CWE-269
DiscouragedImproper Privilege Management
Abstraction: Class · Status: Draft
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
5451 vulnerabilities reference this CWE, most recent first.
GHSA-CJG6-44J4-FFF5
Vulnerability from github – Published: 2025-07-15 21:31 – Updated: 2025-07-15 21:31Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0 and 14.1.2.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N).
{
"affected": [],
"aliases": [
"CVE-2025-50064"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-15T20:15:40Z",
"severity": "MODERATE"
},
"details": "Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0 and 14.1.2.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N).",
"id": "GHSA-cjg6-44j4-fff5",
"modified": "2025-07-15T21:31:40Z",
"published": "2025-07-15T21:31:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-50064"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujul2025.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CJGX-JX6J-CMG7
Vulnerability from github – Published: 2023-10-17 15:30 – Updated: 2024-07-03 18:33An improper privilege management in the AMD Radeon™ Graphics driver may allow an authenticated attacker to craft an IOCTL request to gain I/O control over arbitrary hardware ports or physical addresses resulting in a potential arbitrary code execution.
{
"affected": [],
"aliases": [
"CVE-2023-20598"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-17T14:15:09Z",
"severity": "HIGH"
},
"details": "\n\n\nAn improper privilege management in the AMD Radeon\u2122\u00a0Graphics driver may allow an authenticated attacker to craft an IOCTL request to gain I/O control over arbitrary hardware ports or physical addresses resulting in a potential arbitrary code execution.\n\n\n\n",
"id": "GHSA-cjgx-jx6j-cmg7",
"modified": "2024-07-03T18:33:10Z",
"published": "2023-10-17T15:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20598"
},
{
"type": "WEB",
"url": "https://www.amd.com/en/corporate/product-security/bulletin/AMD-SB-6009"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CJH4-HRFC-4XJ7
Vulnerability from github – Published: 2023-11-14 21:31 – Updated: 2024-02-13 21:30Insufficient protections in System Management Mode (SMM) code may allow an attacker to potentially enable escalation of privilege via local access.
{
"affected": [],
"aliases": [
"CVE-2023-20563"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-14T19:15:15Z",
"severity": "HIGH"
},
"details": "Insufficient protections in System Management Mode (SMM) code may allow an attacker to potentially enable escalation of privilege via local access.\n\n\n\n\n\n\n\n\n",
"id": "GHSA-cjh4-hrfc-4xj7",
"modified": "2024-02-13T21:30:26Z",
"published": "2023-11-14T21:31:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20563"
},
{
"type": "WEB",
"url": "https://www.amd.com/en/corporate/product-security/bulletin/AMD-SB-4002"
},
{
"type": "WEB",
"url": "https://www.amd.com/en/corporate/product-security/bulletin/AMD-SB-5001"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CJJW-5Q77-9XC9
Vulnerability from github – Published: 2024-05-21 21:30 – Updated: 2024-08-26 15:31An issue in MarvinTest Solutions Hardware Access Driver v.5.0.3.0 and before and fixed in v.5.0.4.0 allows a local attacker to escalate privileges via the Hw65.sys component.
{
"affected": [],
"aliases": [
"CVE-2024-31756"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-21T20:15:08Z",
"severity": "HIGH"
},
"details": "An issue in MarvinTest Solutions Hardware Access Driver v.5.0.3.0 and before and fixed in v.5.0.4.0 allows a local attacker to escalate privileges via the Hw65.sys component.",
"id": "GHSA-cjjw-5q77-9xc9",
"modified": "2024-08-26T15:31:13Z",
"published": "2024-05-21T21:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31756"
},
{
"type": "WEB",
"url": "https://northwave-cybersecurity.com/vulnerability-notice-hardware-access-driver-marvintest-solutions"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CJQ2-J283-VJ49
Vulnerability from github – Published: 2023-02-27 21:30 – Updated: 2023-03-07 21:30This issue was addressed with improved checks. This issue is fixed in iOS 15.7.1 and iPadOS 15.7.1, tvOS 16. An app may be able to execute arbitrary code with kernel privileges.
{
"affected": [],
"aliases": [
"CVE-2022-32949"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-27T20:15:00Z",
"severity": "HIGH"
},
"details": "This issue was addressed with improved checks. This issue is fixed in iOS 15.7.1 and iPadOS 15.7.1, tvOS 16. An app may be able to execute arbitrary code with kernel privileges.",
"id": "GHSA-cjq2-j283-vj49",
"modified": "2023-03-07T21:30:16Z",
"published": "2023-02-27T21:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32949"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213487"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213490"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CJXF-HQC4-WP33
Vulnerability from github – Published: 2022-08-10 00:00 – Updated: 2022-08-10 00:00Azure Batch Node Agent Elevation of Privilege Vulnerability.
