Skip to main content

Trident CVE-2018-1000133

HIGH
Improper Privilege Management (CWE-269)
2018-03-16 cve@mitre.org
7.5
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Mar 16, 2018 - 14:29 nvd
HIGH 7.5

DescriptionNVD

Pitchfork version 1.4.6 RC1 contains an Improper Privilege Management vulnerability in Trident Pitchfork components that can result in A standard unprivileged user could gain system administrator permissions within the web portal.. This attack appear to be exploitable via The user must be able to login, and could edit their profile and set the "System Administrator" permission to "yes" on themselves.. This vulnerability appears to have been fixed in 1.4.6 RC2.

AnalysisAI

Pitchfork version 1.4.6 RC1 contains an Improper Privilege Management vulnerability in Trident Pitchfork components that can result in A standard unprivileged user could gain system administrator. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable.

Technical ContextAI

This vulnerability is classified as Improper Privilege Management (CWE-269), which allows attackers to escalate privileges to gain unauthorized elevated access. Pitchfork version 1.4.6 RC1 contains an Improper Privilege Management vulnerability in Trident Pitchfork components that can result in A standard unprivileged user could gain system administrator permissions within the web portal.. This attack appear to be exploitable via The user must be able to login, and could edit their profile and set the "System Administrator" permission to "yes" on themselves.. This vulnerability appears to have been fixed in 1.4.6 RC2. Affected products include: Secluded Trident. Version information: version 1.4.6.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply principle of least privilege, validate privilege transitions, implement proper role separation.

CVE-2018-1002105 CRITICAL POC
9.8 Dec 05

In all Kubernetes versions prior to v1.10.11, v1.11.5, and v1.12.3, incorrect handling of error responses to proxied upg

CVE-2021-25742 HIGH POC
7.1 Oct 29

A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the cust

CVE-2019-11243 HIGH
8.1 Apr 22

In Kubernetes v1.12.0-v1.12.4 and v1.13.0, the rest.AnonymousClientConfig() method returns a copy of the provided config

CVE-2020-28366 HIGH
7.5 Nov 18

Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time

CVE-2020-28362 HIGH
7.5 Nov 18

Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service. Rated high severity (CVSS 7.5), this vulnerability

CVE-2019-9514 HIGH
7.5 Aug 13

Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. Rated high seve

CVE-2021-34558 MEDIUM
6.5 Jul 15

The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an X.509 certificate

CVE-2020-29511 MEDIUM
5.6 Dec 14

The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes du

CVE-2020-29510 MEDIUM
5.6 Dec 14

The encoding/xml package in Go versions 1.15 and earlier does not correctly preserve the semantics of directives during

CVE-2020-29509 MEDIUM
5.6 Dec 14

The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes

CVE-2019-11244 MEDIUM
5.0 Apr 22

In Kubernetes v1.8.x-v1.14.x, schema info is cached by kubectl in the location specified by --cache-dir (defaulting to $

Share

CVE-2018-1000133 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy