Common Weakness Enumeration

CWE-280

Allowed

Improper Handling of Insufficient Permissions or Privileges

Abstraction: Base · Status: Draft

The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state.

256 vulnerabilities reference this CWE, most recent first.

GHSA-JHJM-5XJG-MPQP

Vulnerability from github – Published: 2023-03-21 21:30 – Updated: 2025-02-26 22:17
VLAI
Summary
Xuxueli xxl-job allows attacker to obtain sensitive information via the pageList parameter
Details

Permissions vulnerabiltiy found in Xuxueli xxl-job v2.2.0, v 2.3.0 and v.2.3.1 allows attacker to obtain sensitive information via the pageList parameter.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.xuxueli:xxl-job"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "last_affected": "2.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-27087"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-280"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-21T22:41:55Z",
    "nvd_published_at": "2023-03-21T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "Permissions vulnerabiltiy found in Xuxueli xxl-job v2.2.0, v 2.3.0 and v.2.3.1 allows attacker to obtain sensitive information via the pageList parameter.",
  "id": "GHSA-jhjm-5xjg-mpqp",
  "modified": "2025-02-26T22:17:31Z",
  "published": "2023-03-21T21:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27087"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xuxueli/xxl-job/issues/3096"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xuxueli/xxl-job"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Xuxueli xxl-job allows attacker to obtain sensitive information via the pageList parameter"
}

GHSA-JPGH-F7HM-PWMF

Vulnerability from github – Published: 2024-03-26 15:30 – Updated: 2024-03-26 15:30
VLAI
Details

In some rare cases, there is a password type validation missing in Revert Password check and for some features it could be disabled. Fixed Version: Win ZApp 4.3.0.121 and later.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-41972"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-280"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-26T15:15:48Z",
    "severity": "HIGH"
  },
  "details": "In some rare cases, there is a password type validation missing in Revert Password check and for some features it could be disabled. Fixed Version: Win ZApp 4.3.0.121 and later.",
  "id": "GHSA-jpgh-f7hm-pwmf",
  "modified": "2024-03-26T15:30:50Z",
  "published": "2024-03-26T15:30:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41972"
    },
    {
      "type": "WEB",
      "url": "https://help.zscaler.com/client-connector/client-connector-app-release-summary-2023?applicable_category=Windows\u0026applicable_version=4.3.0.121\u0026deployment_date=2023-09-01\u0026id=1463196"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JVRP-C78H-QQVJ

Vulnerability from github – Published: 2025-06-27 18:30 – Updated: 2025-07-01 18:30
VLAI
Details

Software installed and running inside a Guest VM may conduct improper GPU system calls to prevent other Guests from running work on the GPU.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-46708"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-280"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-27T17:15:33Z",
    "severity": "MODERATE"
  },
  "details": "Software installed and running inside a Guest VM may conduct improper GPU system calls to prevent other Guests from running work on the GPU.",
  "id": "GHSA-jvrp-c78h-qqvj",
  "modified": "2025-07-01T18:30:35Z",
  "published": "2025-06-27T18:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46708"
    },
    {
      "type": "WEB",
      "url": "https://www.imaginationtech.com/gpu-driver-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M6F8-HJRV-MW5F

Vulnerability from github – Published: 2023-03-27 22:17 – Updated: 2023-03-27 22:17
VLAI
Summary
Apiman vulnerable to permissions bypass due to missing check on API key URL
Details

Impact

Due to a missing permissions check, an attacker with an authenticated Apiman Manager account may be able to gain access to API keys they do not have permission for if they correctly guess the URL. The URL includes Organisation ID, Client ID, and Client Version of the targeted non-permitted resource, and each of these can have arbitrary values.

While not trivial to exploit, it could be achieved by brute-forcing or guessing common names.

Access to the non-permitted API Keys could allow use of other users' resources without their permission (depending on the specifics of configuration, such as whether an API key is the only form of security).

Patches

Apiman 3.1.0.Final and later resolves this issue.

