
CWE-269 (Improper Privilege Management) — Vulnerability Class (1004 CVEs)

1004 vulnerabilities are classified as CWE-269 (Improper Privilege Management). AI-generated Chinese analysis is included.

CWE-269 represents a critical access control weakness where software fails to properly assign, modify, track, or verify privileges for users or processes. This flaw allows actors to operate outside their intended security boundaries, effectively granting them an unintended sphere of control. Attackers typically exploit this vulnerability by manipulating session tokens, bypassing authentication checks, or leveraging insufficient authorization logic to escalate privileges from a standard user to an administrator. Such exploitation can lead to unauthorized data access, system modification, or complete compromise. To prevent this, developers must implement robust identity and access management frameworks that enforce strict least-privilege principles. Regularly auditing permission assignments, utilizing role-based access control, and rigorously validating user rights at every critical application checkpoint are essential strategies to ensure actors only possess the minimum necessary privileges for their specific tasks.

MITRE CWE Description
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Common Consequences (1)
Access Control: Gain Privileges or Assume Identity

Mitigations (3)
Architecture and Design, Operation: Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Architecture and Design: Follow the principle of least privilege when assigning access rights to entities in a software system.
Architecture and Design: Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
Examples (2)
This code temporarily raises the program's privileges to allow creation of a new user folder. If os.mkdir() raises OSError, the call to lowerPrivileges() is skipped and the process keeps running with elevated privileges.

```python
import os

# invalidUsername(), raisePrivileges() and lowerPrivileges() are assumed to be
# defined elsewhere in the program.
def makeNewUserDir(username):
    if invalidUsername(username):
        # avoid CWE-22 and CWE-78
        print('Usernames cannot contain invalid characters')
        return False
    try:
        raisePrivileges()
        os.mkdir('/home/' + username)
        lowerPrivileges()
    except OSError:
        # lowerPrivileges() was never reached: privileges stay raised (CWE-269)
        print('Unable to create new user directory for user:' + username)
        return False
    return True
```

Bad · Python
The following example demonstrates the weakness: the effective UID is raised to root and only restored afterwards, so any early return, error path or signal handler between the two calls runs with root privileges.

```c
#include <unistd.h>

seteuid(0);            /* raise the effective UID to root */
/* do some stuff */
seteuid(getuid());     /* drop back to the real UID */
```

Bad · C
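The Python example above fails to drop privileges when os.mkdir() raises. The following is an added example (not MITRE's code) that places the vulnerable pattern beside a hardened version using try/finally, and shows the difference on a failing mkdir. The PrivState class, the username pattern and failing_mkdir are constructed stand-ins so the code runs offline; a real implementation would call os.seteuid()/os.setegid() where PrivState flips its flag.

```python
import re

# Constructed stand-in for the process's effective privilege level; a real
# implementation would call os.seteuid()/os.setegid() here.
class PrivState:
    def __init__(self):
        self.elevated = False
    def raise_privileges(self):
        self.elevated = True
    def lower_privileges(self):
        self.elevated = False

# Assumed username policy: reject anything that could traverse out of /home
# (CWE-22) or reach a shell (CWE-78).
USERNAME_RE = re.compile(r'^[a-z_][a-z0-9_-]{0,31}$')
def invalid_username(username):
    return USERNAME_RE.match(username) is None

def make_new_user_dir_bad(priv, username, mkdir):
    # The page's pattern: lower_privileges() is skipped when mkdir raises.
    if invalid_username(username):
        return False
    try:
        priv.raise_privileges()
        mkdir('/home/' + username)
        priv.lower_privileges()
    except OSError:
        return False  # priv.elevated is still True here
    return True

def make_new_user_dir_fixed(priv, username, mkdir):
    # Hardened: privileges are dropped on every path, including failure.
    if invalid_username(username):
        return False
    priv.raise_privileges()
    try:
        mkdir('/home/' + username)
    except OSError:
        return False
    finally:
        priv.lower_privileges()  # runs whether mkdir succeeded, raised, or returned early
    return True

def failing_mkdir(path):
    # Constructed failure: simulates an existing directory or a disk error.
    raise OSError('mkdir failed for ' + path)

def demo():
    # Returns (elevated_after_bad, elevated_after_fixed) for a failing mkdir.
    bad = PrivState()
    make_new_user_dir_bad(bad, 'alice', failing_mkdir)
    fixed = PrivState()
    make_new_user_dir_fixed(fixed, 'alice', failing_mkdir)
    return bad.elevated, fixed.elevated  # (True, False)
```

Pass a real os.mkdir as the mkdir argument to use the hardened function in practice; the privilege drop in finally is what makes the error path safe.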
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2024-21966 | AMD Ryzen Master security vulnerability | AMD Ryzen™ Master Utility | 7.3 | High | 2025-02-11
CVE-2025-25202 | Ash Authentication has flawed token revocation checking logic in actions generated by `mix ash_authentication.install` | ash_authentication | 8.2 | - | 2025-02-11
CVE-2025-0180 | WP Foodbakery <= 4.7 - Unauthenticated Privilege Escalation in foodbakery_registration_validation | WP Foodbakery | 9.8 | Critical | 2025-02-11
CVE-2025-24805 | Local Privilege Escalation in MobSF | Mobile-Security-Framework-MobSF | 6.1 | - | 2025-02-05
CVE-2024-47770 | Ability to view Agent list with no privilege access in wazuh-dashboard | wazuh | 4.6 | Medium | 2025-02-03
CVE-2024-13343 | WooCommerce Customers Manager <= 31.3 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation | WooCommerce Customers Manager | 8.8 | High | 2025-02-01
CVE-2025-23007 | SonicWALL NetExtender security vulnerability | NetExtender | 8.8 | - | 2025-01-30
CVE-2025-0834 | Wondershare Dr.Fone Privilege Scalation Vulnerability | Dr.Fone | 7.8 | High | 2025-01-30
CVE-2021-3978 | Improper Preservation of Permissions in github.com/cloudflare/cfrpki/cmd/octorpki | octorpki | 7.5 | High | 2025-01-29
CVE-2024-43446 | Improper check of permissions in Generic Interface | OTRS | 3.5 | Low | 2025-01-27
CVE-2025-24353 | Directus privilege escalation vulnerability using Share feature | directus | 5.0 | Medium | 2025-01-23
CVE-2025-0651 | File symlink abuse might lead to deleting files belonging to SYSTEM user | WARP | 7.1 | - | 2025-01-22
CVE-2024-11218 | Podman: buildah: container breakout by using --jobs=2 and a race condition when building a malicious containerfile | - | 8.6 | High | 2025-01-22
CVE-2025-23208 | IdP group membership revocation ignored in zot | zot | 7.3 | High | 2025-01-17
CVE-2024-55954 | OpenObserve Improper Authorization Allows Admin User to Remove Root User | openobserve | 8.7 | High | 2025-01-16
CVE-2024-9636 | Post Grid and Gutenberg Blocks 2.2.85 - 2.3.3 - Unauthenticated Privilege Escalation | Post Grid and Gutenberg Blocks – ComboBlocks | 9.8 | Critical | 2025-01-15
CVE-2025-21360 | Microsoft AutoUpdate (MAU) Elevation of Privilege Vulnerability | Microsoft AutoUpdate for Mac | 7.8 | High | 2025-01-14
CVE-2025-21343 | Windows Web Threat Defense User Service Information Disclosure Vulnerability | Windows 11 version 22H2 | 7.5 | High | 2025-01-14
CVE-2025-21287 | Windows Installer Elevation of Privilege Vulnerability | Windows 10 Version 1507 | 7.8 | High | 2025-01-14
CVE-2024-12398 | Zyxel WBE530 security vulnerability | WBE530 firmware | 8.8 | High | 2025-01-14
CVE-2024-11128 | Insufficient Hardened Runtime or Library Validation signing in Bitdefender Virus Scanner for macOS | Virus Scanner | 7.8 | - | 2025-01-13
CVE-2024-53706 | SonicWALL Gen7 SonicOS Cloud platform NSv security vulnerability | SonicOS | 8.8 | - | 2025-01-09
CVE-2024-56447 | Huawei HarmonyOS security vulnerability | HarmonyOS | 7.8 | High | 2025-01-08
CVE-2025-22621 | Privilege escalation for users who hold the "splunk_app_soar" role in the Splunk App for SOAR | Splunk App for SOAR | 6.4 | Medium | 2025-01-07
CVE-2024-55632 | Trend Micro Apex One security vulnerability | Trend Micro Apex One | 7.8 | High | 2024-12-31
CVE-2024-55631 | Trend Micro Apex One security vulnerability | Trend Micro Apex One | 7.8 | High | 2024-12-31
CVE-2024-13058 | Authenticated, non-admin users can create storage pools via the sifi API | HyperCloud | 6.5 | - | 2024-12-30
CVE-2020-9222 | Huawei FusionCompute security vulnerability | FusionCompute | 7.0 | High | 2024-12-27
CVE-2020-9080 | Huawei product security vulnerability | HUAWEI Mate 20 Pro | 7.8 | High | 2024-12-27
CVE-2024-56335 | Privilege escalation allows organization groups to be updated/deleted if their UUID is known in vaultwarden | vaultwarden | 7.6 | High | 2024-12-20

Vulnerabilities classified as CWE-269 (Improper Privilege Management) account for 1004 CVEs. The CWE taxonomy describes the weakness; review the individual CVEs for product-specific impact.