CWE-281
AllowedImproper Preservation of Permissions
Abstraction: Base · Status: Draft
The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.
432 vulnerabilities reference this CWE, most recent first.
GHSA-95JF-85V4-5P6V
Vulnerability from github – Published: 2024-06-22 00:30 – Updated: 2024-07-03 18:46Insecure permissions in kruise v1.6.2 allows attackers to access sensitive data and escalate privileges by obtaining the service account's token.
{
"affected": [],
"aliases": [
"CVE-2024-36532"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-21T22:15:11Z",
"severity": "CRITICAL"
},
"details": "Insecure permissions in kruise v1.6.2 allows attackers to access sensitive data and escalate privileges by obtaining the service account\u0027s token.",
"id": "GHSA-95jf-85v4-5p6v",
"modified": "2024-07-03T18:46:22Z",
"published": "2024-06-22T00:30:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36532"
},
{
"type": "WEB",
"url": "https://gist.github.com/HouqiyuA/43488e1d41110a5610146b87b2e88a02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-96FJ-F5H7-247V
Vulnerability from github – Published: 2022-05-13 01:47 – Updated: 2022-05-13 01:47Microsoft Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allow a locally-authenticated attacker to run a specially crafted application on a targeted system when Windows Secure Kernel Mode fails to properly handle objects in memory, aka "Windows Elevation of Privilege Vulnerability".
{
"affected": [],
"aliases": [
"CVE-2017-8494"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-06-15T01:29:00Z",
"severity": "HIGH"
},
"details": "Microsoft Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allow a locally-authenticated attacker to run a specially crafted application on a targeted system when Windows Secure Kernel Mode fails to properly handle objects in memory, aka \"Windows Elevation of Privilege Vulnerability\".",
"id": "GHSA-96fj-f5h7-247v",
"modified": "2022-05-13T01:47:34Z",
"published": "2022-05-13T01:47:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8494"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8494"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/98855"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-97MV-G3JG-WG68
Vulnerability from github – Published: 2025-01-28 00:32 – Updated: 2025-01-28 21:31An issue was discovered in Couchbase Server 7.6.x through 7.6.3. A user with the security_admin_local role can create a new user in a group that has the admin role.
{
"affected": [],
"aliases": [
"CVE-2024-56178"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-27T23:15:09Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Couchbase Server 7.6.x through 7.6.3. A user with the security_admin_local role can create a new user in a group that has the admin role.",
"id": "GHSA-97mv-g3jg-wg68",
"modified": "2025-01-28T21:31:03Z",
"published": "2025-01-28T00:32:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56178"
},
{
"type": "WEB",
"url": "https://www.couchbase.com/alerts"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-97QM-2H4W-QGHQ
Vulnerability from github – Published: 2024-12-12 03:33 – Updated: 2025-11-04 00:32The issue was resolved by sanitizing logging. This issue is fixed in macOS Sequoia 15.2. An app may be able to access user-sensitive data.
{
"affected": [],
"aliases": [
"CVE-2024-54484"
],
"database_specific": {
"cwe_ids": [
"CWE-281",
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-12T02:15:29Z",
"severity": "MODERATE"
},
"details": "The issue was resolved by sanitizing logging. This issue is fixed in macOS Sequoia 15.2. An app may be able to access user-sensitive data.",
"id": "GHSA-97qm-2h4w-qghq",
"modified": "2025-11-04T00:32:13Z",
"published": "2024-12-12T03:33:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54484"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121839"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Dec/7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9832-MGG4-3GR6
Vulnerability from github – Published: 2023-09-06 15:30 – Updated: 2023-09-07 13:59An improper default REST API permission for Gamma users in Apache Superset up to and including 2.1.0 allows for an authenticated Gamma user to test database connections.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "apache-superset"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-36387"
],
"database_specific": {
"cwe_ids": [
"CWE-281",
"CWE-863",
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2023-09-07T13:59:27Z",
"nvd_published_at": "2023-09-06T13:15:08Z",
"severity": "MODERATE"
},
"details": "An improper default REST API permission for Gamma users in Apache Superset up to and including 2.1.0 allows for an authenticated Gamma user to test database connections.\n",
"id": "GHSA-9832-mgg4-3gr6",
"modified": "2023-09-07T13:59:27Z",
"published": "2023-09-06T15:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36387"
},
{
"type": "WEB",
"url": "https://github.com/apache/superset/pull/24185"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/superset"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/tt6s6hm8nv6s11z8bfsk3r3d9ov0ogw3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Apache Superset has improper default REST API permission for Gamma users"
}
GHSA-983X-WCJM-36QG
Vulnerability from github – Published: 2025-01-14 00:30 – Updated: 2025-01-23 18:31Pat Infinite Solutions HelpdeskAdvanced <= 11.0.33 is vulnerable to Incorrect Access Control. Low privileged users can delete admin users by sending a request to the "WSCView/Delete" function.
