
CWE-269 (Improper Privilege Management) — Vulnerability Class 1004

1004 vulnerabilities classified as CWE-269 (Improper Privilege Management). AI-generated Chinese analysis included.

CWE-269 represents a critical access control weakness where software fails to properly assign, modify, track, or verify privileges for users or processes. This flaw allows actors to operate outside their intended security boundaries, effectively granting them an unintended sphere of control. Attackers typically exploit this vulnerability by manipulating session tokens, bypassing authentication checks, or leveraging insufficient authorization logic to escalate privileges from a standard user to an administrator. Such exploitation can lead to unauthorized data access, system modification, or complete compromise. To prevent this, developers must implement robust identity and access management frameworks that enforce strict least-privilege principles. Regularly auditing permission assignments, utilizing role-based access control, and rigorously validating user rights at every critical application checkpoint are essential strategies to ensure actors only possess the minimum necessary privileges for their specific tasks.

MITRE CWE Description
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Common Consequences (1)
Access Control: Gain Privileges or Assume Identity
Mitigations (3)
Architecture and Design, Operation: Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Architecture and Design: Follow the principle of least privilege when assigning access rights to entities in a software system.
Architecture and Design: Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
Examples (2)
This code temporarily raises the program's privileges to allow creation of a new user folder. If os.mkdir() raises OSError, lowerPrivileges() is never called and the process keeps its elevated privileges.

    import os

    # raisePrivileges(), lowerPrivileges() and invalidUsername() are helpers
    # assumed by the MITRE example; they are not defined here.
    def makeNewUserDir(username):
        if invalidUsername(username):  # avoid CWE-22 and CWE-78
            print('Usernames cannot contain invalid characters')
            return False
        try:
            raisePrivileges()
            os.mkdir('/home/' + username)
            lowerPrivileges()          # skipped if mkdir raises: privileges stay raised
        except OSError:
            print('Unable to create new user directory for user:' + username)
            return False
        return True

Bad · Python

The following example demonstrates the weakness: nothing between the two seteuid() calls is protected against failure, and neither return value is checked, so the process can remain root.

    #include <unistd.h>

    seteuid(0);          /* raise effective UID to root */
    /* do some stuff */  /* any early exit here leaves the process as root */
    seteuid(getuid());   /* return value unchecked: a failure keeps privileges raised */

Bad · C
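The Python "Bad" example above fails because the privilege drop sits on the happy path only. The following example is added here and is not MITRE's or the page's code; it uses a hypothetical PrivilegeState class standing in for seteuid()/getuid() so it runs without root, and contrasts the vulnerable ordering with a try/finally form that drops privileges on every exit path.

```python
import os
import tempfile

class PrivilegeState:
    """Hypothetical stand-in for seteuid()/getuid() so the demo runs without root."""
    def __init__(self, real_uid=1000):
        self.real_uid = real_uid
        self.euid = real_uid          # effective UID; 0 means elevated

    def raise_privileges(self):
        self.euid = 0

    def lower_privileges(self):
        self.euid = self.real_uid

def make_user_dir_vulnerable(priv, base, username):
    """Same ordering as the MITRE 'Bad' example: if mkdir raises,
    lower_privileges() is never reached and the process stays elevated."""
    try:
        priv.raise_privileges()
        os.mkdir(os.path.join(base, username))
        priv.lower_privileges()
    except OSError:
        return False
    return True

def make_user_dir_fixed(priv, base, username):
    """Hardened form: the finally clause drops privileges on every exit path."""
    try:
        priv.raise_privileges()
        try:
            os.mkdir(os.path.join(base, username))
        finally:
            priv.lower_privileges()
    except OSError:
        return False
    return True

def demo():
    """Force mkdir to fail (directory pre-created) and return the effective
    UID each variant leaves behind as (vulnerable_euid, fixed_euid)."""
    with tempfile.TemporaryDirectory() as base:
        os.mkdir(os.path.join(base, "alice"))   # constructed: makes mkdir raise
        bad, good = PrivilegeState(), PrivilegeState()
        make_user_dir_vulnerable(bad, base, "alice")
        make_user_dir_fixed(good, base, "alice")
        return bad.euid, good.euid

if __name__ == "__main__":
    print(demo())   # (0, 1000): only the vulnerable path keeps euid 0
```

The same pattern applies to the C fragment: wrap the privileged work so that seteuid(getuid()) runs on every path and check its return value.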
CVE ID | Title | Affected product | CVSS | Severity | Published
CVE-2024-3828 | Spectra Pro <= 1.1.5 - Authenticated (Author+) Privilege Escalation | Spectra Pro | 8.8 | High | 2024-05-10
CVE-2024-0097 | CVE | ChatRTX | 7.5 | High | 2024-05-09
CVE-2024-0096 | CVE | ChatRTX | 7.5 | High | 2024-05-09
CVE-2024-4545 | EDB Postgres Advanced Server (EPAS) authenticated file read permissions bypass using edbldr | EDB Postgres Advanced Server | 7.7 | High | 2024-05-09
CVE-2024-3507 | Privilege escalation vulnerability in Lunar | Lunar | 7.7 | High | 2024-05-08
CVE-2024-20021 | MediaTek chipset security vulnerability | MT6768, MT6781, MT6785, MT6833, MT6853, MT6873, MT6877, MT6885, MT6893, MT8168, MT8183, MT8188, MT8188T, MT8195, MT8195Z, MT8321, MT8362A, MT8365, MT8385, MT8666, MT8666A, MT8666B, MT8667, MT8673, MT8675, MT8675, MT8676, MT8678, MT8765, MT8766, MT8766Z, MT8768, MT8768A, MT8768B, MT8768T, MT8768Z, MT8781, MT8781, MT8786, MT8788, MT8788T, MT8788, MT8788X, MT8788Z, MT8792, MT8795T, MT8796, MT8798 | 6.7 (AI) | Medium (AI) | 2024-05-06
CVE-2023-7241 | Webroot Antivirus COM-Hijacking LPE | Webroot AntiVirus (Consumer) and Webroot Endpoint Protection (Business) | 7.9 | High | 2024-05-01
CVE-2024-23457 | Anti-tampering can be disabled with uninstall password enforced | Client Connector | 7.8 | High | 2024-05-01
CVE-2024-33522 | Privilege escalation in Calico CNI install binary | Calico | 6.7 | Medium | 2024-04-29
CVE-2024-28241 | GlPI-Agent MSI package installation doesn't update folder security profile when using non default installation folder | glpi-agent | 7.3 | High | 2024-04-25
CVE-2023-51425 | WordPress Rencontre plugin <= 3.10.1 - Unauthenticated Account Takeover vulnerability | Rencontre – Dating Site | 9.8 | Critical | 2024-04-24
CVE-2024-4017 | Privilege Escalation in U-Series Appliance | U-Series Appliance | 8.8 | High | 2024-04-19
CVE-2024-4018 | Privilege Escalation in U-Series Appliance | U-Series Appliance | 8.8 | High | 2024-04-19
CVE-2024-3470 | Repository administrator can bypass organization's ruleset using deploy keys | Enterprise Server | 5.9 | Medium | 2024-04-19
CVE-2024-21989 | Privilege Escalation Vulnerability in ONTAP Select Deploy administration utility | ONTAP Select Deploy administration utility | 8.1 | High | 2024-04-17
CVE-2024-32003 | Dusk plugin may allow unfettered user authentication in misconfigured installs | wn-dusk-plugin | 8.8 | High | 2024-04-12
CVE-2024-3388 | PAN-OS: User Impersonation in GlobalProtect SSL VPN | PAN-OS | 4.1 | Medium | 2024-04-10
CVE-2024-29052 | Windows Storage Elevation of Privilege Vulnerability | Windows Server 2022 | 7.8 | High | 2024-04-09
CVE-2024-28904 | Microsoft Brokering File System Elevation of Privilege Vulnerability | Windows Server 2022, 23H2 Edition (Server Core installation) | 7.8 | High | 2024-04-09
CVE-2024-21324 | Microsoft Defender for IoT Elevation of Privilege Vulnerability | Microsoft Defender for IoT | 7.2 | High | 2024-04-09
CVE-2024-28905 | Microsoft Brokering File System Elevation of Privilege Vulnerability | Windows Server 2022, 23H2 Edition (Server Core installation) | 7.8 | High | 2024-04-09
CVE-2024-0082 | CVE | ChatRTX | 8.2 | High | 2024-04-08
CVE-2023-52543 | Huawei HarmonyOS security vulnerability | HarmonyOS | 6.2 (AI) | Medium (AI) | 2024-04-08
CVE-2023-52716 | Huawei HarmonyOS security vulnerability | HarmonyOS | 6.5 (AI) | Medium (AI) | 2024-04-07
CVE-2024-20282 | Cisco Nexus Dashboard security vulnerability | Cisco Nexus Dashboard | 6.0 | Medium | 2024-04-03
CVE-2024-0172 | Dell PowerEdge Server BIOS and Dell Precision Rack BIOS security vulnerability | PowerEdge Platform | 7.9 | High | 2024-04-03
CVE-2024-3137 | Improper Privilege Management in uvdesk/community-skeleton | uvdesk/community-skeleton | 8.8 (AI) | High (AI) | 2024-04-02
CVE-2024-23537 | Apache Fineract: Under certain circumstances, this vulnerability allowed users, without specific permissions, to escalate their privileges to any role. | Apache Fineract | 8.4 | High | 2024-03-29
CVE-2024-25961 | Dell PowerScale OneFS security vulnerability | PowerScale OneFS | 6.0 | Medium | 2024-03-28
CVE-2024-1973 | Elevation of privileges vulnerability | Secure Content Manager | 8.5 | High | 2024-03-25

Vulnerabilities classified as CWE-269 (Improper Privilege Management) represent 1004 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.