
CWE-269 (Improper Privilege Management) — Vulnerability Class 1004

1004 vulnerabilities classified as CWE-269 (Improper Privilege Management). AI-generated Chinese analysis included.

CWE-269 represents a critical access control weakness where software fails to properly assign, modify, track, or verify privileges for users or processes. This flaw allows actors to operate outside their intended security boundaries, effectively granting them an unintended sphere of control. Attackers typically exploit this vulnerability by manipulating session tokens, bypassing authentication checks, or leveraging insufficient authorization logic to escalate privileges from a standard user to an administrator. Such exploitation can lead to unauthorized data access, system modification, or complete compromise. To prevent this, developers must implement robust identity and access management frameworks that enforce strict least-privilege principles. Regularly auditing permission assignments, utilizing role-based access control, and rigorously validating user rights at every critical application checkpoint are essential strategies to ensure actors only possess the minimum necessary privileges for their specific tasks.

MITRE CWE Description
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Common Consequences (1)
Scope: Access Control · Impact: Gain Privileges or Assume Identity
Mitigations (3)
Phase: Architecture and Design, Operation · Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Phase: Architecture and Design · Follow the principle of least privilege when assigning access rights to entities in a software system.
Phase: Architecture and Design · Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
Examples (2)
This code temporarily raises the program's privileges to allow creation of a new user folder. The defect is on the error path: if os.mkdir() raises, lowerPrivileges() is never called and the program keeps running with elevated privileges.

    import os

    # invalidUsername(), raisePrivileges() and lowerPrivileges() are helpers
    # assumed to exist elsewhere in the program; MITRE's example does not define them.
    def makeNewUserDir(username):
        if invalidUsername(username):
            # avoid CWE-22 and CWE-78
            print('Usernames cannot contain invalid characters')
            return False
        try:
            raisePrivileges()
            os.mkdir('/home/' + username)
            lowerPrivileges()   # skipped when os.mkdir() raises OSError
        except OSError:
            print('Unable to create new user directory for user:' + username)
            return False
        return True

Bad · Python
The following C fragment demonstrates the same weakness: the process becomes root for the duration of some work and lowers its effective UID afterwards, so any failure or early return in between leaves it running as root. Because only the effective UID is changed, the saved set-user-ID remains 0 and the drop can be reversed with another seteuid(0); the return values of the calls are not checked either.

    #include <unistd.h>

    seteuid(0);          /* become root for the privileged work */
    /* do some stuff */
    seteuid(getuid());   /* effective UID only; saved UID is still 0 */

Bad · C
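The two "Bad" examples above share one defect: privileges are lowered only on the success path, and the C fragment's seteuid() drop is reversible because the saved set-user-ID stays 0. The Python below is an example added here, not code from MITRE or from this page. It shows the structural fix: a context manager that lowers privileges on every exit path and verifies the drop actually happened, a hardened make_new_user_dir that validates the username before elevating, and a permanent-drop helper for the point at which root is no longer needed. FakePrivilegeState, the username pattern and the function names are assumptions so the example runs without root; with real privileges you would pass os.seteuid-based callables instead.

```python
import os
import re
import contextlib
import tempfile


class FakePrivilegeState:
    """Constructed stand-in for the saved-set-UID model so the pattern runs unprivileged.

    euid can be raised to 0 and lowered back to real_uid; lower_fails simulates a
    backend whose drop silently does nothing (e.g. an unchecked seteuid() return).
    """

    def __init__(self, real_uid=1000, lower_fails=False):
        self.real_uid = real_uid
        self.euid = real_uid
        self.lower_fails = lower_fails

    def raise_privileges(self):
        self.euid = 0

    def lower_privileges(self):
        if not self.lower_fails:
            self.euid = self.real_uid

    def is_privileged(self):
        return self.euid == 0


@contextlib.contextmanager
def temporarily_elevated(raise_fn, lower_fn, check_fn):
    """Raise privileges for the body and lower them on every exit path.

    The original example lowered privileges only on the success path, so an
    OSError from os.mkdir() left the process running as root. `finally` closes
    that hole; check_fn turns a silent failure to drop into a hard error.
    """
    raise_fn()
    try:
        yield
    finally:
        lower_fn()
        if check_fn():
            raise RuntimeError("privileges were not dropped after the elevated block")


# Conservative POSIX-style username rule (assumption; a real site may differ).
# Rejects path separators and shell metacharacters, addressing CWE-22 and CWE-78.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def make_new_user_dir(username, home_root, raise_fn, lower_fn, check_fn):
    """Hardened makeNewUserDir: validate first, elevate only around mkdir, always lower."""
    if not USERNAME_RE.fullmatch(username):
        return False
    target = os.path.join(home_root, username)
    try:
        with temporarily_elevated(raise_fn, lower_fn, check_fn):
            os.mkdir(target, 0o750)
    except OSError:
        # EEXIST, EACCES, etc.; privileges are already lowered by the finally block.
        return False
    return True


def drop_privileges_permanently(uid, gid):
    """Irreversible drop for a root process that has finished its privileged work.

    Unlike the C example's seteuid(), setresuid() also clears the saved UID, so
    the drop is verified by confirming that regaining root now fails.
    """
    os.setgroups([])
    os.setresgid(gid, gid, gid)
    os.setresuid(uid, uid, uid)
    try:
        os.seteuid(0)
    except PermissionError:
        return True
    raise RuntimeError("privilege drop was reversible")


def demo():
    """Exercise the invalid-name, success, failure and broken-drop paths in a temp root."""
    state = FakePrivilegeState(real_uid=1000)
    fns = (state.raise_privileges, state.lower_privileges, state.is_privileged)
    results = {}
    with tempfile.TemporaryDirectory() as root:
        results["invalid_name"] = make_new_user_dir("../etc", root, *fns)
        results["created"] = make_new_user_dir("alice", root, *fns)
        # Second call hits the OSError path (EEXIST); privileges must still drop.
        results["duplicate"] = make_new_user_dir("alice", root, *fns)
        results["privileged_after_failure"] = state.is_privileged()
        broken = FakePrivilegeState(real_uid=1000, lower_fails=True)
        try:
            make_new_user_dir("bob", root, broken.raise_privileges,
                              broken.lower_privileges, broken.is_privileged)
            results["broken_drop_detected"] = False
        except RuntimeError:
            results["broken_drop_detected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The check after lowering is the part most real code omits: the C fragment never inspects seteuid()'s return value, so a failed drop goes unnoticed. drop_privileges_permanently() needs root to do anything useful and is therefore not exercised by demo(); it belongs at the point where the program has finished with elevated rights for good.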
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2024-26247 | Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability | Microsoft Edge (Chromium-based) | 4.7 | Medium | 2024-03-22
CVE-2024-2228 | IdentityIQ Authorization of QuickLink Target Identities Vulnerability | IdentityIQ | 7.1 | High | 2024-03-22
CVE-2023-47715 | IBM Storage Protect Plus Server improper access control | Storage Protect Plus Server | 4.3 | Medium | 2024-03-21
CVE-2024-2390 | Local Privilege Escalation | Nessus Agent | 7.8 | High | 2024-03-18
CVE-2024-28851 | Elevation of privilege in Snowflake Hive MetaStore Connector Helper script | snowflake-hive-metastore-connector | 4.0 | Medium | 2024-03-15
CVE-2024-27301 | Privilege Escalation Abusing installer in SupportApp | SupportApp | 7.3 | High | 2024-03-14
CVE-2023-50726 | Users with `create` but not `override` privileges can perform local sync in argo-cd | argo-cd | 6.4 | Medium | 2024-03-13
CVE-2024-2433 | PAN-OS: Improper Privilege Management Vulnerability in Panorama Software Leads to Availability Loss | PAN-OS | 4.3 | Medium | 2024-03-13
CVE-2024-2432 | GlobalProtect App: Local Privilege Escalation (PE) Vulnerability | GlobalProtect App | 4.5 | Medium | 2024-03-13
CVE-2024-2431 | GlobalProtect App: Local User Can Disable GlobalProtect | GlobalProtect App | 5.5 | Medium | 2024-03-13
CVE-2024-20262 | Cisco IOS XR security vulnerability | Cisco IOS XR Software | 6.5 | Medium | 2024-03-13
CVE-2024-1505 | Academy LMS – eLearning and online course solution for WordPress <= 1.9.19 - Authenticated (Subscriber+) Privilege Escalation | Academy LMS – WordPress LMS Plugin for Complete eLearning Solution | 8.8 | High | 2024-03-13
CVE-2024-26169 | Windows Error Reporting Service Elevation of Privilege Vulnerability | Windows 10 Version 1809 | 7.8 | High | 2024-03-12
CVE-2024-28197 | Account Takeover via Session Fixation in Zitadel [Bypassing MFA] | zitadel | 7.5 | High | 2024-03-11
CVE-2024-1442 | User with permissions to create a data source can CRUD all data sources | Grafana | 6.0 | Medium | 2024-03-07
CVE-2024-1764 | Devolutions Server security vulnerability | Server | 8.8 | High | 2024-03-05
CVE-2024-2005 | SAML implementation allows privilege escalation | Inventory (BPI) | 9.0 | Critical | 2024-03-05
CVE-2024-1908 | Improper Privilege Management vulnerability was identified in GitHub Enterprise Server that allowed Privilege Escalation | Enterprise Server | 6.3 | Medium | 2024-02-29
CVE-2024-0819 | Incomplete protection of personal password settings | Remote Full Client | 7.3 | High | 2024-02-27
CVE-2024-0197 | Privilege Escalation in Thales SafeNet Sentinel HASP LDK | Sentinel HASP LDK | 7.8 | High | 2024-02-27
CVE-2023-7016 | Privilege Escalation in SafeNet Authentication Client | SafeNet Authentication Client | 7.8 | High | 2024-02-27
CVE-2023-5993 | Privilege Escalation in SafeNet Authentication Client Installer | SafeNet Authentication Client | 7.8 | High | 2024-02-27
CVE-2024-0439 | User can manually send request at manager permission to modify system configurations | mintplex-labs/anything-llm | 4.3 | - | 2024-02-25
CVE-2024-0622 | Local privilege escalation vulnerability could affect OpenText Operations Agent on Non-Windows platforms. | Operations Agent | 8.8 | High | 2024-02-15
CVE-2023-45581 | Fortinet FortiClient EMS security vulnerability | FortiClientEMS | 7.9 | High | 2024-02-15
CVE-2024-0353 | Local privilege escalation in Windows products | ESET NOD32 Antivirus | 7.8 | High | 2024-02-15
CVE-2023-25535 | Dell SupportAssist for Home PCs security vulnerability | SupportAssist Client Consumer | 7.2 | High | 2024-02-14
CVE-2024-24830 | OpenObserve Privilege Escalation Vulnerability in Users API | openobserve | 10.0 | Critical | 2024-02-08
CVE-2023-31005 | IBM Security Access Manager Container privilege escalation | Security Verify Access Appliance | 6.2 | Medium | 2024-02-03
CVE-2023-36496 | Delegated Admin Virtual Attribute Provider Privilege Escalation | PingDirectory | 7.7 | High | 2024-02-01

Vulnerabilities classified as CWE-269 (Improper Privilege Management) represent 1004 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.