{
"affected": [],
"aliases": [
"CVE-2023-42231"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-13T22:15:11Z",
"severity": "HIGH"
},
"details": "Pat Infinite Solutions HelpdeskAdvanced \u003c= 11.0.33 is vulnerable to Incorrect Access Control. Low privileged users can delete admin users by sending a request to the \"WSCView/Delete\" function.",
"id": "GHSA-983x-wcjm-36qg",
"modified": "2025-01-23T18:31:15Z",
"published": "2025-01-14T00:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42231"
},
{
"type": "WEB",
"url": "https://gitlab.com/daniele_m/cve-list/-/blob/main/README.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-985Q-9W8F-WXJ5
Vulnerability from github – Published: 2022-01-04 00:01 – Updated: 2022-01-13 00:01Possible access control violation while setting current permission for VMIDs due to improper permission masking in Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking
{
"affected": [],
"aliases": [
"CVE-2021-30279"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-03T08:15:00Z",
"severity": "HIGH"
},
"details": "Possible access control violation while setting current permission for VMIDs due to improper permission masking in Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking",
"id": "GHSA-985q-9w8f-wxj5",
"modified": "2022-01-13T00:01:42Z",
"published": "2022-01-04T00:01:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30279"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins/december-2021-bulletin"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-9FFV-QJRG-84GF
Vulnerability from github – Published: 2022-02-11 00:00 – Updated: 2025-05-05 18:31Improper permissions in the SafeNet Sentinel driver for Intel(R) Quartus(R) Prime Standard Edition before version 21.1 may allow an authenticated user to potentially enable escalation of privilege via local access.
{
"affected": [],
"aliases": [
"CVE-2022-21203"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-09T23:15:00Z",
"severity": "HIGH"
},
"details": "Improper permissions in the SafeNet Sentinel driver for Intel(R) Quartus(R) Prime Standard Edition before version 21.1 may allow an authenticated user to potentially enable escalation of privilege via local access.",
"id": "GHSA-9ffv-qjrg-84gf",
"modified": "2025-05-05T18:31:35Z",
"published": "2022-02-11T00:00:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21203"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00632.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9G8J-GQ2H-2QFX
Vulnerability from github – Published: 2022-08-27 00:00 – Updated: 2022-09-02 00:01A flaw was found in satellite. When giving granular permission related to the organization, other permissions allowing a user to view and manage other organizations are also granted. The highest threat from this vulnerability is to data confidentiality.
{
"affected": [],
"aliases": [
"CVE-2021-3414"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-26T16:15:00Z",
"severity": "HIGH"
},
"details": "A flaw was found in satellite. When giving granular permission related to the organization, other permissions allowing a user to view and manage other organizations are also granted. The highest threat from this vulnerability is to data confidentiality.",
"id": "GHSA-9g8j-gq2h-2qfx",
"modified": "2022-09-02T00:01:10Z",
"published": "2022-08-27T00:00:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3414"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2021-3414"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1926139"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9GW2-P8MJ-GVH2
Vulnerability from github – Published: 2021-12-16 00:01 – Updated: 2022-07-13 00:01In AndroidManifest.xml of Settings, there is a possible pairing of a Bluetooth device without user's consent due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-9Android ID: A-194300867
{
"affected": [],
"aliases": [
"CVE-2021-0965"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-15T19:15:00Z",
"severity": "HIGH"
},
"details": "In AndroidManifest.xml of Settings, there is a possible pairing of a Bluetooth device without user\u0027s consent due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-9Android ID: A-194300867",
"id": "GHSA-9gw2-p8mj-gvh2",
"modified": "2022-07-13T00:01:00Z",
"published": "2021-12-16T00:01:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0965"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2021-12-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.