CWE-269
DiscouragedImproper Privilege Management
Abstraction: Class · Status: Draft
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
5439 vulnerabilities reference this CWE, most recent first.
GHSA-P64X-C79M-M5MV
Vulnerability from github – Published: 2022-02-10 00:00 – Updated: 2023-06-29 06:30Win32k Elevation of Privilege Vulnerability.
{
"affected": [],
"aliases": [
"CVE-2022-21996"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-09T17:15:00Z",
"severity": "HIGH"
},
"details": "Win32k Elevation of Privilege Vulnerability.",
"id": "GHSA-p64x-c79m-m5mv",
"modified": "2023-06-29T06:30:16Z",
"published": "2022-02-10T00:00:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21996"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21996"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21996"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P6FR-7234-RW5G
Vulnerability from github – Published: 2022-05-24 17:29 – Updated: 2022-05-24 17:29A vulnerability in Trend Micro Apex One may allow a local attacker to manipulate the process of the security agent unload option (if configured), which then could be manipulated to gain a privilege escalation and code execution.
An attacker must first obtain the ability to execute low-privileged code on the target in order to exploit this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2020-24563"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-09-29T00:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability in Trend Micro Apex One may allow a local attacker to manipulate the process of the security agent unload option (if configured), which then could be manipulated to gain a privilege escalation and code execution.\n\nAn attacker must first obtain the ability to execute low-privileged code on the target in order to exploit this vulnerability.",
"id": "GHSA-p6fr-7234-rw5g",
"modified": "2022-05-24T17:29:43Z",
"published": "2022-05-24T17:29:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24563"
},
{
"type": "WEB",
"url": "https://success.trendmicro.com/solution/000271974"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-20-1218"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-P6G3-6G2V-FWVR
Vulnerability from github – Published: 2021-12-10 00:00 – Updated: 2022-07-13 00:01IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow a local user to gain privileges due to allowing modification of columns of existing tasks. IBM X-Force ID: 210321.
{
"affected": [],
"aliases": [
"CVE-2021-38926"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-09T17:15:00Z",
"severity": "MODERATE"
},
"details": "IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow a local user to gain privileges due to allowing modification of columns of existing tasks. IBM X-Force ID: 210321.",
"id": "GHSA-p6g3-6g2v-fwvr",
"modified": "2022-07-13T00:01:35Z",
"published": "2021-12-10T00:00:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38926"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/210321"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20220114-0002"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6523808"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P6GW-24QR-9GFC
Vulnerability from github – Published: 2021-12-28 00:00 – Updated: 2022-01-13 00:01ZTE BigVideo Analysis product has a privilege escalation vulnerability. Due to improper management of the timed task modification privilege, an attacker with ordinary user permissions could exploit this vulnerability to gain unauthorized access.
{
"affected": [],
"aliases": [
"CVE-2021-21750"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-27T19:15:00Z",
"severity": "HIGH"
},
"details": "ZTE BigVideo Analysis product has a privilege escalation vulnerability. Due to improper management of the timed task modification privilege, an attacker with ordinary user permissions could exploit this vulnerability to gain unauthorized access.",
"id": "GHSA-p6gw-24qr-9gfc",
"modified": "2022-01-13T00:01:59Z",
"published": "2021-12-28T00:00:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21750"
},
{
"type": "WEB",
"url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1021884"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-P6H3-H8G8-59FX
Vulnerability from github – Published: 2023-03-07 18:30 – Updated: 2023-03-14 18:30A improper privilege management in Fortinet FortiNAC version 9.4.0 through 9.4.1, FortiNAC version 9.2.0 through 9.2.6, FortiNAC version 9.1.0 through 9.1.8, FortiNAC all versions 8.8, FortiNAC all versions 8.7, FortiNAC all versions 8.6, FortiNAC all versions 8.5, FortiNAC version 8.3.7 allows attacker to escalation of privilege via specially crafted commands.
{
"affected": [],
"aliases": [
"CVE-2022-39953"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-07T17:15:00Z",
"severity": "HIGH"
},
"details": "A improper privilege management in Fortinet FortiNAC version 9.4.0 through 9.4.1, FortiNAC version 9.2.0 through 9.2.6, FortiNAC version 9.1.0 through 9.1.8, FortiNAC all versions 8.8, FortiNAC all versions 8.7, FortiNAC all versions 8.6, FortiNAC all versions 8.5, FortiNAC version 8.3.7 allows attacker to escalation of privilege via specially crafted commands.",
"id": "GHSA-p6h3-h8g8-59fx",
"modified": "2023-03-14T18:30:26Z",
"published": "2023-03-07T18:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39953"
},
{
"type": "WEB",
"url": "https://fortiguard.com/psirt/FG-IR-22-309"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P6JH-36MX-HRG4
Vulnerability from github – Published: 2024-06-13 21:30 – Updated: 2024-08-16 18:30Permission Bypass allowing attackers to disable HDCP 2.2 encryption by not completing the HDCP Key Exchange initialization steps
{
"affected": [],
"aliases": [
"CVE-2024-32918"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-13T21:15:55Z",
"severity": "MODERATE"
},
"details": "Permission Bypass allowing attackers to disable HDCP 2.2 encryption by not completing the HDCP Key Exchange initialization steps",
"id": "GHSA-p6jh-36mx-hrg4",
"modified": "2024-08-16T18:30:56Z",
"published": "2024-06-13T21:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32918"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2024-06-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P6JW-CFP7-35P2
Vulnerability from github – Published: 2022-05-01 23:48 – Updated: 2022-05-01 23:48The Site Documentation Drupal module 5.x before 5.x-1.8 and 6.x before 6.x-1.1 allows remote authenticated users to gain privileges of other users by leveraging the "access content" permission to list tables and obtain session IDs from the database.
