CWE-269
DiscouragedImproper Privilege Management
Abstraction: Class · Status: Draft
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
5455 vulnerabilities reference this CWE, most recent first.
GHSA-9W6H-RQM5-MX37
Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2022-05-24 17:33Improper access control in the Intel(R) XTU before version 6.5.1.360 may allow an authenticated user to potentially enable escalation of privilege via local access.
{
"affected": [],
"aliases": [
"CVE-2020-12350"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-12T19:15:00Z",
"severity": "HIGH"
},
"details": "Improper access control in the Intel(R) XTU before version 6.5.1.360 may allow an authenticated user to potentially enable escalation of privilege via local access.",
"id": "GHSA-9w6h-rqm5-mx37",
"modified": "2022-05-24T17:33:36Z",
"published": "2022-05-24T17:33:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12350"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00429"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-9W89-223R-7HM3
Vulnerability from github – Published: 2023-01-26 21:30 – Updated: 2025-04-01 18:30Incorrect access control in Aternity agent in Riverbed Aternity before 12.1.4.27 allows for local privilege escalation. There is an insufficiently protected handle to the A180AG.exe SYSTEM process with PROCESS_ALL_ACCESS rights.
{
"affected": [],
"aliases": [
"CVE-2022-43997"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-26T21:17:00Z",
"severity": "HIGH"
},
"details": "Incorrect access control in Aternity agent in Riverbed Aternity before 12.1.4.27 allows for local privilege escalation. There is an insufficiently protected handle to the A180AG.exe SYSTEM process with PROCESS_ALL_ACCESS rights.",
"id": "GHSA-9w89-223r-7hm3",
"modified": "2025-04-01T18:30:31Z",
"published": "2023-01-26T21:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43997"
},
{
"type": "WEB",
"url": "https://gist.github.com/jackullrich/21fcfe75aeb5e18c60b80e684b83d741"
},
{
"type": "WEB",
"url": "https://winternl.com/cve-2022-43997"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9W9G-MC45-WP73
Vulnerability from github – Published: 2022-05-24 19:18 – Updated: 2022-05-24 19:18Unnecessary privilege vulnerabilities in Trend Micro Apex One, Apex One as a Service, Worry-Free Business Security 10.0 SP1 and Worry-Free Business Security Services could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This vulnerability is similar to but not identical to CVE-2021-42105, 42106 and 42107.
{
"affected": [],
"aliases": [
"CVE-2021-42104"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-21T08:15:00Z",
"severity": "HIGH"
},
"details": "Unnecessary privilege vulnerabilities in Trend Micro Apex One, Apex One as a Service, Worry-Free Business Security 10.0 SP1 and Worry-Free Business Security Services could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This vulnerability is similar to but not identical to CVE-2021-42105, 42106 and 42107.",
"id": "GHSA-9w9g-mc45-wp73",
"modified": "2022-05-24T19:18:29Z",
"published": "2022-05-24T19:18:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42104"
},
{
"type": "WEB",
"url": "https://success.trendmicro.com/solution/000289229"
},
{
"type": "WEB",
"url": "https://success.trendmicro.com/solution/000289230"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-1216"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-9W9Q-QWWR-2MVH
Vulnerability from github – Published: 2022-06-17 00:01 – Updated: 2022-06-29 00:00Insecure permissions configuration in Adaware Protect v1.2.439.4251 allows attackers to escalate privileges via changing the service binary path.
{
"affected": [],
"aliases": [
"CVE-2022-31464"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-16T19:15:00Z",
"severity": "HIGH"
},
"details": "Insecure permissions configuration in Adaware Protect v1.2.439.4251 allows attackers to escalate privileges via changing the service binary path.",
"id": "GHSA-9w9q-qwwr-2mvh",
"modified": "2022-06-29T00:00:28Z",
"published": "2022-06-17T00:01:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31464"
},
{
"type": "WEB",
"url": "https://r0h1rr1m.medium.com/adaware-protect-local-privilege-escalation-through-insecure-service-permissions-44d0eeb6c933"
},
{
"type": "WEB",
"url": "https://www.adaware.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9WC4-4F8P-MMHX
Vulnerability from github – Published: 2025-03-05 06:31 – Updated: 2025-11-03 21:33Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.1002 Application 20.0.2614 allows Privilege Escalation V-2024-015.
