Common Weakness Enumeration

CWE-280

Allowed

Improper Handling of Insufficient Permissions or Privileges

Abstraction: Base · Status: Draft

The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state.

256 vulnerabilities reference this CWE, most recent first.

GHSA-R9X8-R5R4-MQ7C

Vulnerability from github – Published: 2024-03-28 18:30 – Updated: 2025-11-04 21:31
VLAI
Details

The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.6.3, macOS Sonoma 14.2, macOS Monterey 12.7.2. A process may gain admin privileges without proper authentication.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-42931"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-280"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-28T16:15:08Z",
    "severity": "HIGH"
  },
  "details": "The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.6.3, macOS Sonoma 14.2, macOS Monterey 12.7.2. A process may gain admin privileges without proper authentication.",
  "id": "GHSA-r9x8-r5r4-mq7c",
  "modified": "2025-11-04T21:31:23Z",
  "published": "2024-03-28T18:30:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42931"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT214036"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT214037"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT214038"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214036"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214037"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214038"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RPG2-JVHP-H354

Vulnerability from github – Published: 2025-05-14 12:31 – Updated: 2025-07-28 13:04
VLAI
Summary
Yggdrasil Vulnerable to Local Privilege Escalation
Details

A flaw was found in Yggdrasil, which acts as a system broker, allowing the processes to communicate to other children's "worker" processes through the DBus component. Yggdrasil creates a DBus method to dispatch messages to workers. However, it misses authentication and authorization checks, allowing every system user to call it. One available Yggdrasil worker acts as a package manager with capabilities to create and enable new repositories and install or remove packages.

This flaw allows an attacker with access to the system to leverage the lack of authentication on the dispatch message to force the Yggdrasil worker to install arbitrary RPM packages. This issue results in local privilege escalation, enabling the attacker to access and modify sensitive system data.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/redhatinsights/yggdrasil"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.4.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-3931"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-280"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-15T16:06:17Z",
    "nvd_published_at": "2025-05-14T12:15:19Z",
    "severity": "HIGH"
  },
  "details": "A flaw was found in Yggdrasil, which acts as a system broker, allowing the processes to communicate to other children\u0027s \"worker\" processes through the DBus component. Yggdrasil creates a DBus method to dispatch messages to workers. However, it misses authentication and authorization checks, allowing every system user to call it. One available Yggdrasil worker acts as a package manager with capabilities to create and enable new repositories and install or remove packages. \n\nThis flaw allows an attacker with access to the system to leverage the lack of authentication on the dispatch message to force the Yggdrasil worker to install arbitrary RPM packages. This issue results in local privilege escalation, enabling the attacker to access and modify sensitive system data.",
  "id": "GHSA-rpg2-jvhp-h354",
  "modified": "2025-07-28T13:04:18Z",
  "published": "2025-05-14T12:31:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3931"
    },
    {
      "type": "WEB",
      "url": "https://github.com/RedHatInsights/yggdrasil/pull/336"
    },
    {
      "type": "WEB",
      "url": "https://github.com/RedHatInsights/yggdrasil/commit/196d0cbea42f72e6dfecaa563681a99e9fdb4a38"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:7592"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2025-3931"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2362345"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/RedHatInsights/yggdrasil"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Yggdrasil Vulnerable to Local Privilege Escalation"
}

GHSA-RQ49-J5JP-7MR4

Vulnerability from github – Published: 2024-04-07 09:30 – Updated: 2024-08-22 18:31
VLAI
Details

Vulnerability of insufficient permission verification in the app management module. Impact: Successful exploitation of this vulnerability will affect availability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-30418"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-280"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-07T09:15:08Z",
    "severity": "HIGH"
  },
  "details": "Vulnerability of insufficient permission verification in the app management module.\nImpact: Successful exploitation of this vulnerability will affect availability.",
  "id": "GHSA-rq49-j5jp-7mr4",
  "modified": "2024-08-22T18:31:18Z",
  "published": "2024-04-07T09:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30418"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletin/2024/4"
    },
    {
      "type": "WEB",
      "url": "https://device.harmonyos.com/en/docs/security/update/security-bulletins-202404-0000001880501689"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RQHX-7554-JMG8

Vulnerability from github – Published: 2026-02-12 03:31 – Updated: 2026-02-12 03:31
VLAI
Details

Dell Update Package (DUP) Framework, versions 23.12.00 through 24.12.00, contains an Improper Handling of Insufficient Permissions or Privileges vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-23857"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-280"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-12T03:15:47Z",
    "severity": "HIGH"
  },
  "details": "Dell Update Package (DUP) Framework, versions 23.12.00 through 24.12.00, contains an Improper Handling of Insufficient Permissions or Privileges vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges.",
  "id": "GHSA-rqhx-7554-jmg8",
  "modified": "2026-02-12T03:31:01Z",
  "published": "2026-02-12T03:31:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23857"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000426781/dsa-2026-081-security-update-for-dell-update-package-dup-framework-vulnerability"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RRQ7-CH89-92VR

Vulnerability from github – Published: 2024-12-28 06:30 – Updated: 2024-12-28 18:30
VLAI
Details

Software installed and run as a non-privileged user can trigger the GPU kernel driver to write to arbitrary read-only system files that have been mapped into application memory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-43705"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-280"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-28T05:15:07Z",
    "severity": "HIGH"
  },
  "details": "Software installed and run as a non-privileged user can trigger the GPU kernel driver to write to arbitrary read-only system files that have been mapped into application memory.",
  "id": "GHSA-rrq7-ch89-92vr",
  "modified": "2024-12-28T18:30:47Z",
  "published": "2024-12-28T06:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43705"
    },
    {
      "type": "WEB",
      "url": "https://www.imaginationtech.com/gpu-driver-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RV23-6FX7-9R87

