CWE-281
AllowedImproper Preservation of Permissions
Abstraction: Base · Status: Draft
The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.
432 vulnerabilities reference this CWE, most recent first.
GHSA-3429-H97R-HQQX
Vulnerability from github – Published: 2025-06-10 12:30 – Updated: 2025-06-10 18:32Improper Preservation of Permissions vulnerability in Salesforce OmniStudio (FlexCards) allows exposure of Custom Settings data.
This impacts OmniStudio: before version 254.
{
"affected": [],
"aliases": [
"CVE-2025-43701"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-10T12:15:24Z",
"severity": "HIGH"
},
"details": "Improper Preservation of Permissions vulnerability in Salesforce OmniStudio (FlexCards) allows exposure of Custom Settings data.\u00a0\n\nThis impacts OmniStudio: before version 254.",
"id": "GHSA-3429-h97r-hqqx",
"modified": "2025-06-10T18:32:25Z",
"published": "2025-06-10T12:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43701"
},
{
"type": "WEB",
"url": "https://help.salesforce.com/s/articleView?id=004980323\u0026type=1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-349H-PHX6-GHFJ
Vulnerability from github – Published: 2022-05-24 17:43 – Updated: 2022-08-16 00:00A flaw was found in the virtio-fs shared file system daemon (virtiofsd) of QEMU. The new 'xattrmap' option may cause the 'security.capability' xattr in the guest to not drop on file write, potentially leading to a modified, privileged executable in the guest. In rare circumstances, this flaw could be used by a malicious user to elevate their privileges within the guest.
{
"affected": [],
"aliases": [
"CVE-2021-20263"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-09T18:15:00Z",
"severity": "LOW"
},
"details": "A flaw was found in the virtio-fs shared file system daemon (virtiofsd) of QEMU. The new \u0027xattrmap\u0027 option may cause the \u0027security.capability\u0027 xattr in the guest to not drop on file write, potentially leading to a modified, privileged executable in the guest. In rare circumstances, this flaw could be used by a malicious user to elevate their privileges within the guest.",
"id": "GHSA-349h-phx6-ghfj",
"modified": "2022-08-16T00:00:44Z",
"published": "2022-05-24T17:43:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20263"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1933668"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202208-27"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20210507-0002"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2021/03/08/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-398J-X47F-2Q99
Vulnerability from github – Published: 2022-05-24 17:43 – Updated: 2022-05-24 17:43When sharing geolocation during an active WebRTC share, Firefox could have reset the webRTC sharing state in the user interface, leading to loss of control over the currently granted permission. This vulnerability affects Firefox < 85.
{
"affected": [],
"aliases": [
"CVE-2021-23963"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-26T03:15:00Z",
"severity": "MODERATE"
},
"details": "When sharing geolocation during an active WebRTC share, Firefox could have reset the webRTC sharing state in the user interface, leading to loss of control over the currently granted permission. This vulnerability affects Firefox \u003c 85.",
"id": "GHSA-398j-x47f-2q99",
"modified": "2022-05-24T17:43:12Z",
"published": "2022-05-24T17:43:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23963"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1680793"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2021-03"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-3FWX-PJGW-3558
Vulnerability from github – Published: 2024-01-31 23:28 – Updated: 2024-05-14 22:00Impact
A bug was found in Moby (Docker Engine) where the data directory (typically /var/lib/docker) contained subdirectories with insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as setuid), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files.
Patches
This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers should be stopped and restarted for the permissions to be fixed.
Workarounds
Limit access to the host to trusted users. Limit access to host volumes to trusted containers.
Credits
The Moby project would like to thank Joan Bruguera for responsibly disclosing this issue in accordance with the Moby security policy.
