CWE-281
AllowedImproper Preservation of Permissions
Abstraction: Base · Status: Draft
The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.
432 vulnerabilities reference this CWE, most recent first.
GHSA-5CCQ-W6WJ-JCQQ
Vulnerability from github – Published: 2023-01-26 21:30 – Updated: 2025-04-02 15:30An issue was discovered in Rehau devices that use a pCOWeb card BIOS v6.27, BOOT v5.00, web version v2.2, allows attackers to gain full unauthenticated access to the configuration and service interface.
{
"affected": [],
"aliases": [
"CVE-2020-18329"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-26T21:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Rehau devices that use a pCOWeb card BIOS v6.27, BOOT v5.00, web version v2.2, allows attackers to gain full unauthenticated access to the configuration and service interface.",
"id": "GHSA-5ccq-w6wj-jcqq",
"modified": "2025-04-02T15:30:29Z",
"published": "2023-01-26T21:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-18329"
},
{
"type": "WEB",
"url": "https://github.com/cybertoxin/CVEs/blob/main/CVE_2020_18329.md"
},
{
"type": "WEB",
"url": "https://medium.com/%40SergiuSechel/insecure-permissions-in-rehau-group-unlimited-polymer-solutions-implementation-of-carel-pcoweb-514c148ae694"
},
{
"type": "WEB",
"url": "https://medium.com/@SergiuSechel/insecure-permissions-in-rehau-group-unlimited-polymer-solutions-implementation-of-carel-pcoweb-514c148ae694"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5F27-4GV5-7JHC
Vulnerability from github – Published: 2023-02-09 18:30 – Updated: 2025-03-25 15:31The SystemUI has a vulnerability in permission management. Successful exploitation of this vulnerability may cause users to receive broadcasts from malicious apps, conveying false alarm information about external storage devices.
{
"affected": [],
"aliases": [
"CVE-2022-48296"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-09T17:15:00Z",
"severity": "MODERATE"
},
"details": "The SystemUI has a vulnerability in permission management. Successful exploitation of this vulnerability may cause users to receive broadcasts from malicious apps, conveying false alarm information about external storage devices.",
"id": "GHSA-5f27-4gv5-7jhc",
"modified": "2025-03-25T15:31:13Z",
"published": "2023-02-09T18:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48296"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2023/2"
},
{
"type": "WEB",
"url": "https://device.harmonyos.com/en/docs/security/update/security-bulletins-202302-0000001454769474"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5H99-8M23-J8RF
Vulnerability from github – Published: 2022-04-30 18:15 – Updated: 2024-01-25 21:32sash before 3.4-4 in Debian GNU/Linux does not properly clone /etc/shadow, which makes it world-readable and could allow local users to gain privileges via password cracking.
{
"affected": [],
"aliases": [
"CVE-2001-0195"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2001-03-26T05:00:00Z",
"severity": "LOW"
},
"details": "sash before 3.4-4 in Debian GNU/Linux does not properly clone /etc/shadow, which makes it world-readable and could allow local users to gain privileges via password cracking.",
"id": "GHSA-5h99-8m23-j8rf",
"modified": "2024-01-25T21:32:09Z",
"published": "2022-04-30T18:15:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2001-0195"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/5994"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2001/dsa-015"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5J5J-GH4V-9Q6C
Vulnerability from github – Published: 2022-05-24 19:05 – Updated: 2022-05-24 19:05Huawei LTE USB Dongle products have an improper permission assignment vulnerability. An attacker can locally access and log in to a PC to induce a user to install a specially crafted application. After successfully exploiting this vulnerability, the attacker can perform unauthenticated operations. Affected product versions include:E3372 E3372h-153TCPU-V200R002B333D01SP00C00.
