Common Weakness Enumeration

CWE-281

Allowed

Improper Preservation of Permissions

Abstraction: Base · Status: Draft

The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.

432 vulnerabilities reference this CWE, most recent first.

GHSA-WXQH-RQGC-PFR9

Vulnerability from github – Published: 2022-04-28 00:00 – Updated: 2022-05-07 00:00
VLAI
Details

A flaw was found in 3Scale APICast in versions prior to 2.11.0, where it incorrectly identified connections for reuse. This flaw allows an attacker to bypass security restrictions for an API request when hosting multiple APIs on the same IP address.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-3523"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-27T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "A flaw was found in 3Scale APICast in versions prior to 2.11.0, where it incorrectly identified connections for reuse. This flaw allows an attacker to bypass security restrictions for an API request when hosting multiple APIs on the same IP address.",
  "id": "GHSA-wxqh-rqgc-pfr9",
  "modified": "2022-05-07T00:00:56Z",
  "published": "2022-04-28T00:00:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3523"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1954805"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X2WV-9P67-MH9W

Vulnerability from github – Published: 2026-04-22 18:31 – Updated: 2026-04-29 23:18
VLAI
Summary
uutils coreutils doesn't properly handle setuid and setgid bits when ownership preservation fails
Details

The cp utility in uutils coreutils fails to properly handle setuid and setgid bits when ownership preservation fails. When copying with the -p (preserve) flag, the utility applies the source mode bits even if the chown operation is unsuccessful. This can result in a user-owned copy retaining original privileged bits, creating unexpected privileged executables that violate local security policies. This differs from GNU cp, which clears these bits when ownership cannot be preserved.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "coreutils"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-35350"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-29T23:18:25Z",
    "nvd_published_at": "2026-04-22T17:16:37Z",
    "severity": "MODERATE"
  },
  "details": "The cp utility in uutils coreutils fails to properly handle setuid and setgid bits when ownership preservation fails. When copying with the -p (preserve) flag, the utility applies the source mode bits even if the chown operation is unsuccessful. This can result in a user-owned copy retaining original privileged bits, creating unexpected privileged executables that violate local security policies. This differs from GNU cp, which clears these bits when ownership cannot be preserved.",
  "id": "GHSA-x2wv-9p67-mh9w",
  "modified": "2026-04-29T23:18:25Z",
  "published": "2026-04-22T18:31:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35350"
    },
    {
      "type": "WEB",
      "url": "https://github.com/uutils/coreutils/issues/9750"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/uutils/coreutils"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "uutils coreutils doesn\u0027t properly handle setuid and setgid bits when ownership preservation fails"
}

GHSA-X39C-H6FX-JR3F

Vulnerability from github – Published: 2021-12-16 00:01 – Updated: 2022-07-13 00:01
VLAI
Details

In onReceive of AlertReceiver.java, there is a possible way to dismiss system dialog due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-190403923

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-0985"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-15T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "In onReceive of AlertReceiver.java, there is a possible way to dismiss system dialog due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-190403923",
  "id": "GHSA-x39c-h6fx-jr3f",
  "modified": "2022-07-13T00:01:00Z",
  "published": "2021-12-16T00:01:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0985"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/pixel/2021-12-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X6MR-7Q99-R63G

Vulnerability from github – Published: 2024-07-30 00:34 – Updated: 2026-04-02 21:31
VLAI
Details

The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.6. An app may be able to modify protected parts of the file system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-40811"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-29T23:15:13Z",
    "severity": "HIGH"
  },
  "details": "The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.6. An app may be able to modify protected parts of the file system.",
  "id": "GHSA-x6mr-7q99-r63g",
  "modified": "2026-04-02T21:31:51Z",
  "published": "2024-07-30T00:34:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40811"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120911"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT214119"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214119"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Jul/18"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X73P-G67H-GMC8

Vulnerability from github – Published: 2023-09-13 00:30 – Updated: 2024-04-04 07:38
VLAI
Details

