CWE-281
AllowedImproper Preservation of Permissions
Abstraction: Base · Status: Draft
The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.
432 vulnerabilities reference this CWE, most recent first.
GHSA-8Q4V-39JW-37MV
Vulnerability from github – Published: 2022-05-13 01:47 – Updated: 2022-05-13 01:47Windows Cursor in Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and Windows Server 2016 allows improper elevation of privilege, aka "Windows Cursor Elevation of Privilege Vulnerability".
{
"affected": [],
"aliases": [
"CVE-2017-8466"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-06-15T01:29:00Z",
"severity": "HIGH"
},
"details": "Windows Cursor in Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and Windows Server 2016 allows improper elevation of privilege, aka \"Windows Cursor Elevation of Privilege Vulnerability\".",
"id": "GHSA-8q4v-39jw-37mv",
"modified": "2022-05-13T01:47:33Z",
"published": "2022-05-13T01:47:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8466"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8466"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/98844"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1038671"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8R46-M6M6-R9PQ
Vulnerability from github – Published: 2023-04-16 06:30 – Updated: 2024-03-21 03:35Liferay Portal 6.2.5 allows Command=FileUpload&Type=File&CurrentFolder=/ requests when frmfolders.html exists.
{
"affected": [],
"aliases": [
"CVE-2021-33990"
],
"database_specific": {
"cwe_ids": [
"CWE-281",
"CWE-78"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-16T04:15:00Z",
"severity": "CRITICAL"
},
"details": "Liferay Portal 6.2.5 allows Command=FileUpload\u0026Type=File\u0026CurrentFolder=/ requests when frmfolders.html exists.",
"id": "GHSA-8r46-m6m6-r9pq",
"modified": "2024-03-21T03:35:08Z",
"published": "2023-04-16T06:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33990"
},
{
"type": "WEB",
"url": "https://github.com/fu2x2000/Liferay_exploit_Poc"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/171701/Liferay-Portal-6.2.5-Insecure-Permissions.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8W43-765R-W2W5
Vulnerability from github – Published: 2022-10-20 12:00 – Updated: 2022-10-21 19:01The MSI installer in Verint Desktop Resources 15.2 allows an unprivileged local user to elevate their privileges during install or repair.
{
"affected": [],
"aliases": [
"CVE-2020-12744"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-20T11:15:00Z",
"severity": "HIGH"
},
"details": "The MSI installer in Verint Desktop Resources 15.2 allows an unprivileged local user to elevate their privileges during install or repair.",
"id": "GHSA-8w43-765r-w2w5",
"modified": "2022-10-21T19:01:10Z",
"published": "2022-10-20T12:00:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12744"
},
{
"type": "WEB",
"url": "https://github.com/bwiltse/cve/blob/master/Verint/Verint-CVE-2020-12744.txt"
},
{
"type": "WEB",
"url": "https://github.com/bwiltse/verint"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-92VM-P8P9-G4X5
Vulnerability from github – Published: 2024-05-17 18:30 – Updated: 2024-05-17 18:30When installing Nessus to a directory outside of the default location on a Windows host, Nessus versions prior to 10.7.3 did not enforce secure permissions for sub-directories. This could allow for local privilege escalation if users had not secured the directories in the non-default installation location.
{
"affected": [],
"aliases": [
"CVE-2024-3289"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-17T17:15:07Z",
"severity": "HIGH"
},
"details": "When installing Nessus to a directory outside of the default location on a Windows host, Nessus versions prior to 10.7.3 did not enforce secure permissions for sub-directories. This could allow for local privilege escalation if users had not secured the directories in the non-default installation location.",
"id": "GHSA-92vm-p8p9-g4x5",
"modified": "2024-05-17T18:30:43Z",
"published": "2024-05-17T18:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3289"
},
{
"type": "WEB",
"url": "https://www.tenable.com/security/tns-2024-08"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9347-9W64-Q5WP
Vulnerability from github – Published: 2022-05-14 02:05 – Updated: 2023-08-17 22:33Jython before 2.7.2b3 uses the current umask to set the privileges of the class cache files, which allows local users to bypass intended access restrictions via unspecified vectors.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.python:jython-standalone"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.7.2b3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2013-2027"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": true,
"github_reviewed_at": "2023-08-17T22:33:35Z",
"nvd_published_at": "2015-02-13T15:59:00Z",
"severity": "MODERATE"
},
"details": "Jython before 2.7.2b3 uses the current umask to set the privileges of the class cache files, which allows local users to bypass intended access restrictions via unspecified vectors.",
"id": "GHSA-9347-9w64-q5wp",
"modified": "2023-08-17T22:33:35Z",
"published": "2022-05-14T02:05:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2027"
},
{
"type": "WEB",
"url": "https://github.com/jython/frozen-mirror/commit/053949e66d307168fd70b39725f4d3e6b642acc1"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=947949"
},
{
"type": "WEB",
"url": "https://github.com/jython/frozen-mirror/blob/b8d7aa4cee50c0c0fe2f4b235dd62922dd0f3f99/NEWS#L25C8-L25C15"
},
{
"type": "WEB",
"url": "http://advisories.mageia.org/MGASA-2015-0096.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-updates/2015-02/msg00055.html"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:158"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html"
},
{
"type": "PACKAGE",
"url": "jython/frozen-mirror"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Jython Improper Access Restrictions vulnerability"
}
GHSA-93FW-JJ7X-4XH7
Vulnerability from github – Published: 2022-03-17 00:00 – Updated: 2022-03-24 00:00In checkFileUriDestination of DownloadProvider.java, there is a possible way to bypass external storage private directories protection due to a missing permission check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12Android ID: A-200813547
{
"affected": [],
"aliases": [
"CVE-2021-39697"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-16T15:15:00Z",
"severity": "HIGH"
},
"details": "In checkFileUriDestination of DownloadProvider.java, there is a possible way to bypass external storage private directories protection due to a missing permission check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12Android ID: A-200813547",
"id": "GHSA-93fw-jj7x-4xh7",
"modified": "2022-03-24T00:00:39Z",
"published": "2022-03-17T00:00:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39697"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2022-03-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-93PR-4CPG-PRWH
Vulnerability from github – Published: 2022-03-19 00:00 – Updated: 2022-03-25 00:00This issue was addressed with improved checks. This issue is fixed in macOS Big Sur 11.6.5, macOS Monterey 12.3, Security Update 2022-003 Catalina. A plug-in may be able to inherit the application's permissions and access user data.
