CWE-281
AllowedImproper Preservation of Permissions
Abstraction: Base · Status: Draft
The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.
432 vulnerabilities reference this CWE, most recent first.
GHSA-PMR9-53H4-Q7GR
Vulnerability from github – Published: 2022-05-24 19:09 – Updated: 2022-05-24 19:09An incorrect permission preservation vulnerability in Trend Micro Apex One, Apex One as a Service and OfficeScan XG SP1 could allow a remote user to perform an attack and bypass authentication on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2021-32465"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-04T19:15:00Z",
"severity": "HIGH"
},
"details": "An incorrect permission preservation vulnerability in Trend Micro Apex One, Apex One as a Service and OfficeScan XG SP1 could allow a remote user to perform an attack and bypass authentication on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.",
"id": "GHSA-pmr9-53h4-q7gr",
"modified": "2022-05-24T19:09:54Z",
"published": "2022-05-24T19:09:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32465"
},
{
"type": "WEB",
"url": "https://success.trendmicro.com/jp/solution/000287796"
},
{
"type": "WEB",
"url": "https://success.trendmicro.com/solution/000287819"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-911"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-PPJ8-867G-RGJR
Vulnerability from github – Published: 2023-07-24 18:30 – Updated: 2024-04-17 18:31A flaw was found in the 9p passthrough filesystem (9pfs) implementation in QEMU. When a local user in the guest writes an executable file with SUID or SGID, none of these privileged bits are correctly dropped. As a result, in rare circumstances, this flaw could be used by malicious users in the guest to elevate their privileges within the guest and help a host local user to elevate privileges on the host.
{
"affected": [],
"aliases": [
"CVE-2023-1386"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-24T16:15:11Z",
"severity": "HIGH"
},
"details": "A flaw was found in the 9p passthrough filesystem (9pfs) implementation in QEMU. When a local user in the guest writes an executable file with SUID or SGID, none of these privileged bits are correctly dropped. As a result, in rare circumstances, this flaw could be used by malicious users in the guest to elevate their privileges within the guest and help a host local user to elevate privileges on the host.",
"id": "GHSA-ppj8-867g-rgjr",
"modified": "2024-04-17T18:31:30Z",
"published": "2023-07-24T18:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1386"
},
{
"type": "WEB",
"url": "https://github.com/v9fs/linux/issues/29"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2023-1386"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2223985"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-ppj8-867g-rgjr"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20230831-0005"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PQFC-VH74-FMV2
Vulnerability from github – Published: 2022-05-24 17:18 – Updated: 2022-05-24 17:18In Cacti before 1.2.11, disabling a user account does not immediately invalidate any permissions granted to that account (e.g., permission to view logs).
{
"affected": [],
"aliases": [
"CVE-2020-13230"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-05-20T14:15:00Z",
"severity": "MODERATE"
},
"details": "In Cacti before 1.2.11, disabling a user account does not immediately invalidate any permissions granted to that account (e.g., permission to view logs).",
"id": "GHSA-pqfc-vh74-fmv2",
"modified": "2022-05-24T17:18:12Z",
"published": "2022-05-24T17:18:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13230"
},
{
"type": "WEB",
"url": "https://github.com/Cacti/cacti/issues/3343"
},
{
"type": "WEB",
"url": "https://github.com/Cacti/cacti/releases/tag/release%2F1.2.11"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00038.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICJMWSY77IIGZYR6FE6NAQZFBO42VECO"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q3PCDGNELH7HEBIXRNT5J5EWQEXQAU6B"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PXQF-JG9M-J88F
Vulnerability from github – Published: 2024-12-07 00:31 – Updated: 2024-12-12 03:32Insecure Permissions vulnerability in Open Robotics Robotic Operating System 2 ROS2 navigation2 v.humble allows an attacker to execute arbitrary code via the dyn_param_handler_ component.
{
"affected": [],
"aliases": [
"CVE-2024-41644"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-06T22:15:20Z",
"severity": "CRITICAL"
},
"details": "Insecure Permissions vulnerability in Open Robotics Robotic Operating System 2 ROS2 navigation2 v.humble allows an attacker to execute arbitrary code via the dyn_param_handler_ component.",
"id": "GHSA-pxqf-jg9m-j88f",
"modified": "2024-12-12T03:32:59Z",
"published": "2024-12-07T00:31:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41644"
},
{
"type": "WEB",
"url": "https://github.com/ros-navigation/navigation2/issues/4496"
},
{
"type": "WEB",
"url": "https://github.com/ros-navigation/navigation2/pull/4521"
},
{
"type": "WEB",
"url": "https://github.com/GoesM/ROS-CVE-CNVDs"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q27X-Q82P-47RV
Vulnerability from github – Published: 2024-09-17 00:31 – Updated: 2025-11-04 18:31A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15. An app may be able to access protected user data.
