CVEbaza.plSłownik CWECWE-1220
Common Weakness Enumeration

CWE-1220

Insufficient Granularity of Access Control

Kategoria: BaseCVE: 94
Opis

Produkt implementuje kontrolę dostępu za pośrednictwem polityki lub innej funkcji w celu wyłączenia lub ograniczenia dostępu (odczytu i/lub zapisu) do zasobów w systemie przed niezaufanymi agentami. Jednak wdrożone kontrole dostępu nie mają wymaganej granularności, co powoduje, że polityka kontroli jest zbyt szeroka.

Description (EN)

The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.

Podatności CVE z CWE-1220 (94)
9.8
CVSS
CRITICAL
CVE-2025-31201

Podatność w wielu platformach Apple umożliwia atakującemu z możliwością dowolnego odczytu i zapisu pamięci obejście mechanizmu Pointer Authentication (PAC). Apple potwierdziło, że podatność była aktywnie wykorzystywana w wysoce zaawansowanych, ukierunkowanych atakach na użytkowników iOS.

pub. 2025-04-16🚩 CISA KEV⚡ EXPLOIT
9.8
CVSS
CRITICAL
CVE-2022-2475

Haas Controller version 100.20.000.1110 has insufficient granularity of access control when using the "Ethernet Q Commands" service. Any user is able to write macros into registers outside of the authorized accessible range. This could allow a user to access privileged resources or resources out of context.

pub. 2022-10-28
9.6
CVSS
CRITICAL
CVE-2026-6356

Podatność w aplikacji webowej umożliwia zwykłemu użytkownikowi eskalację uprawnień do poziomu super administratora poprzez manipulację parametrami żądania. Zagrożenie jest krytyczne, ponieważ atakujący z podstawowym kontem może uzyskać pełną kontrolę nad wrażliwymi danymi aplikacji.

pub. 2026-04-22
9.1
CVSS
CRITICAL
CVE-2026-6388

Podatność w ArgoCD Image Updater umożliwia atakującemu posiadającemu uprawnienia do tworzenia lub modyfikowania zasobów ImageUpdater obejście granic przestrzeni nazw (namespace) w środowisku wielodostępnym. Skutkiem jest nieautoryzowane aktualizowanie obrazów aplikacji należących do innych najemców (tenantów), co zagraża integralności tych aplikacji.

pub. 2026-04-15
9.1
CVSS
CRITICAL
CVE-2025-7493

W FreeIPA odkryto podatność umożliwiającą privilege escalation z poziomu hosta do administratora domeny (REALM). Błąd wynika z braku walidacji unikalności nazwy kanonicznej root@REALM, co pozwala atakującemu przejąć kontrolę administracyjną nad środowiskiem katalogowym.

pub. 2025-09-30
9.1
CVSS
CRITICAL
CVE-2025-4404

W projekcie FreeIPA wykryto podatność umożliwiającą privilege escalation z poziomu hosta do poziomu administratora domeny (REALM). Błąd pozwala atakującemu na przejęcie uprawnień administracyjnych nad całą domeną Kerberos.

pub. 2025-06-17
9.0
CVSS
CRITICAL
CVE-2026-2651

Podatność w MLflow umożliwia nieautoryzowanym użytkownikom nadpisywanie artefaktów innych użytkowników poprzez endpointy multipart upload. W konsekwencji może prowadzić do zatrucia łańcucha dostaw modeli ML oraz wykonania dowolnego kodu (RCE).

pub. 2026-05-25
8.8
CVSS
HIGH
CVE-2026-35436

Use after free in Microsoft Office allows an authorized attacker to elevate privileges locally.

pub. 2026-05-12
8.8
CVSS
HIGH
CVE-2026-40365

Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

pub. 2026-05-12
8.8
CVSS
HIGH
CVE-2025-29987

Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) versions prior to 8.3.0.15 contain an Insufficient Granularity of Access Control vulnerability. An authenticated user from a trusted remote client could exploit this vulnerability to execute arbitrary commands with root privileges.

