CWE-250
AllowedExecution with Unnecessary Privileges
Abstraction: Base · Status: Draft
The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.
573 vulnerabilities reference this CWE, most recent first.
GHSA-W235-X559-36MG
Vulnerability from github – Published: 2026-02-18 22:42 – Updated: 2026-02-20 16:47Summary
A configuration injection issue in the Docker tool sandbox could allow dangerous Docker options (bind mounts, host networking, unconfined profiles) to be applied, enabling container escape or host data access.
Affected Packages / Versions
- Package:
openclaw(npm) - Affected versions:
<= 2026.2.14 - Fixed version:
>= 2026.2.15(next release)
Impact
If an attacker can influence sandbox Docker configuration (or an operator pastes untrusted config), they may be able to:
- mount sensitive host paths (e.g. /etc, /proc, /sys, /dev, Docker socket)
- use network=host to bypass container network isolation
- use seccompProfile=unconfined / apparmorProfile=unconfined to weaken isolation
This can lead to host secret exfiltration or full host control (via Docker socket exposure).
Fix
OpenClaw now blocks dangerous sandbox Docker settings:
- runtime enforcement when building docker create args
- config-schema validation for network=host, seccompProfile=unconfined, apparmorProfile=unconfined
- security audit findings to surface dangerous sandbox docker config
Workarounds
- Do not configure
agents.*.sandbox.docker.bindsto mount system directories or Docker socket paths. - Keep
agents.*.sandbox.docker.networkatnone(default) orbridge. - Do not use
unconfinedfor seccomp/AppArmor profiles.
Fix Commit(s)
- 887b209db47f1f9322fead241a1c0b043fd38339
- 1b6704ef5800152c777ea52b77aa2c8a46c13705 (docs)
Release Process Note
This advisory is pre-populated with the planned fixed version (>= 2026.2.15). Once openclaw@2026.2.15 is published to npm, publishing this advisory should be a single-click action.
Thanks @aether-ai-agent for reporting.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.2.15"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-27002"
],
"database_specific": {
"cwe_ids": [
"CWE-250"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-18T22:42:42Z",
"nvd_published_at": "2026-02-20T00:16:16Z",
"severity": "HIGH"
},
"details": "## Summary\nA configuration injection issue in the Docker tool sandbox could allow dangerous Docker options (bind mounts, host networking, unconfined profiles) to be applied, enabling container escape or host data access.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected versions: `\u003c= 2026.2.14`\n- Fixed version: `\u003e= 2026.2.15` (next release)\n\n## Impact\nIf an attacker can influence sandbox Docker configuration (or an operator pastes untrusted config), they may be able to:\n- mount sensitive host paths (e.g. `/etc`, `/proc`, `/sys`, `/dev`, Docker socket)\n- use `network=host` to bypass container network isolation\n- use `seccompProfile=unconfined` / `apparmorProfile=unconfined` to weaken isolation\n\nThis can lead to host secret exfiltration or full host control (via Docker socket exposure).\n\n## Fix\nOpenClaw now blocks dangerous sandbox Docker settings:\n- runtime enforcement when building `docker create` args\n- config-schema validation for `network=host`, `seccompProfile=unconfined`, `apparmorProfile=unconfined`\n- security audit findings to surface dangerous sandbox docker config\n\n## Workarounds\n- Do not configure `agents.*.sandbox.docker.binds` to mount system directories or Docker socket paths.\n- Keep `agents.*.sandbox.docker.network` at `none` (default) or `bridge`.\n- Do not use `unconfined` for seccomp/AppArmor profiles.\n\n## Fix Commit(s)\n- 887b209db47f1f9322fead241a1c0b043fd38339\n- 1b6704ef5800152c777ea52b77aa2c8a46c13705 (docs)\n\n## Release Process Note\nThis advisory is pre-populated with the planned fixed version (`\u003e= 2026.2.15`). Once `openclaw@2026.2.15` is published to npm, publishing this advisory should be a single-click action.\n\nThanks @aether-ai-agent for reporting.",
"id": "GHSA-w235-x559-36mg",
"modified": "2026-02-20T16:47:03Z",
"published": "2026-02-18T22:42:42Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w235-x559-36mg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27002"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/887b209db47f1f9322fead241a1c0b043fd38339"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.15"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: Docker container escape via unvalidated bind mount config injection"
}
GHSA-W47R-WHP2-PXW8
Vulnerability from github – Published: 2024-10-09 18:31 – Updated: 2024-10-17 06:30A privilege escalation vulnerability in the Palo Alto Networks GlobalProtect app on Windows allows a locally authenticated non-administrative Windows user to escalate their privileges to NT AUTHORITY/SYSTEM through the use of the repair functionality offered by the .msi file used to install GlobalProtect.
{
"affected": [],
"aliases": [
"CVE-2024-9473"
],
"database_specific": {
"cwe_ids": [
"CWE-250"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-09T17:15:21Z",
"severity": "MODERATE"
},
"details": "A privilege escalation vulnerability in the Palo Alto Networks GlobalProtect app on Windows allows a locally authenticated non-administrative Windows user to escalate their privileges to NT AUTHORITY/SYSTEM through the use of the repair functionality offered by the .msi file used to install GlobalProtect.",
"id": "GHSA-w47r-whp2-pxw8",
"modified": "2024-10-17T06:30:32Z",
"published": "2024-10-09T18:31:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9473"
},
{
"type": "WEB",
"url": "https://sec-consult.com/vulnerability-lab/advisory/local-privilege-escalation-via-msi-installer-in-palo-alto-networks-globalprotect"
},
{
"type": "WEB",
"url": "https://security.paloaltonetworks.com/CVE-2024-9473"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:M/U:Amber",
"type": "CVSS_V4"
}
]
}
GHSA-W5CM-M7C3-4JJ4
Vulnerability from github – Published: 2024-10-16 18:31 – Updated: 2024-10-16 18:31A vulnerability in the web-based management interface of Cisco ATA 190 Series Analog Telephone Adapter firmware could allow an authenticated, remote attacker with low privileges to run commands as an Admin user.
This vulnerability is due to incorrect authorization verification by the HTTP server. An attacker could exploit this vulnerability by sending a malicious request to the web-based management interface. A successful exploit could allow the attacker to run commands as the Admin user.
{
"affected": [],
"aliases": [
"CVE-2024-20420"
],
"database_specific": {
"cwe_ids": [
"CWE-250",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-16T17:15:13Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the web-based management interface of Cisco ATA 190 Series Analog Telephone Adapter firmware could allow an authenticated, remote attacker with low privileges to run commands as an Admin user. \n\nThis vulnerability is due to incorrect authorization verification by the HTTP server. An attacker could exploit this vulnerability by sending a malicious request to the web-based management interface. A successful exploit could allow the attacker to run commands as the Admin user.",
"id": "GHSA-w5cm-m7c3-4jj4",
"modified": "2024-10-16T18:31:46Z",
"published": "2024-10-16T18:31:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20420"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ata19x-multi-RDTEqRsy"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W6FG-M995-MG4J
Vulnerability from github – Published: 2024-05-14 18:30 – Updated: 2024-05-14 18:30Dell PowerScale OneFS versions 8.2.x through 9.7.0.1 contains an execution with unnecessary privileges vulnerability. A local high privileged attacker could potentially exploit this vulnerability, leading to escalation of privileges.
{
"affected": [],
"aliases": [
"CVE-2024-25967"
],
"database_specific": {
"cwe_ids": [
"CWE-250"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-14T16:16:17Z",
"severity": "MODERATE"
},
"details": "Dell PowerScale OneFS versions 8.2.x through 9.7.0.1 contains an execution with unnecessary privileges vulnerability. A local high privileged attacker could potentially exploit this vulnerability, leading to escalation of privileges.",
"id": "GHSA-w6fg-m995-mg4j",
"modified": "2024-05-14T18:30:59Z",
"published": "2024-05-14T18:30:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25967"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000224860/dsa-2024-163-security-update-for-dell-powerscale-onefs-for-multiple-security-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W793-V64W-R643
Vulnerability from github – Published: 2025-09-10 21:30 – Updated: 2025-09-10 21:30IBM Security Verify Information Queue 10.0.5, 10.0.6, 10.0.7, and 10.0.8 could allow a privileged user to escalate their privileges and attack surface on the host due to the containers running with unnecessary privileges.
{
"affected": [],
"aliases": [
"CVE-2024-47120"
],
"database_specific": {
"cwe_ids": [
"CWE-250"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-10T20:15:32Z",
"severity": "MODERATE"
},
"details": "IBM Security Verify Information Queue 10.0.5, 10.0.6, 10.0.7, and 10.0.8 could allow a privileged user to escalate their privileges and attack surface on the host due to the containers running with unnecessary privileges.",
"id": "GHSA-w793-v64w-r643",
"modified": "2025-09-10T21:30:19Z",
"published": "2025-09-10T21:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47120"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7244514"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W79P-2Q4Q-MWMW
Vulnerability from github – Published: 2023-07-11 18:31 – Updated: 2024-04-04 05:58Improper privilege management in Zoom Rooms before version 5.14.5 may allow an authenticated user to enable an escalation of privilege via local access.
