CWE-277
AllowedInsecure Inherited Permissions
Abstraction: Variant · Status: Draft
A product defines a set of insecure permissions that are inherited by objects that are created by the program.
116 vulnerabilities reference this CWE, most recent first.
GHSA-838X-PRQR-QG3C
Vulnerability from github – Published: 2025-05-13 21:30 – Updated: 2025-05-13 21:30Insecure inherited permissions in the NVM Update Utility for some Intel(R) Ethernet Network Adapter E810 Series before version 4.60 may allow an authenticated user to potentially enable escalation of privilege via local access.
{
"affected": [],
"aliases": [
"CVE-2025-20629"
],
"database_specific": {
"cwe_ids": [
"CWE-277"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-13T21:16:08Z",
"severity": "MODERATE"
},
"details": "Insecure inherited permissions in the NVM Update Utility for some Intel(R) Ethernet Network Adapter E810 Series before version 4.60 may allow an authenticated user to potentially enable escalation of privilege via local access.",
"id": "GHSA-838x-prqr-qg3c",
"modified": "2025-05-13T21:30:56Z",
"published": "2025-05-13T21:30:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20629"
},
{
"type": "WEB",
"url": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01295.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-89C4-JR3C-XMFX
Vulnerability from github – Published: 2023-05-10 15:30 – Updated: 2024-04-04 03:59Insecure inherited permissions in the HotKey Services for some Intel(R) NUC P14E Laptop Element software for Windows 10 before version 1.1.44 may allow an authenticated user to potentially enable escalation of privilege via local access.
{
"affected": [],
"aliases": [
"CVE-2022-41687"
],
"database_specific": {
"cwe_ids": [
"CWE-276",
"CWE-277"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-10T14:15:18Z",
"severity": "HIGH"
},
"details": "Insecure inherited permissions in the HotKey Services for some Intel(R) NUC P14E Laptop Element software for Windows 10 before version 1.1.44 may allow an authenticated user to potentially enable escalation of privilege via local access.",
"id": "GHSA-89c4-jr3c-xmfx",
"modified": "2024-04-04T03:59:42Z",
"published": "2023-05-10T15:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41687"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00802.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9FRM-76C2-FQ2W
Vulnerability from github – Published: 2024-05-14 15:32 – Updated: 2026-04-02 21:31A logic issue was addressed with improved restrictions. This issue is fixed in macOS Sonoma 14.5. An app may be able to gain root privileges.
{
"affected": [],
"aliases": [
"CVE-2024-27822"
],
"database_specific": {
"cwe_ids": [
"CWE-277"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-14T15:13:05Z",
"severity": "HIGH"
},
"details": "A logic issue was addressed with improved restrictions. This issue is fixed in macOS Sonoma 14.5. An app may be able to gain root privileges.",
"id": "GHSA-9frm-76c2-fq2w",
"modified": "2026-04-02T21:31:40Z",
"published": "2024-05-14T15:32:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27822"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120903"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT214106"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT214106"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/May/12"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9M5J-4XX9-44J9
Vulnerability from github – Published: 2024-08-07 18:30 – Updated: 2026-03-20 21:18A flaw was found in the Pulp package. When a role-based access control (RBAC) object in Pulp is set to assign permissions on its creation, it uses the AutoAddObjPermsMixin (typically the add_roles_for_object_creator method). This method finds the object creator by checking the current authenticated user. For objects that are created within a task, this current user is set by the first user with any permissions on the task object. This means the oldest user with model/domain-level task permissions will always be set as the current user of a task, even if they didn't dispatch the task. Therefore, all objects created in tasks will have their permissions assigned to this oldest user, and the creating user will receive nothing.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "pulpcore"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "3.56.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-7143"
],
"database_specific": {
"cwe_ids": [
"CWE-277"
],
"github_reviewed": true,
"github_reviewed_at": "2024-08-07T19:45:30Z",
"nvd_published_at": "2024-08-07T17:15:52Z",
"severity": "HIGH"
},
"details": "A flaw was found in the Pulp package. When a role-based access control (RBAC) object in Pulp is set to assign permissions on its creation, it uses the `AutoAddObjPermsMixin` (typically the add_roles_for_object_creator method). This method finds the object creator by checking the current authenticated user. For objects that are created within a task, this current user is set by the first user with any permissions on the task object. This means the oldest user with model/domain-level task permissions will always be set as the current user of a task, even if they didn\u0027t dispatch the task. Therefore, all objects created in tasks will have their permissions assigned to this oldest user, and the creating user will receive nothing.",
"id": "GHSA-9m5j-4xx9-44j9",
"modified": "2026-03-20T21:18:09Z",
"published": "2024-08-07T18:30:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7143"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:6765"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-7143"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2300125"
},
{
"type": "PACKAGE",
"url": "https://github.com/pulp/pulpcore"
},
{
"type": "WEB",
"url": "https://github.com/pulp/pulpcore/blob/93f241f34c503da0fbac94bdba739feda2636e12/pulpcore/tasking/_util.py#L108"
},
{
"type": "WEB",
"url": "https://github.com/pulp/pulpcore/blob/main/CHANGES.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Pulp incorrectly assigns RBAC permissions in tasks that create objects"
}
GHSA-9M7R-G8HG-X3VR
Vulnerability from github – Published: 2025-11-21 18:06 – Updated: 2026-05-14 20:54Impact
If your schema includes the following characteristics:
- You have a permission defined in terms of a union (
+) - That union references the same relation on both sides, but one side arrows to a different permission
Then you might have missing LookupResources results when checking the permission. This only affects LookupResources; other APIs calculate permissionship correctly.
A small concrete example:
relation doer_of_things: user | group#member
permission do_the_thing = doer_of_things + doer_of_things->admin
A CheckPermission on do_the_thing will return the correct permissionship, but a LookupResources on do_the_thing may miss resources.
A Comprehensive Example
If you have a schema with a structure like this:
definition special_user {}
definition user {
relation special_user_mapping: special_user
permission special_user = special_user_mapping
}
definition group {
relation member: user
permission membership = member + member->special_user
}
definition system {
relation viewer: user | group#membership
// This is the problematic permission
permission view = viewer + viewer->special_user
}
And these relationships:
system:somesystem#viewer@group:somegroup#membership
group:somegroup#member@user:someuser1
user:someuser1#special_user_mapping@special_user:specialuser
And you call LookupResources with:
subject_type: user
subject_id: someuser1
permission: view
resource_type: system
You would expect to receive system:somesystem in the results, but you do not.
Note that this only applies to LookupResources; if you CheckPermission for that resource specifically, it will return HasPermission.
Patches
The issue is fixed in v1.47.1. Upgrading to this version will remediate this issue.
