
CWE-269 (Improper Privilege Management) — Vulnerability Class 1004

1004 vulnerabilities classified as CWE-269 (Improper Privilege Management). AI-generated Chinese analysis included.

CWE-269 represents a critical access control weakness where software fails to properly assign, modify, track, or verify privileges for users or processes. This flaw allows actors to operate outside their intended security boundaries, effectively granting them an unintended sphere of control. Attackers typically exploit this vulnerability by manipulating session tokens, bypassing authentication checks, or leveraging insufficient authorization logic to escalate privileges from a standard user to an administrator. Such exploitation can lead to unauthorized data access, system modification, or complete compromise. To prevent this, developers must implement robust identity and access management frameworks that enforce strict least-privilege principles. Regularly auditing permission assignments, utilizing role-based access control, and rigorously validating user rights at every critical application checkpoint are essential strategies to ensure actors only possess the minimum necessary privileges for their specific tasks.

MITRE CWE Description
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Common Consequences (1)
Access Control: Gain Privileges or Assume Identity
Mitigations (3)
Architecture and Design, Operation: Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Architecture and Design: Follow the principle of least privilege when assigning access rights to entities in a software system.
Architecture and Design: Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
Examples (2)
This code temporarily raises the program's privileges to allow creation of a new user folder. The program only raises its privilege level to create the folder and immediately lowers it again, but if the call to os.mkdir() raises an exception, the call to lowerPrivileges() never runs, and the program keeps operating in a raised privilege state indefinitely.
import os

def makeNewUserDir(username):
    # invalidUsername(), raisePrivileges() and lowerPrivileges() are assumed
    # to be defined elsewhere, as in the MITRE example.
    if invalidUsername(username):  # avoid CWE-22 and CWE-78
        print('Usernames cannot contain invalid characters')
        return False
    try:
        raisePrivileges()
        os.mkdir('/home/' + username)
        # Never reached if os.mkdir() raises: the process stays privileged (CWE-269)
        lowerPrivileges()
    except OSError:
        print('Unable to create new user directory for user:' + username)
        return False
    return True
Bad · Python
The following example demonstrates the weakness.
#include <unistd.h>

seteuid(0);          /* become root */
/* do some stuff */  /* this whole stretch runs with root privileges */
seteuid(getuid());   /* drop back to the real user id */
Bad · C
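The following Python is an added example, not MITRE's code and not from this site. It puts the defect of the first example beside a hardened version: a privilege bracket built on try/finally that always drops privileges and verifies the drop took effect. To run offline without root, privileges are modelled by a constructed FakeProcess class instead of real seteuid() calls; the names raise_privileges, lower_privileges, elevated, make_user_dir_bad and make_user_dir_fixed are assumptions of this example.

```python
import re
from contextlib import contextmanager

# Conservative allow-list for usernames; blocks "../" and shell metacharacters
# (the CWE-22 / CWE-78 concern noted in the original example).
VALID_USERNAME = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


class FakeProcess:
    """Constructed stand-in for a process with a real uid and an effective uid."""

    def __init__(self, uid):
        self.uid = uid          # real (unprivileged) uid
        self.euid = uid         # effective uid; 0 means root
        self.existing = set()   # directories that already exist

    def seteuid(self, new_euid):
        self.euid = new_euid

    def mkdir(self, path):
        # Models os.mkdir(): needs root under /home, fails if the dir exists.
        if self.euid != 0:
            raise PermissionError(path)
        if path in self.existing:
            raise FileExistsError(path)
        self.existing.add(path)


def raise_privileges(proc):
    proc.seteuid(0)


def lower_privileges(proc):
    proc.seteuid(proc.uid)
    # A real seteuid() can fail; never assume the drop worked without checking.
    if proc.euid != proc.uid:
        raise RuntimeError("failed to drop privileges")


def make_user_dir_bad(proc, username):
    """Same control flow as the vulnerable example: lower_privileges() is
    skipped whenever mkdir raises, so the process stays root afterwards."""
    if not VALID_USERNAME.match(username):
        return False
    try:
        raise_privileges(proc)
        proc.mkdir("/home/" + username)
        lower_privileges(proc)
    except OSError:
        return False
    return True


@contextmanager
def elevated(proc):
    """Privilege bracket: whatever happens inside the with-block, privileges
    are dropped on the way out, exception or not."""
    raise_privileges(proc)
    try:
        yield
    finally:
        lower_privileges(proc)


def make_user_dir_fixed(proc, username):
    """Hardened version: the privileged window is limited to the mkdir call
    and is closed by the context manager even when mkdir raises."""
    if not VALID_USERNAME.match(username):
        return False
    try:
        with elevated(proc):
            proc.mkdir("/home/" + username)
    except OSError:
        return False
    return True


if __name__ == "__main__":
    for fn in (make_user_dir_bad, make_user_dir_fixed):
        proc = FakeProcess(1000)
        proc.existing.add("/home/alice")     # constructed: dir already exists
        ok = fn(proc, "alice")
        print(f"{fn.__name__}: returned {ok}, euid afterwards = {proc.euid}")
```

Running the module shows the difference directly: after the failed mkdir, make_user_dir_bad leaves euid at 0 while make_user_dir_fixed returns it to 1000. The check inside lower_privileges matters on real systems too, since a failed seteuid() silently leaves the process privileged unless its return value is inspected.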
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2024-12786 | X1a0He Adobe Downloader XPC Service com.x1a0he.macOS.Adobe-Downloader.helper shouldAcceptNewConnection privileges management | Adobe Downloader | 7.8 | High | 2024-12-19
CVE-2020-15934 | Fortinet FortiClient security vulnerability | FortiClientLinux | 8.6 | High | 2024-12-19
CVE-2024-38499 | Improper Privilege Management Vulnerability in CA Client Automation 14.5 | CA Client Automation (ITCM) | 6.5 | - | 2024-12-17
CVE-2024-55949 | Privilege escalation in IAM import API in MinIO | minio | 8.8 | - | 2024-12-16
CVE-2024-11721 | Frontend Admin by DynamiApps <= 3.24.5 - Unauthenticated Privilege Escalation | Frontend Admin by DynamiApps | 8.1 | High | 2024-12-14
CVE-2024-49035 | Partner.Microsoft.Com Elevation of Privilege Vulnerability | Microsoft Partner Center | 8.7 | High | 2024-11-26
CVE-2024-52336 | Tuned: `script_pre` and `script_post` options allow to pass arbitrary scripts executed by root | | 7.8 | High | 2024-11-26
CVE-2024-9941 | WPGYM <= 67.1.0 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation | WPGYM - Wordpress Gym Management System | 8.8 | High | 2024-11-23
CVE-2020-26063 | Cisco Integrated Management Controller Software Authorization Bypass Vulnerability | Cisco Unified Computing System (Managed) | 5.4 | Medium | 2024-11-18
CVE-2024-52926 | Delinea Privilege Manager security vulnerability | Privilege Manager | 6.5 | Medium | 2024-11-18
CVE-2024-9192 | WP Video Robot <= 1.20.0 - Authenticated (Subscriber+) Privilege Escalation via User Meta Update | WordPress Video Robot - The Ultimate Video Importer | 8.8 | High | 2024-11-16
CVE-2024-52516 | Nextcloud Server's shares are not removed when user is limited to share with in their groups and being removed from one of them | security-advisories | 3.0 | Low | 2024-11-15
CVE-2024-8068 | Privilege escalation to NetworkService Account access | Citrix Session Recording | 8.8 (AI) | High (AI) | 2024-11-12
CVE-2024-49558 | Dell SmartFabric OS10 security vulnerability | SmartFabric OS10 Software | 7.8 | High | 2024-11-12
CVE-2024-24409 | Privilege Escalation | ADManager Plus | 8.8 | High | 2024-11-08
CVE-2024-8424 | WatchGuard Endpoint Protection Privilege Escalation in PSANHost Enables Arbitrary File Delete as SYSTEM | EPDR | 7.8 | High | 2024-11-07
CVE-2024-8810 | Privilege Management vulnerability was identified in GitHub Enterprise Server that allowed GitHub Apps to grant themselves write access | Enterprise Server | 6.5 (AI) | Medium (AI) | 2024-11-07
CVE-2024-10203 | Agent Arbitrary File Deletion | EndPoint Central | 7.0 | High | 2024-11-07
CVE-2024-51521 | Huawei HarmonyOS security vulnerability | HarmonyOS | 5.7 | Medium | 2024-11-05
CVE-2024-20374 | Cisco Secure Firewall Management Center security vulnerability | Cisco Firepower Management Center | 6.5 | Medium | 2024-10-23
CVE-2023-32196 | Rancher's External RoleTemplates can lead to privilege escalation | rancher | 6.6 | Medium | 2024-10-16
CVE-2023-32194 | Rancher permissions on 'namespaces' in any API group grants 'edit' permissions on namespaces in 'core' | rancher | 7.2 | High | 2024-10-16
CVE-2024-9002 | Schneider Electric Easergy Studio security vulnerability | Easergy Studio | 7.8 | High | 2024-10-11
CVE-2024-22068 | Weak Password Vulnerability in ZTE ZSR V2 Intelligent Multi Service Router | ZXR10 1800-2S series, ZXR10 2800-4, ZXR10 3800-8, ZXR10 160 series | 6.0 | Medium | 2024-10-10
CVE-2024-9518 | UserPlus <= 2.0 - Unauthenticated Privilege Escalation | User registration & user profile – UserPlus | 9.8 | Critical | 2024-10-10
CVE-2024-38818 | VMware NSX security vulnerability | VMware NSX, VMware Cloud Foundation | 6.7 | Medium | 2024-10-09
CVE-2024-9471 | PAN-OS: Privilege Escalation (PE) Vulnerability in XML API | PAN-OS | 7.2 (AI) | High (AI) | 2024-10-09
CVE-2024-3057 | Pure Storage FlashArray Purity security vulnerability | FlashArray | 9.8 | Critical | 2024-10-08
CVE-2024-45297 | Prevent topic list filtering by hidden tags for unauthorized users in Discourse | discourse | 5.3 | Medium | 2024-10-07
CVE-2024-44097 | Google Nest security vulnerability | Android | 9.1 | - | 2024-10-02

Vulnerabilities classified as CWE-269 (Improper Privilege Management) represent 1004 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.