Vulnerability from github – Published: 2026-01-12 18:30 – Updated: 2026-01-12 18:30
VLAI
Details

An issue in Automai Director v.25.2.0 allows a remote attacker to escalate privileges

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-46066"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-280"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-12T17:15:50Z",
    "severity": "CRITICAL"
  },
  "details": "An issue in Automai Director v.25.2.0 allows a remote attacker to escalate privileges",
  "id": "GHSA-rv23-6fx7-9r87",
  "modified": "2026-01-12T18:30:30Z",
  "published": "2026-01-12T18:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46066"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/ZeroBreach-GmbH/4e325d09d08e16efb506076da2184f42"
    },
    {
      "type": "WEB",
      "url": "https://www.automai.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V3XM-8FCM-8J8Q

Vulnerability from github – Published: 2023-11-22 12:30 – Updated: 2026-02-23 09:31
VLAI
Details

Missing access permissions checks

in the M-Files server before 23.11.13156.0 allow attackers to perform data write and export

jobs using the M-Files API methods.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-6189"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-280"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-22T10:15:09Z",
    "severity": "MODERATE"
  },
  "details": "Missing access permissions checks\n\n in\u00a0the M-Files server\u00a0before 23.11.13156.0 allow attackers to perform data write and export\n\njobs using the\u00a0M-Files API methods.",
  "id": "GHSA-v3xm-8fcm-8j8q",
  "modified": "2026-02-23T09:31:18Z",
  "published": "2023-11-22T12:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6189"
    },
    {
      "type": "WEB",
      "url": "https://empower.m-files.com/security-advisories/CVE-2023-6189"
    },
    {
      "type": "WEB",
      "url": "https://https://www.m-files.com/about/trust-center/security-advisories/cve-2023-6189"
    },
    {
      "type": "WEB",
      "url": "https://product.m-files.com/security-advisories/cve-2023-6189"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V6VR-V3VV-J4R9

Vulnerability from github – Published: 2025-09-29 21:30 – Updated: 2025-09-29 21:30
VLAI
Details

Dell Repository Manager (DRM), versions 3.4.7 and 3.4.8, contains an Improper Handling of Insufficient Permissions or Privileges vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-45376"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-280"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-29T21:15:37Z",
    "severity": "HIGH"
  },
  "details": "Dell Repository Manager (DRM), versions 3.4.7 and 3.4.8, contains an Improper Handling of Insufficient Permissions or Privileges vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges.",
  "id": "GHSA-v6vr-v3vv-j4r9",
  "modified": "2025-09-29T21:30:27Z",
  "published": "2025-09-29T21:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-45376"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000375461/dsa-2025-373-security-update-for-dell-repository-manager-vulnerability"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VJRG-FWQX-82JX

Vulnerability from github – Published: 2026-03-09 15:30 – Updated: 2026-03-09 18:31
VLAI
Details

Software installed and run as a non-privileged user may conduct improper GPU system calls to gain write permission to read-only wrapped user-mode memory.

This is caused by improper handling of the memory protections for the user-mode wrapped memory resource.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-21736"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-280"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-09T13:15:56Z",
    "severity": "MODERATE"
  },
  "details": "Software installed and run as a non-privileged user may conduct improper GPU system calls to gain write permission to read-only wrapped user-mode memory.\n\nThis is caused by improper handling of the memory\u00a0protections\u00a0for the user-mode wrapped memory resource.",
  "id": "GHSA-vjrg-fwqx-82jx",
  "modified": "2026-03-09T18:31:43Z",
  "published": "2026-03-09T15:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21736"
    },
    {
      "type": "WEB",
      "url": "https://www.imaginationtech.com/gpu-driver-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VP3X-FQ4P-VF29

Vulnerability from github – Published: 2025-02-20 00:32 – Updated: 2025-02-20 00:32
VLAI
Details

The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state. (CWE-280)

Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, do not handle invalid and missing permissions correctly, resulting in a denial of service.

An adversary leverages a legitimate capability of an application in such a way as to achieve a negative technical impact.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-6697"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-280"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-20T00:15:20Z",
    "severity": "MODERATE"
  },
  "details": "The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state. (CWE-280)\n\n\n\n\u00a0\n\n\n\nHitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, do not handle invalid and missing permissions correctly, resulting in a denial of service.\n\n\n\n\u00a0\n\n\n\nAn adversary leverages a legitimate capability of an application in such a way as to achieve a negative technical impact.",
  "id": "GHSA-vp3x-fq4p-vf29",
  "modified": "2025-02-20T00:32:06Z",
  "published": "2025-02-20T00:32:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6697"
    },
    {
      "type": "WEB",
      "url": "https://support.pentaho.com/hc/en-us/articles/34296654642701--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Improper-Handling-of-Insufficient-Permissions-or-Privileges-Versions-before-10-2-0-0-and-9-3-0-9-including-8-3-x-Impacted-CVE-2024-6697"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-46
Architecture and Design

Strategy: Separation of Privilege

  • Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
  • Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Mitigation
Implementation

Always check to see if you have successfully accessed a resource or system functionality, and use proper error handling if it is unsuccessful. Do this even when you are operating in a highly privileged mode, because errors or environmental conditions might still cause a failure. For example, environments with highly granular permissions/privilege models, such as Windows or Linux capabilities, can cause unexpected failures.

No CAPEC attack patterns related to this CWE.