CWE-281
AllowedImproper Preservation of Permissions
Abstraction: Base · Status: Draft
The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.
432 vulnerabilities reference this CWE, most recent first.
GHSA-WXQH-RQGC-PFR9
Vulnerability from github – Published: 2022-04-28 00:00 – Updated: 2022-05-07 00:00A flaw was found in 3Scale APICast in versions prior to 2.11.0, where it incorrectly identified connections for reuse. This flaw allows an attacker to bypass security restrictions for an API request when hosting multiple APIs on the same IP address.
{
"affected": [],
"aliases": [
"CVE-2021-3523"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-27T21:15:00Z",
"severity": "HIGH"
},
"details": "A flaw was found in 3Scale APICast in versions prior to 2.11.0, where it incorrectly identified connections for reuse. This flaw allows an attacker to bypass security restrictions for an API request when hosting multiple APIs on the same IP address.",
"id": "GHSA-wxqh-rqgc-pfr9",
"modified": "2022-05-07T00:00:56Z",
"published": "2022-04-28T00:00:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3523"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1954805"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X2WV-9P67-MH9W
Vulnerability from github – Published: 2026-04-22 18:31 – Updated: 2026-04-29 23:18The cp utility in uutils coreutils fails to properly handle setuid and setgid bits when ownership preservation fails. When copying with the -p (preserve) flag, the utility applies the source mode bits even if the chown operation is unsuccessful. This can result in a user-owned copy retaining original privileged bits, creating unexpected privileged executables that violate local security policies. This differs from GNU cp, which clears these bits when ownership cannot be preserved.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "coreutils"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.8.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-35350"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-29T23:18:25Z",
"nvd_published_at": "2026-04-22T17:16:37Z",
"severity": "MODERATE"
},
"details": "The cp utility in uutils coreutils fails to properly handle setuid and setgid bits when ownership preservation fails. When copying with the -p (preserve) flag, the utility applies the source mode bits even if the chown operation is unsuccessful. This can result in a user-owned copy retaining original privileged bits, creating unexpected privileged executables that violate local security policies. This differs from GNU cp, which clears these bits when ownership cannot be preserved.",
"id": "GHSA-x2wv-9p67-mh9w",
"modified": "2026-04-29T23:18:25Z",
"published": "2026-04-22T18:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35350"
},
{
"type": "WEB",
"url": "https://github.com/uutils/coreutils/issues/9750"
},
{
"type": "PACKAGE",
"url": "https://github.com/uutils/coreutils"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "uutils coreutils doesn\u0027t properly handle setuid and setgid bits when ownership preservation fails"
}
GHSA-X39C-H6FX-JR3F
Vulnerability from github – Published: 2021-12-16 00:01 – Updated: 2022-07-13 00:01In onReceive of AlertReceiver.java, there is a possible way to dismiss system dialog due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-190403923
{
"affected": [],
"aliases": [
"CVE-2021-0985"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-15T19:15:00Z",
"severity": "HIGH"
},
"details": "In onReceive of AlertReceiver.java, there is a possible way to dismiss system dialog due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-190403923",
"id": "GHSA-x39c-h6fx-jr3f",
"modified": "2022-07-13T00:01:00Z",
"published": "2021-12-16T00:01:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0985"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2021-12-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X6MR-7Q99-R63G
Vulnerability from github – Published: 2024-07-30 00:34 – Updated: 2026-04-02 21:31The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.6. An app may be able to modify protected parts of the file system.
{
"affected": [],
"aliases": [
"CVE-2024-40811"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-29T23:15:13Z",
"severity": "HIGH"
},
"details": "The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.6. An app may be able to modify protected parts of the file system.",
"id": "GHSA-x6mr-7q99-r63g",
"modified": "2026-04-02T21:31:51Z",
"published": "2024-07-30T00:34:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40811"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120911"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT214119"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT214119"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Jul/18"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X73P-G67H-GMC8
Vulnerability from github – Published: 2023-09-13 00:30 – Updated: 2024-04-04 07:38The installer in XAMPP through 8.1.12 allows local users to write to the C:\xampp directory. Common use cases execute files under C:\xampp with administrative privileges.
