CWE-271 12 個 CVE MITRE 定義 ↗

CWE-271:Privilege Dropping / Lowering Errors

概覽

CWE-271(Privilege Dropping / Lowering Errors)描述一種在漏洞資料庫與安全評估中使用的弱點類型;定義、背景與對應 CVE 見下方各節。

安全影響
安全影響:因產品與情境而異;請結合 CVE 紀錄、嚴重度評分與 MITRE 說明進行優先級判斷。

描述

The product does not drop privileges before passing control of a resource to an actor that does not have those privileges.

適用平台

類型 名稱 普遍性 OS / CPE
language Not Language-Specific Undetermined

本庫相關 CVE

下列 CVE 在本庫中對應到該弱點,並保留以便追溯與檢索。

CVE 公開時間 摘要
CVE-2026-44477 2026-05-28 CloudNativePG is a platform designed to manage PostgreSQL databases within Kubernetes environments. Prior to 1.29.1 and 1.28.3, the CloudNativePG metrics exporter opens its PostgreSQL connection as th…
CVE-2026-35535 2026-04-02 In Sudo through 1.9.17p2 before 3e474c2, a failure of a setuid, setgid, or setgroups call, during a privilege drop before running the mailer, is not a fatal error and can lead to privilege escalation.…
CVE-2026-25704 2026-03-30 A Privilege Dropping / Lowering Errors/Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in  cosmic-greeter can allow an attacker to regain privileges that should have been dropped and a…
CVE-2025-53819 2025-07-14 Nix is a package manager for Linux and other Unix systems. Builds with Nix 2.30.0 on macOS were executed with elevated privileges (root), instead of the build users. The fix was applied to Nix 2.30.1.…
CVE-2025-23395 2025-05-26 Screen 5.0.0 when it runs with setuid-root privileges does not drop privileges while operating on a user supplied path. This allows unprivileged users to create files in arbitrary locations with `root…
CVE-2024-35179 2024-05-15 Stalwart Mail Server is an open-source mail server. Prior to version 0.8.0, when using `RUN_AS_USER`, the specified user (and therefore, web interface admins) can read arbitrary files as root. This is…
CVE-2024-0985 2024-02-08 Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions …
CVE-2023-38496 2023-07-25 Apptainer is an open source container platform. Version 1.2.0-rc.2 introduced an ineffective privilege drop when requesting container network setup, therefore subsequent functions are called with root…
CVE-2023-22648 2023-06-01 A Improper Privilege Management vulnerability in SUSE Rancher causes permission changes in Azure AD not to be reflected to users while they are logged in the Rancher UI. This would cause the users to…
CVE-2022-3569 2022-10-17 Due to an issue with incorrect sudo permissions, Zimbra Collaboration Suite (ZCS) suffers from a local privilege escalation issue in versions 9.0.0 and prior, where the 'zimbra' user can effectively c…
CVE-2020-35513 2021-01-26 A flaw incorrect umask during file or directory modification in the Linux kernel NFS (network file system) functionality was found in the way user create and delete object using NFSv4.2 or newer if bo…
CVE-2019-11243 2019-04-22 In Kubernetes v1.12.0-v1.12.4 and v1.13.0, the rest.AnonymousClientConfig() method returns a copy of the provided config, with credentials removed (bearer token, username/password, and client certific…

內容提交

名稱
PLOVER
日期
2006-07-19
版本
Draft 3

內容修訂

日期 名稱 版本 重要性 評論
2008-07-01 Eric Dalci 1.0 updated Time_of_Introduction
2008-09-08 CWE Content Team 1.0 updated Description, Relationships, Taxonomy_Mappings, Weakness_Ordinalities
2008-10-14 CWE Content Team 1.0.1 updated Description, Maintenance_Notes
2009-12-28 CWE Content Team 1.7 updated Potential_Mitigations
2010-06-21 CWE Content Team 1.9 updated Potential_Mitigations
2011-03-29 CWE Content Team 1.12 updated Relationships
2011-06-01 CWE Content Team 1.13 updated Common_Consequences
2012-05-11 CWE Content Team 2.2 updated Common_Consequences, Demonstrative_Examples, Observed_Examples, References, Relationships
2012-10-30 CWE Content Team 2.3 updated Potential_Mitigations
2017-11-08 CWE Content Team 3.0 updated Applicable_Platforms, Causal_Nature, Modes_of_Introduction, Relationships
2020-02-24 CWE Content Team 4.0 updated Relationships
2020-12-10 CWE Content Team 4.3 updated Potential_Mitigations
2023-01-31 CWE Content Team 4.10 updated Description
2023-04-27 CWE Content Team 4.11 updated Relationships
2023-06-29 CWE Content Team 4.12 updated Mapping_Notes
cvelogic Threat Intelligence