CWE-281
AllowedImproper Preservation of Permissions
Abstraction: Base · Status: Draft
The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.
432 vulnerabilities reference this CWE, most recent first.
GHSA-VXH2-R3FH-MQH4
Vulnerability from github – Published: 2023-11-30 06:33 – Updated: 2023-12-05 18:30Insecure Permissions vulnerability in GL.iNet AX1800 version 4.0.0 before 4.5.0 allows a remote attacker to execute arbitrary code via a crafted script to the gl_nas_sys authentication function.
{
"affected": [],
"aliases": [
"CVE-2023-47463"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-30T05:15:08Z",
"severity": "CRITICAL"
},
"details": "Insecure Permissions vulnerability in GL.iNet AX1800 version 4.0.0 before 4.5.0 allows a remote attacker to execute arbitrary code via a crafted script to the gl_nas_sys authentication function.",
"id": "GHSA-vxh2-r3fh-mqh4",
"modified": "2023-12-05T18:30:22Z",
"published": "2023-11-30T06:33:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47463"
},
{
"type": "WEB",
"url": "https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/an%20unauthenticated%20remote%20code%20execution.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W24G-6MF8-65CJ
Vulnerability from github – Published: 2026-01-26 21:30 – Updated: 2026-05-19 15:31A flaw was found in NetworkManager. The NetworkManager package allows access to files that may belong to other users. NetworkManager allows non-root users to configure the system's network. The daemon runs with root privileges and can access files owned by users different from the one who added the connection.
{
"affected": [],
"aliases": [
"CVE-2025-9615"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-26T20:16:09Z",
"severity": "LOW"
},
"details": "A flaw was found in NetworkManager. The NetworkManager package allows access to files that may belong to other users. NetworkManager allows non-root users to configure the system\u0027s network. The daemon runs with root privileges and can access files owned by users different from the one who added the connection.",
"id": "GHSA-w24g-6mf8-65cj",
"modified": "2026-05-19T15:31:19Z",
"published": "2026-01-26T21:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9615"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:18142"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:18597"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-9615"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2391503"
},
{
"type": "WEB",
"url": "https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/1809"
},
{
"type": "WEB",
"url": "https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/2324"
},
{
"type": "WEB",
"url": "https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/2327"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W5G9-XVWM-4QF8
Vulnerability from github – Published: 2022-05-13 01:47 – Updated: 2025-10-22 00:31Microsoft Windows XP SP3, Windows XP x64 XP2, Windows Server 2003 SP2, Windows Vista, Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allow an attacker to take control of the affected system when Windows Search fails to handle objects in memory, aka "Windows Search Remote Code Execution Vulnerability".
{
"affected": [],
"aliases": [
"CVE-2017-8543"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-06-15T01:29:00Z",
"severity": "CRITICAL"
},
"details": "Microsoft Windows XP SP3, Windows XP x64 XP2, Windows Server 2003 SP2, Windows Vista, Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allow an attacker to take control of the affected system when Windows Search fails to handle objects in memory, aka \"Windows Search Remote Code Execution Vulnerability\".",
"id": "GHSA-w5g9-xvwm-4qf8",
"modified": "2025-10-22T00:31:23Z",
"published": "2022-05-13T01:47:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8543"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8543"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-8543"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/98824"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1038667"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W643-WVHG-95X9
Vulnerability from github – Published: 2023-06-23 18:30 – Updated: 2024-04-04 05:08This issue was addressed with improved checks. This issue is fixed in iOS 16.5 and iPadOS 16.5, macOS Ventura 13.4, watchOS 9.5. Entitlements and privacy permissions granted to this app may be used by a malicious app
{
"affected": [],
"aliases": [
"CVE-2023-32400"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-23T18:15:12Z",
"severity": "MODERATE"
},
"details": "This issue was addressed with improved checks. This issue is fixed in iOS 16.5 and iPadOS 16.5, macOS Ventura 13.4, watchOS 9.5. Entitlements and privacy permissions granted to this app may be used by a malicious app",
"id": "GHSA-w643-wvhg-95x9",
"modified": "2024-04-04T05:08:02Z",
"published": "2023-06-23T18:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32400"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213757"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213758"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213764"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT213761"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W6W8-XWP9-3VWQ
Vulnerability from github – Published: 2025-01-08 21:32 – Updated: 2025-01-31 18:31Certain Teradata account-handling code through 2024-11-04, used with SUSE Enterprise Linux Server, mismanages groups. Specifically, when there is an operating system move from SUSE Enterprise Linux Server (SLES) 12 Service Pack (SP) 2 or 3 to SLES 15 SP2 on Teradata Database systems, some service/system user accounts, and possibly systems administrator created user accounts, are incorrectly assigned to groups that allow higher system-level privileges than intended for those user accounts. Depending on the usage of these accounts, this may lead to full system compromise.
