Common Weakness Enumeration

CWE-281

Allowed

Improper Preservation of Permissions

Abstraction: Base · Status: Draft

The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.

432 vulnerabilities reference this CWE, most recent first.

GHSA-Q7Q3-4CWR-583J

Vulnerability from github – Published: 2024-09-17 00:31 – Updated: 2025-11-04 18:31
VLAI
Details

A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15. An app may be able to access user-sensitive data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-40859"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-17T00:15:49Z",
    "severity": "MODERATE"
  },
  "details": "A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15. An app may be able to access user-sensitive data.",
  "id": "GHSA-q7q3-4cwr-583j",
  "modified": "2025-11-04T18:31:20Z",
  "published": "2024-09-17T00:31:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40859"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/121238"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Sep/33"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q844-H75G-F78Q

Vulnerability from github – Published: 2025-04-01 00:30 – Updated: 2025-11-04 00:32
VLAI
Details

This issue was addressed with improved permissions checking. This issue is fixed in Safari 18.4, visionOS 2.4, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4. An app may gain unauthorized access to Local Network.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-31184"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-31T23:15:28Z",
    "severity": "HIGH"
  },
  "details": "This issue was addressed with improved permissions checking. This issue is fixed in Safari 18.4, visionOS 2.4, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4. An app may gain unauthorized access to Local Network.",
  "id": "GHSA-q844-h75g-f78q",
  "modified": "2025-11-04T00:32:25Z",
  "published": "2025-04-01T00:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31184"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122371"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122373"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122378"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122379"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/Apr/12"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/Apr/2"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/Apr/4"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/Apr/8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q965-9JFQ-2H9G

Vulnerability from github – Published: 2025-01-28 00:32 – Updated: 2025-01-30 18:32
VLAI
Details

A logic issue was addressed with improved restrictions. This issue is fixed in macOS Sonoma 14.7.2, macOS Sequoia 15.2, macOS Ventura 13.7.2. An attacker may gain access to protected parts of the file system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-54557"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-27T22:15:14Z",
    "severity": "HIGH"
  },
  "details": "A logic issue was addressed with improved restrictions. This issue is fixed in macOS Sonoma 14.7.2, macOS Sequoia 15.2, macOS Ventura 13.7.2. An attacker may gain access to protected parts of the file system.",
  "id": "GHSA-q965-9jfq-2h9g",
  "modified": "2025-01-30T18:32:05Z",
  "published": "2025-01-28T00:32:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54557"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/121839"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/121840"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/121842"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QC43-PGWQ-3Q2Q

Vulnerability from github – Published: 2022-09-16 21:01 – Updated: 2022-09-16 21:01
VLAI
Summary
Shopware access control list bypassed via crafted specific URLs
Details

Impact

If backend admin controllers are called with a certain notation, the ACL could be bypassed. Users could execute actions, which they are normally not able to do.

Patches

We recommend updating to the current version 5.7.15. You can get the update to 5.7.15 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/changelog-sw5/#5-7-15

For older versions you can use the Security Plugin: https://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html

References

https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-09-2022

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.7.14"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "shopware/shopware"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.7.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-36102"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-16T21:01:29Z",
    "nvd_published_at": "2022-09-12T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nIf backend admin controllers are called with a certain notation, the ACL could be bypassed. Users could execute actions, which they are normally not able to do.\n\n### Patches\nWe recommend updating to the current version 5.7.15. You can get the update to 5.7.15 regularly via the Auto-Updater or directly via the download overview.\nhttps://www.shopware.com/en/changelog-sw5/#5-7-15\n\nFor older versions you can use the Security Plugin:\nhttps://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html\n\n\n### References\nhttps://docs.shopware.com/en/shopware-5-en/security-updates/security-update-09-2022",
  "id": "GHSA-qc43-pgwq-3q2q",
  "modified": "2022-09-16T21:01:29Z",
  "published": "2022-09-16T21:01:29Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/shopware/shopware/security/advisories/GHSA-qc43-pgwq-3q2q"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36102"
    },
    {
      "type": "WEB",
      "url": "https://github.com/shopware/shopware/commit/de92d3a78279119a5bbe203054f8fa1d25126af6"
    },
    {
      "type": "WEB",
      "url": "https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-09-2022"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/shopware/shopware"
    },
    {
      "type": "WEB",
      "url": "https://packagist.org/packages/shopware/shopware"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Shopware access control list bypassed via crafted specific URLs"
}

GHSA-QCCJ-XJ7J-4C25

Vulnerability from github – Published: 2022-05-13 01:47 – Updated: 2022-05-13 01:47
VLAI
Details

