Common Weakness Enumeration
CWE-281
AllowedImproper Preservation of Permissions
Abstraction: Base · Status: Draft
The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.
432 vulnerabilities reference this CWE, most recent first.
CVE-2025-34298 (GCVE-0-2025-34298)
Vulnerability from cvelistv5 – Published: 2025-10-30 21:25 – Updated: 2025-11-17 21:36
VLAI
EPSS
VEX
Title
Nagios Log Server < 2024R1.3.2 Set Email Privilege Escalation
Summary
Nagios Log Server versions prior to 2024R1.3.2 contain a privilege escalation vulnerability in the account email-change workflow. A user could set their own email to an invalid value and, due to insufficient validation and authorization checks tied to email identity state, trigger inconsistent account state that granted elevated privileges or bypassed intended access controls.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-281 - Improper Preservation of Permissions
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.nagios.com/changelog/nagios-log-serve… | release-notespatch |
| https://www.vulncheck.com/advisories/nagios-log-s… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Nagios | Log Server |
Affected:
0 , < 2024R1.3.2
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34298",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-31T17:40:19.982180Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-31T17:40:32.919Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Web UI \u2013 Account profile / email update workflow"
],
"product": "Log Server",
"vendor": "Nagios",
"versions": [
{
"lessThan": "2024R1.3.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nagios:log_server:2024:*:*:*:*:*:*:*",
"versionEndExcluding": "r1.3.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Nagios Log Server versions prior to 2024R1.3.2 contain a privilege escalation vulnerability in the account email-change workflow. A user could set their own email to an invalid value and, due to insufficient validation and authorization checks tied to email identity state, trigger inconsistent account state that granted elevated privileges or bypassed intended access controls.\u003cbr\u003e"
}
],
"value": "Nagios Log Server versions prior to 2024R1.3.2 contain a privilege escalation vulnerability in the account email-change workflow. A user could set their own email to an invalid value and, due to insufficient validation and authorization checks tied to email identity state, trigger inconsistent account state that granted elevated privileges or bypassed intended access controls."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-281",
"description": "CWE-281 Improper Preservation of Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-17T21:36:25.925Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"release-notes",
"patch"
],
"url": "https://www.nagios.com/changelog/nagios-log-server-2024r1/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/nagios-log-server-set-email-privilege-escalation"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Nagios addresses this vulnerability as \"Fixed a privilege escalation issue where a user can edit their own email and put in an invalid address.\"\u003cbr\u003e"
}
],
"value": "Nagios addresses this vulnerability as \"Fixed a privilege escalation issue where a user can edit their own email and put in an invalid address.\""
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Nagios Log Server \u003c 2024R1.3.2 Set Email Privilege Escalation",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34298",
"datePublished": "2025-10-30T21:25:52.056Z",
"dateReserved": "2025-04-15T19:15:22.582Z",
"dateUpdated": "2025-11-17T21:36:25.925Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-32697 (GCVE-0-2025-32697)
Vulnerability from cvelistv5 – Published: 2025-04-10 18:29 – Updated: 2025-04-10 19:05
VLAI
EPSS
VEX
Title
Cascading protection is not preventing file reversions
Summary
Improper Preservation of Permissions vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/editpage/IntroMessageBuilder.Php, includes/Permissions/PermissionManager.Php, includes/Permissions/RestrictionStore.Php.