{
"affected": [],
"aliases": [
"CVE-2021-22382"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-22T19:15:00Z",
"severity": "MODERATE"
},
"details": "Huawei LTE USB Dongle products have an improper permission assignment vulnerability. An attacker can locally access and log in to a PC to induce a user to install a specially crafted application. After successfully exploiting this vulnerability, the attacker can perform unauthenticated operations. Affected product versions include:E3372 E3372h-153TCPU-V200R002B333D01SP00C00.",
"id": "GHSA-5j5j-gh4v-9q6c",
"modified": "2022-05-24T19:05:50Z",
"published": "2022-05-24T19:05:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22382"
},
{
"type": "WEB",
"url": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20210602-01-permission-en"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-5J9P-7Q54-GVH7
Vulnerability from github – Published: 2024-12-10 21:30 – Updated: 2024-12-12 03:33Insecure permissions in Silicon Labs (SiLabs) Z-Wave Series 700 and 800 v7.21.1 allow attackers to cause disrupt communications between the controller and the device itself via repeatedly sending crafted packets to the controller.
{
"affected": [],
"aliases": [
"CVE-2024-50924"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-10T19:15:30Z",
"severity": "MODERATE"
},
"details": "Insecure permissions in Silicon Labs (SiLabs) Z-Wave Series 700 and 800 v7.21.1 allow attackers to cause disrupt communications between the controller and the device itself via repeatedly sending crafted packets to the controller.",
"id": "GHSA-5j9p-7q54-gvh7",
"modified": "2024-12-12T03:33:01Z",
"published": "2024-12-10T21:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50924"
},
{
"type": "WEB",
"url": "https://github.com/CNK2100/2024-CVE/blob/main/README.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5PJ3-6FQM-8M7M
Vulnerability from github – Published: 2022-10-30 12:00 – Updated: 2024-04-22 22:35An issue was discovered in OpenStack Sushy-Tools through 0.21.0 and VirtualBMC through 2.2.2. Changing the boot device configuration with these packages removes password protection from the managed libvirt XML domain. NOTE: this only affects an "unsupported, production-like configuration."
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "sushy-tools"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.21.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "virtualbmc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-44020"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-22T22:35:35Z",
"nvd_published_at": "2022-10-30T00:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in OpenStack Sushy-Tools through 0.21.0 and VirtualBMC through 2.2.2. Changing the boot device configuration with these packages removes password protection from the managed libvirt XML domain. NOTE: this only affects an \"unsupported, production-like configuration.\"",
"id": "GHSA-5pj3-6fqm-8m7m",
"modified": "2024-04-22T22:35:35Z",
"published": "2022-10-30T12:00:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44020"
},
{
"type": "PACKAGE",
"url": "https://github.com/umago/virtualbmc"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GAD7QJIUWPCKJIGYP7PPHH5DILOEONFE"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KEQVJF3OQGSDCSQTQQSC54JEGLMSNB4Q"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMSUGS4B6EBRHBJMTRXL5RIKJTZTEMJC"
},
{
"type": "WEB",
"url": "https://review.opendev.org/c/openstack/sushy-tools/+/862625"
},
{
"type": "WEB",
"url": "https://review.opendev.org/c/openstack/virtualbmc/+/862620"
},
{
"type": "WEB",
"url": "https://storyboard.openstack.org/#!/story/2010382"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "OpenStack Sushy-Tools and VirtualBMC Improper Preservation of Permissions"
}
GHSA-5QJJ-R3MQ-X5VJ
Vulnerability from github – Published: 2022-05-13 01:47 – Updated: 2022-05-13 01:47Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows an elevation of privilege vulnerability due to the way that the Windows Common Log File System (CLFS) driver handles objects in memory, aka "Windows CLFS Elevation of Privilege Vulnerability".
{
"affected": [],
"aliases": [
"CVE-2017-8590"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-07-11T21:29:00Z",
"severity": "HIGH"
},
"details": "Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows an elevation of privilege vulnerability due to the way that the Windows Common Log File System (CLFS) driver handles objects in memory, aka \"Windows CLFS Elevation of Privilege Vulnerability\".",
"id": "GHSA-5qjj-r3mq-x5vj",
"modified": "2022-05-13T01:47:38Z",
"published": "2022-05-13T01:47:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8590"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8590"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/99427"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1038853"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5VFG-HF4P-8HCF
Vulnerability from github – Published: 2022-05-24 17:30 – Updated: 2023-12-31 21:30A security feature bypass vulnerability exists when Microsoft Windows fails to handle file creation permissions, which could allow an attacker to create files in a protected Unified Extensible Firmware Interface (UEFI) location.To exploit this vulnerability, an attacker could run a specially crafted application to bypass Unified Extensible Firmware Interface (UEFI) variable security in Windows.The security update addresses the vulnerability by correcting security feature behavior to enforce permissions., aka 'Windows Security Feature Bypass Vulnerability'.
