Trident
CVE-2018-1000133
HIGH
Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
Pitchfork version 1.4.6 RC1 contains an Improper Privilege Management vulnerability in Trident Pitchfork components that can result in A standard unprivileged user could gain system administrator permissions within the web portal.. This attack appear to be exploitable via The user must be able to login, and could edit their profile and set the "System Administrator" permission to "yes" on themselves.. This vulnerability appears to have been fixed in 1.4.6 RC2.
AnalysisAI
Pitchfork version 1.4.6 RC1 contains an Improper Privilege Management vulnerability in Trident Pitchfork components that can result in A standard unprivileged user could gain system administrator. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable.
Technical ContextAI
This vulnerability is classified as Improper Privilege Management (CWE-269), which allows attackers to escalate privileges to gain unauthorized elevated access. Pitchfork version 1.4.6 RC1 contains an Improper Privilege Management vulnerability in Trident Pitchfork components that can result in A standard unprivileged user could gain system administrator permissions within the web portal.. This attack appear to be exploitable via The user must be able to login, and could edit their profile and set the "System Administrator" permission to "yes" on themselves.. This vulnerability appears to have been fixed in 1.4.6 RC2. Affected products include: Secluded Trident. Version information: version 1.4.6.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply principle of least privilege, validate privilege transitions, implement proper role separation.
In all Kubernetes versions prior to v1.10.11, v1.11.5, and v1.12.3, incorrect handling of error responses to proxied upg
A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the cust
In Kubernetes v1.12.0-v1.12.4 and v1.13.0, the rest.AnonymousClientConfig() method returns a copy of the provided config
Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time
Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service. Rated high severity (CVSS 7.5), this vulnerability
Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. Rated high seve
The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an X.509 certificate
The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes du
The encoding/xml package in Go versions 1.15 and earlier does not correctly preserve the semantics of directives during
The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes
In Kubernetes v1.8.x-v1.14.x, schema info is cached by kubectl in the location specified by --cache-dir (defaulting to $
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today