CWE-266
AllowedIncorrect Privilege Assignment
Abstraction: Base · Status: Draft
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
1913 vulnerabilities reference this CWE, most recent first.
GHSA-RJ3P-XJ8V-G5W3
Vulnerability from github – Published: 2025-04-16 09:32 – Updated: 2025-04-16 09:32A vulnerability was found in TOTOLINK A3700R 9.1.2u.5822_B20200513. It has been rated as critical. Affected by this issue is the function setL2tpServerCfg of the file /cgi-bin/cstecgi.cgi. The manipulation leads to improper access controls. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
{
"affected": [],
"aliases": [
"CVE-2025-3675"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-16T07:15:43Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in TOTOLINK A3700R 9.1.2u.5822_B20200513. It has been rated as critical. Affected by this issue is the function setL2tpServerCfg of the file /cgi-bin/cstecgi.cgi. The manipulation leads to improper access controls. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.",
"id": "GHSA-rj3p-xj8v-g5w3",
"modified": "2025-04-16T09:32:12Z",
"published": "2025-04-16T09:32:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3675"
},
{
"type": "WEB",
"url": "https://lavender-bicycle-a5a.notion.site/TOTOLINK-A3700R-setL2tpServerCfg-1cb53a41781f80319d38dc5a8e9174ae?pvs=4"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.304964"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.304964"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.551304"
},
{
"type": "WEB",
"url": "https://www.totolink.net"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-RJ93-2986-GMF9
Vulnerability from github – Published: 2026-06-01 18:31 – Updated: 2026-06-01 18:31A security vulnerability has been detected in decolua 9router up to 0.4.0. This issue affects the function isAuthenticated of the file src/dashboardGuard.js of the component HTTP Header Handler. The manipulation of the argument Host leads to improper authorization. The attack is possible to be carried out remotely. Upgrading to version 0.4.1 is capable of addressing this issue. The identifier of the patch is 428e2c045cb9c0eb8080e8b580471a9c2eaa95ca. Upgrading the affected component is recommended.
{
"affected": [],
"aliases": [
"CVE-2026-10269"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-01T17:16:43Z",
"severity": "MODERATE"
},
"details": "A security vulnerability has been detected in decolua 9router up to 0.4.0. This issue affects the function isAuthenticated of the file src/dashboardGuard.js of the component HTTP Header Handler. The manipulation of the argument Host leads to improper authorization. The attack is possible to be carried out remotely. Upgrading to version 0.4.1 is capable of addressing this issue. The identifier of the patch is 428e2c045cb9c0eb8080e8b580471a9c2eaa95ca. Upgrading the affected component is recommended.",
"id": "GHSA-rj93-2986-gmf9",
"modified": "2026-06-01T18:31:50Z",
"published": "2026-06-01T18:31:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-10269"
},
{
"type": "WEB",
"url": "https://github.com/decolua/9router/issues/742"
},
{
"type": "WEB",
"url": "https://github.com/decolua/9router/commit/428e2c045cb9c0eb8080e8b580471a9c2eaa95ca"
},
{
"type": "WEB",
"url": "https://github.com/decolua/9router"
},
{
"type": "WEB",
"url": "https://github.com/decolua/9router/releases/tag/v0.4.1"
},
{
"type": "WEB",
"url": "https://vuldb.com/cve/CVE-2026-10269"
},
{
"type": "WEB",
"url": "https://vuldb.com/submit/825188"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/367548"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/367548/cti"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-RJHH-4M39-V2CG
Vulnerability from github – Published: 2025-01-16 09:30 – Updated: 2025-01-16 09:30A incorrect privilege assignment in Fortinet FortiAnalyzer versions 7.4.0 through 7.4.3, 7.2.0 through 7.2.5, 7.0.0 through 7.0.13, 6.4.0 through 6.4.15, FortiManager versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.5, 7.0.0 through 7.0.13, 6.4.0 through 6.4.15, FortiAnalyzer Cloud versions 7.4.1 through 7.4.2, 7.2.1 through 7.2.6, 7.0.1 through 7.0.13, 6.4.1 through 6.4.7 allows attacker to escalate privilege via specific shell commands
{
"affected": [],
"aliases": [
"CVE-2024-45331"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-16T09:15:06Z",
"severity": "HIGH"
},
"details": "A incorrect privilege assignment in Fortinet FortiAnalyzer versions 7.4.0 through 7.4.3, 7.2.0 through 7.2.5, 7.0.0 through 7.0.13, 6.4.0 through 6.4.15, FortiManager versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.5, 7.0.0 through 7.0.13, 6.4.0 through 6.4.15, FortiAnalyzer Cloud versions 7.4.1 through 7.4.2, 7.2.1 through 7.2.6, 7.0.1 through 7.0.13, 6.4.1 through 6.4.7 allows attacker to escalate privilege via specific shell commands",
"id": "GHSA-rjhh-4m39-v2cg",
"modified": "2025-01-16T09:30:36Z",
"published": "2025-01-16T09:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45331"
},
{
"type": "WEB",
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-127"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RJJR-7VQ7-W4MX
Vulnerability from github – Published: 2022-12-19 15:30 – Updated: 2022-12-23 21:30A vulnerability was found in Click Studios Passwordstate and Passwordstate Browser Extension Chrome and classified as critical. This issue affects some unknown processing of the component Browser Extension Provisioning. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-216275.
