CVEbaza.plSłownik CWECWE-272
Common Weakness Enumeration

CWE-272

Least Privilege Violation

Kategoria: BaseCVE: 33
Opis

Podwyższony poziom uprawnień wymagany do wykonania operacji takich jak chroot() powinien być natychmiast usunięty po wykonaniu operacji. Naruszenie tej zasady może prowadzić do nieautoryzowanego dostępu do zasobów systemu.

Description (EN)

The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed.

Podatności CVE z CWE-272 (33)
9.9
CVSS
CRITICAL
CVE-2024-24830

Podatność w platformie OpenObserve pozwala każdemu uwierzytelnionemu użytkownikowi o roli 'member' na dodanie nowych kont z uprawnieniami administratora (rola 'root') do organizacji. Stanowi to poważne obejście systemu kontroli dostępu opartego na rolach (RBAC).

pub. 2024-02-08
9.1
CVSS
CRITICAL
CVE-2024-25106

Krytyczna podatność w platformie OpenObserve umożliwia każdemu uwierzytelnionemu użytkownikowi organizacji usunięcie dowolnego innego użytkownika — w tym administratorów i użytkowników z rolą Root — bez posiadania odpowiednich uprawnień. Stanowi to poważne zagrożenie dla integralności zarządzania użytkownikami i ciągłości operacyjnej.

pub. 2024-02-08
8.8
CVSS
HIGH
CVE-2025-59106

The binary serving the web server and executing basically all actions launched from the Web UI is running with root privileges. This is against the least privilege principle. If an attacker is able to execute code on the system via other vulnerabilities it is possible to directly execute commands with highest privileges.

pub. 2026-01-26
8.8
CVSS
HIGH
CVE-2025-7722

The Social Streams plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.0.1. This is due to the plugin not properly validating a user's identity prior to updating their user meta information in the update_user_meta() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change their user type to that of an administrator.

pub. 2025-07-23
8.8
CVSS
HIGH
CVE-2024-28824

Least privilege violation and reliance on untrusted inputs in the mk_informix Checkmk agent plugin before Checkmk 2.3.0b4 (beta), 2.2.0p24, 2.1.0p41 and 2.0.0 (EOL) allows local users to escalate privileges.

pub. 2024-03-22
8.8
CVSS
HIGH
CVE-2021-26726

A remote code execution vulnerability affecting a Valmet DNA service listening on TCP port 1517, allows an attacker to execute commands with SYSTEM privileges This issue affects: Valmet DNA versions from Collection 2012 until Collection 2021.

pub. 2022-02-16
8.7
CVSS
HIGH
CVE-2024-55954

OpenObserve is a cloud-native observability platform. A vulnerability in the user management endpoint `/api/{org_id}/users/{email_id}` allows an "Admin" role user to remove a "Root" user from the organization. This violates the intended privilege hierarchy, enabling a non-root user to remove the highest-privileged account. Due to insufficient role checks, the `remove_user_from_org` function does not prevent an "Admin" user from removing a "Root" user. As a result, an attacker with an "Admin" role can remove critical "Root" users, potentially gaining effective full control by eliminating the highest-privileged accounts. The `DELETE /api/{org_id}/users/{email_id}` endpoint is affected. This issue has been addressed in release version `0.14.1` and all users are advised to upgrade. There are no known workarounds for this vulnerability.

pub. 2025-01-16
8.6
CVSS
HIGH
CVE-2026-39459

A vulnerability exists in iControl REST and the TMOS Shell (tmsh) where a highly privileged, authenticated attacker with at least the Manager role can create configuration objects that allow running arbitrary commands.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

pub. 2026-05-13
8.6
CVSS
HIGH
CVE-2025-8181

A vulnerability, which was classified as critical, was found in TOTOLINK N600R and X2000R 1.0.0.1. This affects an unknown part of the file vsftpd.conf of the component FTP Service. The manipulation leads to least privilege violation. It is possible to initiate the attack remotely.