Workarounds
N/A
References
N/A
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/authzed/spicedb"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.47.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-65111"
],
"database_specific": {
"cwe_ids": [
"CWE-277"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-21T18:06:00Z",
"nvd_published_at": "2025-11-21T22:16:33Z",
"severity": "LOW"
},
"details": "### Impact\n\nIf your schema includes the following characteristics:\n\n1. You have a permission defined in terms of a union (`+`)\n1. That union references the same relation on both sides, but one side arrows to a different permission\n\nThen you might have missing `LookupResources` results when checking the permission. This only affects `LookupResources`; other APIs calculate permissionship correctly.\n\nA small concrete example:\n\n```\nrelation doer_of_things: user | group#member\npermission do_the_thing = doer_of_things + doer_of_things-\u003eadmin\n```\n\nA CheckPermission on `do_the_thing` will return the correct permissionship, but a LookupResources on `do_the_thing` may miss resources.\n\n#### A Comprehensive Example\n\nIf you have a schema with a structure like this:\n\n```\ndefinition special_user {}\n\ndefinition user {\n relation special_user_mapping: special_user\n permission special_user = special_user_mapping\n}\ndefinition group {\n relation member: user\n permission membership = member + member-\u003especial_user\n}\n\ndefinition system {\n relation viewer: user | group#membership\n // This is the problematic permission\n permission view = viewer + viewer-\u003especial_user\n}\n```\n\nAnd these relationships:\n```\nsystem:somesystem#viewer@group:somegroup#membership\ngroup:somegroup#member@user:someuser1\nuser:someuser1#special_user_mapping@special_user:specialuser\n```\n\nAnd you call LookupResources with:\n```\nsubject_type: user\nsubject_id: someuser1\npermission: view\nresource_type: system\n```\n\nYou would expect to receive `system:somesystem` in the results, but you do not.\n\nNote that this only applies to `LookupResources`; if you `CheckPermission` for that resource specifically, it will return `HasPermission`.\n\n### Patches\n\nThe issue is fixed in v1.47.1. Upgrading to this version will remediate this issue.\n\n### Workarounds\nN/A\n\n### References\nN/A",
"id": "GHSA-9m7r-g8hg-x3vr",
"modified": "2026-05-14T20:54:49Z",
"published": "2025-11-21T18:06:00Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/authzed/spicedb/security/advisories/GHSA-9m7r-g8hg-x3vr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65111"
},
{
"type": "WEB",
"url": "https://github.com/authzed/spicedb/commit/8c2edbe1e7bd3851fa2138f4cc344bfde986dcf2"
},
{
"type": "PACKAGE",
"url": "https://github.com/authzed/spicedb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "SpiceDB: LookupResources with Multiple Entrypoints across Different Definitions Can Return Incomplete Results"
}
GHSA-9R4W-694R-FM3F
Vulnerability from github – Published: 2022-11-11 19:00 – Updated: 2022-11-16 19:00Incorrect default permissions in the installer software for some Intel(r) NUC Kit Wireless Adapter drivers for Windows 10 before version 22.40 may allow an authenticated user to potentially enable escalation of privilege via local access.
{
"affected": [],
"aliases": [
"CVE-2022-36377"
],
"database_specific": {
"cwe_ids": [
"CWE-276",
"CWE-277"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-11T16:15:00Z",
"severity": "HIGH"
},
"details": "Incorrect default permissions in the installer software for some Intel(r) NUC Kit Wireless Adapter drivers for Windows 10 before version 22.40 may allow an authenticated user to potentially enable escalation of privilege via local access.",
"id": "GHSA-9r4w-694r-fm3f",
"modified": "2022-11-16T19:00:29Z",
"published": "2022-11-11T19:00:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36377"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00747.html"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00908.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CPFP-M5QW-C4R3
Vulnerability from github – Published: 2024-08-15 18:31 – Updated: 2025-05-22 20:00Insecure Permissions vulnerability in xxl-job v.2.4.1 allows a remote attacker to execute arbitrary code via the Sub-Task ID component.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.4.1"
},
"package": {
"ecosystem": "Maven",
"name": "com.xuxueli:xxl-job-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.4.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-42681"
],
"database_specific": {
"cwe_ids": [
"CWE-276",
"CWE-277",
"CWE-281"
],
"github_reviewed": true,
"github_reviewed_at": "2024-08-15T22:19:00Z",
"nvd_published_at": "2024-08-15T17:15:18Z",
"severity": "HIGH"
},
"details": "Insecure Permissions vulnerability in xxl-job v.2.4.1 allows a remote attacker to execute arbitrary code via the Sub-Task ID component.",
"id": "GHSA-cpfp-m5qw-c4r3",
"modified": "2025-05-22T20:00:48Z",
"published": "2024-08-15T18:31:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42681"
},
{
"type": "WEB",
"url": "https://github.com/xuxueli/xxl-job/issues/3516"
},
{
"type": "WEB",
"url": "https://github.com/xuxueli/xxl-job/commit/a2dc9011310628f3e18c3a5095e7e6a946d017bd"
},
{
"type": "PACKAGE",
"url": "https://github.com/xuxueli/xxl-job"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Improper Preservation of Permissions in xxl-job"
}
GHSA-CPFV-MR66-74V6
Vulnerability from github – Published: 2024-07-09 15:30 – Updated: 2024-08-01 15:31Firefox Android allowed immediate interaction with permission prompts. This could be used for tapjacking. This vulnerability affects Firefox < 128.