This issue affects MediaWiki: before 1.42.6, 1.43.1.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-281 - Improper Preservation of Permissions
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Wikimedia Foundation | MediaWiki |
Affected:
0 , < 1.42.6, 1.43.1
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32697",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-10T19:05:19.090332Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-10T19:05:48.098Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MediaWiki",
"programFiles": [
"includes/editpage/IntroMessageBuilder.php",
"includes/Permissions/PermissionManager.php",
"includes/Permissions/RestrictionStore.php"
],
"repo": "https://gerrit.wikimedia.org/g/mediawiki/core/+/refs/heads/master",
"vendor": "Wikimedia Foundation",
"versions": [
{
"lessThan": "1.42.6, 1.43.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Preservation of Permissions vulnerability in Wikimedia Foundation MediaWiki.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003eincludes/editpage/IntroMessageBuilder.Php\u003c/tt\u003e, \u003ctt\u003eincludes/Permissions/PermissionManager.Php\u003c/tt\u003e, \u003ctt\u003eincludes/Permissions/RestrictionStore.Php\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects MediaWiki: before 1.42.6, 1.43.1.\u003c/p\u003e"
}
],
"value": "Improper Preservation of Permissions vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/editpage/IntroMessageBuilder.Php, includes/Permissions/PermissionManager.Php, includes/Permissions/RestrictionStore.Php.\n\nThis issue affects MediaWiki: before 1.42.6, 1.43.1."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 0,
"baseSeverity": "NONE",
"privilegesRequired": "LOW",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/RE:M/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-281",
"description": "CWE-281 Improper Preservation of Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-10T18:29:17.482Z",
"orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"shortName": "wikimedia-foundation"
},
"references": [
{
"url": "https://phabricator.wikimedia.org/T140010"
},
{
"url": "https://phabricator.wikimedia.org/T62109"
},
{
"url": "https://phabricator.wikimedia.org/T24521"
}
],
"source": {
"defect": [
"https://phabricator.wikimedia.org/T140010"
],
"discovery": "UNKNOWN"
},
"title": "Cascading protection is not preventing file reversions",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"assignerShortName": "wikimedia-foundation",
"cveId": "CVE-2025-32697",
"datePublished": "2025-04-10T18:29:17.482Z",
"dateReserved": "2025-04-09T12:54:49.385Z",
"dateUpdated": "2025-04-10T19:05:48.098Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-32696 (GCVE-0-2025-32696)
Vulnerability from cvelistv5 – Published: 2025-04-10 18:28 – Updated: 2025-11-03 19:53
VLAI
EPSS
VEX
Title
"reupload-own" restriction can be bypassed by reverting file
Summary
Improper Preservation of Permissions vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/actions/RevertAction.Php, includes/api/ApiFileRevert.Php.
This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-281 - Improper Preservation of Permissions
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Wikimedia Foundation | MediaWiki |
Affected:
0 , < 1.39.12, 1.42.6, 1.43.1
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32696",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-10T19:06:02.895680Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-10T19:06:14.490Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:53:33.707Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00012.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MediaWiki",
"programFiles": [
"includes/actions/RevertAction.php",
"includes/api/ApiFileRevert.php"
],
"repo": "https://gerrit.wikimedia.org/g/mediawiki/core/+/refs/heads/master",
"vendor": "Wikimedia Foundation",
"versions": [
{
"lessThan": "1.39.12, 1.42.6, 1.43.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Porplemontage"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Bartosz Dziewo\u0144ski"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Preservation of Permissions vulnerability in Wikimedia Foundation MediaWiki.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003eincludes/actions/RevertAction.Php\u003c/tt\u003e, \u003ctt\u003eincludes/api/ApiFileRevert.Php\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1.\u003c/p\u003e"
}
],
"value": "Improper Preservation of Permissions vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/actions/RevertAction.Php, includes/api/ApiFileRevert.Php.\n\nThis issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 0,
"baseSeverity": "NONE",
"privilegesRequired": "LOW",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/RE:M/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-281",
"description": "CWE-281 Improper Preservation of Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-10T18:28:48.161Z",
"orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"shortName": "wikimedia-foundation"
},
"references": [
{
"url": "https://phabricator.wikimedia.org/T304474"
}
],
"source": {
"defect": [
"https://phabricator.wikimedia.org/T304474"
],
"discovery": "UNKNOWN"
},
"title": "\"reupload-own\" restriction can be bypassed by reverting file",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc",
"assignerShortName": "wikimedia-foundation",
"cveId": "CVE-2025-32696",
"datePublished": "2025-04-10T18:28:48.161Z",
"dateReserved": "2025-04-09T12:54:49.385Z",
"dateUpdated": "2025-11-03T19:53:33.707Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-27563 (GCVE-0-2025-27563)
Vulnerability from cvelistv5 – Published: 2025-06-08 11:47 – Updated: 2025-06-09 15:04
VLAI
EPSS
VEX
Title
security_access_token has an improper preservation of permissions vulnerability
Summary
in OpenHarmony v5.0.3 and prior versions allow a local attacker cause information leak through get permission.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-281 - Improper Preservation of Permissions
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| OpenHarmony | OpenHarmony |
Affected:
v5.0.1 , ≤ v5.0.3
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27563",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-09T15:04:29.239765Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-09T15:04:35.209Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "OpenHarmony",
"vendor": "OpenHarmony",
"versions": [
{
"lessThanOrEqual": "v5.0.3",
"status": "affected",
"version": "v5.0.1",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "in OpenHarmony v5.0.3 and prior versions allow a local attacker cause information leak through get permission."
