CWE-280
AllowedImproper Handling of Insufficient Permissions or Privileges
Abstraction: Base · Status: Draft
The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state.
256 vulnerabilities reference this CWE, most recent first.
CVE-2023-41972 (GCVE-0-2023-41972)
Vulnerability from cvelistv5 – Published: 2024-03-26 14:16 – Updated: 2024-10-17 15:17| Vendor | Product | Version | |
|---|---|---|---|
| Zscaler | Client Connector |
Affected:
0 , < 4.3.0.121
(custom)
|
|
| zscaler | client_connector |
Affected:
0 , < 4.3.0.121
(custom)
cpe:2.3:a:zscaler:client_connector:*:*:*:*:*:windows:*:* |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:09:49.373Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://help.zscaler.com/client-connector/client-connector-app-release-summary-2023?applicable_category=Windows\u0026applicable_version=4.3.0.121\u0026deployment_date=2023-09-01\u0026id=1463196"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:zscaler:client_connector:*:*:*:*:*:windows:*:*"
],
"defaultStatus": "unaffected",
"product": "client_connector",
"vendor": "zscaler",
"versions": [
{
"lessThan": "4.3.0.121",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-41972",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-05T20:53:46.212015Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-05T20:54:13.482Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "Client Connector",
"vendor": "Zscaler",
"versions": [
{
"lessThan": "4.3.0.121",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Singapore GovTech Red Team"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In some rare cases, there is a password type validation missing in Revert Password check and for some features it could be disabled. Fixed Version: Win ZApp 4.3.0.121 and later."
}
],
"value": "In some rare cases, there is a password type validation missing in Revert Password check and for some features it could be disabled. Fixed Version: Win ZApp 4.3.0.121 and later."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-280",
"description": "CWE-280",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-17T15:17:06.136Z",
"orgId": "73c6f63b-efac-410d-a0a9-569700f85a04",
"shortName": "Zscaler"
},
"references": [
{
"url": "https://help.zscaler.com/client-connector/client-connector-app-release-summary-2023?applicable_category=Windows\u0026applicable_version=4.3.0.121\u0026deployment_date=2023-09-01\u0026id=1463196"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Revert password check incorrect type validation",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "73c6f63b-efac-410d-a0a9-569700f85a04",
"assignerShortName": "Zscaler",
"cveId": "CVE-2023-41972",
"datePublished": "2024-03-26T14:16:24.500Z",
"dateReserved": "2023-09-06T17:14:12.959Z",
"dateUpdated": "2024-10-17T15:17:06.136Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-39249 (GCVE-0-2023-39249)
Vulnerability from cvelistv5 – Published: 2024-02-14 07:36 – Updated: 2024-08-14 18:11- CWE-280 - Improper Handling of Insufficient Permissions or Privileges
| URL | Tags |
|---|---|
| https://www.dell.com/support/kbdoc/en-us/00021657… | vendor-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| Dell | SupportAssist Client Consumer |
Affected:
3.4.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:02:06.855Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.dell.com/support/kbdoc/en-us/000216574/security-update-for-dell-supportassist-for-business-pcs-vulnerability"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-39249",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-14T18:11:48.763812Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-14T18:11:57.163Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SupportAssist Client Consumer",
"vendor": "Dell",
"versions": [
{
"status": "affected",
"version": "3.4.0"
}
]
}
],
"datePublic": "2023-08-08T06:30:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDell SupportAssist for Business PCs version 3.4.0 contains a local Authentication Bypass vulnerability that allows locally authenticated non-admin users to gain temporary privilege within the SupportAssist User Interface on their respective PC. The Run as Admin temporary privilege feature enables IT/System Administrators to perform driver scans and Dell-recommended driver installations without requiring them to log out of the local non-admin user session. However, the granted privilege is limited solely to the SupportAssist User Interface and automatically expires after 15 minutes.\u003c/span\u003e\n\n"
