Common Weakness Enumeration

CWE-268

Allowed

Privilege Chaining

Abstraction: Base · Status: Draft

Two distinct privileges, roles, capabilities, or rights can be combined in a way that allows an entity to perform unsafe actions that would not be allowed without that combination.

45 vulnerabilities reference this CWE, most recent first.

GHSA-MXR3-8WHJ-J74R

Vulnerability from github – Published: 2025-04-22 01:07 – Updated: 2025-04-22 01:07
VLAI
Summary
Harden-Runner allows evasion of 'disable-sudo' policy
Details

Summary

Harden-Runner includes a policy option disable-sudo to prevent the GitHub Actions runner user from using sudo. This is implemented by removing the runner user from the sudoers file. However, this control can be bypassed as the runner user, being part of the docker group, can interact with the Docker daemon to launch privileged containers or access the host filesystem. This allows the attacker to regain root access or restore the sudoers file, effectively bypassing the restriction.

For an attacker to bypass this control, they would first need the ability to run their malicious code (e.g., by a supply chain attack similar to tj-actions or exploiting a Pwn Request vulnerability)) on the runner. This vulnerability has been fixed in Harden-Runner version v2.12.0.

Impact

An attacker with the ability to run their malicious code on a runner configured with disable-sudo: true can escalate privileges to root using Docker, defeating the intended security control.

Affected Configuration

• Harden-Runner configurations that use disable-sudo: true on GitHub-hosted runners or on ephemeral self-hosted VM-based runners. • This issue does not apply to Kubernetes-based Actions Runner Controller (ARC) Harden-Runner.

Mitigation / Fix

This vulnerability has been fixed in Harden-Runner version v2.12.0. Users should migrate to the stronger disable-sudo-and-containers policy. This setting: • Disables sudo access, • Removes access to dockerd and containerd sockets, • Uninstalls Docker from the runner entirely, preventing container-based privilege escalation paths.

Additional Improvements

• The disable-sudo option will be deprecated in the future, as it does not sufficiently restrict privilege escalation on its own. • Harden-Runner now includes detections to alert on attempts to evade the disable-sudo policy.

Credits

Reported by @loresuso and @darryk10. We would like to thank them for collaborating with us to mitigate the vulnerability.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "GitHub Actions",
        "name": "step-security/harden-runner"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.12.0"
            },
            {
              "fixed": "2.12.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-32955"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-250",
      "CWE-268",
      "CWE-272"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-22T01:07:03Z",
    "nvd_published_at": "2025-04-21T21:15:20Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nHarden-Runner includes a policy option `disable-sudo` to prevent the GitHub Actions runner user from using sudo. This is implemented by removing the runner user from the sudoers file. However, this control can be bypassed as the runner user, being part of the docker group, can interact with the Docker daemon to launch privileged containers or access the host filesystem. This allows the attacker to regain root access or restore the sudoers file, effectively bypassing the restriction. \n\nFor an attacker to bypass this control, they would first need the ability to run their malicious code (e.g., by a supply chain attack similar to tj-actions or exploiting a Pwn Request vulnerability)) on the runner. This vulnerability has been fixed in Harden-Runner version `v2.12.0`.\n\n### Impact\nAn attacker with the ability to run their malicious code on a runner configured with `disable-sudo: true` can escalate privileges to root using Docker, defeating the intended security control.\n\n### Affected Configuration\n\u2022\tHarden-Runner configurations that use `disable-sudo: true` on GitHub-hosted runners or on ephemeral self-hosted VM-based runners.\n\u2022\tThis issue does not apply to Kubernetes-based Actions Runner Controller (ARC) Harden-Runner.\n\n### Mitigation / Fix\nThis vulnerability has been fixed in Harden-Runner version `v2.12.0`. Users should migrate to the stronger `disable-sudo-and-containers` policy. This setting:\n\u2022\tDisables sudo access,\n\u2022\tRemoves access to dockerd and containerd sockets,\n\u2022\tUninstalls Docker from the runner entirely, preventing container-based privilege escalation paths.\n\n\n### Additional Improvements\n\u2022\tThe `disable-sudo` option will be deprecated in the future, as it does not sufficiently restrict privilege escalation on its own. \n\u2022\tHarden-Runner now includes detections to alert on attempts to evade the `disable-sudo` policy.\n\n\n### Credits\nReported by @loresuso and @darryk10. We would like to thank them for collaborating with us to mitigate the vulnerability.",
  "id": "GHSA-mxr3-8whj-j74r",
  "modified": "2025-04-22T01:07:03Z",
  "published": "2025-04-22T01:07:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/step-security/harden-runner/security/advisories/GHSA-mxr3-8whj-j74r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32955"
    },
    {
      "type": "WEB",
      "url": "https://github.com/step-security/harden-runner/commit/0634a2670c59f64b4a01f0f96f84700a4088b9f0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/step-security/harden-runner"
    },
    {
      "type": "WEB",
      "url": "https://github.com/step-security/harden-runner/releases/tag/v2.12.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Harden-Runner allows evasion of \u0027disable-sudo\u0027 policy"
}

GHSA-R35R-4X8R-V472

Vulnerability from github – Published: 2025-08-14 15:30 – Updated: 2025-08-14 15:30
VLAI
Details

