
CWE-269 (Improper Privilege Management) — Vulnerability Class 1004

1004 vulnerabilities classified as CWE-269 (Improper Privilege Management). AI Chinese analysis included.

CWE-269 represents a critical access control weakness where software fails to properly assign, modify, track, or verify privileges for users or processes. This flaw allows actors to operate outside their intended security boundaries, effectively granting them an unintended sphere of control. Attackers typically exploit this vulnerability by manipulating session tokens, bypassing authentication checks, or leveraging insufficient authorization logic to escalate privileges from a standard user to an administrator. Such exploitation can lead to unauthorized data access, system modification, or complete compromise. To prevent this, developers must implement robust identity and access management frameworks that enforce strict least-privilege principles. Regularly auditing permission assignments, utilizing role-based access control, and rigorously validating user rights at every critical application checkpoint are essential strategies to ensure actors only possess the minimum necessary privileges for their specific tasks.

MITRE CWE Description
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Common Consequences (1)
Scope: Access Control. Technical impact: Gain Privileges or Assume Identity.
Mitigations (3)
Phase: Architecture and Design, Operation. Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Phase: Architecture and Design. Follow the principle of least privilege when assigning access rights to entities in a software system.
Phase: Architecture and Design. Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
Examples (2)
This code temporarily raises the program's privileges to allow creation of a new user folder.
```python
import os

# invalidUsername, raisePrivileges and lowerPrivileges are helpers assumed by
# the MITRE example; they are not defined in the snippet.
def makeNewUserDir(username):
    if invalidUsername(username):  # avoid CWE-22 and CWE-78
        print('Usernames cannot contain invalid characters')
        return False
    try:
        raisePrivileges()
        os.mkdir('/home/' + username)
        lowerPrivileges()  # never reached if os.mkdir() raises, so the process stays privileged
    except OSError:
        print('Unable to create new user directory for user:' + username)
        return False
    return True
```
Bad · Python
The following example demonstrates the weakness.
```c
#include <unistd.h>

seteuid(0);          /* raise the effective UID to root; the return value is not checked */
/* do some stuff */
seteuid(getuid());   /* only changes the effective UID; the saved set-user-ID still
                        allows a later seteuid(0), so privileges are not dropped for good */
```
Bad · C
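The Python example above, as an added example that is not part of the MITRE entry or of this listing: the same control flow beside a hardened version that closes the privilege window in a finally clause, so an OSError from os.mkdir can no longer leave the process elevated. Privilege changes are simulated by a constructed PrivilegeState object (an assumption so the code runs without root; a real program would call os.seteuid() or os.setresuid() at those points), and invalid_username is a constructed allow-list check.

```python
import os
import re

class PrivilegeState:
    """Simulated privilege state; stands in for seteuid(0)/seteuid(getuid())."""
    def __init__(self):
        self.elevated = False
    def raise_privileges(self):
        self.elevated = True
    def lower_privileges(self):
        self.elevated = False

_VALID_USERNAME = re.compile(r"[a-z_][a-z0-9_-]{0,31}")

def invalid_username(username):
    """Allow-list check: rejects path separators and shell metacharacters (CWE-22 / CWE-78)."""
    return _VALID_USERNAME.fullmatch(username) is None

def make_new_user_dir_bad(priv, home_root, username):
    """Control flow of the listed example: an OSError from os.mkdir skips
    lower_privileges(), so the process stays elevated after the failure."""
    if invalid_username(username):
        return False
    try:
        priv.raise_privileges()
        os.mkdir(os.path.join(home_root, username))
        priv.lower_privileges()
    except OSError:
        return False
    return True

def make_new_user_dir_good(priv, home_root, username):
    """Hardened: the privilege window is closed on every exit path."""
    if invalid_username(username):
        return False
    priv.raise_privileges()
    try:
        os.mkdir(os.path.join(home_root, username))
    except OSError:
        return False
    finally:
        priv.lower_privileges()
    return True

def demo(home_root="/nonexistent-cwe269-demo"):
    # A missing parent directory makes os.mkdir raise FileNotFoundError (an OSError).
    bad, good = PrivilegeState(), PrivilegeState()
    make_new_user_dir_bad(bad, home_root, "alice")
    make_new_user_dir_good(good, home_root, "alice")
    return {"bad_still_elevated": bad.elevated, "good_still_elevated": good.elevated}
```

demo() returns {"bad_still_elevated": True, "good_still_elevated": False}: the hardened version fails the same way but leaves no residual privilege.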
Values marked (AI) carried the site's "AI" tag on the original page.

| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2024-24747 | MinIO unsafe default: Access keys inherit `admin` of root user, allowing privilege escalation | minio | 8.8 | High | 2024-01-31 |
| CVE-2024-0833 | Privilege Elevation via Telerik Test Studio | Telerik Test Studio | 7.8 | High | 2024-01-31 |
| CVE-2024-0832 | Privilege Elevation via Telerik Reporting Installer | Telerik Reporting | 7.8 | High | 2024-01-31 |
| CVE-2024-0219 | Privilege Elevation via Telerik JustDecompile Installer | Telerik JustDecompile | 7.8 | High | 2024-01-31 |
| CVE-2024-0674 | Privilege escalation vulnerability in Lamassu Bitcoin ATM Douro machines | Bitcoin ATM Douro machines | 6.3 | Medium | 2024-01-30 |
| CVE-2024-21985 | Privilege Escalation Vulnerability in ONTAP 9 | ONTAP 9 | 7.6 | High | 2024-01-26 |
| CVE-2024-23620 | IBM Merge Healthcare eFilm Workstation SYSTEM Privilege Escalation | eFilm Workstation | 8.8 | High | 2024-01-25 |
| CVE-2023-52107 | Huawei HarmonyOS security vulnerability | HarmonyOS | 7.5 (AI) | High (AI) | 2024-01-16 |
| CVE-2023-52116 | Huawei HarmonyOS security vulnerability | HarmonyOS | 7.5 (AI) | High (AI) | 2024-01-16 |
| CVE-2024-21638 | Azure IPAM solution Elevation of Privilege Vulnerability | ipam | 9.1 | Critical | 2024-01-10 |
| CVE-2023-44250 | Fortinet FortiOS security vulnerability | FortiOS | 8.3 | High | 2024-01-10 |
| CVE-2023-41784 | Permissions and Access Control Vulnerability in ZTE Red Magic 8 Pro | Red Magic 8 Pro | 6.6 | Medium | 2024-01-04 |
| CVE-2024-21622 | Craft CMS Privilege Escalation | cms | 5.4 | Medium | 2024-01-03 |
| CVE-2023-48418 | User Build misconfiguration resulting in local escalation of privilege | Pixel Watch | 10.0 | Critical | 2024-01-02 |
| CVE-2023-48419 | An attacker in the wifi vicinity of a target Google Home can spy on the victim, resulting in EoP | Google Nest Mini | 10.0 | Critical | 2024-01-02 |
| CVE-2023-7080 | Arbitrary remote code execution within wrangler dev Workers sandbox | wrangler | 8.5 | High | 2023-12-29 |
| CVE-2023-23430 | Honor AI Space security vulnerability | com.hihonor.magichome | 3.3 | Low | 2023-12-29 |
| CVE-2023-23429 | Honor Magic Ui security vulnerability | Magic OS | 4.0 | Medium | 2023-12-29 |
| CVE-2023-23428 | Honor Magic Ui security vulnerability | Magic OS | 3.3 | Low | 2023-12-29 |
| CVE-2023-23427 | Honor Magic Ui security vulnerability | Magic OS | 4.0 | Medium | 2023-12-29 |
| CVE-2023-50267 | MeterSphere horizontal privilege escalation vulnerability of resources in project scope | metersphere | 4.3 | Medium | 2023-12-28 |
| CVE-2023-7090 | Sudo: improper handling of ipa_hostname leads to privilege mismanagement | sudo | 6.6 | Medium | 2023-12-23 |
| CVE-2023-51386 | Sandbox Accounts for Events vulnerable to privilege escalation to read running events data | sandbox-accounts-for-events | 7.8 | High | 2023-12-22 |
| CVE-2023-6804 | Improper Privilege Management allows for arbitrary workflows to be run | Enterprise Server | 6.5 | Medium | 2023-12-21 |
| CVE-2023-46647 | Improper Privilege Management in GitHub Enterprise Server management console leads to privilege escalation | Enterprise Server | 8.0 | High | 2023-12-21 |
| CVE-2023-6793 | PAN-OS: XML API Keys Revoked by Read-Only PAN-OS Administrator | PAN-OS | 2.7 | Low | 2023-12-13 |
| CVE-2023-6507 | Groups not dropped before running subprocess when using empty 'extra_groups' parameter | CPython | 6.1 | Medium | 2023-12-08 |
| CVE-2023-45083 | HyperCloud: "admin" and "serveradmin" users can be deleted | HyperCloud | 4.2 | Medium | 2023-12-05 |
| CVE-2023-6218 | MOVEit Transfer Group Admin Privilege Escalation | MOVEit Transfer | 7.2 | High | 2023-11-29 |
| CVE-2023-5960 | Zyxel USG FLEX security vulnerability | USG FLEX series firmware | 5.5 | Medium | 2023-11-28 |

Vulnerabilities classified as CWE-269 (Improper Privilege Management) total 1004 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.