}
],
"value": "in OpenHarmony v5.0.3 and prior versions allow a local attacker cause information leak through get permission."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-281",
"description": "CWE-281 Improper Preservation of Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-08T11:47:13.415Z",
"orgId": "0cf5dd6e-1214-4398-a481-30441e48fafd",
"shortName": "OpenHarmony"
},
"references": [
{
"url": "https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2025/2025-06.md"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "security_access_token has an improper preservation of permissions vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cf5dd6e-1214-4398-a481-30441e48fafd",
"assignerShortName": "OpenHarmony",
"cveId": "CVE-2025-27563",
"datePublished": "2025-06-08T11:47:13.415Z",
"dateReserved": "2025-03-02T07:18:52.700Z",
"dateUpdated": "2025-06-09T15:04:35.209Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-27247 (GCVE-0-2025-27247)
Vulnerability from cvelistv5 – Published: 2025-06-08 11:47 – Updated: 2025-06-09 13:59
VLAI
EPSS
VEX
Title
Pasteboard has an improper preservation of permissions vulnerability
Summary
in OpenHarmony v5.0.3 and prior versions allow a local attacker cause information leak through get permission.
Severity
5.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-281 - Improper Preservation of Permissions
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| OpenHarmony | OpenHarmony |
Affected:
v5.0.1 , ≤ v5.0.3
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27247",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-09T13:57:52.799480Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-09T13:59:06.332Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "OpenHarmony",
"vendor": "OpenHarmony",
"versions": [
{
"lessThanOrEqual": "v5.0.3",
"status": "affected",
"version": "v5.0.1",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "in OpenHarmony v5.0.3 and prior versions allow a local attacker cause information leak through get permission."
}
],
"value": "in OpenHarmony v5.0.3 and prior versions allow a local attacker cause information leak through get permission."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-281",
"description": "CWE-281 Improper Preservation of Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-08T11:47:25.245Z",
"orgId": "0cf5dd6e-1214-4398-a481-30441e48fafd",
"shortName": "OpenHarmony"
},
"references": [
{
"url": "https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2025/2025-06.md"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Pasteboard has an improper preservation of permissions vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cf5dd6e-1214-4398-a481-30441e48fafd",
"assignerShortName": "OpenHarmony",
"cveId": "CVE-2025-27247",
"datePublished": "2025-06-08T11:47:25.245Z",
"dateReserved": "2025-03-02T07:18:52.710Z",
"dateUpdated": "2025-06-09T13:59:06.332Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-26693 (GCVE-0-2025-26693)
Vulnerability from cvelistv5 – Published: 2025-06-08 11:47 – Updated: 2025-06-09 03:29
VLAI
EPSS
VEX
Title
security_access_token has an improper preservation of permissions vulnerability
Summary
in OpenHarmony v5.0.3 and prior versions allow a local attacker cause information leak through get permission.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-281 - Improper Preservation of Permissions
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| OpenHarmony | OpenHarmony |
Affected:
v5.0.1 , ≤ v5.0.3
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-26693",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-09T03:29:47.500862Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-09T03:29:57.365Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "OpenHarmony",
"vendor": "OpenHarmony",
"versions": [
{
"lessThanOrEqual": "v5.0.3",
"status": "affected",
"version": "v5.0.1",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "in OpenHarmony v5.0.3 and prior versions allow a local attacker cause information leak through get permission."
