CWE-281
AllowedImproper Preservation of Permissions
Abstraction: Base · Status: Draft
The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.
432 vulnerabilities reference this CWE, most recent first.
GHSA-QQQ3-XH7J-8R23
Vulnerability from github – Published: 2022-05-13 01:47 – Updated: 2022-05-13 01:47Win32k in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an elevation of privilege vulnerability when it fails to properly handle objects in memory, aka "Win32k Elevation of Privilege Vulnerability". This CVE ID is unique from CVE-2017-8577, CVE-2017-8580, CVE-2017-8581, and CVE-2017-8467.
{
"affected": [],
"aliases": [
"CVE-2017-8578"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-07-11T21:29:00Z",
"severity": "HIGH"
},
"details": "Win32k in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an elevation of privilege vulnerability when it fails to properly handle objects in memory, aka \"Win32k Elevation of Privilege Vulnerability\". This CVE ID is unique from CVE-2017-8577, CVE-2017-8580, CVE-2017-8581, and CVE-2017-8467.",
"id": "GHSA-qqq3-xh7j-8r23",
"modified": "2022-05-13T01:47:37Z",
"published": "2022-05-13T01:47:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8578"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8578"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/99419"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1038853"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QRW5-W925-F5G8
Vulnerability from github – Published: 2022-10-20 12:00 – Updated: 2025-05-08 21:32Relatedcode's Messenger version 7bcd20b allows an authenticated external attacker to access existing chats in the workspaces of any user of the application. This is possible because the application does not validate permissions correctly.
{
"affected": [],
"aliases": [
"CVE-2022-41708"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-19T19:15:00Z",
"severity": "MODERATE"
},
"details": "Relatedcode\u0027s Messenger version 7bcd20b allows an authenticated external attacker to access existing chats in the workspaces of any user of the application. This is possible because the application does not validate permissions correctly.",
"id": "GHSA-qrw5-w925-f5g8",
"modified": "2025-05-08T21:32:44Z",
"published": "2022-10-20T12:00:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41708"
},
{
"type": "WEB",
"url": "https://fluidattacks.com/advisories/tiesto"
},
{
"type": "WEB",
"url": "https://github.com/relatedcode/Messenger"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R2WH-VQ7H-JHG4
Vulnerability from github – Published: 2024-07-30 00:34 – Updated: 2026-04-02 21:31This issue was addressed through improved state management. This issue is fixed in watchOS 10.6, macOS Sonoma 14.6, iOS 17.6 and iPadOS 17.6, tvOS 17.6. An app may be able to bypass Privacy preferences.
{
"affected": [],
"aliases": [
"CVE-2024-40824"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-29T23:15:13Z",
"severity": "HIGH"
},
"details": "This issue was addressed through improved state management. This issue is fixed in watchOS 10.6, macOS Sonoma 14.6, iOS 17.6 and iPadOS 17.6, tvOS 17.6. An app may be able to bypass Privacy preferences.",
"id": "GHSA-r2wh-vq7h-jhg4",
"modified": "2026-04-02T21:31:52Z",
"published": "2024-07-30T00:34:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40824"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120909"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120911"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120914"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120916"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT214117"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT214119"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT214122"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT214124"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT214117"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT214119"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT214122"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT214124"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Jul/16"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Jul/18"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Jul/21"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Jul/22"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R4HJ-JP53-QX72
Vulnerability from github – Published: 2022-05-24 19:08 – Updated: 2022-05-24 19:08Acronis True Image for Mac before 2021 Update 4 allowed local privilege escalation due to insecure folder permissions.
{
"affected": [],
"aliases": [
"CVE-2020-15496"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-15T14:15:00Z",
"severity": "HIGH"
},
"details": "Acronis True Image for Mac before 2021 Update 4 allowed local privilege escalation due to insecure folder permissions.",
"id": "GHSA-r4hj-jp53-qx72",
"modified": "2022-05-24T19:08:13Z",
"published": "2022-05-24T19:08:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15496"
},
{
"type": "WEB",
"url": "https://kb.acronis.com/content/68396"
},
{
"type": "WEB",
"url": "https://www.acronis.com/en-us/support/updates/index.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-R55R-28G8-8H44
Vulnerability from github – Published: 2022-05-13 01:30 – Updated: 2022-05-13 01:30Windows kernel in Microsoft Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an elevation of privilege vulnerability due to the way it handles objects in memory, aka "Windows Kernel Elevation of Privilege Vulnerability".
{
"affected": [],
"aliases": [
"CVE-2017-8561"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-07-11T21:29:00Z",
"severity": "HIGH"
},
"details": "Windows kernel in Microsoft Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an elevation of privilege vulnerability due to the way it handles objects in memory, aka \"Windows Kernel Elevation of Privilege Vulnerability\".",
"id": "GHSA-r55r-28g8-8h44",
"modified": "2022-05-13T01:30:40Z",
"published": "2022-05-13T01:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8561"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8561"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/99426"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R8M9-C8Q4-99Q2
Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2022-05-24 17:33Insecure inherited permissions in firmware update tool for some Intel(R) NUCs may allow an authenticated user to potentially enable escalation of privilege via local access.