A security issue exists in FactoryTalk ViewPoint version 14.0 or below due to improper handling of MSI repair operations. During a repair, attackers can hijack the cscript.exe console window, which runs with SYSTEM privileges. This can be exploited to spawn an elevated command prompt, enabling full privilege escalation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-7973"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-268"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-14T14:15:35Z",
    "severity": "HIGH"
  },
  "details": "A security issue exists in FactoryTalk ViewPoint version 14.0 or below due to improper handling of MSI repair operations. During a repair, attackers can hijack the cscript.exe console window, which runs with SYSTEM privileges. This can be exploited to spawn an elevated command prompt, enabling full privilege escalation.",
  "id": "GHSA-r35r-4x8r-v472",
  "modified": "2025-08-14T15:30:45Z",
  "published": "2025-08-14T15:30:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7973"
    },
    {
      "type": "WEB",
      "url": "https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1738.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-WVF7-CF8R-8FW5

Vulnerability from github – Published: 2026-06-01 09:31 – Updated: 2026-06-01 09:31
VLAI
Details

Privilege chaining issue exists in ServerView Agents for Windows V11.60.04 and earlier. If this vulnerability is exploited, a local authenticated attacker who can log in to the server where the affected product is installed may obtain SYSTEM privilege.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-32325"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-268"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-01T09:16:16Z",
    "severity": "HIGH"
  },
  "details": "Privilege chaining issue exists in ServerView Agents for Windows V11.60.04 and earlier. If this vulnerability is exploited, a local authenticated attacker who can log in to the server where the affected product is installed may obtain SYSTEM privilege.",
  "id": "GHSA-wvf7-cf8r-8fw5",
  "modified": "2026-06-01T09:31:13Z",
  "published": "2026-06-01T09:31:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32325"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN67883085"
    },
    {
      "type": "WEB",
      "url": "https://www.fsastech.com/ja-jp/resources/security/2026/0529.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-XPFF-C35G-J3CR

Vulnerability from github – Published: 2024-05-27 22:28 – Updated: 2024-05-27 22:28
VLAI
Summary
silverstripe/framework Privilege Escalation Risk in Member Edit form
Details

A member with the permission EDIT_PERMISSIONS and access to the "Security" section is able to re-assign themselves (or another member) to ADMIN level.

CMS Fields for the member are constructed using DirectGroups instead of Groups relation which results in bypassing security logic preventing privilege escalation.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "silverstripe/framework"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.5.7-rc1"
            },
            {
              "fixed": "3.5.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "silverstripe/framework"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.6.0-rc1"
            },
            {
              "fixed": "3.6.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "silverstripe/framework"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0-rc1"
            },
            {
              "fixed": "4.0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "silverstripe/framework"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.1.0-rc1"
            },
            {
              "fixed": "4.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-268"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-27T22:28:13Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "A member with the permission `EDIT_PERMISSIONS` and access to the \"Security\" section is able to re-assign themselves (or another member) to `ADMIN` level.\n\nCMS Fields for the member are constructed using DirectGroups instead of Groups relation which results in bypassing security logic preventing privilege escalation.",
  "id": "GHSA-xpff-c35g-j3cr",
  "modified": "2024-05-27T22:28:13Z",
  "published": "2024-05-27T22:28:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/silverstripe/silverstripe-framework/commit/577138882163e4b8782ea043487944d30d88e753"
    },
    {
      "type": "WEB",
      "url": "https://github.com/silverstripe/silverstripe-framework/commit/e409d6f673c49846086b23677aecdc3fde5fc4d5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2018-001-1.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/silverstripe/silverstripe-framework"
    },
    {
      "type": "WEB",
      "url": "https://www.silverstripe.org/download/security-releases/ss-2018-001"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "silverstripe/framework Privilege Escalation Risk in Member Edit form"
}

GHSA-XQ83-M7PG-GG42

Vulnerability from github – Published: 2025-05-21 18:33 – Updated: 2025-05-21 18:33
VLAI
Details

A vulnerability in multiple Cisco Unified Communications and Contact Center Solutions products could allow an authenticated, local attacker to elevate privileges to root on an affected device.

This vulnerability is due to excessive permissions that have been assigned to system commands. An attacker could exploit this vulnerability by executing crafted commands on the underlying operating system. A successful exploit could allow the attacker to escape the restricted shell and gain root privileges on the underlying operating system of an affected device. To successfully exploit this vulnerability, an attacker would need administrative access to the ESXi hypervisor.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-20112"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-268"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-21T17:15:55Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in multiple Cisco Unified Communications and Contact Center Solutions products could allow an authenticated, local attacker to elevate privileges to root on an affected device.\n\nThis vulnerability is due to excessive permissions that have been assigned to system commands.\u0026nbsp;An attacker could exploit this vulnerability by executing crafted commands on the underlying operating system. A successful exploit could allow the attacker to escape the restricted shell and gain root privileges on the underlying operating system of an affected device. To successfully exploit this vulnerability, an attacker would need administrative access to the ESXi hypervisor.",
  "id": "GHSA-xq83-m7pg-gg42",
  "modified": "2025-05-21T18:33:30Z",
  "published": "2025-05-21T18:33:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20112"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-kkhZbHR5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-49
Architecture and Design

Strategy: Separation of Privilege

Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.

Mitigation MIT-1
Architecture and Design Operation

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

Mitigation MIT-17
Architecture and Design Operation

Strategy: Environment Hardening

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

No CAPEC attack patterns related to this CWE.