{
"affected": [],
"aliases": [
"CVE-2022-47637"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-12T22:15:07Z",
"severity": "MODERATE"
},
"details": "The installer in XAMPP through 8.1.12 allows local users to write to the C:\\xampp directory. Common use cases execute files under C:\\xampp with administrative privileges.",
"id": "GHSA-x73p-g67h-gmc8",
"modified": "2024-04-04T07:38:37Z",
"published": "2023-09-13T00:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47637"
},
{
"type": "WEB",
"url": "https://shinnai.altervista.org/exploits/DVRT-2023-0001_CVE-2022-47637.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X883-2VMG-XWF7
Vulnerability from github – Published: 2024-04-22 15:52 – Updated: 2024-04-22 15:52Impact
Under very specific conditions changes to a users groups may not have the expected results.
The specific conditions are:
- The file authentication backend is being used.
- The watch option is set to true.
- The refresh_interval is configured to a non-disabled value.
- The users groups are adjusted by an administrator.
- The user attempts to access a resource that their groups previously had access to but their new groups do not have access to.
When these conditions are met administrators may find the changes are not taken into account by access control for longer than expected periods. While this may not necessarily be a security vulnerability it's security-adjacent and because of the unexpected nature of it and our dedication to a security-first culture we feel it's important to make users aware of this behaviour utilizing a security advisory and the existence of a fix.
This:
- Can not have an Impact for Unauthenticated Users.
- Can not have an Impact for Configurations utilizing the LDAP Backend.
- Can not be directly or indirectly caused by a users or third parties actions.
Patches
This behaviour was identified after it was inadvertently fixed in the master branch during the multi-cookie domain rework (i.e. between feature releases). A patch for prior versions can be provided upon request. The fix was to ensure the details are updated regardless of backend, it was a small oversight in previous functionality which made refreshing ineffectual prior to v4.37.0.
Workarounds
Ensure you restart between user database changes.
References
- https://github.com/authelia/authelia/blob/v4.37.5/internal/handlers/handler_verify.go#L376-L394
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/authelia/authelia/v4"
},
"ranges": [
{
"events": [
{
"introduced": "4.37.0"
},
{
"fixed": "4.38.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-22T15:52:39Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Impact\n\nUnder very specific conditions changes to a users groups may not have the expected results.\n\nThe specific conditions are:\n\n* The file authentication backend is being used.\n* The [watch](https://www.authelia.com/configuration/first-factor/file/#watch) option is set to true.\n* The [refresh_interval](https://www.authelia.com/configuration/first-factor/introduction/#refresh_interval) is configured to a non-disabled value.\n* The users groups are adjusted by an administrator.\n* The user attempts to access a resource that their groups previously had access to but their new groups do not have access to.\n\nWhen these conditions are met administrators may find the changes are not taken into account by access control for longer than expected periods. While this may not necessarily be a security vulnerability it\u0027s security-adjacent and because of the unexpected nature of it and our dedication to a security-first culture we feel it\u0027s important to make users aware of this behaviour utilizing a security advisory and the existence of a fix.\n\nThis:\n\n* Can not have an Impact for Unauthenticated Users.\n* Can not have an Impact for Configurations utilizing the LDAP Backend.\n* Can not be directly or indirectly caused by a users or third parties actions.\n\n### Patches\n\nThis behaviour was identified **_after_** it was inadvertently fixed in the `master` branch during the multi-cookie domain rework (i.e. between feature releases). A patch for prior versions can be provided upon request. The fix was to ensure the details are updated regardless of backend, it was a small oversight in previous functionality which made refreshing ineffectual prior to v4.37.0.\n\n### Workarounds\n\nEnsure you restart between user database changes.\n\n### References\n\n* https://github.com/authelia/authelia/blob/v4.37.5/internal/handlers/handler_verify.go#L376-L394\n",
"id": "GHSA-x883-2vmg-xwf7",
"modified": "2024-04-22T15:52:39Z",
"published": "2024-04-22T15:52:39Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/authelia/authelia/security/advisories/GHSA-x883-2vmg-xwf7"
},
{
"type": "PACKAGE",
"url": "https://github.com/authelia/authelia"
},
{
"type": "WEB",
