CWE-281
AllowedImproper Preservation of Permissions
Abstraction: Base · Status: Draft
The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.
432 vulnerabilities reference this CWE, most recent first.
GHSA-46CF-CFHC-26C8
Vulnerability from github – Published: 2022-05-13 01:47 – Updated: 2022-05-13 01:47Microsoft Windows 8.1 and Windows RT 8.1, Windows Server 2012 R2, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allow an attacker to run processes in an elevated context when the Windows kernel improperly handles objects in memory, aka "Win32k Elevation of Privilege Vulnerability." This CVE ID is unique from CVE-2017-8468.
{
"affected": [],
"aliases": [
"CVE-2017-8465"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-06-15T01:29:00Z",
"severity": "HIGH"
},
"details": "Microsoft Windows 8.1 and Windows RT 8.1, Windows Server 2012 R2, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allow an attacker to run processes in an elevated context when the Windows kernel improperly handles objects in memory, aka \"Win32k Elevation of Privilege Vulnerability.\" This CVE ID is unique from CVE-2017-8468.",
"id": "GHSA-46cf-cfhc-26c8",
"modified": "2022-05-13T01:47:32Z",
"published": "2022-05-13T01:47:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8465"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8465"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/98843"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-47J8-QFH2-377Q
Vulnerability from github – Published: 2025-01-28 00:32 – Updated: 2025-11-03 21:32The issue was addressed with additional permissions checks. This issue is fixed in macOS Sequoia 15.3. An app may be able to access protected user data.
{
"affected": [],
"aliases": [
"CVE-2025-24087"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-27T22:15:15Z",
"severity": "MODERATE"
},
"details": "The issue was addressed with additional permissions checks. This issue is fixed in macOS Sequoia 15.3. An app may be able to access protected user data.",
"id": "GHSA-47j8-qfh2-377q",
"modified": "2025-11-03T21:32:24Z",
"published": "2025-01-28T00:32:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24087"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122068"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Jan/15"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-489W-9JRV-G2W4
Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2022-05-24 17:33Improper permissions in the installer for the Intel(R) Falcon 8+ UAS AscTec Thermal Viewer, all versions, may allow an authenticated user to potentially enable escalation of privilege via local access.
{
"affected": [],
"aliases": [
"CVE-2020-12330"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-12T19:15:00Z",
"severity": "HIGH"
},
"details": "Improper permissions in the installer for the Intel(R) Falcon 8+ UAS AscTec Thermal Viewer, all versions, may allow an authenticated user to potentially enable escalation of privilege via local access.",
"id": "GHSA-489w-9jrv-g2w4",
"modified": "2022-05-24T17:33:35Z",
"published": "2022-05-24T17:33:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12330"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00416"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-4C7M-VV47-7C69
Vulnerability from github – Published: 2021-05-18 20:33 – Updated: 2021-05-12 14:55In Gogs 0.11.91, MakeEmailPrimary in models/user_mail.go lacks a "not the owner of the email" check.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "gogs.io/gogs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.12.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-14958"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-12T14:55:34Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "In Gogs 0.11.91, MakeEmailPrimary in models/user_mail.go lacks a \"not the owner of the email\" check.",
"id": "GHSA-4c7m-vv47-7c69",
"modified": "2021-05-12T14:55:34Z",
"published": "2021-05-18T20:33:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14958"
},
{
"type": "WEB",
"url": "https://github.com/gogs/gogs/pull/5988"
},
{
"type": "WEB",
"url": "https://github.com/gogs/gogs/commit/82ff0c5852f29daa5f95d965fd50665581e7ea3c"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Insecure Permissions in Gogs"
}
GHSA-4F95-9C7F-VGP9
Vulnerability from github – Published: 2021-12-16 00:01 – Updated: 2022-07-13 00:01In enqueueNotification of NetworkPolicyManagerService.java, there is a possible way to retrieve a trackable identifier due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-9Android ID: A-177931370
{
"affected": [],
"aliases": [
"CVE-2021-0653"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-15T19:15:00Z",
"severity": "MODERATE"
},
"details": "In enqueueNotification of NetworkPolicyManagerService.java, there is a possible way to retrieve a trackable identifier due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-9Android ID: A-177931370",
"id": "GHSA-4f95-9c7f-vgp9",
"modified": "2022-07-13T00:01:00Z",
"published": "2021-12-16T00:01:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0653"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2021-11-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4FM9-9M4X-VRQW
Vulnerability from github – Published: 2022-05-13 01:47 – Updated: 2022-05-13 01:47A kernel-mode driver in Microsoft Windows XP SP3, Windows XP x64 XP2, Windows Server 2003 SP2, Windows Vista, Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, and Windows 8 allows an elevation of privilege when it fails to properly handle objects in memory, aka "Win32k Elevation of Privilege Vulnerability". This CVE is unique from CVE-2017-0263.