{
"affected": [],
"aliases": [
"CVE-2024-52869"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-08T21:15:12Z",
"severity": "MODERATE"
},
"details": "Certain Teradata account-handling code through 2024-11-04, used with SUSE Enterprise Linux Server, mismanages groups. Specifically, when there is an operating system move from SUSE Enterprise Linux Server (SLES) 12 Service Pack (SP) 2 or 3 to SLES 15 SP2 on Teradata Database systems, some service/system user accounts, and possibly systems administrator created user accounts, are incorrectly assigned to groups that allow higher system-level privileges than intended for those user accounts. Depending on the usage of these accounts, this may lead to full system compromise.",
"id": "GHSA-w6w8-xwp9-3vwq",
"modified": "2025-01-31T18:31:04Z",
"published": "2025-01-08T21:32:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52869"
},
{
"type": "WEB",
"url": "https://chrismanson.com/CVE/cve-2024-52869.html"
},
{
"type": "WEB",
"url": "https://www.teradata.com/trust-security-center/data-security"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-W8QP-HMH5-4V9V
Vulnerability from github – Published: 2022-04-29 16:22 – Updated: 2025-08-06 14:50Object state limitation is a policy you can use in your roles to limit access to content based on specific object state values. Due to a flawed earlier update, these limitations were ineffective in releases made since February 16th 2022. They would grant access to the given content regardless of the object state. Depending on how your frontend is designed, knowing the URL to the content may or may not be required to access it. If you are using object state limitations in your roles, this issue is critical. Please apply the fix as soon as possible.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "ezsystems/ezplatform-kernel"
},
"ranges": [
{
"events": [
{
"introduced": "1.3.0"
},
{
"fixed": "1.3.17"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": true,
"github_reviewed_at": "2022-04-29T16:22:58Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "Object state limitation is a policy you can use in your roles to limit access to content based on specific object state values. Due to a flawed earlier update, these limitations were ineffective in releases made since February 16th 2022. They would grant access to the given content regardless of the object state. Depending on how your frontend is designed, knowing the URL to the content may or may not be required to access it. If you are using object state limitations in your roles, this issue is critical. Please apply the fix as soon as possible.",
"id": "GHSA-w8qp-hmh5-4v9v",
"modified": "2025-08-06T14:50:29Z",
"published": "2022-04-29T16:22:58Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ezsystems/ezplatform-kernel/security/advisories/GHSA-w8qp-hmh5-4v9v"
},
{
"type": "WEB",
"url": "https://developers.ibexa.co/security-advisories/ibexa-sa-2022-004-ineffective-object-state-limitation-and-unauthenticated-fastly-purge"
},
{
"type": "PACKAGE",
"url": "https://github.com/ezsystems/ezplatform-kernel"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Object state limitation has no effect"
}
GHSA-WC8W-WRJJ-MVQ9
Vulnerability from github – Published: 2024-12-10 21:30 – Updated: 2024-12-12 03:33An issue in Silicon Labs Z-Wave Series 500 v6.84.0 allows attackers to execute arbitrary code.
{
"affected": [],
"aliases": [
"CVE-2024-50930"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-10T19:15:30Z",
"severity": "HIGH"
},
"details": "An issue in Silicon Labs Z-Wave Series 500 v6.84.0 allows attackers to execute arbitrary code.",
"id": "GHSA-wc8w-wrjj-mvq9",
"modified": "2024-12-12T03:33:01Z",
"published": "2024-12-10T21:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50930"
},
{
"type": "WEB",
"url": "https://github.com/CNK2100/2024-CVE/blob/main/README.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WFQQ-7288-2HGF
Vulnerability from github – Published: 2024-09-17 00:31 – Updated: 2025-11-04 18:31A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15. An app may be able to access a user's Photos Library.
{
"affected": [],
"aliases": [
"CVE-2024-40831"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-17T00:15:48Z",
"severity": "MODERATE"
},
"details": "A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15. An app may be able to access a user\u0027s Photos Library.",
"id": "GHSA-wfqq-7288-2hgf",
"modified": "2025-11-04T18:31:19Z",
"published": "2024-09-17T00:31:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40831"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121238"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Sep/33"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WG3J-J4RH-6353
Vulnerability from github – Published: 2022-05-24 19:05 – Updated: 2022-07-13 00:00In updateNotification of BeamTransferManager.java, there is a missing permission check. This could lead to local information disclosure of paired Bluetooth addresses with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-168712890
{
"affected": [],
"aliases": [
"CVE-2021-0542"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-22T12:15:00Z",
"severity": "MODERATE"
},
"details": "In updateNotification of BeamTransferManager.java, there is a missing permission check. This could lead to local information disclosure of paired Bluetooth addresses with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-168712890",
"id": "GHSA-wg3j-j4rh-6353",
"modified": "2022-07-13T00:00:59Z",
"published": "2022-05-24T19:05:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0542"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2021-06-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WP2P-82H9-R4VV
Vulnerability from github – Published: 2025-03-10 21:31 – Updated: 2025-03-11 18:32In wl_notify_gscan_event of wl_cfgscan.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{
"affected": [],
"aliases": [
"CVE-2024-56192"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-10T21:15:40Z",
"severity": "HIGH"
},
"details": "In wl_notify_gscan_event of wl_cfgscan.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.",
"id": "GHSA-wp2p-82h9-r4vv",
"modified": "2025-03-11T18:32:12Z",
"published": "2025-03-10T21:31:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56192"
},
{
"type": "WEB",
"url": "https://source.android.com/docs/security/bulletin/pixel-watch/2025/2025-03-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.