
Execution with Unnecessary Privileges

10 rules detect this

The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.

New weaknesses can be exposed because running with extra privileges gives the product access to resources that are not necessary. In addition, if an attacker can trigger the operation with the higher privileges, the attacker might gain root or administrator privileges.

Prevalence: High (frequently exploited)
Impact: Critical (3 critical-severity rules)
Prevention: Documented (10 fix examples)

2 Prevention

How to fix this vulnerability

Container runs as root (severity: HIGH)

Add a USER instruction before CMD/ENTRYPOINT to run as non-root

+2 -0 dockerfile
  FROM node:24-alpine
  WORKDIR /app
  COPY . .
  RUN npm ci
+ RUN addgroup -S appuser && adduser -S appuser -G appuser
+ USER appuser
  CMD ["node", "server.js"]
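Review bot: `RUN npm ci` and `COPY . .` still execute as root, so /app and node_modules are root-owned by the time `USER appuser` takes effect. That is correct for read-only application code, but if server.js writes under /app at runtime the switch will surface as permission errors; in that case use `COPY --chown=appuser:appuser . .` (as the next fix example does) or create a dedicated writable directory owned by appuser before the USER line.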
  
Docker User and File Permissions (severity: HIGH)

Use a non-root user and restrictive file permissions instead of USER root or chmod 777

+5 -3 dockerfile
  FROM node:24-alpine
- USER root
- RUN chmod 777 /app
- COPY . /app
+ RUN addgroup -S appuser && adduser -S appuser -G appuser
+ WORKDIR /app
+ COPY --chown=appuser:appuser . .
+ RUN chmod 755 /app
+ USER appuser
  CMD ["node", "server.js"]
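Review bot: `WORKDIR /app` is created while the build is still root, and `COPY --chown` sets ownership only on the copied content, so the directory itself stays root-owned and the non-recursive `chmod 755 /app` leaves it read-only for appuser. That is the right least-privilege default for code; any path the app must write at runtime should get its own directory chowned to appuser rather than a looser mode on /app.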
  
Privilege Escalation Allowed (severity: HIGH)

Set allowPrivilegeEscalation: false to prevent containers from gaining additional privileges

+1 -1 yaml
  apiVersion: v1
  kind: Pod
  spec:
    containers:
    - name: app
      image: nginx:1.25
      securityContext:
-       allowPrivilegeEscalation: true
+       allowPrivilegeEscalation: false
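Review bot: `allowPrivilegeEscalation: false` only stops the process from gaining more privileges than it starts with (it sets no_new_privs); nothing in this securityContext says which user the container starts as, so an image that defaults to root still runs as root. Add `runAsNonRoot: true` alongside it so the kubelet refuses to start a container whose user resolves to UID 0.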
  
Dangerous Linux Capabilities Added (severity: CRITICAL)

Remove dangerous capabilities like SYS_ADMIN, NET_ADMIN, SYS_PTRACE and drop ALL instead

+4 -3 yaml
  apiVersion: v1
  kind: Pod
  spec:
    containers:
    - name: app
      image: nginx:1.25
      securityContext:
        capabilities:
-         add:
-           - SYS_ADMIN
-           - NET_ADMIN
+         drop:
+           - ALL
+         add:
+           - NET_BIND_SERVICE
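Review bot: after `drop: ALL` the container keeps only NET_BIND_SERVICE, which is needed solely to bind a port below 1024 (the nginx:1.25 image listens on 80 by default); if the server is moved to an unprivileged port the `add:` list can be removed entirely. Also confirm the workload never actually depended on the removed SYS_ADMIN/NET_ADMIN, since that dependency would now fail at runtime rather than at deploy time.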
  
Host Namespace Access Enabled (severity: CRITICAL)

Disable host namespace access (hostNetwork, hostPID, hostIPC) to isolate pods from the host

+3 -2 yaml
  apiVersion: v1
  kind: Pod
  spec:
-   hostNetwork: true
-   hostPID: true
+   hostNetwork: false
+   hostPID: false
+   hostIPC: false
    containers:
    - name: app
      image: nginx:1.25
  
3 Detection

Find vulnerabilities in your code

Use Shoulder to scan your code for Execution with Unnecessary Privileges patterns (10 rules).

terminal
# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=250

# Or scan entire project
npx @shoulderdev/cli trust .

4 Warning Signs

What to look for in code reviews

These patterns indicate potential Execution with Unnecessary Privileges vulnerabilities. Look for them during code reviews and security audits.

No USER instruction before CMD/ENTRYPOINT - container runs as root (docker-missing-user)
CMD or ENTRYPOINT without a preceding USER instruction (docker-missing-user)
Dockerfile contains ...: ... (docker-user-permissions)
Explicit root user and overly permissive chmod 777 permissions (docker-user-permissions)
Container allows privilege escalation, which can enable attackers to gain additional privileges through exploits. (kubernetes-allow-privilege-escalation)
Containers with privilege escalation explicitly enabled (kubernetes-allow-privilege-escalation)
Containers should run with security constraints defined in securityContext. (kubernetes-missing-security-context)
Containers without securityContext configuration (kubernetes-missing-security-context)
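The four rule ids above, re-implemented as small review checks in an added example that is not the Shoulder CLI's own logic: `check_dockerfile` walks a Dockerfile's instructions (it goes slightly beyond the listed rule by also treating an explicit `USER root` as a missing user), and `check_pod` inspects an already-parsed Pod manifest (a plain dict, so no YAML library is needed) and treats an unset `allowPrivilegeEscalation` as true. The sample Dockerfile and Pod at the end are constructed inputs; the second container name and image tag are assumptions.

```python
import re

# Constructed re-implementation of the four rule ids listed above; it ignores
# multi-stage builds, line continuations and ARG-driven USER values.

def check_dockerfile(text):
    """Return the docker-* rule ids that fire on a Dockerfile's text."""
    findings = set()
    user = None  # value of the most recent USER instruction, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, args = line.partition(" ")
        instr, args = instr.upper(), args.strip()
        if instr == "USER":
            user = args.split(":")[0]  # "appuser:appuser" -> "appuser"
            if user in ("root", "0"):
                findings.add("docker-user-permissions")
        elif instr == "RUN" and re.search(r"\bchmod\s+(-R\s+)?[0-7]?777\b", args):
            findings.add("docker-user-permissions")
        elif instr in ("CMD", "ENTRYPOINT") and user in (None, "root", "0"):
            findings.add("docker-missing-user")
    return sorted(findings)

def check_pod(pod):
    """Return (rule id, container name) pairs for a parsed Pod manifest, i.e. the
    dict yaml.safe_load would give. An unset allowPrivilegeEscalation counts as
    true, which is the Kubernetes default."""
    findings = []
    for c in pod.get("spec", {}).get("containers", []):
        sc = c.get("securityContext")
        if not sc:
            findings.append(("kubernetes-missing-security-context", c["name"]))
        elif sc.get("allowPrivilegeEscalation", True):
            findings.append(("kubernetes-allow-privilege-escalation", c["name"]))
    return findings

# Constructed samples: the "before" Dockerfile from the second fix above and a
# Pod whose first container opts in to privilege escalation.
BAD_DOCKERFILE = """FROM node:24-alpine
USER root
RUN chmod 777 /app
COPY . /app
CMD ["node", "server.js"]
"""
BAD_POD = {"apiVersion": "v1", "kind": "Pod", "spec": {"containers": [
    {"name": "app", "image": "nginx:1.25",
     "securityContext": {"allowPrivilegeEscalation": True}},
    {"name": "sidecar", "image": "busybox:1.36"}]}}
```

Running `check_dockerfile(BAD_DOCKERFILE)` flags both docker rules, and the same function returns an empty list for the corrected Dockerfile from the second fix example.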

Scan your code for Execution with Unnecessary Privileges

The Shoulder CLI finds vulnerable patterns across your entire codebase.