{
"affected": [],
"aliases": [
"CVE-2022-4613"
],
"database_specific": {
"cwe_ids": [
"CWE-266",
"CWE-285",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-19T15:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in Click Studios Passwordstate and Passwordstate Browser Extension Chrome and classified as critical. This issue affects some unknown processing of the component Browser Extension Provisioning. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-216275.",
"id": "GHSA-rjjr-7vq7-w4mx",
"modified": "2022-12-23T21:30:17Z",
"published": "2022-12-19T15:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4613"
},
{
"type": "WEB",
"url": "https://modzero.com/modlog/archives/2022/12/19/better_make_sure_your_password_manager_is_secure/index.html"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.216275"
},
{
"type": "WEB",
"url": "https://www.modzero.com/static/MZ-22-03_Passwordstate_Security_Disclosure_Report-v1.0.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RMJ4-M9CP-MP9V
Vulnerability from github – Published: 2026-07-06 06:31 – Updated: 2026-07-06 06:31A flaw has been found in Craft CMS up to 4.18.0.1. Affected by this vulnerability is the function actionGetNewUsersData of the file src/controllers/ChartsController.php of the component Charts Endpoint. This manipulation of the argument userGroupId causes improper authorization. The attack is possible to be carried out remotely. Upgrading to version 4.18.1 addresses this issue. Patch name: 9ee53efc1314e6aba32771c66a13e072a246f4ce. It is suggested to upgrade the affected component.
{
"affected": [],
"aliases": [
"CVE-2026-14794"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-06T05:16:34Z",
"severity": "MODERATE"
},
"details": "A flaw has been found in Craft CMS up to 4.18.0.1. Affected by this vulnerability is the function actionGetNewUsersData of the file src/controllers/ChartsController.php of the component Charts Endpoint. This manipulation of the argument userGroupId causes improper authorization. The attack is possible to be carried out remotely. Upgrading to version 4.18.1 addresses this issue. Patch name: 9ee53efc1314e6aba32771c66a13e072a246f4ce. It is suggested to upgrade the affected component.",
"id": "GHSA-rmj4-m9cp-mp9v",
"modified": "2026-07-06T06:31:19Z",
"published": "2026-07-06T06:31:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14794"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/commit/9ee53efc1314e6aba32771c66a13e072a246f4ce"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/releases/tag/4.18.1"
},
{
"type": "WEB",
"url": "https://vuldb.com/cve/CVE-2026-14794"
},
{
"type": "WEB",
"url": "https://vuldb.com/submit/850793"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/376388"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/376388/cti"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-RPVR-38XV-XVXQ
Vulnerability from github – Published: 2023-07-20 00:30 – Updated: 2024-09-26 21:43A vulnerability was identified in Nomad, an ACL policy using a block without label may be applied to unexpected resources. This vulnerability, CVE-2023-3072, affects Nomad from 0.7 up to 1.5.6 and 1.4.10 and was fixed in 1.6.0, 1.5.7, and 1.4.11.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/hashicorp/nomad"
},
"ranges": [
{
"events": [
{
"introduced": "0.7.0"
},
{
"fixed": "1.4.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/hashicorp/nomad"
},
"ranges": [
{
"events": [
{
"introduced": "1.5.0"
},
{
"fixed": "1.5.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-3072"
],
"database_specific": {
"cwe_ids": [
"CWE-266",
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-01T18:33:25Z",
"nvd_published_at": "2023-07-20T00:15:10Z",
"severity": "MODERATE"
},
"details": "A vulnerability was identified in Nomad, an ACL policy using a block without label may be applied to unexpected resources. This vulnerability, CVE-2023-3072, affects Nomad from 0.7 up to 1.5.6 and 1.4.10 and was fixed in 1.6.0, 1.5.7, and 1.4.11.",
"id": "GHSA-rpvr-38xv-xvxq",
"modified": "2024-09-26T21:43:05Z",
"published": "2023-07-20T00:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3072"
},
{
"type": "WEB",
"url": "https://discuss.hashicorp.com/t/hcsec-2023-20-nomad-acl-policies-without-label-are-applied-to-unexpected-resources/56270"
},
{
"type": "PACKAGE",
"url": "https://github.com/hashicorp/nomad"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2024-2670"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Nomad ACL Policies without Label are Applied to Unexpected Resources"
}
GHSA-RQ7X-CFMC-RQ3W
Vulnerability from github – Published: 2025-06-27 00:31 – Updated: 2025-07-11 20:23A vulnerability classified as critical has been found in JuzaWeb CMS 3.4.2. Affected is an unknown function of the file /admin-cp/imports of the component Import Page. The manipulation leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "juzaweb/cms"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "3.4.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-6735"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-11T20:23:11Z",
"nvd_published_at": "2025-06-27T00:15:37Z",
"severity": "LOW"