{
"affected": [],
"aliases": [
"CVE-2024-27858"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-17T00:15:47Z",
"severity": "MODERATE"
},
"details": "A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15. An app may be able to access protected user data.",
"id": "GHSA-q27x-q82p-47rv",
"modified": "2025-11-04T18:31:19Z",
"published": "2024-09-17T00:31:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27858"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121238"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Sep/33"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q32M-5WQX-F57M
Vulnerability from github – Published: 2023-05-22 15:30 – Updated: 2024-04-04 04:16Suprema BioStar 2 before 2022 Q4, v2.9.1 has Insecure Permissions. A vulnerability in the web application allows an authenticated attacker with "User Operator" privileges to create a highly privileged user account. The vulnerability is caused by missing server-side validation, which can be exploited to gain full administrator privileges on the system.
{
"affected": [],
"aliases": [
"CVE-2023-31923"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-22T15:15:09Z",
"severity": "HIGH"
},
"details": "Suprema BioStar 2 before 2022 Q4, v2.9.1 has Insecure Permissions. A vulnerability in the web application allows an authenticated attacker with \"User Operator\" privileges to create a highly privileged user account. The vulnerability is caused by missing server-side validation, which can be exploited to gain full administrator privileges on the system.",
"id": "GHSA-q32m-5wqx-f57m",
"modified": "2024-04-04T04:16:23Z",
"published": "2023-05-22T15:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31923"
},
{
"type": "WEB",
"url": "https://nobugescapes.com/blog/creating-a-new-user-with-admin-privilege"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q3XM-785W-F7GP
Vulnerability from github – Published: 2022-04-30 00:02 – Updated: 2022-04-30 00:02Blink in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android failed to correctly propagate CSP restrictions to local scheme pages, which allowed a remote attacker to bypass content security policy via a crafted HTML page, related to the unsafe-inline keyword.
{
"affected": [],
"aliases": [
"CVE-2017-5033"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-04-24T23:59:00Z",
"severity": "MODERATE"
},
"details": "Blink in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android failed to correctly propagate CSP restrictions to local scheme pages, which allowed a remote attacker to bypass content security policy via a crafted HTML page, related to the unsafe-inline keyword.",
"id": "GHSA-q3xm-785w-f7gp",
"modified": "2022-04-30T00:02:22Z",
"published": "2022-04-30T00:02:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5033"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2017/03/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://crbug.com/669086"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201704-02"
},
{
"type": "WEB",
"url": "https://twitter.com/Ma7h1as/status/907641276434063361"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0499.html"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2017/dsa-3810"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/96767"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q565-G228-CGG3
Vulnerability from github – Published: 2023-12-11 12:30 – Updated: 2025-02-13 18:32Insufficient macro permission validation of The Document Foundation LibreOffice allows an attacker to execute built-in macros without warning.
In affected versions LibreOffice supports hyperlinks with macro or similar built-in command targets that can be executed when activated without warning the user.
{
"affected": [],
"aliases": [
"CVE-2023-6186"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-11T12:15:07Z",
"severity": "HIGH"
},
"details": "Insufficient macro permission validation of The Document Foundation LibreOffice allows an attacker to execute built-in macros without warning.\n\nIn affected versions LibreOffice supports hyperlinks with macro or similar built-in command targets that can be executed when activated without warning the user.",
"id": "GHSA-q565-g228-cgg3",
"modified": "2025-02-13T18:32:05Z",
"published": "2023-12-11T12:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6186"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00026.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QB7UB6CTWQUDOE657OVVRSDYUY3IPBJG"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2023/dsa-5574"
},
{
"type": "WEB",
"url": "https://www.libreoffice.org/about-us/security/advisories/cve-2023-6186"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q6W2-JC9G-66QV
Vulnerability from github – Published: 2023-06-02 18:30 – Updated: 2024-04-04 04:30If temporary "one-time" permissions, such as the ability to use the Camera, were granted to a document loaded using a file: URL, that permission persisted in that tab for all other documents loaded from a file: URL. This is potentially dangerous if the local files came from different sources, such as in a download directory. This vulnerability affects Firefox < 111.
{
"affected": [],
"aliases": [
"CVE-2023-28161"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-02T17:15:12Z",
"severity": "HIGH"
},
"details": "If temporary \"one-time\" permissions, such as the ability to use the Camera, were granted to a document loaded using a file: URL, that permission persisted in that tab for all other documents loaded from a file: URL. This is potentially dangerous if the local files came from different sources, such as in a download directory. This vulnerability affects Firefox \u003c 111.",
"id": "GHSA-q6w2-jc9g-66qv",
"modified": "2024-04-04T04:30:28Z",
"published": "2023-06-02T18:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28161"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1811181"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2023-09"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q72F-WGF9-7VP7
Vulnerability from github – Published: 2023-07-19 03:30 – Updated: 2024-04-04 06:16IBM Security Guardium 11.3 could allow a local user to escalate their privileges due to improper permission controls. IBM X-Force ID: 240908.
{
"affected": [],
"aliases": [
"CVE-2022-43910"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-19T03:15:10Z",
"severity": "HIGH"
},
"details": "\nIBM Security Guardium 11.3 could allow a local user to escalate their privileges due to improper permission controls. IBM X-Force ID: 240908.\n\n",
"id": "GHSA-q72f-wgf9-7vp7",
"modified": "2024-04-04T06:16:53Z",
"published": "2023-07-19T03:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43910"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/240908"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7007815"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.