The installer in XAMPP through 8.1.12 allows local users to write to the C:\xampp directory. Common use cases execute files under C:\xampp with administrative privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-47637"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-12T22:15:07Z",
    "severity": "MODERATE"
  },
  "details": "The installer in XAMPP through 8.1.12 allows local users to write to the C:\\xampp directory. Common use cases execute files under C:\\xampp with administrative privileges.",
  "id": "GHSA-x73p-g67h-gmc8",
  "modified": "2024-04-04T07:38:37Z",
  "published": "2023-09-13T00:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47637"
    },
    {
      "type": "WEB",
      "url": "https://shinnai.altervista.org/exploits/DVRT-2023-0001_CVE-2022-47637.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X883-2VMG-XWF7

Vulnerability from github – Published: 2024-04-22 15:52 – Updated: 2024-04-22 15:52
VLAI
Summary
Authelia's Group Changes may not have the expected results (YAML file backend)
Details

Impact

Under very specific conditions changes to a users groups may not have the expected results.

The specific conditions are:

  • The file authentication backend is being used.
  • The watch option is set to true.
  • The refresh_interval is configured to a non-disabled value.
  • The users groups are adjusted by an administrator.
  • The user attempts to access a resource that their groups previously had access to but their new groups do not have access to.

When these conditions are met administrators may find the changes are not taken into account by access control for longer than expected periods. While this may not necessarily be a security vulnerability it's security-adjacent and because of the unexpected nature of it and our dedication to a security-first culture we feel it's important to make users aware of this behaviour utilizing a security advisory and the existence of a fix.

This:

  • Can not have an Impact for Unauthenticated Users.
  • Can not have an Impact for Configurations utilizing the LDAP Backend.
  • Can not be directly or indirectly caused by a users or third parties actions.

Patches

This behaviour was identified after it was inadvertently fixed in the master branch during the multi-cookie domain rework (i.e. between feature releases). A patch for prior versions can be provided upon request. The fix was to ensure the details are updated regardless of backend, it was a small oversight in previous functionality which made refreshing ineffectual prior to v4.37.0.

Workarounds

Ensure you restart between user database changes.

References

  • https://github.com/authelia/authelia/blob/v4.37.5/internal/handlers/handler_verify.go#L376-L394
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/authelia/authelia/v4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.37.0"
            },
            {
              "fixed": "4.38.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-22T15:52:39Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Impact\n\nUnder very specific conditions changes to a users groups may not have the expected results.\n\nThe specific conditions are:\n\n* The file authentication backend is being used.\n* The [watch](https://www.authelia.com/configuration/first-factor/file/#watch) option is set to true.\n* The [refresh_interval](https://www.authelia.com/configuration/first-factor/introduction/#refresh_interval) is configured to a non-disabled value.\n* The users groups are adjusted by an administrator.\n* The user attempts to access a resource that their groups previously had access to but their new groups do not have access to.\n\nWhen these conditions are met administrators may find the changes are not taken into account by access control for longer than expected periods. While this may not necessarily be a security vulnerability it\u0027s security-adjacent and because of the unexpected nature of it and our dedication to a security-first culture we feel it\u0027s important to make users aware of this behaviour utilizing a security advisory and the existence of a fix.\n\nThis:\n\n* Can not have an Impact for Unauthenticated Users.\n* Can not have an Impact for Configurations utilizing the LDAP Backend.\n* Can not be directly or indirectly caused by a users or third parties actions.\n\n### Patches\n\nThis behaviour was identified **_after_** it was inadvertently fixed in the `master` branch during the multi-cookie domain rework (i.e. between feature releases). A patch for prior versions can be provided upon request. The fix was to ensure the details are updated regardless of backend, it was a small oversight in previous functionality which made refreshing ineffectual prior to v4.37.0.\n\n### Workarounds\n\nEnsure you restart between user database changes.\n\n### References\n\n* https://github.com/authelia/authelia/blob/v4.37.5/internal/handlers/handler_verify.go#L376-L394\n",
  "id": "GHSA-x883-2vmg-xwf7",
  "modified": "2024-04-22T15:52:39Z",
  "published": "2024-04-22T15:52:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/authelia/authelia/security/advisories/GHSA-x883-2vmg-xwf7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/authelia/authelia"
    },
    {
      "type": "WEB",
      "url": "https://github.com/authelia/authelia/blob/v4.37.5/internal/handlers/handler_verify.go#L376-L394"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Authelia\u0027s Group Changes may not have the expected results (YAML file backend)"
}

GHSA-X973-F6RM-J4V5

Vulnerability from github – Published: 2024-08-02 18:31 – Updated: 2025-11-04 18:31
VLAI
Details