}
],
"value": "in OpenHarmony v5.0.3 and prior versions allow a local attacker cause information leak through get permission."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-281",
"description": "CWE-281 Improper Preservation of Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-08T11:47:09.091Z",
"orgId": "0cf5dd6e-1214-4398-a481-30441e48fafd",
"shortName": "OpenHarmony"
},
"references": [
{
"url": "https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2025/2025-06.md"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "security_access_token has an improper preservation of permissions vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cf5dd6e-1214-4398-a481-30441e48fafd",
"assignerShortName": "OpenHarmony",
"cveId": "CVE-2025-26693",
"datePublished": "2025-06-08T11:47:09.091Z",
"dateReserved": "2025-03-02T07:18:52.692Z",
"dateUpdated": "2025-06-09T03:29:57.365Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-26691 (GCVE-0-2025-26691)
Vulnerability from cvelistv5 – Published: 2025-06-08 11:47 – Updated: 2025-06-09 03:30
VLAI
EPSS
VEX
Title
telephony_call_manager has an improper preservation of permissions vulnerability
Summary
in OpenHarmony v5.0.3 and prior versions allow a local attacker cause information leak through get permission.
Severity
5.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-281 - Improper Preservation of Permissions
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| OpenHarmony | OpenHarmony |
Affected:
v5.0.1 , ≤ v5.0.3
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-26691",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-09T03:30:12.671389Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-09T03:30:20.333Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "OpenHarmony",
"vendor": "OpenHarmony",
"versions": [
{
"lessThanOrEqual": "v5.0.3",
"status": "affected",
"version": "v5.0.1",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "in OpenHarmony v5.0.3 and prior versions allow a local attacker cause information leak through get permission."
}
],
"value": "in OpenHarmony v5.0.3 and prior versions allow a local attacker cause information leak through get permission."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-281",
"description": "CWE-281 Improper Preservation of Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-08T11:47:04.449Z",
"orgId": "0cf5dd6e-1214-4398-a481-30441e48fafd",
"shortName": "OpenHarmony"
},
"references": [
{
"url": "https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2025/2025-06.md"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "telephony_call_manager has an improper preservation of permissions vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cf5dd6e-1214-4398-a481-30441e48fafd",
"assignerShortName": "OpenHarmony",
"cveId": "CVE-2025-26691",
"datePublished": "2025-06-08T11:47:04.449Z",
"dateReserved": "2025-03-02T07:18:04.330Z",
"dateUpdated": "2025-06-09T03:30:20.333Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-24791 (GCVE-0-2025-24791)
Vulnerability from cvelistv5 – Published: 2025-01-29 16:59 – Updated: 2025-01-29 17:08
VLAI
EPSS
VEX
Title
snowflake-connector-nodejs has incorrect validation of temporary credential cache file permissions
Summary
snowflake-connector-nodejs is a NodeJS driver for Snowflake. Snowflake discovered and remediated a vulnerability in the Snowflake NodeJS Driver. File permissions checks of the temporary credential cache could be bypassed by an attacker with write access to the local cache directory. This vulnerability affects versions 1.12.0 through 2.0.1 on Linux. Snowflake fixed the issue in version 2.0.2.
Severity
4.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-281 - Improper Preservation of Permissions
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/snowflakedb/snowflake-connecto… | x_refsource_CONFIRM |
| https://github.com/snowflakedb/snowflake-connecto… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| snowflakedb | snowflake-connector-nodejs |
Affected:
>= 1.12.0, < 2.0.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-24791",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-29T17:08:41.667104Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-29T17:08:51.042Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "snowflake-connector-nodejs",
"vendor": "snowflakedb",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.12.0, \u003c 2.0.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "snowflake-connector-nodejs is a NodeJS driver for Snowflake. Snowflake discovered and remediated a vulnerability in the Snowflake NodeJS Driver. File permissions checks of the temporary credential cache could be bypassed by an attacker with write access to the local cache directory. This vulnerability affects versions 1.12.0 through 2.0.1 on Linux. Snowflake fixed the issue in version 2.0.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-281",
"description": "CWE-281: Improper Preservation of Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-29T16:59:24.627Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/snowflakedb/snowflake-connector-nodejs/security/advisories/GHSA-xfhv-wqj6-rx99",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/snowflakedb/snowflake-connector-nodejs/security/advisories/GHSA-xfhv-wqj6-rx99"
},
{
"name": "https://github.com/snowflakedb/snowflake-connector-nodejs/commit/89731b3a4d61a75b721d13d4e47a7a3712ffa45f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/snowflakedb/snowflake-connector-nodejs/commit/89731b3a4d61a75b721d13d4e47a7a3712ffa45f"
}
],
"source": {
"advisory": "GHSA-xfhv-wqj6-rx99",
"discovery": "UNKNOWN"
},
"title": "snowflake-connector-nodejs has incorrect validation of temporary credential cache file permissions"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-24791",
"datePublished": "2025-01-29T16:59:24.627Z",
"dateReserved": "2025-01-23T17:11:35.837Z",
"dateUpdated": "2025-01-29T17:08:51.042Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-24337 (GCVE-0-2025-24337)
Vulnerability from cvelistv5 – Published: 2025-01-20 00:00 – Updated: 2025-01-21 20:25
VLAI
EPSS
VEX
Summary
WriteFreely through 0.15.1, when MySQL is used, allows local users to discover credentials by reading config.ini.
