allow those actions while denying all else [REF-76]. Perform extensive input validation and canonicalization to minimize the chances of introducing a separate vulnerability. This mitigation is much more prone to error than dropping the privileges in the first place.
Mitigation MIT-37
Strategy: Environment Hardening
Ensure that the software runs properly under the United States Government Configuration Baseline (USGCB) [REF-199] or an equivalent hardening configuration guide, which many organizations use to limit the attack surface and potential risk of deployed software.
CAPEC-104: Cross Zone Scripting
An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security.
CAPEC-470: Expanding Control over the Operating System from the Database
An attacker is able to leverage access gained to the database to read / write data to the file system, compromise the operating system, create a tunnel for accessing the host machine, and use this access to potentially attack other machines on the same network as the database machine. Traditionally SQL injections attacks are viewed as a way to gain unauthorized read access to the data stored in the database, modify the data in the database, delete the data, etc. However, almost every data base management system (DBMS) system includes facilities that if compromised allow an attacker complete access to the file system, operating system, and full access to the host running the database. The attacker can then use this privileged access to launch subsequent attacks. These facilities include dropping into a command shell, creating user defined functions that can call system level libraries present on the host machine, stored procedures, etc.
CAPEC-69: Target Programs with Elevated Privileges
This attack targets programs running with elevated privileges. The adversary tries to leverage a vulnerability in the running program and get arbitrary code to execute with elevated privileges.