{
"affected": [],
"aliases": [
"CVE-2022-22650"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-18T18:15:00Z",
"severity": "MODERATE"
},
"details": "This issue was addressed with improved checks. This issue is fixed in macOS Big Sur 11.6.5, macOS Monterey 12.3, Security Update 2022-003 Catalina. A plug-in may be able to inherit the application\u0027s permissions and access user data.",
"id": "GHSA-93pr-4cpg-prwh",
"modified": "2022-03-25T00:00:45Z",
"published": "2022-03-19T00:00:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22650"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213183"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213184"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213185"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-94FV-WXC5-F8VM
Vulnerability from github – Published: 2022-05-24 16:55 – Updated: 2024-04-04 01:54An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It has Incorrect Access Control (issue 3 of 3). When a project with visibility more permissive than the target group is imported, it will retain its prior visibility.
{
"affected": [],
"aliases": [
"CVE-2019-6791"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-09-09T21:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It has Incorrect Access Control (issue 3 of 3). When a project with visibility more permissive than the target group is imported, it will retain its prior visibility.",
"id": "GHSA-94fv-wxc5-f8vm",
"modified": "2024-04-04T01:54:42Z",
"published": "2022-05-24T16:55:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-6791"
},
{
"type": "WEB",
"url": "https://about.gitlab.com/2019/01/31/security-release-gitlab-11-dot-7-dot-3-released"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-94W9-FCWH-P5JV
Vulnerability from github – Published: 2024-12-20 06:30 – Updated: 2025-11-04 00:32This issue was addressed with improved validation of symlinks. This issue is fixed in macOS Sequoia 15.1. An app may be able to access user-sensitive data.
{
"affected": [],
"aliases": [
"CVE-2024-44211"
],
"database_specific": {
"cwe_ids": [
"CWE-281",
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-20T04:15:05Z",
"severity": "HIGH"
},
"details": "This issue was addressed with improved validation of symlinks. This issue is fixed in macOS Sequoia 15.1. An app may be able to access user-sensitive data.",
"id": "GHSA-94w9-fcwh-p5jv",
"modified": "2025-11-04T00:32:15Z",
"published": "2024-12-20T06:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44211"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121564"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Oct/11"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-957R-R8GC-VV3H
Vulnerability from github – Published: 2026-04-22 18:31 – Updated: 2026-04-29 23:18The mv utility in uutils coreutils fails to preserve file ownership during moves across different filesystem boundaries. The utility falls back to a copy-and-delete routine that creates the destination file using the caller's UID/GID rather than the source's metadata. This flaw breaks backups and migrations, causing files moved by a privileged user (e.g., root) to become root-owned unexpectedly, which can lead to information disclosure or restricted access for the intended owners.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "coreutils"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.8.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-35351"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-29T23:18:01Z",
"nvd_published_at": "2026-04-22T17:16:37Z",
"severity": "MODERATE"
},
"details": "The mv utility in uutils coreutils fails to preserve file ownership during moves across different filesystem boundaries. The utility falls back to a copy-and-delete routine that creates the destination file using the caller\u0027s UID/GID rather than the source\u0027s metadata. This flaw breaks backups and migrations, causing files moved by a privileged user (e.g., root) to become root-owned unexpectedly, which can lead to information disclosure or restricted access for the intended owners.",
"id": "GHSA-957r-r8gc-vv3h",
"modified": "2026-04-29T23:18:01Z",
"published": "2026-04-22T18:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35351"
},
{
"type": "WEB",
"url": "https://github.com/uutils/coreutils/issues/9714"
},
{
"type": "PACKAGE",
"url": "https://github.com/uutils/coreutils"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "uutils coreutils doesn\u0027t preserve file ownership during moves across different filesystem boundaries"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.