}
],
"value": "\nDell SupportAssist for Business PCs version 3.4.0 contains a local Authentication Bypass vulnerability that allows locally authenticated non-admin users to gain temporary privilege within the SupportAssist User Interface on their respective PC. The Run as Admin temporary privilege feature enables IT/System Administrators to perform driver scans and Dell-recommended driver installations without requiring them to log out of the local non-admin user session. However, the granted privilege is limited solely to the SupportAssist User Interface and automatically expires after 15 minutes.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-280",
"description": "CWE-280: Improper Handling of Insufficient Permissions or Privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-14T07:36:06.873Z",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.dell.com/support/kbdoc/en-us/000216574/security-update-for-dell-supportassist-for-business-pcs-vulnerability"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2023-39249",
"datePublished": "2024-02-14T07:36:06.873Z",
"dateReserved": "2023-07-26T08:13:50.421Z",
"dateUpdated": "2024-08-14T18:11:57.163Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-32489 (GCVE-0-2023-32489)
Vulnerability from cvelistv5 – Published: 2023-08-16 13:36 – Updated: 2024-10-08 19:06- CWE-280 - Improper Handling of Insufficient Permissions or Privileges
| URL | Tags |
|---|---|
| https://www.dell.com/support/kbdoc/en-us/00021671… | vendor-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| Dell | PowerScale OneFS |
Affected:
Version 9.2.1.0 through 9.2.1.22, Version 9.4.0.0 through 9.4.0.13, Version 9.5.0.0 through 9.5.0.3
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:18:37.762Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.dell.com/support/kbdoc/en-us/000216717/dsa-2023-269-security-update-for-dell-powerscale-onefs-for-multiple-security-vulnerabilities"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-32489",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-08T19:06:40.169474Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-08T19:06:53.737Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PowerScale OneFS",
"vendor": "Dell",
"versions": [
{
"status": "affected",
"version": "Version 9.2.1.0 through 9.2.1.22, Version 9.4.0.0 through 9.4.0.13, Version 9.5.0.0 through 9.5.0.3"
}
]
}
],
"datePublic": "2023-08-14T06:30:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDell PowerScale OneFS 8.2x -9.5x contains a privilege escalation vulnerability. A local attacker with high privileges could potentially exploit this vulnerability, to bypass mode protections and gain elevated privileges. \u0026nbsp;\u003c/span\u003e\n\n"
}
],
"value": "\nDell PowerScale OneFS 8.2x -9.5x contains a privilege escalation vulnerability. A local attacker with high privileges could potentially exploit this vulnerability, to bypass mode protections and gain elevated privileges. \u00a0\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-280",
"description": "CWE-280: Improper Handling of Insufficient Permissions or Privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-16T13:36:27.990Z",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.dell.com/support/kbdoc/en-us/000216717/dsa-2023-269-security-update-for-dell-powerscale-onefs-for-multiple-security-vulnerabilities"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2023-32489",
"datePublished": "2023-08-16T13:36:27.990Z",
"dateReserved": "2023-05-09T06:11:48.748Z",
"dateUpdated": "2024-10-08T19:06:53.737Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-28114 (GCVE-0-2023-28114)
Vulnerability from cvelistv5 – Published: 2023-03-22 18:30 – Updated: 2025-02-25 14:51| URL | Tags |
|---|---|
| https://github.com/cilium/cilium-cli/security/adv… | x_refsource_CONFIRM |
| https://github.com/cilium/cilium-cli/commit/fb142… | x_refsource_MISC |
| https://artifacthub.io/packages/helm/cilium/cilium | x_refsource_MISC |
| https://github.com/cilium/cilium-cli/releases/tag… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| cilium | cilium-cli |
Affected:
< 0.13.2
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T12:30:24.278Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/cilium/cilium-cli/security/advisories/GHSA-6f27-3p6c-p5jc",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/cilium/cilium-cli/security/advisories/GHSA-6f27-3p6c-p5jc"
},
{