{
"affected": [],
"aliases": [
"CVE-2020-16910"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-16T23:15:00Z",
"severity": "MODERATE"
},
"details": "A security feature bypass vulnerability exists when Microsoft Windows fails to handle file creation permissions, which could allow an attacker to create files in a protected Unified Extensible Firmware Interface (UEFI) location.To exploit this vulnerability, an attacker could run a specially crafted application to bypass Unified Extensible Firmware Interface (UEFI) variable security in Windows.The security update addresses the vulnerability by correcting security feature behavior to enforce permissions., aka \u0027Windows Security Feature Bypass Vulnerability\u0027.",
"id": "GHSA-5vfg-hf4p-8hcf",
"modified": "2023-12-31T21:30:22Z",
"published": "2022-05-24T17:30:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-16910"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16910"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5X4F-7XGQ-R42X
Vulnerability from github – Published: 2022-04-29 15:39 – Updated: 2022-04-29 15:39Object state limitation is a policy you can use in your roles to limit access to content based on specific object state values. Due to a flawed earlier update, these limitations were ineffective in releases made since February 16th 2022. They would grant access to the given content regardless of the object state. Depending on how your frontent is designed, knowing the URL to the content may or may not be required to access it. If you are using object state limitations in your roles, this issue is critical. Please apply the fix as soon as possible.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "ezsystems/ezpublish-kernel"
},
"ranges": [
{
"events": [
{
"introduced": "7.5.0"
},
{
"fixed": "7.5.28"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": true,
"github_reviewed_at": "2022-04-29T15:39:18Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "Object state limitation is a policy you can use in your roles to limit access to content based on specific object state values. Due to a flawed earlier update, these limitations were ineffective in releases made since February 16th 2022. They would grant access to the given content regardless of the object state. Depending on how your frontent is designed, knowing the URL to the content may or may not be required to access it. If you are using object state limitations in your roles, this issue is critical. Please apply the fix as soon as possible.",
"id": "GHSA-5x4f-7xgq-r42x",
"modified": "2022-04-29T15:39:18Z",
"published": "2022-04-29T15:39:18Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ezsystems/ezpublish-kernel/security/advisories/GHSA-5x4f-7xgq-r42x"
},
{
"type": "WEB",
"url": "https://github.com/ezsystems/ezpublish-kernel/commit/133c33cbcaa330953d6283865153f3dfdc7a2e45"
},
{
"type": "WEB",
"url": "https://developers.ibexa.co/security-advisories/ibexa-sa-2022-004-ineffective-object-state-limitation-and-unauthenticated-fastly-purge"
},
{
"type": "PACKAGE",
"url": "https://github.com/ezsystems/ezpublish-kernel"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Object state limitation has no effect"
}
GHSA-5XXV-WCW2-XF9P
Vulnerability from github – Published: 2022-04-22 00:00 – Updated: 2022-05-04 00:00The Labeling tool in Titus Classification Suite 18.8.1910.140 allows users to avoid the generation of a classification label by using Excel's safe mode.
{
"affected": [],
"aliases": [
"CVE-2021-43708"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-21T19:15:00Z",
"severity": "MODERATE"
},
"details": "The Labeling tool in Titus Classification Suite 18.8.1910.140 allows users to avoid the generation of a classification label by using Excel\u0027s safe mode.",
"id": "GHSA-5xxv-wcw2-xf9p",
"modified": "2022-05-04T00:00:38Z",
"published": "2022-04-22T00:00:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43708"
},
{
"type": "WEB",
"url": "https://medium.com/@way2goraj/bypass-data-classification-labelling-tool-aa037ff86dee"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.