Severity
8.4 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-281 - Improper Preservation of Permissions
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Musing Studio | WriteFreely |
Affected:
0 , ≤ 0.15.1
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-24337",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-21T20:25:16.460797Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-21T20:25:39.697Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "WriteFreely",
"vendor": "Musing Studio",
"versions": [
{
"lessThanOrEqual": "0.15.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "WriteFreely through 0.15.1, when MySQL is used, allows local users to discover credentials by reading config.ini."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-281",
"description": "CWE-281 Improper Preservation of Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-20T13:59:02.002Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://raphus.social/@TV4Fun/113846757112643161"
},
{
"url": "https://github.com/writefreely/writefreely/releases/tag/v0.15.1"
},
{
"url": "https://www.openwall.com/lists/oss-security/2025/01/18/1"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-24337",
"datePublished": "2025-01-20T00:00:00.000Z",
"dateReserved": "2025-01-20T00:00:00.000Z",
"dateUpdated": "2025-01-21T20:25:39.697Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22620 (GCVE-0-2025-22620)
Vulnerability from cvelistv5 – Published: 2025-01-20 15:38 – Updated: 2025-01-21 14:54
VLAI
EPSS
VEX
Title
gix-worktree-state nonexclusive checkout sets executable files world-writable
Summary
gitoxide is an implementation of git written in Rust. Prior to 0.17.0, gix-worktree-state specifies 0777 permissions when checking out executable files, intending that the umask will restrict them appropriately. But one of the strategies it uses to set permissions is not subject to the umask. This causes files in a repository to be world-writable in some situations. This vulnerability is fixed in 0.17.0.
Severity
5 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/GitoxideLabs/gitoxide/security… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| GitoxideLabs | gitoxide |
Affected:
< 0.17.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22620",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-21T14:54:20.971258Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-21T14:54:25.544Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "gitoxide",
"vendor": "GitoxideLabs",
"versions": [
{
"status": "affected",
"version": "\u003c 0.17.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "gitoxide is an implementation of git written in Rust. Prior to 0.17.0, gix-worktree-state specifies 0777 permissions when checking out executable files, intending that the umask will restrict them appropriately. But one of the strategies it uses to set permissions is not subject to the umask. This causes files in a repository to be world-writable in some situations. This vulnerability is fixed in 0.17.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-281",
"description": "CWE-281: Improper Preservation of Permissions",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-687",
"description": "CWE-687: Function Call With Incorrectly Specified Argument Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-20T15:38:32.388Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/GitoxideLabs/gitoxide/security/advisories/GHSA-fqmf-w4xh-33rh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/GitoxideLabs/gitoxide/security/advisories/GHSA-fqmf-w4xh-33rh"
}
],
"source": {
"advisory": "GHSA-fqmf-w4xh-33rh",
"discovery": "UNKNOWN"
},
"title": "gix-worktree-state nonexclusive checkout sets executable files world-writable"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-22620",
"datePublished": "2025-01-20T15:38:32.388Z",
"dateReserved": "2025-01-07T15:07:26.777Z",
"dateUpdated": "2025-01-21T14:54:25.544Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.