"name": "https://github.com/cilium/cilium-cli/commit/fb1427025764e1eebc4a7710d902c4f22cae2610",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cilium/cilium-cli/commit/fb1427025764e1eebc4a7710d902c4f22cae2610"
},
{
"name": "https://artifacthub.io/packages/helm/cilium/cilium",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://artifacthub.io/packages/helm/cilium/cilium"
},
{
"name": "https://github.com/cilium/cilium-cli/releases/tag/v0.13.2",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cilium/cilium-cli/releases/tag/v0.13.2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-28114",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-25T14:28:23.436155Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-25T14:51:44.533Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cilium-cli",
"vendor": "cilium",
"versions": [
{
"status": "affected",
"version": "\u003c 0.13.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "`cilium-cli` is the command line interface to install, manage, and troubleshoot Kubernetes clusters running Cilium. Prior to version 0.13.2,`cilium-cli`, when used to configure cluster mesh functionality, can remove the enforcement of user permissions on the `etcd` store used to mirror local cluster information to remote clusters. Users who have set up cluster meshes using the Cilium Helm chart are not affected by this issue.\n\nDue to an incorrect mount point specification, the settings specified by the `initContainer` that configures `etcd` users and their permissions are overwritten when using `cilium-cli` to configure a cluster mesh. An attacker who has already gained access to a valid key and certificate for an `etcd` cluster compromised in this manner could then modify state in that `etcd` cluster.\n\nThis issue is patched in `cilium-cli` 0.13.2. As a workaround, one may use Cilium\u0027s Helm charts to create their cluster."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-280",
"description": "CWE-280: Improper Handling of Insufficient Permissions or Privileges ",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-755",
"description": "CWE-755: Improper Handling of Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-22T18:30:16.774Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/cilium/cilium-cli/security/advisories/GHSA-6f27-3p6c-p5jc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/cilium/cilium-cli/security/advisories/GHSA-6f27-3p6c-p5jc"
},
{
"name": "https://github.com/cilium/cilium-cli/commit/fb1427025764e1eebc4a7710d902c4f22cae2610",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cilium/cilium-cli/commit/fb1427025764e1eebc4a7710d902c4f22cae2610"
},
{
"name": "https://artifacthub.io/packages/helm/cilium/cilium",
"tags": [
"x_refsource_MISC"
],
"url": "https://artifacthub.io/packages/helm/cilium/cilium"
},
{
"name": "https://github.com/cilium/cilium-cli/releases/tag/v0.13.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cilium/cilium-cli/releases/tag/v0.13.2"
}
],
"source": {
"advisory": "GHSA-6f27-3p6c-p5jc",
"discovery": "UNKNOWN"
},
"title": "`cilium-cli` disables etcd authorization for clustermesh clusters"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-28114",
"datePublished": "2023-03-22T18:30:16.774Z",
"dateReserved": "2023-03-10T18:34:29.227Z",
"dateUpdated": "2025-02-25T14:51:44.533Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-25543 (GCVE-0-2023-25543)
Vulnerability from cvelistv5 – Published: 2024-02-06 06:31 – Updated: 2024-08-02 11:25- CWE-280 - Improper Handling of Insufficient Permissions or Privileges
| URL | Tags |
|---|---|
| https://www.dell.com/support/kbdoc/en-us/00020946… | vendor-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| Dell | Dell Power Manager (DPM) |
Affected:
0 , < 3.14
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-25543",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-06T15:42:34.001281Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-05T17:21:32.630Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:25:19.264Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.dell.com/support/kbdoc/en-us/000209464/dsa-2023-075"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Dell Power Manager (DPM)",
"vendor": "Dell",
"versions": [
{
"lessThan": "3.14",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Cedric Van Bockhaven"
}
],
"datePublic": "2023-04-04T06:30:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDell Power Manager, versions prior to 3.14, contain an Improper Authorization vulnerability in DPM service. A low privileged malicious user could potentially exploit this vulnerability in order to elevate privileges on the system. \u003c/span\u003e\n\n"