Workarounds

Only provide Apiman Manager accounts to known users, do not allow anonymous/unknown users to create an Apiman Manager account.

Note that this does not affect the Apiman Gateway.

References

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 3.0.0.Final"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "io.apiman:apiman-manager-api-rest-impl"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.0.Final"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-28640"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-280",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-27T22:17:57Z",
    "nvd_published_at": "2023-03-27T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nDue to a missing permissions check, an attacker with an authenticated Apiman Manager account may be able to gain access to API keys they do not have permission for if they correctly guess the URL. The URL includes Organisation ID, Client ID, and Client Version of the targeted non-permitted resource, and each of these can have arbitrary values.\n\nWhile not trivial to exploit, it could be achieved by brute-forcing or guessing common names.\n\nAccess to the non-permitted API Keys could allow use of other users\u0027 resources without their permission (depending on the specifics of configuration, such as whether an API key is the only form of security).\n\n### Patches\n\nApiman 3.1.0.Final and later resolves this issue. \n\n### Workarounds\n\nOnly provide Apiman Manager accounts to known users, do not allow anonymous/unknown users to create an Apiman Manager account.\n\nNote that this does **not** affect the Apiman Gateway.\n\n### References\n\n* [Blog post disclosing issue](https://www.apiman.io/blog/potential-permissions-bypass-disclosure/)\n",
  "id": "GHSA-m6f8-hjrv-mw5f",
  "modified": "2023-03-27T22:17:57Z",
  "published": "2023-03-27T22:17:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/apiman/apiman/security/advisories/GHSA-m6f8-hjrv-mw5f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28640"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apiman/apiman"
    },
    {
      "type": "WEB",
      "url": "https://www.apiman.io/blog/potential-permissions-bypass-disclosure"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apiman vulnerable to permissions bypass due to missing check on API key URL"
}

GHSA-M6HC-99RM-C9WC

Vulnerability from github – Published: 2026-06-09 15:32 – Updated: 2026-06-09 15:32
VLAI
Details

When creating an export of all reusable media, the secrets of connected gift cards were included in the export even if the user creating the export does not have permission to view gift cards. This is inconsistent with the UI and API where only the first letters of the gift card secret are shown. Therefore, it allows circumventing a permission boundary.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-11764"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-280"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-09T13:16:35Z",
    "severity": "LOW"
  },
  "details": "When creating an export of all reusable media, the secrets of connected \ngift cards were included in the export even if the user creating the \nexport does not have permission to view gift cards. This is inconsistent\n with the UI and API where only the first letters of the gift card \nsecret are shown. Therefore, it allows circumventing a permission \nboundary.",
  "id": "GHSA-m6hc-99rm-c9wc",
  "modified": "2026-06-09T15:32:17Z",
  "published": "2026-06-09T15:32:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11764"
    },
    {
      "type": "WEB",
      "url": "https://pretix.eu/about/en/blog/20260609-release-2026-5-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-M6W2-P258-GXQP

Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-07-02 21:32
VLAI
Details

A flaw was found in Samba’s vfs_worm module. The module is intended to provide write-once, read-many (WORM) protections by preventing modification of files after a configurable grace period. Due to insufficient validation during rename operations, an authenticated user with write access to a share could overwrite a protected file by renaming a newly created file over the existing WORM-protected file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-2340"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-280"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-27T14:16:44Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in Samba\u2019s vfs_worm module. The module is intended to provide write-once, read-many (WORM) protections by preventing modification of files after a configurable grace period. Due to insufficient validation during rename operations, an authenticated user with write access to a share could overwrite a protected file by renaming a newly created file over the existing WORM-protected file.",
  "id": "GHSA-m6w2-p258-gxqp",
  "modified": "2026-07-02T21:32:03Z",
  "published": "2026-05-27T15:33:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2340"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:22644"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:22963"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:25049"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:25979"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:28053"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:28054"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:28055"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:28056"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:28057"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:29863"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-2340"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2447318"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.samba.org/show_bug.cgi?id=15997"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M8CJ-M32X-WPWV