{
"affected": [],
"aliases": [
"CVE-2017-8552"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-06-15T01:29:00Z",
"severity": "HIGH"
},
"details": "A kernel-mode driver in Microsoft Windows XP SP3, Windows XP x64 XP2, Windows Server 2003 SP2, Windows Vista, Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, and Windows 8 allows an elevation of privilege when it fails to properly handle objects in memory, aka \"Win32k Elevation of Privilege Vulnerability\". This CVE is unique from CVE-2017-0263.",
"id": "GHSA-4fm9-9m4x-vrqw",
"modified": "2022-05-13T01:47:36Z",
"published": "2022-05-13T01:47:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8552"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8552"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4GH2-M88H-8CJ8
Vulnerability from github – Published: 2023-09-06 15:30 – Updated: 2024-01-30 23:07Jenkins SSH2 Easy Plugin 1.4 and earlier does not verify that permissions configured to be granted are enabled, potentially allowing users formerly granted (typically optional permissions, like Overall/Manage) to access functionality they're no longer entitled to.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:ssh2easy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-41939"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": true,
"github_reviewed_at": "2024-01-30T23:07:24Z",
"nvd_published_at": "2023-09-06T13:15:10Z",
"severity": "HIGH"
},
"details": "Jenkins SSH2 Easy Plugin 1.4 and earlier does not verify that permissions configured to be granted are enabled, potentially allowing users formerly granted (typically optional permissions, like Overall/Manage) to access functionality they\u0027re no longer entitled to.",
"id": "GHSA-4gh2-m88h-8cj8",
"modified": "2024-01-30T23:07:24Z",
"published": "2023-09-06T15:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41939"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3064"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2023/09/06/9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Disabled permissions can be granted by Jenkins SSH2 Easy Plugin"
}
GHSA-4GJR-VGFX-9QVW
Vulnerability from github – Published: 2022-12-12 15:30 – Updated: 2022-12-14 21:54Alist v3.4.0 is vulnerable to File Upload. A user with only file upload permission can upload any file to any folder (even a password protected one). Version 3.5.1 contains a patch.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/alist-org/alist/v3"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.5.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-45968"
],
"database_specific": {
"cwe_ids": [
"CWE-281",
"CWE-434"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-12T22:30:02Z",
"nvd_published_at": "2022-12-12T14:15:00Z",
"severity": "HIGH"
},
"details": "Alist v3.4.0 is vulnerable to File Upload. A user with only file upload permission can upload any file to any folder (even a password protected one). Version 3.5.1 contains a patch.",
"id": "GHSA-4gjr-vgfx-9qvw",
"modified": "2022-12-14T21:54:22Z",
"published": "2022-12-12T15:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45968"
},
{
"type": "WEB",
"url": "https://github.com/alist-org/alist/issues/2444"
},
{
"type": "WEB",
"url": "https://github.com/alist-org/alist/commit/85e1350af82e1759ca6580895e48ab969eb566cf"
},
{
"type": "PACKAGE",
"url": "https://github.com/alist-org/alist"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "AList vulnerable to Improper Preservation of Permissions"
}
GHSA-4M5G-9H9Q-7X5H
Vulnerability from github – Published: 2024-09-17 00:31 – Updated: 2025-11-04 18:31A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15. An app may be able to access protected user data.
{
"affected": [],
"aliases": [
"CVE-2024-44149"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-17T00:15:50Z",
"severity": "HIGH"
},
"details": "A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15. An app may be able to access protected user data.",
"id": "GHSA-4m5g-9h9q-7x5h",
"modified": "2025-11-04T18:31:22Z",
"published": "2024-09-17T00:31:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44149"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121238"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Sep/33"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4Q49-4C9Q-84RG
Vulnerability from github – Published: 2022-05-13 01:47 – Updated: 2022-05-13 01:47Microsoft Windows 8.1 and Windows RT 8.1, Windows Server 2012 R2, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allow an attacker to run processes in an elevated context when the Windows kernel improperly handles objects in memory, aka "Win32k Elevation of Privilege Vulnerability." This CVE ID is unique from CVE-2017-8465.
{
"affected": [],
"aliases": [
"CVE-2017-8468"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-06-15T01:29:00Z",
"severity": "HIGH"
},
"details": "Microsoft Windows 8.1 and Windows RT 8.1, Windows Server 2012 R2, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allow an attacker to run processes in an elevated context when the Windows kernel improperly handles objects in memory, aka \"Win32k Elevation of Privilege Vulnerability.\" This CVE ID is unique from CVE-2017-8465.",
"id": "GHSA-4q49-4c9q-84rg",
"modified": "2022-05-13T01:47:34Z",
"published": "2022-05-13T01:47:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8468"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8468"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/98846"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.