{
"affected": [],
"aliases": [
"CVE-2023-34118"
],
"database_specific": {
"cwe_ids": [
"CWE-250",
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-11T18:15:16Z",
"severity": "HIGH"
},
"details": "Improper privilege management in Zoom Rooms before version 5.14.5 may allow an authenticated user to enable an escalation of privilege via local access.\n",
"id": "GHSA-w79p-2q4q-mwmw",
"modified": "2024-04-04T05:58:23Z",
"published": "2023-07-11T18:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34118"
},
{
"type": "WEB",
"url": "https://explore.zoom.us/en/trust/security/security-bulletin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-W7J5-J98M-W679
Vulnerability from github – Published: 2026-03-03 22:25 – Updated: 2026-03-03 22:25Three Dockerfiles in scripts/docker/ and scripts/e2e/ lack a USER directive, meaning all processes run as uid 0 (root). If any process is compromised, the attacker has root inside the container, making container breakout significantly easier. Partial fix (2026-02-08): Commit 28e1a65e added USER sandbox to Dockerfile.sandbox and Dockerfile.sandbox-browser. The E2E/test Dockerfiles listed below remain unpatched.
Affected components: - scripts/e2e/Dockerfile - scripts/e2e/Dockerfile.qr-import - scripts/docker/install-sh-e2e/Dockerfile - scripts/docker/install-sh-nonroot/Dockerfile (runs as app but with NOPASSWD sudo — see related advisory)
Technical Reproduction: 1. Open each Dockerfile listed above and search for a USER directive — none found. 2. Run any of these containers: docker run --rm -it id 3. Observe: returns uid=0(root).
Demonstrated Impact: - Root inside the container enables kernel exploit attempts, volume mount abuse, and privileged syscall access. - Test images share the same base (node:22-bookworm) as production, creating risk of accidental deployment of root-running images.
Environment: Base images node:22-bookworm and node:22-bookworm-slim default to root. Dockerfile.sandbox and Dockerfile.sandbox-browser were remediated in commit 28e1a65e; only the E2E/test images listed above remain affected.
Remediation: Add a USER directive before CMD/ENTRYPOINT in each remaining Dockerfile: RUN useradd --create-home --shell /bin/bash appuser USER appuser
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.2.21"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-250"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-03T22:25:13Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "Three Dockerfiles in scripts/docker/ and scripts/e2e/ lack a USER directive, meaning all processes run as uid 0 (root). If any process is compromised, the attacker has root inside the container, making container breakout significantly easier.\n**Partial fix (2026-02-08):** Commit 28e1a65e added USER sandbox to Dockerfile.sandbox and Dockerfile.sandbox-browser. The E2E/test Dockerfiles listed below remain unpatched.\n\n**Affected components:**\n- scripts/e2e/Dockerfile\n- scripts/e2e/Dockerfile.qr-import\n- scripts/docker/install-sh-e2e/Dockerfile\n- scripts/docker/install-sh-nonroot/Dockerfile (runs as app but with NOPASSWD sudo \u2014 see related advisory)\n\n**Technical Reproduction:**\n1. Open each Dockerfile listed above and search for a USER directive \u2014 none found.\n2. Run any of these containers: docker run --rm -it \u003cimage\u003e id\n3. Observe: returns uid=0(root).\n\n**Demonstrated Impact:**\n- Root inside the container enables kernel exploit attempts, volume mount abuse, and privileged syscall access.\n- Test images share the same base (node:22-bookworm) as production, creating risk of accidental deployment of root-running images.\n\n**Environment:** Base images node:22-bookworm and node:22-bookworm-slim default to root. Dockerfile.sandbox and Dockerfile.sandbox-browser were remediated in commit 28e1a65e; only the E2E/test images listed above remain affected.\n\n**Remediation:** Add a USER directive before CMD/ENTRYPOINT in each remaining Dockerfile:\n RUN useradd --create-home --shell /bin/bash appuser\n USER appuser",
"id": "GHSA-w7j5-j98m-w679",
"modified": "2026-03-03T22:25:13Z",
"published": "2026-03-03T22:25:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w7j5-j98m-w679"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/28e1a65ebc580f07533966f5693f4df0a18d7085"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw has multiple E2E/test Dockerfiles that run all processes as root"
}
GHSA-W9FF-QWX7-F9M3
Vulnerability from github – Published: 2023-08-16 15:30 – Updated: 2024-04-04 06:59Dell PowerScale OneFS 9.5.x version contain a privilege escalation vulnerability. A low privilege local attacker could potentially exploit this vulnerability, leading to escalation of privileges.