},
"details": "A vulnerability classified as critical has been found in JuzaWeb CMS 3.4.2. Affected is an unknown function of the file /admin-cp/imports of the component Import Page. The manipulation leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-rq7x-cfmc-rq3w",
"modified": "2025-07-11T20:23:11Z",
"published": "2025-06-27T00:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6735"
},
{
"type": "WEB",
"url": "https://github.com/Cyber-Wo0dy/report/blob/main/juzawebcms/3.4.2/juzawebcms_unprivileged_user_make_import.md"
},
{
"type": "PACKAGE",
"url": "https://github.com/juzaweb/cms"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.314010"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.314010"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.597778"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
],
"summary": "JuzaWeb CMS is vulnerable to Incorrect Privilege Assignment when installing Import Page component"
}
GHSA-RQJQ-WW83-WV5C
Vulnerability from github – Published: 2023-06-03 00:30 – Updated: 2023-06-06 02:04Consul and Consul Enterprise allowed any user with service:write permissions to use Envoy extensions configured via service-defaults to patch remote proxy instances that target the configured service, regardless of whether the user has permission to modify the service(s) corresponding to those modified proxies.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/hashicorp/consul"
},
"ranges": [
{
"events": [
{
"introduced": "1.15.0"
},
{
"fixed": "1.15.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-2816"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": true,
"github_reviewed_at": "2023-06-06T02:04:22Z",
"nvd_published_at": "2023-06-02T23:15:09Z",
"severity": "HIGH"
},
"details": "Consul and Consul Enterprise allowed any user with service:write permissions to use Envoy extensions configured via service-defaults to patch remote proxy instances that target the configured service, regardless of whether the user has permission to modify the service(s) corresponding to those modified proxies.",
"id": "GHSA-rqjq-ww83-wv5c",
"modified": "2023-06-06T02:04:22Z",
"published": "2023-06-03T00:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2816"
},
{
"type": "WEB",
"url": "https://discuss.hashicorp.com/t/hcsec-2023-16-consul-envoy-extension-downstream-proxy-configuration-by-upstream-service-owner/54525"
},
{
"type": "PACKAGE",
"url": "https://github.com/hashicorp/consul"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Hashicorp Consul allows user with service:write permissions to patch remote proxy instances"
}
GHSA-RQVR-W32X-J955
Vulnerability from github – Published: 2026-06-17 18:35 – Updated: 2026-06-17 18:35Unauthenticated Privilege Escalation in LoginPress Pro <= 6.2.2 versions.
{
"affected": [],
"aliases": [
"CVE-2026-49058"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-17T13:20:44Z",
"severity": "CRITICAL"
},
"details": "Unauthenticated Privilege Escalation in LoginPress Pro \u003c= 6.2.2 versions.",
"id": "GHSA-rqvr-w32x-j955",
"modified": "2026-06-17T18:35:51Z",
"published": "2026-06-17T18:35:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49058"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/loginpress-pro/vulnerability/wordpress-loginpress-pro-plugin-6-2-2-privilege-escalation-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RR8J-7W34-XP5J
Vulnerability from github – Published: 2024-10-10 21:30 – Updated: 2025-08-04 20:59A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their privileges to Vault’s root policy. Fixed in Vault Community Edition 1.18.0 and Vault Enterprise 1.18.0, 1.17.7, 1.16.11, and 1.15.16
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/hashicorp/vault"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/openbao/openbao"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-9180"
],
"database_specific": {
"cwe_ids": [
"CWE-266"
],
"github_reviewed": true,
"github_reviewed_at": "2024-10-10T22:19:11Z",
"nvd_published_at": "2024-10-10T21:15:05Z",
"severity": "HIGH"
},
"details": "A privileged Vault operator with write permissions to the root namespace\u2019s identity endpoint could escalate their privileges to Vault\u2019s root policy. Fixed in Vault Community Edition 1.18.0 and Vault Enterprise 1.18.0, 1.17.7, 1.16.11, and 1.15.16",
"id": "GHSA-rr8j-7w34-xp5j",
"modified": "2025-08-04T20:59:26Z",
"published": "2024-10-10T21:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9180"
},
{
"type": "WEB",
"url": "https://discuss.hashicorp.com/t/hcsec-2024-21-vault-operators-in-root-namespace-may-elevate-their-privileges/70565"
},
{
"type": "PACKAGE",
"url": "https://github.com/hashicorp/vault"
},
{
"type": "WEB",
"url": "https://openbao.org/docs/release-notes/2-0-0/#203"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2024-3191"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Vault Community Edition privilege escalation vulnerability"
}
Mitigation MIT-1
Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Mitigation MIT-17
Strategy: Environment Hardening
Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
No CAPEC attack patterns related to this CWE.