For more information
If you have any questions or comments about this advisory:
- Open an issue
- Email us at security@docker.com if you think you’ve found a security bug
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/moby/moby"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "20.10.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/docker/docker"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "20.10.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-41091"
],
"database_specific": {
"cwe_ids": [
"CWE-281",
"CWE-732"
],
"github_reviewed": true,
"github_reviewed_at": "2024-01-31T23:28:58Z",
"nvd_published_at": "2021-10-04T21:15:00Z",
"severity": "MODERATE"
},
"details": "## Impact\n\nA bug was found in Moby (Docker Engine) where the data directory (typically `/var/lib/docker`) contained subdirectories with insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as `setuid`), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files.\n\n## Patches\n\nThis bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers should be stopped and restarted for the permissions to be fixed.\n\n## Workarounds\n\nLimit access to the host to trusted users. Limit access to host volumes to trusted containers.\n\n## Credits\n\nThe Moby project would like to thank Joan Bruguera for responsibly disclosing this issue in accordance with the [Moby security policy](https://github.com/moby/moby/blob/master/SECURITY.md).\n\n## For more information\n\nIf you have any questions or comments about this advisory:\n\n* [Open an issue](https://github.com/moby/moby/issues/new)\n* Email us at security@docker.com if you think you\u2019ve found a security bug",
"id": "GHSA-3fwx-pjgw-3558",
"modified": "2024-05-14T22:00:30Z",
"published": "2024-01-31T23:28:58Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/moby/moby/security/advisories/GHSA-3fwx-pjgw-3558"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41091"
},
{
"type": "WEB",
"url": "https://github.com/moby/moby/commit/f0ab919f518c47240ea0e72d0999576bb8008e64"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf"
},
{
"type": "PACKAGE",
"url": "https://github.com/moby/moby"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Moby (Docker Engine) Insufficiently restricted permissions on data directory"
}
GHSA-3GH8-3438-MQWV
Vulnerability from github – Published: 2024-12-07 00:31 – Updated: 2024-12-12 03:33Insecure Permissions vulnerability in Open Robotics Robotic Operating System 2 ROS2 navigation2 v.humble allows an attacker to execute arbitrary code via a crafted script to the executor_thread_.
{
"affected": [],
"aliases": [
"CVE-2024-41649"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-06T22:15:21Z",
"severity": "CRITICAL"
},
"details": "Insecure Permissions vulnerability in Open Robotics Robotic Operating System 2 ROS2 navigation2 v.humble allows an attacker to execute arbitrary code via a crafted script to the executor_thread_.",
"id": "GHSA-3gh8-3438-mqwv",
"modified": "2024-12-12T03:33:00Z",
"published": "2024-12-07T00:31:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41649"
},
{
"type": "WEB",
"url": "https://github.com/open-navigation/navigation2/issues/4323"
},
{
"type": "WEB",
"url": "https://github.com/ros-navigation/navigation2/pull/4385"
},
{
"type": "WEB",
"url": "https://github.com/GoesM/ROS-CVE-CNVDs"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3H6F-G5F3-GC4W
Vulnerability from github – Published: 2023-07-19 15:30 – Updated: 2024-10-28 19:30Using "**" as a pattern in Spring Security configuration for WebFlux creates a mismatch in pattern matching between Spring Security and Spring WebFlux, and the potential for a security bypass.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework.security:spring-security-config"
},
"ranges": [
{
"events": [
{
"introduced": "5.6.0"
},
{
"fixed": "5.6.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework.security:spring-security-config"
},
"ranges": [
{
"events": [
{
"introduced": "5.7.0"
},
{
"fixed": "5.7.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework.security:spring-security-config"
},
"ranges": [
{
"events": [
{
"introduced": "5.8.0"
},
{
"fixed": "5.8.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework.security:spring-security-config"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.0.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework.security:spring-security-config"
},
"ranges": [
{
"events": [
{
"introduced": "6.1.0"
},
{
"fixed": "6.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-34034"
],
"database_specific": {
"cwe_ids": [
"CWE-281",
"CWE-284"
],
"github_reviewed": true,
"github_reviewed_at": "2023-07-31T21:19:15Z",