}
],
"value": "\nDell Power Manager, versions prior to 3.14, contain an Improper Authorization vulnerability in DPM service. A low privileged malicious user could potentially exploit this vulnerability in order to elevate privileges on the system. \n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-280",
"description": "CWE-280: Improper Handling of Insufficient Permissions or Privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-06T06:31:42.796Z",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.dell.com/support/kbdoc/en-us/000209464/dsa-2023-075"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2023-25543",
"datePublished": "2024-02-06T06:31:20.673Z",
"dateReserved": "2023-02-07T09:35:27.080Z",
"dateUpdated": "2024-08-02T11:25:19.264Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-22737 (GCVE-0-2023-22737)
Vulnerability from cvelistv5 – Published: 2023-01-27 23:14 – Updated: 2025-03-10 21:18| URL | Tags |
|---|---|
| https://github.com/wireapp/wire-server/security/a… | x_refsource_CONFIRM |
| https://github.com/wireapp/wire-server/pull/2870 | x_refsource_MISC |
| https://github.com/wireapp/wire-server/commit/494… | x_refsource_MISC |
| https://github.com/wireapp/wire-server/releases/t… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| wireapp | wire-server |
Affected:
< 2022-12-09
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:20:30.226Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/wireapp/wire-server/security/advisories/GHSA-xmjc-c6w3-pcp4",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/wireapp/wire-server/security/advisories/GHSA-xmjc-c6w3-pcp4"
},
{
"name": "https://github.com/wireapp/wire-server/pull/2870",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/wireapp/wire-server/pull/2870"
},
{
"name": "https://github.com/wireapp/wire-server/commit/494a6881f5895d4ed9e5d011455242be0d5e6223",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/wireapp/wire-server/commit/494a6881f5895d4ed9e5d011455242be0d5e6223"
},
{
"name": "https://github.com/wireapp/wire-server/releases/tag/v2022-12-09",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/wireapp/wire-server/releases/tag/v2022-12-09"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-22737",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-10T20:59:01.422903Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-10T21:18:14.172Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "wire-server",
"vendor": "wireapp",
"versions": [
{
"status": "affected",
"version": "\u003c 2022-12-09"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "wire-server provides back end services for Wire, a team communication and collaboration platform. Prior to version 2022-12-09, every member of a Conversation can remove a Bot from a Conversation due to a missing permissions check. Only Conversation admins should be able to remove Bots. Regular Conversations are not allowed to do so. The issue is fixed in wire-server 2022-12-09 and is already deployed on all Wire managed services. On-premise instances of wire-server need to be updated to 2022-12-09/Chart 4.29.0, so that their backends are no longer affected. There are no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-280",
"description": "CWE-280: Improper Handling of Insufficient Permissions or Privileges ",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-27T23:14:33.913Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/wireapp/wire-server/security/advisories/GHSA-xmjc-c6w3-pcp4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/wireapp/wire-server/security/advisories/GHSA-xmjc-c6w3-pcp4"
},
{
"name": "https://github.com/wireapp/wire-server/pull/2870",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/wireapp/wire-server/pull/2870"
},
{
"name": "https://github.com/wireapp/wire-server/commit/494a6881f5895d4ed9e5d011455242be0d5e6223",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/wireapp/wire-server/commit/494a6881f5895d4ed9e5d011455242be0d5e6223"
},
{
"name": "https://github.com/wireapp/wire-server/releases/tag/v2022-12-09",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/wireapp/wire-server/releases/tag/v2022-12-09"
}
],
"source": {
"advisory": "GHSA-xmjc-c6w3-pcp4",
"discovery": "UNKNOWN"
},
"title": "wire-server vulnerable to unauthorized removal of Bots from Conversations"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-22737",