Vulnerability from github – Published: 2022-02-08 00:00 – Updated: 2022-05-10 00:00
VLAI
Details

NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel driver package, where improper handling of insufficient permissions or privileges may allow an unprivileged local user limited write access to protected memory, which can lead to denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-21814"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-280",
      "CWE-755"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-07T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel driver package, where improper handling of insufficient permissions or privileges may allow an unprivileged local user limited write access to protected memory, which can lead to denial of service.",
  "id": "GHSA-m8cj-m32x-wpwv",
  "modified": "2022-05-10T00:00:49Z",
  "published": "2022-02-08T00:00:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21814"
    },
    {
      "type": "WEB",
      "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5312"
    },
    {
      "type": "WEB",
      "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5321"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202310-02"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MXG4-3MFG-79GM

Vulnerability from github – Published: 2022-05-24 17:24 – Updated: 2024-01-13 06:30
VLAI
Details

An insufficient permission check vulnerability exists in Pulse Connect Secure <9.1R8 that allows an attacker to change the password of a full administrator.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-8219"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276",
      "CWE-280"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-07-30T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An insufficient permission check vulnerability exists in Pulse Connect Secure \u003c9.1R8 that allows an attacker to change the password of a full administrator.",
  "id": "GHSA-mxg4-3mfg-79gm",
  "modified": "2024-01-13T06:30:22Z",
  "published": "2022-05-24T17:24:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8219"
    },
    {
      "type": "WEB",
      "url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P3PH-4R57-HH5X

Vulnerability from github – Published: 2026-05-07 12:31 – Updated: 2026-05-11 18:31
VLAI
Details

Vulnerability on the external sharing feature in Cryptobox allows an attacker knowing a sharing link URL to retrieve information from the server allowing an offline brute-force attack of the access code associated to this sharing link.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-6805"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-280"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-07T10:16:06Z",
    "severity": "MODERATE"
  },
  "details": "Vulnerability on the external sharing feature in Cryptobox allows an attacker knowing a sharing link URL to retrieve information from the server allowing an offline brute-force attack of the access code associated to this sharing link.",
  "id": "GHSA-p3ph-4r57-hh5x",
  "modified": "2026-05-11T18:31:36Z",
  "published": "2026-05-07T12:31:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6805"
    },
    {
      "type": "WEB",
      "url": "https://info.cryptobox.com/doc/v4.40/4.40.en"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-P4QH-CJ7J-R785

Vulnerability from github – Published: 2026-01-13 18:31 – Updated: 2026-05-26 21:31
VLAI
Details

Improper handling of insufficient permissions or privileges in Windows Error Reporting allows an authorized attacker to elevate privileges locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-20817"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-280"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-13T18:16:08Z",
    "severity": "HIGH"
  },
  "details": "Improper handling of insufficient permissions or privileges in Windows Error Reporting allows an authorized attacker to elevate privileges locally.",
  "id": "GHSA-p4qh-cj7j-r785",
  "modified": "2026-05-26T21:31:35Z",
  "published": "2026-01-13T18:31:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20817"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20817"
    },
    {
      "type": "WEB",
      "url": "https://www.vicarius.io/vsociety/posts/cve-2026-20817-detection-script-eop-vulnerabilit-in-windows-error-reporting"
    },
    {
      "type": "WEB",
      "url": "https://www.vicarius.io/vsociety/posts/cve-2026-20817-mitigation-script-eop-vulnerability-in-windows-error-reporting"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-46
Architecture and Design

Strategy: Separation of Privilege

  • Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
  • Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Mitigation
Implementation

Always check to see if you have successfully accessed a resource or system functionality, and use proper error handling if it is unsuccessful. Do this even when you are operating in a highly privileged mode, because errors or environmental conditions might still cause a failure. For example, environments with highly granular permissions/privilege models, such as Windows or Linux capabilities, can cause unexpected failures.

No CAPEC attack patterns related to this CWE.