pub. 2025-07-26
8.5
CVSS
HIGH
CVE-2025-9711

A vulnerability in Brocade Fabric OS before 9.2.1c3 could allow elevating the privileges of the local authenticated user to “root” using the export option of seccertmgmt and seccryptocfg commands.

pub. 2026-02-03
8.4
CVSS
HIGH
CVE-2024-35204

Veritas System Recovery before 23.3_Hotfix has incorrect permissions for the Veritas System Recovery folder, and thus low-privileged users can conduct attacks.

pub. 2024-05-14
8.2
CVSS
HIGH
CVE-2025-47809

Wibu CodeMeter before 8.30a sometimes allows privilege escalation immediately after installation (before a logoff or reboot). For exploitation, there must have been an unprivileged installation with UAC, and the CodeMeter Control Center component must be installed, and the CodeMeter Control Center component must not have been restarted. In this scenario, the local user can navigate from Import License to a privileged instance of Windows Explorer.

pub. 2025-05-16
8.2
CVSS
HIGH
CVE-2024-0638

Least privilege violation in the Checkmk agent plugins mk_oracle, mk_oracle.ps1, and mk_oracle_crs before Checkmk 2.3.0b4 (beta), 2.2.0p24, 2.1.0p41 and 2.0.0 (EOL) allows local users to escalate privileges.

pub. 2024-03-22
7.8
CVSS
HIGH
CVE-2024-27165

Toshiba printers contain a suidperl binary and it has a Local Privilege Escalation vulnerability. A local attacker can get root privileges. As for the affected products/models/versions, see the reference URL.

pub. 2024-06-14
7.4
CVSS
HIGH
CVE-2026-35535

In Sudo through 1.9.17p2 before 3e474c2, a failure of a setuid, setgid, or setgroups call, during a privilege drop before running the mailer, is not a fatal error and can lead to privilege escalation.

pub. 2026-04-03
7.3
CVSS
HIGH
CVE-2025-49144

Notepad++ is a free and open-source source code editor. In versions 8.8.1 and prior, a privilege escalation vulnerability exists in the Notepad++ v8.8.1 installer that allows unprivileged users to gain SYSTEM-level privileges through insecure executable search paths. An attacker could use social engineering or clickjacking to trick users into downloading both the legitimate installer and a malicious executable to the same directory (typically Downloads folder - which is known as Vulnerable directory). Upon running the installer, the attack executes automatically with SYSTEM privileges. This issue has been fixed and will be released in version 8.8.2.

pub. 2025-06-23
7.3
CVSS
HIGH
CVE-2023-32451

Dell Display Manager application, version 2.1.1.17, contains a vulnerability that low privilege user can execute malicious code during installation and uninstallation

pub. 2024-02-06
7.3
CVSS
HIGH
CVE-2023-28047

Dell Display Manager, versions 2.1.0 and prior, contains an arbitrary file or folder creation vulnerability during installation. A local low privilege attacker could potentially exploit this vulnerability, leading to the execution of arbitrary code on the operating system with high privileges.

pub. 2023-04-20
7.0
CVSS
HIGH
CVE-2025-1384

Least Privilege Violation (CWE-272) Vulnerability exists in the communication function between the NJ/NX-series Machine Automation Controllers and the Sysmac Studio Software. An attacker may use this vulnerability to perform unauthorized access and to execute unauthorized code remotely to the controller products.

pub. 2025-07-14
6.6
CVSS
MEDIUM
CVE-2023-28046

Dell Display Manager, versions 2.1.0 and prior, contains an arbitrary file or folder deletion vulnerability during uninstallation A local low privilege attacker could potentially exploit this vulnerability, leading to the deletion of arbitrary files on the operating system with high privileges.

pub. 2023-04-06
Pokazano 20 z 33 podatności
Informacje
ID: CWE-272
Typ: Base
Podatności: 33
MITRE CWE ↗
← Słownik CWE