CWE-281
AllowedImproper Preservation of Permissions
Abstraction: Base · Status: Draft
The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.
432 vulnerabilities reference this CWE, most recent first.
GHSA-CRM9-RR9P-QWR6
Vulnerability from github – Published: 2025-01-28 00:32 – Updated: 2025-01-30 18:32A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sonoma 14.7.2, macOS Sequoia 15.2. An app may be able to approve a launch daemon without user consent.
{
"affected": [],
"aliases": [
"CVE-2024-54516"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-27T22:15:13Z",
"severity": "LOW"
},
"details": "A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sonoma 14.7.2, macOS Sequoia 15.2. An app may be able to approve a launch daemon without user consent.",
"id": "GHSA-crm9-rr9p-qwr6",
"modified": "2025-01-30T18:32:05Z",
"published": "2025-01-28T00:32:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54516"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121839"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121840"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CXMV-3HC7-9RH3
Vulnerability from github – Published: 2025-10-31 00:30 – Updated: 2025-11-06 18:32Nagios Log Server versions prior to 2024R1.3.2 contain a privilege escalation vulnerability in the account email-change workflow. A user could set their own email to an invalid value and, due to insufficient validation and authorization checks tied to email identity state, trigger inconsistent account state that granted elevated privileges or bypassed intended access controls.
{
"affected": [],
"aliases": [
"CVE-2025-34298"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-30T22:15:49Z",
"severity": "HIGH"
},
"details": "Nagios Log Server versions prior to 2024R1.3.2 contain a privilege escalation vulnerability in the account email-change workflow. A user could set their own email to an invalid value and, due to insufficient validation and authorization checks tied to email identity state, trigger inconsistent account state that granted elevated privileges or bypassed intended access controls.",
"id": "GHSA-cxmv-3hc7-9rh3",
"modified": "2025-11-06T18:32:49Z",
"published": "2025-10-31T00:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-34298"
},
{
"type": "WEB",
"url": "https://www.nagios.com/changelog/nagios-log-server-2024r1"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/nagios-log-server-set-email-privilege-escalation"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-F5WC-C3C7-36MC
Vulnerability from github – Published: 2026-06-25 22:14 – Updated: 2026-07-16 12:32When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "golang.org/x/crypto"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.52.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-39832"
],
"database_specific": {
"cwe_ids": [
"CWE-281",
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-25T22:14:00Z",
"nvd_published_at": "2026-05-22T04:16:22Z",
"severity": "CRITICAL"
},
"details": "When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.",
"id": "GHSA-f5wc-c3c7-36mc",
"modified": "2026-07-16T12:32:19Z",
"published": "2026-06-25T22:14:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39832"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-39832.json"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2026-5006"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/a082jnz-LvI"
},
{
"type": "WEB",
"url": "https://go.dev/issue/79435"
},
{
"type": "WEB",
"url": "https://go.dev/cl/778642"
},
{
"type": "PACKAGE",
"url": "https://cs.opensource.google/go/x/crypto"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480685"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-39832"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:40262"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:40118"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:37410"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:37387"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:37271"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:37123"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:37072"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36797"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36796"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36651"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36648"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36625"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36319"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36199"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:35833"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "golang.org/x/crypto doesn\u0027t drop invoking agent constraints when forwarding keys"
}
GHSA-F626-W254-W424
Vulnerability from github – Published: 2025-04-10 21:31 – Updated: 2025-04-10 21:31Improper Preservation of Permissions vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/editpage/IntroMessageBuilder.Php, includes/Permissions/PermissionManager.Php, includes/Permissions/RestrictionStore.Php.
This issue affects MediaWiki: before 1.42.6, 1.43.1.
{
"affected": [],
"aliases": [
"CVE-2025-32697"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-10T19:16:01Z",
"severity": "LOW"
},
"details": "Improper Preservation of Permissions vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/editpage/IntroMessageBuilder.Php, includes/Permissions/PermissionManager.Php, includes/Permissions/RestrictionStore.Php.\n\nThis issue affects MediaWiki: before 1.42.6, 1.43.1.",
"id": "GHSA-f626-w254-w424",
"modified": "2025-04-10T21:31:09Z",
"published": "2025-04-10T21:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32697"
},
{
"type": "WEB",
"url": "https://phabricator.wikimedia.org/T140010"
},
{
"type": "WEB",
"url": "https://phabricator.wikimedia.org/T24521"
},
{
"type": "WEB",
"url": "https://phabricator.wikimedia.org/T62109"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:M/U:Green",
"type": "CVSS_V4"
}
]
}
GHSA-FC8M-X59C-5F6R
Vulnerability from github – Published: 2024-07-30 00:34 – Updated: 2026-04-02 21:31An input validation issue was addressed with improved input validation. This issue is fixed in macOS Sonoma 14.6, macOS Monterey 12.7.6, macOS Ventura 13.6.8. An app may be able to modify protected parts of the file system.