{
"affected": [],
"aliases": [
"CVE-2024-6605"
],
"database_specific": {
"cwe_ids": [
"CWE-277"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-09T15:15:12Z",
"severity": "HIGH"
},
"details": "Firefox Android allowed immediate interaction with permission prompts. This could be used for tapjacking. This vulnerability affects Firefox \u003c 128.",
"id": "GHSA-cpfv-mr66-74v6",
"modified": "2024-08-01T15:31:53Z",
"published": "2024-07-09T15:30:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6605"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1836786"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2024-29"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F636-M6GC-99CH
Vulnerability from github – Published: 2024-04-03 18:30 – Updated: 2024-08-27 15:32Macro Expert through 4.9.4 allows BUILTIN\Users:(OI)(CI)(M) access to the "%PROGRAMFILES(X86)%\GrassSoft\Macro Expert" folder and thus an unprivileged user can escalate to SYSTEM by replacing the MacroService.exe binary.
{
"affected": [],
"aliases": [
"CVE-2024-27674"
],
"database_specific": {
"cwe_ids": [
"CWE-276",
"CWE-277"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-03T17:15:55Z",
"severity": "HIGH"
},
"details": "Macro Expert through 4.9.4 allows BUILTIN\\Users:(OI)(CI)(M) access to the \"%PROGRAMFILES(X86)%\\GrassSoft\\Macro Expert\" folder and thus an unprivileged user can escalate to SYSTEM by replacing the MacroService.exe binary.",
"id": "GHSA-f636-m6gc-99ch",
"modified": "2024-08-27T15:32:42Z",
"published": "2024-04-03T18:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27674"
},
{
"type": "WEB",
"url": "https://github.com/Alaatk/CVE-2024-27674/tree/main"
},
{
"type": "WEB",
"url": "https://www.macro-expert.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FJ2M-7R3Q-J27X
Vulnerability from github – Published: 2023-07-11 03:30 – Updated: 2024-09-29 00:30SAP SQL Anywhere - version 17.0, allows an attacker to prevent legitimate users from accessing the service by crashing the service. An attacker with low privileged account and access to the local system can write into the shared memory objects. This can be leveraged by an attacker to perform a Denial of Service. Further, an attacker might be able to modify sensitive data in shared memory objects.This issue only affects SAP SQL Anywhere on Windows. Other platforms are not impacted.
{
"affected": [],
"aliases": [
"CVE-2023-33990"
],
"database_specific": {
"cwe_ids": [
"CWE-277",
"CWE-732"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-11T03:15:09Z",
"severity": "HIGH"
},
"details": "SAP SQL Anywhere\u00a0- version 17.0, allows an attacker to prevent legitimate users from accessing the service by crashing the service. An attacker with low privileged account and access to the local system can write into the shared memory objects. This can be leveraged by an attacker to perform a Denial of Service. Further, an attacker might be able to modify sensitive data in shared memory objects.This issue only affects SAP SQL Anywhere on Windows. Other platforms are not impacted.\n\n",
"id": "GHSA-fj2m-7r3q-j27x",
"modified": "2024-09-29T00:30:55Z",
"published": "2023-07-11T03:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33990"
},
{
"type": "WEB",
"url": "https://me.sap.com/notes/3331029"
},
{
"type": "WEB",
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-1
Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Mitigation MIT-46
Strategy: Separation of Privilege
- Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
- Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
No CAPEC attack patterns related to this CWE.