CWE-281
AllowedImproper Preservation of Permissions
Abstraction: Base · Status: Draft
The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.
432 vulnerabilities reference this CWE, most recent first.
GHSA-6236-FHHC-64MR
Vulnerability from github – Published: 2025-06-10 12:30 – Updated: 2025-06-11 15:30Improper Preservation of Permissions vulnerability in Salesforce OmniStudio (DataMapper) allows exposure of encrypted data. This impacts OmniStudio: before Spring 2025
{
"affected": [],
"aliases": [
"CVE-2025-43697"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-10T12:15:24Z",
"severity": "HIGH"
},
"details": "Improper Preservation of Permissions vulnerability in Salesforce OmniStudio (DataMapper) allows exposure of encrypted data.\nThis impacts OmniStudio: before Spring 2025",
"id": "GHSA-6236-fhhc-64mr",
"modified": "2025-06-11T15:30:26Z",
"published": "2025-06-10T12:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43697"
},
{
"type": "WEB",
"url": "https://help.salesforce.com/s/articleView?id=004980323\u0026type=1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-62WC-JJ78-F4F6
Vulnerability from github – Published: 2026-01-20 21:31 – Updated: 2026-06-30 03:35A flaw in Node.js’s Permissions model allows attackers to bypass --allow-fs-read and --allow-fs-write restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise.
This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.
{
"affected": [],
"aliases": [
"CVE-2025-55130"
],
"database_specific": {
"cwe_ids": [
"CWE-281",
"CWE-289"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-20T21:16:03Z",
"severity": "HIGH"
},
"details": "A flaw in Node.js\u2019s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise.\nThis vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.",
"id": "GHSA-62wc-jj78-f4f6",
"modified": "2026-06-30T03:35:27Z",
"published": "2026-01-20T21:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55130"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-55130.json"
},
{
"type": "WEB",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431352"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-55130"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:7387"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:7386"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:6431"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:6402"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:2899"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:2864"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:2783"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:2782"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:2781"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:2768"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:2767"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:2422"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:2421"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:2420"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:1843"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:1842"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-63QM-GR74-HVJ8
Vulnerability from github – Published: 2021-12-08 00:01 – Updated: 2021-12-08 00:01There is an Improper permission control vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may allow attempts to obtain certain device information.
{
"affected": [],
"aliases": [
"CVE-2021-37056"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-07T16:15:00Z",
"severity": "MODERATE"
},
"details": "There is an Improper permission control vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may allow attempts to obtain certain device information.",
"id": "GHSA-63qm-gr74-hvj8",
"modified": "2021-12-08T00:01:26Z",
"published": "2021-12-08T00:01:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37056"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2021/9"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/om/support/bulletin/2021/10"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-645G-Q3PQ-8Q25
Vulnerability from github – Published: 2023-07-06 19:24 – Updated: 2024-04-04 05:35A vulnerability exists in Trellix Agent for Windows version 5.7.8 and earlier, that allows local users, during install/upgrade workflow, to replace one of the Agent’s executables before it can be executed. This allows the user to elevate their permissions.
{
"affected": [],
"aliases": [
"CVE-2023-0975"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-03T16:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability exists in Trellix Agent for Windows version 5.7.8 and earlier, that allows local users, during install/upgrade workflow, to replace one of the Agent\u2019s executables before it can be executed. This allows the user to elevate their permissions.",
"id": "GHSA-645g-q3pq-8q25",
"modified": "2024-04-04T05:35:30Z",
"published": "2023-07-06T19:24:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0975"
},
{
"type": "WEB",
"url": "https://kcm.trellix.com/corporate/index?page=content\u0026id=SB10396"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-647Q-GC86-99GJ
Vulnerability from github – Published: 2022-05-13 01:52 – Updated: 2022-05-13 01:52If a malicious attacker has used another vulnerability to gain full control over a content process, they may be able to replace the alternate data resources stored in the JavaScript Start-up Bytecode Cache (JSBC) for other JavaScript code. If the parent process then runs this replaced code, the executed script would be run with the parent process' privileges, escaping the sandbox on content processes. This vulnerability affects Firefox < 60.
{
"affected": [],
"aliases": [
"CVE-2018-5163"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-06-11T21:29:00Z",
"severity": "HIGH"
},
"details": "If a malicious attacker has used another vulnerability to gain full control over a content process, they may be able to replace the alternate data resources stored in the JavaScript Start-up Bytecode Cache (JSBC) for other JavaScript code. If the parent process then runs this replaced code, the executed script would be run with the parent process\u0027 privileges, escaping the sandbox on content processes. This vulnerability affects Firefox \u003c 60.",
"id": "GHSA-647q-gc86-99gj",
"modified": "2022-05-13T01:52:43Z",
"published": "2022-05-13T01:52:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-5163"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1426353"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3645-1"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2018-11"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/104139"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1040896"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-64G8-8MM8-6QP6
Vulnerability from github – Published: 2024-12-19 00:37 – Updated: 2025-01-02 21:31In Matter (aka connectedhomeip or Project CHIP) through 1.4.0.0, the WriteAcl function deletes all existing ACL entries first, and then attempts to recreate them based on user input. If input validation fails during decoding, the process stops, and no entries are restored by access-control-server.cpp, i.e., a denial of service.