{
"affected": [],
"aliases": [
"CVE-2008-2271"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-05-16T12:54:00Z",
"severity": "MODERATE"
},
"details": "The Site Documentation Drupal module 5.x before 5.x-1.8 and 6.x before 6.x-1.1 allows remote authenticated users to gain privileges of other users by leveraging the \"access content\" permission to list tables and obtain session IDs from the database.",
"id": "GHSA-p6jw-cfp7-35p2",
"modified": "2022-05-01T23:48:20Z",
"published": "2022-05-01T23:48:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-2271"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/42453"
},
{
"type": "WEB",
"url": "http://drupal.org/node/258547"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/30257"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/29242"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2008/1541/references"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-P6X5-52J3-6VFR
Vulnerability from github – Published: 2022-07-14 00:00 – Updated: 2022-07-22 00:00In PermissionController, there is a possible way to get and retain permissions without user's consent due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-12 Android-12LAndroid ID: A-223907044
{
"affected": [],
"aliases": [
"CVE-2022-20218"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-13T19:15:00Z",
"severity": "HIGH"
},
"details": "In PermissionController, there is a possible way to get and retain permissions without user\u0027s consent due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-12 Android-12LAndroid ID: A-223907044",
"id": "GHSA-p6x5-52j3-6vfr",
"modified": "2022-07-22T00:00:33Z",
"published": "2022-07-14T00:00:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20218"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2022-07-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P743-H3F6-5F74
Vulnerability from github – Published: 2026-02-25 21:31 – Updated: 2026-03-04 18:31VMware Aria Operations contains a privilege escalation vulnerability. A malicious actor with privileges in vCenter to access Aria Operations may leverage this vulnerability to obtain administrative access in VMware Aria Operations. To remediate CVE-2026-22721, apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found in VMSA-2026-0001 https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947 .
{
"affected": [],
"aliases": [
"CVE-2026-22721"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-25T21:16:40Z",
"severity": "MODERATE"
},
"details": "VMware Aria Operations contains a privilege escalation vulnerability. A malicious actor with privileges in vCenter to access Aria Operations may leverage this vulnerability to obtain administrative access in VMware Aria Operations. To remediate CVE-2026-22721, apply the patches listed in the \u0027Fixed Version\u0027 column of the \u0027Response Matrix\u0027 found in\u00a0 VMSA-2026-0001 https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947 .",
"id": "GHSA-p743-h3f6-5f74",
"modified": "2026-03-04T18:31:47Z",
"published": "2026-02-25T21:31:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22721"
},
{
"type": "WEB",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947"
},
{
"type": "WEB",
"url": "https://techdocs.broadcom.com/us/en/vmware-cis/aria/aria-operations/8-18/vmware-aria-operations-8186-release-notes.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-P782-XGP4-8HR8
Vulnerability from github – Published: 2022-06-24 00:00 – Updated: 2024-05-20 21:27Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Reporting in syscall. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.
Specific Go Packages Affected
golang.org/x/sys/unix
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "golang.org/x/sys"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20220412211240-33da011f77ad"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-29526"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": true,
"github_reviewed_at": "2023-02-08T00:30:54Z",
"nvd_published_at": "2022-06-23T17:15:00Z",
"severity": "MODERATE"
},
"details": "Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Reporting in syscall. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.\n\n### Specific Go Packages Affected\ngolang.org/x/sys/unix",
"id": "GHSA-p782-xgp4-8hr8",
"modified": "2024-05-20T21:27:32Z",
"published": "2022-06-24T00:00:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29526"
},
{
"type": "WEB",
"url": "https://github.com/golang/go/issues/52313"
},
{
"type": "PACKAGE",
"url": "https://github.com/golang/go"
},
{
"type": "WEB",
"url": "https://go.dev/cl/399539"
},
{
"type": "WEB",
"url": "https://go.dev/cl/400074"
},
{
"type": "WEB",
"url": "https://go.dev/issue/52313"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/Y5qrqw_lWdU"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q6GE5EQGE4L2KRVGW4T75QVIYAXCLO5X"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RQXU752ALW53OJAF5MG3WMR5CCZVLWW6"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z55VUVGO7E5PJFXIOVAY373NZRHBNCI5"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZY2SLWOQR4ZURQ7UBRZ7JIX6H6F5JHJR"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2022-0493"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202208-02"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20220729-0001"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "golang.org/x/sys/unix has Incorrect privilege reporting in syscall"
}
Mitigation MIT-1
Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Mitigation MIT-48
Strategy: Separation of Privilege
Follow the principle of least privilege when assigning access rights to entities in a software system.
Mitigation MIT-49
Strategy: Separation of Privilege
Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
CAPEC-122: Privilege Abuse
An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources.
CAPEC-233: Privilege Escalation
An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform.
CAPEC-58: Restful Privilege Elevation
An adversary identifies a Rest HTTP (Get, Put, Delete) style permission method allowing them to perform various malicious actions upon server data due to lack of access control mechanisms implemented within the application service accepting HTTP messages.