{
"affected": [],
"aliases": [
"CVE-2020-24525"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-12T19:15:00Z",
"severity": "HIGH"
},
"details": "Insecure inherited permissions in firmware update tool for some Intel(R) NUCs may allow an authenticated user to potentially enable escalation of privilege via local access.",
"id": "GHSA-r8m9-c8q4-99q2",
"modified": "2022-05-24T17:33:57Z",
"published": "2022-05-24T17:33:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24525"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00414"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2020/Nov/26"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-R95G-MX5P-6Q87
Vulnerability from github – Published: 2025-03-14 18:30 – Updated: 2025-03-19 21:30An issue in Open Panel v.0.3.4 allows a remote attacker to escalate privileges via the Fix Permissions function
{
"affected": [],
"aliases": [
"CVE-2025-25871"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-14T16:15:40Z",
"severity": "HIGH"
},
"details": "An issue in Open Panel v.0.3.4 allows a remote attacker to escalate privileges via the Fix Permissions function",
"id": "GHSA-r95g-mx5p-6q87",
"modified": "2025-03-19T21:30:48Z",
"published": "2025-03-14T18:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25871"
},
{
"type": "WEB",
"url": "https://openpanel.com/docs/changelog/0.3.5/#%EF%B8%8F-security-fixes"
},
{
"type": "WEB",
"url": "https://packetstorm.news/files/id/189621"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R9HW-MJ3W-PHCQ
Vulnerability from github – Published: 2026-07-06 21:54 – Updated: 2026-07-06 21:54uutils calls mknod before setting the SELinux context (GNU uses setfscreatecon first, labeling atomically). If set_selinux_security_context fails, cleanup uses std::fs::remove_dir, which cannot remove device nodes or FIFOs, leaving the mislabeled node behind.
Impact: on SELinux-enforcing systems the node is created with the wrong context; the command reports failure but leaves a mislabeled device node that may bypass mandatory access control, and orphaned nodes can persist across reboots. Recommendation: use setfscreatecon before mknod, abort on failure, and use remove_file for cleanup.
Remediation: Acknowledged by Canonical.
Reported by Zellic in the uutils coreutils Program Security Assessment (prepared for Canonical, Jan 20 2026), audited commit 3a07ffc5a9bd4c283e75afa548ba1f1957bad242. Finding 3.58. Credit: Zellic.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "uu_mknod"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.6.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-35361"
],
"database_specific": {
"cwe_ids": [
"CWE-281",
"CWE-459",
"CWE-732"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-06T21:54:05Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "uutils calls `mknod` *before* setting the SELinux context (GNU uses `setfscreatecon` first, labeling atomically). If `set_selinux_security_context` fails, cleanup uses `std::fs::remove_dir`, which cannot remove device nodes or FIFOs, leaving the mislabeled node behind.\n\n**Impact:** on SELinux-enforcing systems the node is created with the wrong context; the command reports failure but leaves a mislabeled device node that may bypass mandatory access control, and orphaned nodes can persist across reboots. Recommendation: use `setfscreatecon` before `mknod`, abort on failure, and use `remove_file` for cleanup.\n\n**Remediation:** Acknowledged by Canonical.\n\n---\n_Reported by Zellic in the *uutils coreutils Program Security Assessment* (prepared for Canonical, Jan 20 2026), audited commit `3a07ffc5a9bd4c283e75afa548ba1f1957bad242`. Finding 3.58. Credit: Zellic._",
"id": "GHSA-r9hw-mj3w-phcq",
"modified": "2026-07-06T21:54:05Z",
"published": "2026-07-06T21:54:05Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/uutils/coreutils/security/advisories/GHSA-r9hw-mj3w-phcq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35361"
},
{
"type": "WEB",
"url": "https://github.com/uutils/coreutils/pull/10582"
},
{
"type": "WEB",
"url": "https://github.com/uutils/coreutils/commit/42b2ad83cdcf6e959ecb378c5040c60d9c64becf"
},
{
"type": "PACKAGE",
"url": "https://github.com/uutils/coreutils"
},
{
"type": "WEB",
"url": "https://github.com/uutils/coreutils/releases/tag/0.6.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "mknod: Device nodes created mislabeled on SELinux, with broken cleanup (remove_dir on a node)"
}
GHSA-RC2Q-3PMV-73VX
Vulnerability from github – Published: 2023-08-02 03:30 – Updated: 2025-02-13 18:31System files could be overwritten using the less command in Brocade Fabric OS before Brocade Fabric OS v9.1.1c and v9.2.0.
{
"affected": [],
"aliases": [
"CVE-2023-31926"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-02T01:15:09Z",
"severity": "HIGH"
},
"details": "System files could be overwritten using the less command in Brocade Fabric OS before Brocade Fabric OS v9.1.1c and v9.2.0.",
"id": "GHSA-rc2q-3pmv-73vx",
"modified": "2025-02-13T18:31:44Z",
"published": "2023-08-02T03:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31926"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20230908-0007"
},
{
"type": "WEB",
"url": "https://support.broadcom.com/external/content/SecurityAdvisories/0/22388"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RCVW-67J5-HC25
Vulnerability from github – Published: 2024-12-07 00:31 – Updated: 2024-12-12 03:33Insecure Permissions vulnerability in Open Robotics Robotic Operating System 2 ROS2 navigation2 v.humble allows an attacker to execute arbitrary code via a crafted script to the nav2_dwb_controller.
{
"affected": [],
"aliases": [
"CVE-2024-41646"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-06T22:15:20Z",
"severity": "CRITICAL"
},
"details": "Insecure Permissions vulnerability in Open Robotics Robotic Operating System 2 ROS2 navigation2 v.humble allows an attacker to execute arbitrary code via a crafted script to the nav2_dwb_controller.",
"id": "GHSA-rcvw-67j5-hc25",
"modified": "2024-12-12T03:33:00Z",
"published": "2024-12-07T00:31:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41646"
},
{
"type": "WEB",
"url": "https://github.com/ros-navigation/navigation2/issues/4437"
},
{
"type": "WEB",
"url": "https://github.com/ros-navigation/navigation2/pull/4463"
},
{
"type": "WEB",
"url": "https://github.com/GoesM/ROS-CVE-CNVDs"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.