Win32k in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an elevation of privilege vulnerability when it fails to properly handle objects in memory, aka "Win32k Elevation of Privilege Vulnerability". This CVE ID is unique from CVE-2017-8578, CVE-2017-8580, CVE-2017-8581, and CVE-2017-8467.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-8577"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-07-11T21:29:00Z",
    "severity": "HIGH"
  },
  "details": "Win32k in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an elevation of privilege vulnerability when it fails to properly handle objects in memory, aka \"Win32k Elevation of Privilege Vulnerability\". This CVE ID is unique from CVE-2017-8578, CVE-2017-8580, CVE-2017-8581, and CVE-2017-8467.",
  "id": "GHSA-qccj-xj7j-4c25",
  "modified": "2022-05-13T01:47:37Z",
  "published": "2022-05-13T01:47:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8577"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8577"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/99416"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1038853"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QCF6-6WF2-XMXG

Vulnerability from github – Published: 2021-12-16 00:01 – Updated: 2021-12-21 00:01
VLAI
Details

In setOnClickActivityIntent of SearchWidgetProvider.java, there is a possible way to access contacts and history bookmarks without permission due to an unsafe PendingIntent. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-9Android ID: A-184046278

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-0953"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-15T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "In setOnClickActivityIntent of SearchWidgetProvider.java, there is a possible way to access contacts and history bookmarks without permission due to an unsafe PendingIntent. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-9Android ID: A-184046278",
  "id": "GHSA-qcf6-6wf2-xmxg",
  "modified": "2021-12-21T00:01:23Z",
  "published": "2021-12-16T00:01:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0953"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2021-12-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-QCP2-2XF6-HW26

Vulnerability from github – Published: 2026-07-09 18:31 – Updated: 2026-07-09 18:31
VLAI
Details

When oxenstored is tearing a domain down, the node data is cleaned up but the usage counts are leaked.

When the domain ID is eventually reused, the new domain can create fewer nodes before beeing deemed to be over quota.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-23556"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-09T16:16:38Z",
    "severity": "CRITICAL"
  },
  "details": "When oxenstored is tearing a domain down, the node data is cleaned up\nbut the usage counts are leaked.\n\nWhen the domain ID is eventually reused, the new domain can create fewer\nnodes before beeing deemed to be over quota.",
  "id": "GHSA-qcp2-2xf6-hw26",
  "modified": "2026-07-09T18:31:50Z",
  "published": "2026-07-09T18:31:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23556"
    },
    {
      "type": "WEB",
      "url": "https://xenbits.xen.org/xsa/advisory-483.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/04/28/10"
    },
    {
      "type": "WEB",
      "url": "http://xenbits.xen.org/xsa/advisory-483.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-QG38-9F8P-H2HP

Vulnerability from github – Published: 2022-05-24 17:28 – Updated: 2022-05-24 17:28
VLAI
Details

In Settings, there is a possible permissions bypass. This could lead to local information disclosure of the device's IMEI with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-147309310

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-0331"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-09-18T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In Settings, there is a possible permissions bypass. This could lead to local information disclosure of the device\u0027s IMEI with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-147309310",
  "id": "GHSA-qg38-9f8p-h2hp",
  "modified": "2022-05-24T17:28:39Z",
  "published": "2022-05-24T17:28:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-0331"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/android-11"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-QM8F-GCV9-R92V

Vulnerability from github – Published: 2024-04-02 09:30 – Updated: 2024-04-02 09:30
VLAI
Details

in OpenHarmony v3.2.4 and prior versions allow a local attacker cause apps crash through get permission.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-22177"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-02T07:15:42Z",
    "severity": "LOW"
  },
  "details": "in OpenHarmony v3.2.4 and prior versions allow a local attacker cause apps crash through get permission.",
  "id": "GHSA-qm8f-gcv9-r92v",
  "modified": "2024-04-02T09:30:40Z",
  "published": "2024-04-02T09:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22177"
    },
    {
      "type": "WEB",
      "url": "https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2024/2024-04.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QQ5H-RJJ9-Q9QG

Vulnerability from github – Published: 2025-01-29 15:31 – Updated: 2025-01-29 19:20
VLAI
Summary
RuoYi vulnerable to Denial of Service by attackers with admin privileges
Details

An issue in the reset password interface of ruoyi v4.8.0 allows attackers with Admin privileges to cause a Denial of Service (DoS) by duplicating the login name of the account.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.ruoyi:ruoyi"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "4.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-57439"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-29T19:20:35Z",
    "nvd_published_at": "2025-01-29T15:15:17Z",
    "severity": "MODERATE"
  },
  "details": "An issue in the reset password interface of ruoyi v4.8.0 allows attackers with Admin privileges to cause a Denial of Service (DoS) by duplicating the login name of the account.",
  "id": "GHSA-qq5h-rjj9-q9qg",
  "modified": "2025-01-29T19:20:35Z",
  "published": "2025-01-29T15:31:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57439"
    },
    {
      "type": "PACKAGE",
      "url": "https://gitee.com/y_project/RuoYi"
    },
    {
      "type": "WEB",
      "url": "https://github.com/peccc/restful_vul/blob/main/ruoyi_dos/ruoyi_dos.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/yangzongzhuan/RuoYi"
    },
    {
      "type": "WEB",
      "url": "https://ruoyi.vip"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "RuoYi vulnerable to Denial of Service by attackers with admin privileges"
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.