{
"affected": [],
"aliases": [
"CVE-2022-33646"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-09T20:15:00Z",
"severity": "HIGH"
},
"details": "Azure Batch Node Agent Elevation of Privilege Vulnerability.",
"id": "GHSA-cjxf-hqc4-wp33",
"modified": "2022-08-10T00:00:18Z",
"published": "2022-08-10T00:00:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33646"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33646"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-33646"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CM6F-XJJV-F446
Vulnerability from github – Published: 2022-05-24 17:16 – Updated: 2024-04-04 02:50A malicious extension could have called browser.identity.launchWebAuthFlow, controlling the redirect_uri, and through the Promise returned, obtain the Auth code and gain access to the user's account at the service provider. This vulnerability affects Firefox < 75.
{
"affected": [],
"aliases": [
"CVE-2020-6823"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-04-24T16:15:00Z",
"severity": "CRITICAL"
},
"details": "A malicious extension could have called \u003ccode\u003ebrowser.identity.launchWebAuthFlow\u003c/code\u003e, controlling the redirect_uri, and through the Promise returned, obtain the Auth code and gain access to the user\u0027s account at the service provider. This vulnerability affects Firefox \u003c 75.",
"id": "GHSA-cm6f-xjjv-f446",
"modified": "2024-04-04T02:50:13Z",
"published": "2022-05-24T17:16:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6823"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1614919"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2020-12"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CM7F-83PQ-PFP3
Vulnerability from github – Published: 2022-05-24 17:37 – Updated: 2022-05-24 17:37Stratodesk NoTouch Center before 4.4.68 is affected by: Incorrect Access Control. A low privileged user on the platform, for example a user with "helpdesk" privileges, can perform privileged operations including adding a new administrator to the platform via the easyadmin/user/submitCreateTCUser.do page.
{
"affected": [],
"aliases": [
"CVE-2020-25917"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-12-26T02:15:00Z",
"severity": "HIGH"
},
"details": "Stratodesk NoTouch Center before 4.4.68 is affected by: Incorrect Access Control. A low privileged user on the platform, for example a user with \"helpdesk\" privileges, can perform privileged operations including adding a new administrator to the platform via the easyadmin/user/submitCreateTCUser.do page.",
"id": "GHSA-cm7f-83pq-pfp3",
"modified": "2022-05-24T17:37:18Z",
"published": "2022-05-24T17:37:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25917"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/160652/Stratodesk-NoTouch-Center-Privilege-Escalation.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-CM8V-JCCF-47QV
Vulnerability from github – Published: 2022-02-09 00:00 – Updated: 2022-07-13 00:01Micro-Star International (MSI) App Player <= 4.280.1.6309 is vulnerable to multiple Privilege Escalation (LPE/EoP) vulnerabilities in the NTIOLib_X64.sys and BstkDrv_msi2.sys drivers components. All the vulnerabilities are triggered by sending specific IOCTL requests.
{
"affected": [],
"aliases": [
"CVE-2021-44900"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-04T11:15:00Z",
"severity": "HIGH"
},
"details": "Micro-Star International (MSI) App Player \u003c= 4.280.1.6309 is vulnerable to multiple Privilege Escalation (LPE/EoP) vulnerabilities in the NTIOLib_X64.sys and BstkDrv_msi2.sys drivers components. All the vulnerabilities are triggered by sending specific IOCTL requests.",
"id": "GHSA-cm8v-jccf-47qv",
"modified": "2022-07-13T00:01:49Z",
"published": "2022-02-09T00:00:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44900"
},
{
"type": "WEB",
"url": "https://voidsec.com"
},
{
"type": "WEB",
"url": "https://voidsec.com/advisories/cve-2021-44900"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CMPF-FMF9-35PM
Vulnerability from github – Published: 2023-01-30 09:30 – Updated: 2023-02-07 18:30Potential vulnerabilities have been identified in HP Security Manager which may allow escalation of privilege, arbitrary code execution, and information disclosure.
{
"affected": [],
"aliases": [
"CVE-2022-46357"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-30T08:15:00Z",
"severity": "HIGH"
},
"details": "Potential vulnerabilities have been identified in HP Security Manager which may allow escalation of privilege, arbitrary code execution, and information disclosure.",
"id": "GHSA-cmpf-fmf9-35pm",
"modified": "2023-02-07T18:30:19Z",
"published": "2023-01-30T09:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46357"
},
{
"type": "WEB",
"url": "https://support.hp.com/us-en/document/ish_7334353-7334378-16"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-1
Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Mitigation MIT-48
Strategy: Separation of Privilege
Follow the principle of least privilege when assigning access rights to entities in a software system.
Mitigation MIT-49
Strategy: Separation of Privilege
Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
CAPEC-122: Privilege Abuse
An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources.
CAPEC-233: Privilege Escalation
An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform.
CAPEC-58: Restful Privilege Elevation
An adversary identifies a Rest HTTP (Get, Put, Delete) style permission method allowing them to perform various malicious actions upon server data due to lack of access control mechanisms implemented within the application service accepting HTTP messages.