Insecure Permissions vulnerability in Cosy+ devices running a firmware 21.x below 21.2s10 or a firmware 22.x below 22.1s3 are susceptible to leaking information through cookies. This is fixed in version 21.2s10 and 22.1s3

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-33892"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281",
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-02T18:16:18Z",
    "severity": "MODERATE"
  },
  "details": "Insecure Permissions vulnerability in Cosy+ devices running a firmware 21.x below 21.2s10 or a firmware 22.x below 22.1s3 are susceptible to leaking information through cookies. This is fixed in version 21.2s10 and 22.1s3",
  "id": "GHSA-x973-f6rm-j4v5",
  "modified": "2025-11-04T18:31:15Z",
  "published": "2024-08-02T18:31:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33892"
    },
    {
      "type": "WEB",
      "url": "https://blog.syss.com/posts/hacking-a-secure-industrial-remote-access-gateway"
    },
    {
      "type": "WEB",
      "url": "https://hmsnetworks.blob.core.windows.net/nlw/docs/default-source/products/cybersecurity/security-advisory/hms-security-advisory-2024-07-29-001--ewon-several-cosy--vulnerabilities.pdf"
    },
    {
      "type": "WEB",
      "url": "https://www.ewon.biz/products/cosy/ewon-cosy-wifi"
    },
    {
      "type": "WEB",
      "url": "https://www.hms-networks.com/cyber-security"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Aug/20"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X99P-QWH9-PFQR

Vulnerability from github – Published: 2024-12-20 06:30 – Updated: 2025-11-04 21:31
VLAI
Details

This issue was addressed with improved validation of the process entitlement and Team ID. This issue is fixed in GarageBand 10.4.9. An app may be able to gain root privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-42867"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-20T04:15:05Z",
    "severity": "HIGH"
  },
  "details": "This issue was addressed with improved validation of the process entitlement and Team ID. This issue is fixed in GarageBand 10.4.9. An app may be able to gain root privileges.",
  "id": "GHSA-x99p-qwh9-pfqr",
  "modified": "2025-11-04T21:31:29Z",
  "published": "2024-12-20T06:30:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42867"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120299"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214042"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X9J9-WW89-PPFX

Vulnerability from github – Published: 2024-12-10 21:30 – Updated: 2024-12-12 03:33
VLAI
Details

Insecure permissions in Silicon Labs (SiLabs) Z-Wave Series 700 and 800 v7.21.1 allow attackers to change the wakeup interval of end devices in controller memory, disrupting the device's communications with the controller.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-50928"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-10T19:15:30Z",
    "severity": "MODERATE"
  },
  "details": "Insecure permissions in Silicon Labs (SiLabs) Z-Wave Series 700 and 800 v7.21.1 allow attackers to change the wakeup interval of end devices in controller memory, disrupting the device\u0027s communications with the controller.",
  "id": "GHSA-x9j9-ww89-ppfx",
  "modified": "2024-12-12T03:33:01Z",
  "published": "2024-12-10T21:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50928"
    },
    {
      "type": "WEB",
      "url": "https://github.com/CNK2100/2024-CVE/blob/main/README.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XF39-XCGH-X46J

Vulnerability from github – Published: 2022-05-13 01:47 – Updated: 2022-05-13 01:47
VLAI
Details

Graphics in Microsoft Windows 10 1607, 1703, and Windows Server 2016 allows an elevation of privilege vulnerability when it fails to properly handle objects in memory, aka "Microsoft Graphics Component Elevation of Privilege Vulnerability". This CVE ID is unique from CVE-2017-8573 and CVE-2017-8556.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-8574"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-07-11T21:29:00Z",
    "severity": "HIGH"
  },
  "details": "Graphics in Microsoft Windows 10 1607, 1703, and Windows Server 2016 allows an elevation of privilege vulnerability when it fails to properly handle objects in memory, aka \"Microsoft Graphics Component Elevation of Privilege Vulnerability\". This CVE ID is unique from CVE-2017-8573 and CVE-2017-8556.",
  "id": "GHSA-xf39-xcgh-x46j",
  "modified": "2022-05-13T01:47:37Z",
  "published": "2022-05-13T01:47:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8574"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8574"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/99438"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1038856"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.