"url": "https://github.com/authelia/authelia/blob/v4.37.5/internal/handlers/handler_verify.go#L376-L394"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Authelia\u0027s Group Changes may not have the expected results (YAML file backend)"
}
GHSA-X973-F6RM-J4V5
Vulnerability from github – Published: 2024-08-02 18:31 – Updated: 2025-11-04 18:31Insecure Permissions vulnerability in Cosy+ devices running a firmware 21.x below 21.2s10 or a firmware 22.x below 22.1s3 are susceptible to leaking information through cookies. This is fixed in version 21.2s10 and 22.1s3
{
"affected": [],
"aliases": [
"CVE-2024-33892"
],
"database_specific": {
"cwe_ids": [
"CWE-281",
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-02T18:16:18Z",
"severity": "MODERATE"
},
"details": "Insecure Permissions vulnerability in Cosy+ devices running a firmware 21.x below 21.2s10 or a firmware 22.x below 22.1s3 are susceptible to leaking information through cookies. This is fixed in version 21.2s10 and 22.1s3",
"id": "GHSA-x973-f6rm-j4v5",
"modified": "2025-11-04T18:31:15Z",
"published": "2024-08-02T18:31:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33892"
},
{
"type": "WEB",
"url": "https://blog.syss.com/posts/hacking-a-secure-industrial-remote-access-gateway"
},
{
"type": "WEB",
"url": "https://hmsnetworks.blob.core.windows.net/nlw/docs/default-source/products/cybersecurity/security-advisory/hms-security-advisory-2024-07-29-001--ewon-several-cosy--vulnerabilities.pdf"
},
{
"type": "WEB",
"url": "https://www.ewon.biz/products/cosy/ewon-cosy-wifi"
},
{
"type": "WEB",
"url": "https://www.hms-networks.com/cyber-security"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Aug/20"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X99P-QWH9-PFQR
Vulnerability from github – Published: 2024-12-20 06:30 – Updated: 2025-11-04 21:31This issue was addressed with improved validation of the process entitlement and Team ID. This issue is fixed in GarageBand 10.4.9. An app may be able to gain root privileges.
{
"affected": [],
"aliases": [
"CVE-2023-42867"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-20T04:15:05Z",
"severity": "HIGH"
},
"details": "This issue was addressed with improved validation of the process entitlement and Team ID. This issue is fixed in GarageBand 10.4.9. An app may be able to gain root privileges.",
"id": "GHSA-x99p-qwh9-pfqr",
"modified": "2025-11-04T21:31:29Z",
"published": "2024-12-20T06:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42867"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120299"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT214042"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X9J9-WW89-PPFX
Vulnerability from github – Published: 2024-12-10 21:30 – Updated: 2024-12-12 03:33Insecure permissions in Silicon Labs (SiLabs) Z-Wave Series 700 and 800 v7.21.1 allow attackers to change the wakeup interval of end devices in controller memory, disrupting the device's communications with the controller.
{
"affected": [],
"aliases": [
"CVE-2024-50928"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-10T19:15:30Z",
"severity": "MODERATE"
},
"details": "Insecure permissions in Silicon Labs (SiLabs) Z-Wave Series 700 and 800 v7.21.1 allow attackers to change the wakeup interval of end devices in controller memory, disrupting the device\u0027s communications with the controller.",
"id": "GHSA-x9j9-ww89-ppfx",
"modified": "2024-12-12T03:33:01Z",
"published": "2024-12-10T21:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50928"
},
{
"type": "WEB",
"url": "https://github.com/CNK2100/2024-CVE/blob/main/README.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XF39-XCGH-X46J
Vulnerability from github – Published: 2022-05-13 01:47 – Updated: 2022-05-13 01:47Graphics in Microsoft Windows 10 1607, 1703, and Windows Server 2016 allows an elevation of privilege vulnerability when it fails to properly handle objects in memory, aka "Microsoft Graphics Component Elevation of Privilege Vulnerability". This CVE ID is unique from CVE-2017-8573 and CVE-2017-8556.
{
"affected": [],
"aliases": [
"CVE-2017-8574"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-07-11T21:29:00Z",
"severity": "HIGH"
},
"details": "Graphics in Microsoft Windows 10 1607, 1703, and Windows Server 2016 allows an elevation of privilege vulnerability when it fails to properly handle objects in memory, aka \"Microsoft Graphics Component Elevation of Privilege Vulnerability\". This CVE ID is unique from CVE-2017-8573 and CVE-2017-8556.",
"id": "GHSA-xf39-xcgh-x46j",
"modified": "2022-05-13T01:47:37Z",
"published": "2022-05-13T01:47:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8574"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8574"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/99438"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1038856"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.