"datePublished": "2023-01-27T23:14:33.913Z",
"dateReserved": "2023-01-06T14:21:05.892Z",
"dateUpdated": "2025-03-10T21:18:14.172Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-21421 (GCVE-0-2023-21421)
Vulnerability from cvelistv5 – Published: 2023-02-09 00:00 – Updated: 2025-03-24 20:31- CWE-280 - Improper Handling of Insufficient Permissions or Privileges
| Vendor | Product | Version | |
|---|---|---|---|
| Samsung Mobile | Samsung Mobile Devices |
Affected:
Q(10), R(11), S(12), T(13) , < SMR Jan-2023 Release 1
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T09:36:34.579Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2023\u0026month=01"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-21421",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-24T20:31:09.065692Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-24T20:31:17.180Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Samsung Mobile Devices",
"vendor": "Samsung Mobile",
"versions": [
{
"lessThan": "SMR Jan-2023 Release 1",
"status": "affected",
"version": "Q(10), R(11), S(12), T(13)",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper Handling of Insufficient Permissions or Privileges vulnerability in KnoxCustomManagerService prior to SMR Jan-2023 Release 1 allows attacker to access device SIM PIN."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-280",
"description": "CWE-280: Improper Handling of Insufficient Permissions or Privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-09T00:00:00.000Z",
"orgId": "3af57064-a867-422c-b2ad-40307b65c458",
"shortName": "Samsung Mobile"
},
"references": [
{
"url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2023\u0026month=01"
}
],
"source": {
"discovery": "UNKNOWN"
}
}
},
"cveMetadata": {
"assignerOrgId": "3af57064-a867-422c-b2ad-40307b65c458",
"assignerShortName": "Samsung Mobile",
"cveId": "CVE-2023-21421",
"datePublished": "2023-02-09T00:00:00.000Z",
"dateReserved": "2022-11-14T00:00:00.000Z",
"dateUpdated": "2025-03-24T20:31:17.180Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-6189 (GCVE-0-2023-6189)
Vulnerability from cvelistv5 – Published: 2023-11-22 09:56 – Updated: 2026-02-23 08:56- CWE-280 - Improper Handling of Insufficient Permissions or Privileges
| URL | Tags |
|---|---|
| https://product.m-files.com/security-advisories/c… | vendor-advisory |
| https://empower.m-files.com/security-advisories/C… | vendor-advisory |
| https://https://www.m-files.com/about/trust-cente… | x_transferred |
| Vendor | Product | Version | |
|---|---|---|---|
| M-Files | M-Files Server |
Affected:
0 , < 23.11.13156.0
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:21:17.624Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://https://www.m-files.com/about/trust-center/security-advisories/cve-2023-6189/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "M-Files Server",
"vendor": "M-Files",
"versions": [
{
"lessThan": "23.11.13156.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2023-11-22T08:30:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(252, 252, 252);\"\u003eMissing access permissions checks\u003c/span\u003e\n\n in\u0026nbsp;the \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eM-Files server\u003c/span\u003e\u0026nbsp;before 23.11.13156.0 allow attackers to perform data write and export\n\njobs using the\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;M-Files \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAPI methods.\u003c/span\u003e"
}
],
"value": "Missing access permissions checks\n\n in\u00a0the M-Files server\u00a0before 23.11.13156.0 allow attackers to perform data write and export\n\njobs using the\u00a0M-Files API methods."
}
],
"impacts": [
{
"capecId": "CAPEC-212",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-212 Functionality Misuse"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-280",
"description": "CWE-280 Improper Handling of Insufficient Permissions or Privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T08:56:33.921Z",
"orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"shortName": "M-Files Corporation"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://product.m-files.com/security-advisories/cve-2023-6189/"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://empower.m-files.com/security-advisories/CVE-2023-6189"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to the patched version.\n\n\u003cbr\u003e"
}
],
"value": "Update to the patched version."