{
"affected": [],
"aliases": [
"CVE-2024-56317"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-18T23:15:18Z",
"severity": "HIGH"
},
"details": "In Matter (aka connectedhomeip or Project CHIP) through 1.4.0.0, the WriteAcl function deletes all existing ACL entries first, and then attempts to recreate them based on user input. If input validation fails during decoding, the process stops, and no entries are restored by access-control-server.cpp, i.e., a denial of service.",
"id": "GHSA-64g8-8mm8-6qp6",
"modified": "2025-01-02T21:31:41Z",
"published": "2024-12-19T00:37:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56317"
},
{
"type": "WEB",
"url": "https://github.com/project-chip/connectedhomeip/issues/36535"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-66PM-7M3Q-GH7C
Vulnerability from github – Published: 2023-11-20 12:30 – Updated: 2023-11-20 12:30in OpenHarmony v3.2.2 and prior versions allow a local attacker arbitrary file read and write through improper preservation of permissions.
{
"affected": [],
"aliases": [
"CVE-2023-43612"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-20T12:15:08Z",
"severity": "HIGH"
},
"details": "in OpenHarmony v3.2.2 and prior versions allow a local attacker arbitrary file read and write through improper preservation of permissions.",
"id": "GHSA-66pm-7m3q-gh7c",
"modified": "2023-11-20T12:30:27Z",
"published": "2023-11-20T12:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43612"
},
{
"type": "WEB",
"url": "https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2023/2023-12.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-66VW-V2X9-HW75
Vulnerability from github – Published: 2022-04-30 00:00 – Updated: 2024-09-16 17:22Podman is a tool for managing OCI containers and pods. A privilege escalation flaw was found in Podman. This flaw allows an attacker to publish a malicious image to a public registry. Once this image is downloaded by a potential victim, the vulnerability is triggered after a user runs the 'podman top' command. This action gives the attacker access to the host filesystem, leading to information disclosure or denial of service.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/containers/podman/v3"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/containers/psgo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.7.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-1227"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-281"
],
"github_reviewed": true,
"github_reviewed_at": "2022-05-03T06:15:16Z",
"nvd_published_at": "2022-04-29T16:15:00Z",
"severity": "HIGH"
},
"details": "Podman is a tool for managing OCI containers and pods. A privilege escalation flaw was found in Podman. This flaw allows an attacker to publish a malicious image to a public registry. Once this image is downloaded by a potential victim, the vulnerability is triggered after a user runs the \u0027podman top\u0027 command. This action gives the attacker access to the host filesystem, leading to information disclosure or denial of service.",
"id": "GHSA-66vw-v2x9-hw75",
"modified": "2024-09-16T17:22:51Z",
"published": "2022-04-30T00:00:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1227"
},
{
"type": "WEB",
"url": "https://github.com/containers/podman/issues/10941"
},
{
"type": "WEB",
"url": "https://github.com/containers/podman/pull/13862"
},
{
"type": "WEB",
"url": "https://github.com/containers/podman/pull/13862/commits/79a3e149c10f74db4cebff624287385c90179d09"
},
{
"type": "WEB",
"url": "https://github.com/containers/psgo/pull/92"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2070368"
},
{
"type": "PACKAGE",
"url": "https://github.com/containers/podman"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DLUJZV3HBP56ADXU6QH2V7RNYUPMVBXQ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DLUJZV3HBP56ADXU6QH2V7RNYUPMVBXQ"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2022-0558"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20240628-0001"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Podman publishes a malicious image to public registries"
}
GHSA-67CG-J2QQ-7WV4
Vulnerability from github – Published: 2026-06-15 21:30 – Updated: 2026-06-15 21:30Unauthenticated Broken Access Control in wpForo Forum < 3.0.2 versions.
{
"affected": [],
"aliases": [
"CVE-2026-40767"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-15T21:16:49Z",
"severity": "HIGH"
},
"details": "Unauthenticated Broken Access Control in wpForo Forum \u003c 3.0.2 versions.",
"id": "GHSA-67cg-j2qq-7wv4",
"modified": "2026-06-15T21:30:46Z",
"published": "2026-06-15T21:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40767"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/wpforo/vulnerability/wordpress-wpforo-forum-plugin-3-0-2-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6879-GF6Q-3QMJ
Vulnerability from github – Published: 2024-09-17 00:31 – Updated: 2025-11-04 18:31A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15. A non-privileged user may be able to modify restricted network settings.
{
"affected": [],
"aliases": [
"CVE-2024-40770"
],
"database_specific": {
"cwe_ids": [
"CWE-281",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-17T00:15:48Z",
"severity": "HIGH"
},
"details": "A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15. A non-privileged user may be able to modify restricted network settings.",
"id": "GHSA-6879-gf6q-3qmj",
"modified": "2025-11-04T18:31:19Z",
"published": "2024-09-17T00:31:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40770"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121238"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Sep/33"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.