"nvd_published_at": "2023-07-19T15:15:11Z",
"severity": "CRITICAL"
},
"details": "Using \"**\" as a pattern in Spring Security configuration for WebFlux creates a mismatch in pattern matching between Spring Security and Spring WebFlux, and the potential for a security bypass.\n\n",
"id": "GHSA-3h6f-g5f3-gc4w",
"modified": "2024-10-28T19:30:27Z",
"published": "2023-07-19T15:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34034"
},
{
"type": "WEB",
"url": "https://ossindex.sonatype.org/vulnerability/CVE-2023-34034"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20230814-0008"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-5777893"
},
{
"type": "WEB",
"url": "https://spring.io/security/cve-2023-34034"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Access Control Bypass in Spring Security"
}
GHSA-3HRV-GHRW-48W6
Vulnerability from github – Published: 2024-08-06 18:30 – Updated: 2024-08-06 18:30In certain cases, Zscaler Internet Access (ZIA) can be disabled by PowerShell commands with admin rights. This affects Zscaler Client Connector on Windows <4.2.1
{
"affected": [],
"aliases": [
"CVE-2024-23464"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-06T16:15:47Z",
"severity": "HIGH"
},
"details": "In certain cases, Zscaler Internet Access (ZIA) can be disabled by PowerShell commands with admin rights. This affects Zscaler Client Connector on Windows \u003c4.2.1",
"id": "GHSA-3hrv-ghrw-48w6",
"modified": "2024-08-06T18:30:56Z",
"published": "2024-08-06T18:30:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23464"
},
{
"type": "WEB",
"url": "https://help.zscaler.com/client-connector/client-connector-app-release-summary-2023?applicable_category=Windows\u0026applicable_version=4.2.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3HVP-QHFG-J3VJ
Vulnerability from github – Published: 2025-06-10 12:30 – Updated: 2025-06-18 15:30Improper Preservation of Permissions vulnerability in Salesforce OmniStudio (FlexCards) allows bypass of field level security controls for OmniUICard objects.
This impacts OmniStudio: before Spring 2025
{
"affected": [],
"aliases": [
"CVE-2025-43699"
],
"database_specific": {
"cwe_ids": [
"CWE-281",
"CWE-602"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-10T12:15:24Z",
"severity": "MODERATE"
},
"details": "Improper Preservation of Permissions vulnerability in Salesforce OmniStudio (FlexCards) allows bypass of field level security controls for OmniUICard objects.\u00a0\n\nThis impacts OmniStudio: before Spring 2025",
"id": "GHSA-3hvp-qhfg-j3vj",
"modified": "2025-06-18T15:30:40Z",
"published": "2025-06-10T12:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43699"
},
{
"type": "WEB",
"url": "https://help.salesforce.com/s/articleView?id=004980323\u0026type=1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3HX8-QGVH-CHJG
Vulnerability from github – Published: 2022-05-24 19:02 – Updated: 2022-05-24 19:02In JetBrains UpSource before 2020.1.1883, application passwords were not revoked correctly
{
"affected": [],
"aliases": [
"CVE-2021-30482"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-11T13:15:00Z",
"severity": "HIGH"
},
"details": "In JetBrains UpSource before 2020.1.1883, application passwords were not revoked correctly",
"id": "GHSA-3hx8-qgvh-chjg",
"modified": "2022-05-24T19:02:07Z",
"published": "2022-05-24T19:02:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30482"
},
{
"type": "WEB",
"url": "https://blog.jetbrains.com"
},
{
"type": "WEB",
"url": "https://blog.jetbrains.com/blog/2021/05/07/jetbrains-security-bulletin-q1-2021"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-3MWH-P3HQ-RRH2
Vulnerability from github – Published: 2022-05-13 01:47 – Updated: 2022-05-13 01:47Microsoft Win32k in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an elevation of privilege vulnerability when it fails to properly handle objects in memory, aka "Win32k Elevation of Privilege Vulnerability".
{
"affected": [],
"aliases": [
"CVE-2017-8593"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-08-08T21:29:00Z",
"severity": "HIGH"
},
"details": "Microsoft Win32k in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an elevation of privilege vulnerability when it fails to properly handle objects in memory, aka \"Win32k Elevation of Privilege Vulnerability\".",
"id": "GHSA-3mwh-p3hq-rrh2",
"modified": "2022-05-13T01:47:39Z",
"published": "2022-05-13T01:47:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8593"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8593"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/100032"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1039105"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.