{
"affected": [],
"aliases": [
"CVE-2025-27639"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-05T06:15:35Z",
"severity": "HIGH"
},
"details": "Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.1002 Application 20.0.2614 allows Privilege Escalation V-2024-015.",
"id": "GHSA-9wc4-4f8p-mmhx",
"modified": "2025-11-03T21:33:05Z",
"published": "2025-03-05T06:31:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27639"
},
{
"type": "WEB",
"url": "https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm"
},
{
"type": "WEB",
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Apr/18"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9WF6-88X4-6XVJ
Vulnerability from github – Published: 2022-05-13 01:46 – Updated: 2024-04-25 20:34An issue was discovered in includes/component.php in the BuddyPress Docs plugin before 1.9.3 for WordPress. It is possible for authenticated users to edit documents of other users without proper permissions.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "buddypress/buddypress"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.9.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-6954"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-25T20:34:24Z",
"nvd_published_at": "2017-03-17T09:59:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in `includes/component.php` in the BuddyPress Docs plugin before 1.9.3 for WordPress. It is possible for authenticated users to edit documents of other users without proper permissions.",
"id": "GHSA-9wf6-88x4-6xvj",
"modified": "2024-04-25T20:34:24Z",
"published": "2022-05-13T01:46:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-6954"
},
{
"type": "WEB",
"url": "https://github.com/boonebgorges/buddypress-docs/commit/75293ed4e5f31f04e54689bfe2c647e3e3f5e1a9"
},
{
"type": "WEB",
"url": "https://wordpress.org/plugins/buddypress-docs/changelog"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/97238"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "BuddyPress Docs plugin Improper Privilege Management"
}
GHSA-9WGR-42X2-JHMX
Vulnerability from github – Published: 2026-06-17 18:35 – Updated: 2026-06-17 18:35Vulnerability in the Siebel CRM Integration product of Oracle Siebel CRM (component: EAI). Supported versions that are affected are 17.0-26.5. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Siebel CRM Integration. Successful attacks of this vulnerability can result in takeover of Siebel CRM Integration. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
{
"affected": [],
"aliases": [
"CVE-2026-46885"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-17T10:54:06Z",
"severity": "HIGH"
},
"details": "Vulnerability in the Siebel CRM Integration product of Oracle Siebel CRM (component: EAI). Supported versions that are affected are 17.0-26.5. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Siebel CRM Integration. Successful attacks of this vulnerability can result in takeover of Siebel CRM Integration. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).",
"id": "GHSA-9wgr-42x2-jhmx",
"modified": "2026-06-17T18:35:34Z",
"published": "2026-06-17T18:35:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46885"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cspujun2026.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9WJQ-8XPW-JM38
Vulnerability from github – Published: 2022-05-24 17:19 – Updated: 2022-05-24 17:19SolarWinds Advanced Monitoring Agent before 10.8.9 allows local users to gain privileges via a Trojan horse .exe file, because everyone can write to a certain .exe file.
{
"affected": [],
"aliases": [
"CVE-2020-13912"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-06-07T21:15:00Z",
"severity": "MODERATE"
},
"details": "SolarWinds Advanced Monitoring Agent before 10.8.9 allows local users to gain privileges via a Trojan horse .exe file, because everyone can write to a certain .exe file.",
"id": "GHSA-9wjq-8xpw-jm38",
"modified": "2022-05-24T17:19:29Z",
"published": "2022-05-24T17:19:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13912"
},
{
"type": "WEB",
"url": "https://hansesecure.de/2020/06/vulnerability-in-monitoring-software/?lang=en"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-9WM7-8QF3-9V98
Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-07-01 19:43Jenkins AppSpider Plugin 1.0.17 and earlier does not perform a permission check in a method implementing form validation.
This allows attackers with Overall/Read permission to connect to an attacker-specified URL.
AppSpider Plugin 1.0.18 requires Overall/Administer permission to use the affected method implementing form validation.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.0.17"
},
"package": {
"ecosystem": "Maven",
"name": "com.rapid7:jenkinsci-appspider-plugin"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.18"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-48923"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-01T19:43:17Z",
"nvd_published_at": "2026-05-27T15:16:31Z",
"severity": "MODERATE"
},
"details": "Jenkins AppSpider Plugin 1.0.17 and earlier does not perform a permission check in a method implementing form validation.\n\nThis allows attackers with Overall/Read permission to connect to an attacker-specified URL.\n\nAppSpider Plugin 1.0.18 requires Overall/Administer permission to use the affected method implementing form validation.",
"id": "GHSA-9wm7-8qf3-9v98",
"modified": "2026-07-01T19:43:17Z",
"published": "2026-05-27T15:33:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48923"
},
{
"type": "PACKAGE",
"url": "https://github.com/rapid7/jenkinsci-appspider-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2026-05-27/#SECURITY-3671"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Jenkins AppSpider Plugin does not perform a permission check in a method implementing form validation"
}
GHSA-9WR3-8F4C-6RJH
Vulnerability from github – Published: 2022-05-24 17:10 – Updated: 2022-05-24 17:10Sophos HitmanPro.Alert before build 861 allows local elevation of privilege.
{
"affected": [],
"aliases": [
"CVE-2020-9540"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-03-02T00:15:00Z",
"severity": "MODERATE"
},
"details": "Sophos HitmanPro.Alert before build 861 allows local elevation of privilege.",
"id": "GHSA-9wr3-8f4c-6rjh",
"modified": "2022-05-24T17:10:03Z",
"published": "2022-05-24T17:10:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9540"
},
{
"type": "WEB",
"url": "https://www.hitmanpro.com/en-us/whatsnewalert.aspx"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation MIT-1
Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Mitigation MIT-48
Strategy: Separation of Privilege
Follow the principle of least privilege when assigning access rights to entities in a software system.
Mitigation MIT-49
Strategy: Separation of Privilege
Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
CAPEC-122: Privilege Abuse
An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources.
CAPEC-233: Privilege Escalation
An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform.
CAPEC-58: Restful Privilege Elevation
An adversary identifies a Rest HTTP (Get, Put, Delete) style permission method allowing them to perform various malicious actions upon server data due to lack of access control mechanisms implemented within the application service accepting HTTP messages.