{
"affected": [],
"aliases": [
"CVE-2024-40800"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-29T23:15:12Z",
"severity": "HIGH"
},
"details": "An input validation issue was addressed with improved input validation. This issue is fixed in macOS Sonoma 14.6, macOS Monterey 12.7.6, macOS Ventura 13.6.8. An app may be able to modify protected parts of the file system.",
"id": "GHSA-fc8m-x59c-5f6r",
"modified": "2026-04-02T21:31:50Z",
"published": "2024-07-30T00:34:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40800"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120910"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120911"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120912"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT214118"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT214119"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT214120"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT214118"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT214119"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT214120"
},
{
"type": "WEB",
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-2010"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Jul/18"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Jul/19"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Jul/20"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FF7W-225P-JFC7
Vulnerability from github – Published: 2022-05-13 01:47 – Updated: 2022-05-13 01:47Win32k in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an elevation of privilege vulnerability when it fails to properly handle objects in memory, aka "Win32k Elevation of Privilege Vulnerability". This CVE ID is unique from CVE-2017-8578, CVE-2017-8580, CVE-2017-8577, and CVE-2017-8467.
{
"affected": [],
"aliases": [
"CVE-2017-8581"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-07-11T21:29:00Z",
"severity": "HIGH"
},
"details": "Win32k in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an elevation of privilege vulnerability when it fails to properly handle objects in memory, aka \"Win32k Elevation of Privilege Vulnerability\". This CVE ID is unique from CVE-2017-8578, CVE-2017-8580, CVE-2017-8577, and CVE-2017-8467.",
"id": "GHSA-ff7w-225p-jfc7",
"modified": "2022-05-13T01:47:38Z",
"published": "2022-05-13T01:47:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8581"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8581"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/99423"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1038853"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FG56-PQV7-FM98
Vulnerability from github – Published: 2021-11-18 00:00 – Updated: 2022-05-04 00:01Insecure inherited permissions in the Intel(R) PROSet/Wireless WiFi software installer for Windows 10 before version 22.40 may allow an authenticated user to potentially enable escalation of privilege via local access.
{
"affected": [],
"aliases": [
"CVE-2021-0064"
],
"database_specific": {
"cwe_ids": [
"CWE-281",
"CWE-732"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-17T20:15:00Z",
"severity": "HIGH"
},
"details": "Insecure inherited permissions in the Intel(R) PROSet/Wireless WiFi software installer for Windows 10 before version 22.40 may allow an authenticated user to potentially enable escalation of privilege via local access.",
"id": "GHSA-fg56-pqv7-fm98",
"modified": "2022-05-04T00:01:02Z",
"published": "2021-11-18T00:00:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0064"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00509.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FG57-CQ37-V9F2
Vulnerability from github – Published: 2023-06-23 18:30 – Updated: 2024-04-04 05:07A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in watchOS 9.5, iOS 15.7.6 and iPadOS 15.7.6, macOS Ventura 13.4, iOS 16.5 and iPadOS 16.5, macOS Big Sur 11.7.7, macOS Monterey 12.6.6. An app may be able to bypass Privacy preferences
{
"affected": [],
"aliases": [
"CVE-2023-32388"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-23T18:15:12Z",
"severity": "MODERATE"
},
"details": "A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in watchOS 9.5, iOS 15.7.6 and iPadOS 15.7.6, macOS Ventura 13.4, iOS 16.5 and iPadOS 16.5, macOS Big Sur 11.7.7, macOS Monterey 12.6.6. An app may be able to bypass Privacy preferences",
"id": "GHSA-fg57-cq37-v9f2",
"modified": "2024-04-04T05:07:49Z",
"published": "2023-06-23T18:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32388"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213757"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213758"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213759"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213760"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213764"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213765"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FJ76-6R22-QFGV
Vulnerability from github – Published: 2022-05-24 17:07 – Updated: 2024-04-04 02:46Gentoo Portage through 2.3.84 allows local users to place a Trojan horse plugin in the /usr/lib64/nagios/plugins directory by leveraging access to the nagios user account, because this directory is writable in between a call to emake and a call to fowners.
{
"affected": [],
"aliases": [
"CVE-2019-20384"
],
"database_specific": {
"cwe_ids": [
"CWE-281",
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-01-21T00:15:00Z",
"severity": "MODERATE"
},
"details": "Gentoo Portage through 2.3.84 allows local users to place a Trojan horse plugin in the /usr/lib64/nagios/plugins directory by leveraging access to the nagios user account, because this directory is writable in between a call to emake and a call to fowners.",
"id": "GHSA-fj76-6r22-qfgv",
"modified": "2024-04-04T02:46:43Z",
"published": "2022-05-24T17:07:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20384"
},
{
"type": "WEB",
"url": "https://bugs.gentoo.org/692492"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/01/21/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FMV9-2X57-JQMV
Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2022-05-24 17:33Improper permissions in the installer for the Intel(R) Processor Identification Utility before version 6.4.0603 may allow an authenticated user to potentially enable escalation of privilege via local access.
{
"affected": [],
"aliases": [
"CVE-2020-12335"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-12T19:15:00Z",
"severity": "HIGH"
},
"details": "Improper permissions in the installer for the Intel(R) Processor Identification Utility before version 6.4.0603 may allow an authenticated user to potentially enable escalation of privilege via local access.",
"id": "GHSA-fmv9-2x57-jqmv",
"modified": "2022-05-24T17:33:35Z",
"published": "2022-05-24T17:33:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12335"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00419"
}
],
"schema_version": "1.4.0",
"severity": []
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.