
Execution with Unnecessary Privileges

🛡️ 10 rules detect this

The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.

New weaknesses can be exposed because running with extra privileges gives the product access to resources that are not necessary. In addition, if an attacker can trigger the operation with the higher privileges, the attacker might gain root or administrator privileges.

Prevalence: High (frequently exploited)
Impact: Critical (3 critical-severity rules)
Prevention: Documented (10 fix examples)

2 Prevention

How to fix this vulnerability

Container runs as root HIGH

Add a USER instruction before CMD/ENTRYPOINT to run as non-root

+2 -0 dockerfile
  FROM node:24-alpine
  WORKDIR /app
  COPY . .
  RUN npm ci
+ RUN addgroup -S appuser && adduser -S appuser -G appuser
+ USER appuser
  CMD ["node", "server.js"]
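Review bot: The added USER appuser line refers to the account by name, and the adduser -S call above it lets the image pick the UID. Pin a numeric UID (for example adduser -S -u 10001 ... followed by USER 10001) so that a Kubernetes runAsNonRoot check, which needs a numeric UID to verify the user, can be enforced against this image. Keep USER after COPY . . and RUN npm ci as it is here, so the application files stay root-owned and are not writable by the runtime user.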
  
Docker User and File Permissions HIGH

Use a non-root user and restrictive file permissions instead of USER root or chmod 777

+5 -3 dockerfile
  FROM node:24-alpine
- USER root
- RUN chmod 777 /app
- COPY . /app
+ RUN addgroup -S appuser && adduser -S appuser -G appuser
+ WORKDIR /app
+ COPY --chown=appuser:appuser . .
+ RUN chmod 755 /app
+ USER appuser
  CMD ["node", "server.js"]
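Review bot: The added COPY --chown=appuser:appuser . . makes the runtime user the owner of the application code, so a compromised process can rewrite the files it executes. Copy the files as root (plain COPY . .) and give appuser ownership only of the directories the app has to write to. Note also that RUN chmod 755 /app changes the directory alone, not the copied files, whose modes come from the build context; if the intent is to rule out world-writable files, set the modes on the files as well.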
  
Privilege Escalation Allowed HIGH

Set allowPrivilegeEscalation: false to prevent containers from gaining additional privileges

+1 -1 yaml
  apiVersion: v1
  kind: Pod
  spec:
    containers:
    - name: app
      image: nginx:1.25
      securityContext:
-       allowPrivilegeEscalation: true
+       allowPrivilegeEscalation: false
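Review bot: The securityContext here sets only allowPrivilegeEscalation, which stops the process from gaining privileges after it starts but does not reduce what it starts with, so the container can still start as root with the runtime's default capability set. Add runAsNonRoot: true and a capabilities block with drop: ALL next to the changed line so the fix covers the starting privilege level too.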
  
Dangerous Linux Capabilities Added CRITICAL

Remove dangerous capabilities like SYS_ADMIN, NET_ADMIN, SYS_PTRACE and drop ALL instead

+4 -3 yaml
  apiVersion: v1
  kind: Pod
  spec:
    containers:
    - name: app
      image: nginx:1.25
      securityContext:
        capabilities:
-         add:
-           - SYS_ADMIN
-           - NET_ADMIN
+         drop:
+           - ALL
+         add:
+           - NET_BIND_SERVICE
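Review bot: The added add: NET_BIND_SERVICE entry grants a capability back right after drop: ALL; keep it only if the container has to bind a port below 1024, otherwise move the listener to a high port and delete the add block. This securityContext also leaves allowPrivilegeEscalation unset, so set it to false in the same change.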
  
Host Namespace Access Enabled CRITICAL

Disable host namespace access (hostNetwork, hostPID, hostIPC) to isolate pods from the host

+3 -2 yaml
  apiVersion: v1
  kind: Pod
  spec:
-   hostNetwork: true
-   hostPID: true
+   hostNetwork: false
+   hostPID: false
+   hostIPC: false
    containers:
    - name: app
      image: nginx:1.25
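Review bot: The container entry below the changed lines still has no securityContext, so the pod loses host namespace access but keeps the runtime defaults for user, capabilities and privilege escalation. Add a container-level securityContext with allowPrivilegeEscalation: false, capabilities drop: ALL and runAsNonRoot: true. The three false values are also the API defaults, so removing hostNetwork and hostPID would have the same effect; keeping them explicit is fine if it helps reviewers.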
  
3 Detection

Find vulnerabilities in your code

Use Shoulder to scan your code for Execution with Unnecessary Privileges patterns. 10 rules.

terminal
# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=250

# Or scan entire project
npx @shoulderdev/cli trust .
4 Red Flags

What to look for in code reviews

These patterns indicate potential Execution with Unnecessary Privileges vulnerabilities. Look for them during code reviews and security audits.

🟠 No USER instruction before CMD/ENTRYPOINT - container runs as root (docker-missing-user)
🟠 CMD or ENTRYPOINT without a preceding USER instruction (docker-missing-user)
🟠 Dockerfile contains ...: ... (docker-user-permissions)
🟠 explicit root user and overly permissive chmod 777 permissions (docker-user-permissions)
🟠 Container allows privilege escalation, which can enable attackers to gain additional privileges through exploits. (kubernetes-allow-privilege-escalation)
🟠 containers with privilege escalation explicitly enabled (kubernetes-allow-privilege-escalation)
🟠 Containers should run with security constraints defined in securityContext. (kubernetes-missing-security-context)
🟠 containers without securityContext configuration (kubernetes-missing-security-context)
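
The Dockerfile red flags above (no USER before CMD/ENTRYPOINT, explicit root, chmod 777) can be checked mechanically during review. The Python below is an added example, not Shoulder's rule code; it borrows the rule ids from this page only as labels. It assumes a base image without a USER instruction runs as root, and it evaluates only the final build stage, since that stage defines the runtime user.

```python
import re

# Constructed samples modelled on the Dockerfiles shown in the fixes on this page.
MISSING_USER = 'FROM node:24-alpine\nWORKDIR /app\nCOPY . .\nRUN npm ci\nCMD ["node", "server.js"]\n'
ROOT_AND_777 = 'FROM node:24-alpine\nUSER root\nRUN chmod 777 /app\nCOPY . /app\nCMD ["node", "server.js"]\n'
MULTI_STAGE_FIXED = (
    "FROM node:24-alpine AS build\nUSER root\nRUN npm ci\n"
    "FROM node:24-alpine\nRUN addgroup -S appuser && \\\n    adduser -S appuser -G appuser\n"
    'USER appuser\nCMD ["node", "server.js"]\n'
)
CHMOD_777 = re.compile(r"\bchmod\s+(?:-\w+\s+)*0?777\b")

def logical_lines(text):
    """Yield (first_line_no, instruction), joining backslash continuations."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and comments carry no instruction
        if start is None:
            start = no
        buf.append(line.rstrip("\\").strip())
        if not line.endswith("\\"):
            yield start, " ".join(buf)
            buf, start = [], None

def audit_dockerfile(text):
    """Return [(line_no, rule, message)] for the final build stage only."""
    findings, user = [], None
    for no, instr in logical_lines(text):
        op, _, arg = instr.partition(" ")
        op = op.upper()
        if op == "FROM":
            findings, user = [], None     # a new stage discards the earlier stage's user
        elif op == "USER":
            user = arg.split(":")[0].strip()
            if user in ("root", "0"):
                findings.append((no, "docker-user-permissions", "explicit root user"))
        elif op == "RUN" and CHMOD_777.search(arg):
            findings.append((no, "docker-user-permissions", "chmod 777"))
        elif op in ("CMD", "ENTRYPOINT") and user is None:
            # Assumption: a base image with no USER of its own runs as root.
            findings.append((no, "docker-missing-user", f"{op} with no preceding USER"))
    return findings

if __name__ == "__main__":
    for name, df in [("missing", MISSING_USER), ("root+777", ROOT_AND_777), ("fixed", MULTI_STAGE_FIXED)]:
        print(name, audit_dockerfile(df))
```

A USER root in an earlier build stage is not reported, because only the last stage's user applies when the container runs.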