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Improper Permission Handling in M-Files Server",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"assignerShortName": "M-Files Corporation",
"cveId": "CVE-2023-6189",
"datePublished": "2023-11-22T09:56:44.563Z",
"dateReserved": "2023-11-17T13:00:28.506Z",
"dateUpdated": "2026-02-23T08:56:33.921Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-2480 (GCVE-0-2023-2480)
Vulnerability from cvelistv5 – Published: 2023-05-25 13:28 – Updated: 2026-02-23 08:42- CWE-280 - Improper Handling of Insufficient Permissions or Privileges
| URL | Tags |
|---|---|
| https://product.m-files.com/security-advisories/c… | vendor-advisory |
| https://empower.m-files.com/security-advisories/C… | vendor-advisory |
| https://https://www.m-files.com/about/trust-cente… | vendor-advisoryx_transferred |
| Vendor | Product | Version | |
|---|---|---|---|
| M-Files | M-Files Client |
Affected:
0 , < 23.5.12598.0
(custom)
Unaffected: 23.2.12340.11 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:26:09.083Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://https://www.m-files.com/about/trust-center/security-advisories/cve-2023-2480/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-2480",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-28T18:20:38.235019Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T18:21:05.801Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "M-Files Client",
"vendor": "M-Files",
"versions": [
{
"lessThan": "23.5.12598.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "23.2.12340.11"
}
]
}
],
"datePublic": "2023-05-26T13:01:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing access permissions checks in M-Files Client before 23.5.12598.0 (excluding 23.2 SR2 and newer) allows elevation of privilege via UI extension applications"
}
],
"value": "Missing access permissions checks in M-Files Client before 23.5.12598.0 (excluding 23.2 SR2 and newer) allows elevation of privilege via UI extension applications"
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Not exploited"
}
],
"value": "Not exploited"
}
],
"impacts": [
{
"capecId": "CAPEC-212",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-212 Functionality Misuse"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-280",
"description": "CWE-280 Improper Handling of Insufficient Permissions or Privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T08:42:43.815Z",
"orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"shortName": "M-Files Corporation"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://product.m-files.com/security-advisories/cve-2023-2480/"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://empower.m-files.com/security-advisories/CVE-2023-2480"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade to patched versions."
}
],
"value": "Upgrade to patched versions."
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Elevation of Privilege in M-Files Desktop Client",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"assignerShortName": "M-Files Corporation",
"cveId": "CVE-2023-2480",
"datePublished": "2023-05-25T13:28:29.204Z",
"dateReserved": "2023-05-02T13:56:42.382Z",
"dateUpdated": "2026-02-23T08:42:43.815Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-2020 (GCVE-0-2023-2020)
Vulnerability from cvelistv5 – Published: 2023-04-18 11:09 – Updated: 2025-02-05 15:48- CWE-280 - Improper Handling of Insufficient Permissions or Privileges
| URL | Tags |
|---|---|
| https://checkmk.com/werk/13981 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:12:19.531Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://checkmk.com/werk/13981"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-2020",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-05T15:48:04.310630Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-05T15:48:19.218Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Checkmk",
"vendor": "Tribe29",
"versions": [
{
"lessThanOrEqual": "2.2.0b4",
"status": "affected",
"version": "2.2.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "2.1.0p27",
"status": "affected",
"version": "2.1.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Insufficient permission checks in the REST API in Tribe29 Checkmk \u003c= 2.1.0p27 and \u003c= 2.2.0b4 (beta) allow unauthorized users to schedule downtimes for any host."
}
],
"impacts": [
{
"capecId": "CAPEC-122",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-122: Privilege Abuse"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-280",
"description": "CWE-280: Improper Handling of Insufficient Permissions or Privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-18T11:09:09.107Z",
"orgId": "f7d6281c-4801-44ce-ace2-493291dedb0f",
"shortName": "Tribe29"
},
"references": [
{
"url": "https://checkmk.com/werk/13981"
}
],
"title": "Unauthorized scheduling of downtimes via REST API"
}
},
"cveMetadata": {
"assignerOrgId": "f7d6281c-4801-44ce-ace2-493291dedb0f",
"assignerShortName": "Tribe29",
"cveId": "CVE-2023-2020",
"datePublished": "2023-04-18T11:09:09.107Z",
"dateReserved": "2023-04-13T08:38:39.338Z",
"dateUpdated": "2025-02-05T15:48:19.218Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation MIT-46
Strategy: Separation of Privilege
- Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
- Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Mitigation
Always check to see if you have successfully accessed a resource or system functionality, and use proper error handling if it is unsuccessful. Do this even when you are operating in a highly privileged mode, because errors or environmental conditions might still cause a failure. For example, environments with highly granular permissions/privilege models, such as Windows or Linux capabilities, can cause unexpected failures.
No CAPEC attack patterns related to this CWE.