{
"affected": [],
"aliases": [
"CVE-2023-32486"
],
"database_specific": {
"cwe_ids": [
"CWE-250"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-16T14:15:10Z",
"severity": "HIGH"
},
"details": "\nDell PowerScale OneFS 9.5.x version contain a privilege escalation vulnerability. A low privilege local attacker could potentially exploit this vulnerability, leading to escalation of privileges.\n\n",
"id": "GHSA-w9ff-qwx7-f9m3",
"modified": "2024-04-04T06:59:32Z",
"published": "2023-08-16T15:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32486"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000216717/dsa-2023-269-security-update-for-dell-powerscale-onefs-for-multiple-security-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WG7V-W4X5-XVMX
Vulnerability from github – Published: 2024-04-17 00:30 – Updated: 2024-04-26 09:30Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JavaFX). Supported versions that are affected are Oracle Java SE: 8u401; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).
{
"affected": [],
"aliases": [
"CVE-2024-21003"
],
"database_specific": {
"cwe_ids": [
"CWE-250"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-16T22:15:14Z",
"severity": "LOW"
},
"details": "Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JavaFX). Supported versions that are affected are Oracle Java SE: 8u401; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).",
"id": "GHSA-wg7v-w4x5-xvmx",
"modified": "2024-04-26T09:30:33Z",
"published": "2024-04-17T00:30:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21003"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20240426-0004"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2024.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WGQW-GRM5-9368
Vulnerability from github – Published: 2026-06-19 21:32 – Updated: 2026-06-19 21:32Execution with unnecessary privileges in Azure Synapse allows an authorized attacker to elevate privileges over a network.
{
"affected": [],
"aliases": [
"CVE-2026-48584"
],
"database_specific": {
"cwe_ids": [
"CWE-250"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-19T21:17:01Z",
"severity": "CRITICAL"
},
"details": "Execution with unnecessary privileges in Azure Synapse allows an authorized attacker to elevate privileges over a network.",
"id": "GHSA-wgqw-grm5-9368",
"modified": "2026-06-19T21:32:48Z",
"published": "2026-06-19T21:32:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48584"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-48584"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-17
Strategy: Environment Hardening
Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
Mitigation MIT-18
Strategy: Separation of Privilege
Identify the functionality that requires additional privileges, such as access to privileged operating system resources. Wrap and centralize this functionality if possible, and isolate the privileged code as much as possible from other code [REF-76]. Raise privileges as late as possible, and drop them as soon as possible to avoid CWE-271. Avoid weaknesses such as CWE-288 and CWE-420 by protecting all possible communication channels that could interact with the privileged code, such as a secondary socket that is only intended to be accessed by administrators.
Mitigation MIT-18
Strategy: Attack Surface Reduction
Identify the functionality that requires additional privileges, such as access to privileged operating system resources. Wrap and centralize this functionality if possible, and isolate the privileged code as much as possible from other code [REF-76]. Raise privileges as late as possible, and drop them as soon as possible to avoid CWE-271. Avoid weaknesses such as CWE-288 and CWE-420 by protecting all possible communication channels that could interact with the privileged code, such as a secondary socket that is only intended to be accessed by administrators.
Mitigation
Perform extensive input validation for any privileged code that must be exposed to the user and reject anything that does not fit your strict requirements.
Mitigation MIT-19
When dropping privileges, ensure that they have been dropped successfully to avoid CWE-273. As protection mechanisms in the environment get stronger, privilege-dropping calls may fail even if it seems like they would always succeed.
Mitigation
If circumstances force you to run with extra privileges, then determine the minimum access level necessary. First identify the different permissions that the software and its users will need to perform their actions, such as file read and write permissions, network socket permissions, and so forth. Then explicitly allow those actions while denying all else [REF-76]. Perform extensive input validation and canonicalization to minimize the chances of introducing a separate vulnerability. This mitigation is much more prone to error than dropping the privileges in the first place.
Mitigation MIT-37
Strategy: Environment Hardening
Ensure that the software runs properly under the United States Government Configuration Baseline (USGCB) [REF-199] or an equivalent hardening configuration guide, which many organizations use to limit the attack surface and potential risk of deployed software.
CAPEC-104: Cross Zone Scripting
An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security.
CAPEC-470: Expanding Control over the Operating System from the Database
An attacker is able to leverage access gained to the database to read / write data to the file system, compromise the operating system, create a tunnel for accessing the host machine, and use this access to potentially attack other machines on the same network as the database machine. Traditionally SQL injections attacks are viewed as a way to gain unauthorized read access to the data stored in the database, modify the data in the database, delete the data, etc. However, almost every data base management system (DBMS) system includes facilities that if compromised allow an attacker complete access to the file system, operating system, and full access to the host running the database. The attacker can then use this privileged access to launch subsequent attacks. These facilities include dropping into a command shell, creating user defined functions that can call system level libraries present on the host machine, stored procedures, etc.
CAPEC-69: Target Programs with Elevated Privileges
This attack targets programs running with elevated privileges. The adversary tries to leverage a vulnerability in the running program and get arbitrary code to execute with elevated privileges.