pub. 2025-04-03
8.8
CVSS
HIGH
CVE-2023-40070

Improper access control in some Intel(R) Power Gadget software for macOS all versions may allow an authenticated user to potentially enable escalation of privilege via local access.

pub. 2024-05-16
8.8
CVSS
HIGH
CVE-2023-45217

Improper access control in Intel(R) Power Gadget software for Windows all versions may allow an authenticated user to potentially enable escalation of privilege via local access.

pub. 2024-05-16
8.8
CVSS
HIGH
CVE-2022-36110

Netmaker makes networks with WireGuard. Prior to version 0.15.1, Improper Authorization functions lead to non-privileged users running privileged API calls. If someone adds users to the Netmaker platform who do not have admin privileges, they can use their auth tokens to run admin-level functions via the API. This problem has been patched in v0.15.1.

pub. 2022-09-09
8.6
CVSS
HIGH
CVE-2024-21962

Improper Input Validation in the AMD RAID driver could allow an attacker to point to an arbitrary memory location potentially resulting in privilege escalation and arbitrary code execution.

pub. 2026-05-15
8.2
CVSS
HIGH
CVE-2026-41326

Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines (VMs) that perform like containers. From v3.4.0 to v3.28.0, an oversight in the CopyFile policy (and perhaps the CopyFile handler) allows untrusted hosts to write to arbitrary locations inside the guest workload image. This can be used to overwrite binaries inside the guest and exfiltrate data from containers; even those running inside CVMs. This vulnerability is fixed in v3.29.0.

pub. 2026-04-24
8.2
CVSS
HIGH
CVE-2026-39363

Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?raw (or ?inline) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., export default "..."). The access control enforced in the HTTP request path (such as server.fs.allow) is not applied to this WebSocket-based execution path. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.

pub. 2026-04-07
8.2
CVSS
HIGH
CVE-2025-3648

A vulnerability has been identified in the Now Platform that could result in data being inferred without authorization. Under certain conditional access control list (ACL) configurations, this vulnerability could enable unauthenticated and authenticated users to use range query requests to infer instance data that is not intended to be accessible to them. To assist customers in enhancing access controls, ServiceNow has introduced additional access control frameworks in Xanadu and Yokohama, such as Query ACLs, Security Data Filters and Deny-Unless ACLs. Additionally, in May 2025, ServiceNow delivered to customers a security update that is designed to enhance customer ACL configurations. Customers, please review the KB Articles in the References section.

pub. 2025-07-08
8.2
CVSS
HIGH
CVE-2024-52799

Argo Workflows Chart is used to set up argo and its needed dependencies through one command. Prior to 0.44.0, the workflow-role has excessive privileges, the worst being create pods/exec, which will allow kubectl exec into any Pod in the same namespace, i.e. arbitrary code execution within those Pods. If a user can be made to run a malicious template, their whole namespace can be compromised. This affects versions of the argo-workflows Chart that use appVersion: 3.4 and above, which no longer need these permissions for the only available Executor, Emissary. It could also affect users below 3.4 depending on their choice of Executor in those versions. This only affects the Helm Chart and not the upstream manifests. This vulnerability is fixed in 0.44.0.

pub. 2024-11-21
8.1
CVSS
HIGH
CVE-2024-5389

In lunary-ai/lunary version 1.2.13, an insufficient granularity of access control vulnerability allows users to create, update, get, and delete prompt variations for datasets not owned by their organization. This issue arises due to the application not properly validating the ownership of dataset prompts and their variations against the organization or project of the requesting user. As a result, unauthorized modifications to dataset prompts can occur, leading to altered or removed dataset prompts without proper authorization. This vulnerability impacts the integrity and consistency of dataset information, potentially affecting the results of experiments.

pub. 2024-06-09
8.1
CVSS
HIGH
CVE-2023-33127

.NET and Visual Studio Elevation of Privilege Vulnerability

pub. 2023-07-11
Pokazano 20 z 94 podatności
Informacje
ID: CWE-1220
Typ: Base
Podatności: 94
MITRE CWE ↗
← Słownik CWE
CWE-1220 — Niewystarczająca granularność kontroli dostępu | Słownik CWE | CVEbaza.pl