
CWE-269 (Improper Privilege Management) — Vulnerability Class 1004

1004 vulnerabilities classified as CWE-269 (Improper Privilege Management). AI Chinese analysis included.

CWE-269 represents a critical access control weakness where software fails to properly assign, modify, track, or verify privileges for users or processes. This flaw allows actors to operate outside their intended security boundaries, effectively granting them an unintended sphere of control. Attackers typically exploit this vulnerability by manipulating session tokens, bypassing authentication checks, or leveraging insufficient authorization logic to escalate privileges from a standard user to an administrator. Such exploitation can lead to unauthorized data access, system modification, or complete compromise. To prevent this, developers must implement robust identity and access management frameworks that enforce strict least-privilege principles. Regularly auditing permission assignments, utilizing role-based access control, and rigorously validating user rights at every critical application checkpoint are essential strategies to ensure actors only possess the minimum necessary privileges for their specific tasks.

MITRE CWE Description
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Common Consequences (1)
Access Control: Gain Privileges or Assume Identity

Mitigations (3)
Architecture and Design, Operation: Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Architecture and Design: Follow the principle of least privilege when assigning access rights to entities in a software system.
Architecture and Design: Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
Examples (2)
This code temporarily raises the program's privileges to allow creation of a new user folder.
import os

def makeNewUserDir(username):
    if invalidUsername(username):  # avoid CWE-22 and CWE-78
        print('Usernames cannot contain invalid characters')
        return False
    try:
        raisePrivileges()
        os.mkdir('/home/' + username)
        lowerPrivileges()  # skipped when os.mkdir() raises: the process stays privileged
    except OSError:
        print('Unable to create new user directory for user:' + username)
        return False
    return True
Bad · Python
The following example demonstrates the weakness.
seteuid(0);
/* do some stuff */
seteuid(getuid());
Bad · C
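Both examples above share one defect: privileges are raised, and the code that lowers them again is not reached on every path (an exception in the Python case, an arbitrarily long "do some stuff" window in the C case). The following added example, which is not part of MITRE's CWE entry or of this page, puts the page's Python function beside a hardened version that uses a finally clause so privileges are dropped on every exit path. The Privileges class, the username pattern and the function names are stand-ins constructed for this example; a real program would call os.seteuid().

```python
import os
import re

# Stand-in for the page's raisePrivileges()/lowerPrivileges(), constructed for
# this example: it only records the effective uid. Real code calls os.seteuid().
class Privileges:
    def __init__(self, real_uid=1000):
        self.real_uid = real_uid
        self.effective_uid = real_uid

    def raise_privileges(self):
        self.effective_uid = 0  # root, for the privileged operation only

    def lower_privileges(self):
        self.effective_uid = self.real_uid

# Assumed allow-list (the page's invalidUsername() is unspecified); rejecting
# path separators and shell metacharacters covers CWE-22 and CWE-78 as well.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")

def invalid_username(username):
    return USERNAME_RE.fullmatch(username) is None

def make_new_user_dir_bad(priv, home, username):
    # Same control flow as the page's example: an OSError from os.mkdir()
    # jumps past lower_privileges(), so the process stays elevated.
    if invalid_username(username):
        return False
    try:
        priv.raise_privileges()
        os.mkdir(os.path.join(home, username))
        priv.lower_privileges()
    except OSError:
        return False
    return True

def make_new_user_dir_good(priv, home, username):
    # Hardened: finally drops privileges on every exit path, and they are
    # held only around the one call that needs them.
    if invalid_username(username):
        return False
    priv.raise_privileges()
    try:
        os.mkdir(os.path.join(home, username))
    except OSError:
        return False
    finally:
        priv.lower_privileges()
    return True
```

Calling either function with a username whose directory already exists makes os.mkdir() raise FileExistsError: the bad version returns False with effective_uid still 0, the hardened version returns False with effective_uid back at the real uid.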
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2023-32696 | Excessive permissions for ckan user | ckan-docker-base | 8.8 | High | 2023-05-30
CVE-2022-45853 | Zyxel GS1900-8 security vulnerability | GS1900-8HP firmware | 6.7 | Medium | 2023-05-30
CVE-2023-30601 | Apache Cassandra: Privilege escalation when enabling FQL/Audit logs | Apache Cassandra | 7.8 | High | 2023-05-30
CVE-2023-31062 | Apache InLong: Privilege escalation vulnerability for InLong | Apache InLong | 8.8 | - | 2023-05-22
CVE-2022-45452 | Acronis Agent and Acronis Cyber Protect security vulnerability | Acronis Agent | 7.8 | - | 2023-05-18
CVE-2023-2679 | Data leakage in Adobe connector for SPE edition of SLM | SPE SLM | 4.1 | Medium | 2023-05-17
CVE-2023-25834 | BUG-000142922 Incomplete permission changes in specific cases. | Portal for ArcGIS | 5.4 | Medium | 2023-05-09
CVE-2023-22651 | Rancher security vulnerability | Rancher | 9.9 | Critical | 2023-05-04
CVE-2022-3405 | Acronis Cyber Backup and Acronis Cyber Protect security vulnerability | Acronis Cyber Protect 15 | 8.8 | - | 2023-05-03
CVE-2023-29056 | Lenovo XClarity Controller security vulnerability | XClarity Controller | 5.3 | Medium | 2023-04-28
CVE-2023-30622 | Clusternet has potential risk which can be leveraged to make a cluster-level privilege escalation | clusternet | 6.6 | Medium | 2023-04-24
CVE-2023-25133 | Improper privilege management vulnerability in CyberPower PowerPanel Business | PowerPanel Business Local / Remote | 9.1 | Critical | 2023-04-24
CVE-2023-2240 | Improper Privilege Management in microweber/microweber | microweber/microweber | 8.1 | - | 2023-04-22
CVE-2022-47505 | SolarWinds Platform Local Privilege Escalation Vulnerability | SolarWinds Platform | 7.8 | High | 2023-04-21
CVE-2023-22645 | kubewarden: Excessive permissions for kubewarden-controller-manager-cluster-role | kubewarden | 8.0 | High | 2023-04-19
CVE-2023-1548 | Schneider Electric EcoStruxure Control Expert security vulnerability | EcoStruxure Control Expert | 5.5 | Medium | 2023-04-18
CVE-2023-22946 | Apache Spark proxy-user privilege escalation from malicious configuration class | Apache Spark | 6.4 | Medium | 2023-04-17
CVE-2023-29018 | OpenFeature Operator vulnerable to Cluster-level Privilege Escalation | open-feature-operator | 8.1 | High | 2023-04-14
CVE-2023-1326 | local privilege escalation in apport-cli | Apport | 7.7 | High | 2023-04-13
CVE-2023-24509 | On affected modular platforms running Arista EOS equipped with both redundant supervisor modules and having the redundancy protocol configured with RPR or SSO, an existing unprivileged user can login to the standby supervisor as a root user, leading t ... | Arista EOS | 9.3 | Critical | 2023-04-13
CVE-2022-27487 | Fortinet FortiSandbox security vulnerability | FortiDeceptor | 8.3 | High | 2023-04-11
CVE-2023-28855 | Fields GLPI plugin vulnerable to unauthorized write access to additional fields | fields | 6.5 | Medium | 2023-04-05
CVE-2023-28632 | GLPI vulnerable to account takeover by authenticated user | glpi | 8.1 | High | 2023-04-05
CVE-2023-0192 | NVIDIA GPU Display Driver for Windows security vulnerability | vGPU software (Virtual GPU Manager - Citrix Hypervisor, VMware vSphere, Red Hat Enterprise Linux KVM), NVIDIA Cloud Gaming (Virtual GPU Manager - Red Hat Enterprise Linux KVM) | 4.7 | Medium | 2023-04-01
CVE-2023-1762 | Improper Privilege Management in thorsten/phpmyfaq | thorsten/phpmyfaq | 8.8 | - | 2023-03-31
CVE-2023-28640 | Permissions bypass in Apiman could enable authenticated attacker to unpermitted API Key | apiman | 6.4 | Medium | 2023-03-27
CVE-2023-28436 | Non-interactive Tailscale SSH sessions on FreeBSD may use the effective group ID of the tailscaled process | tailscale | 5.7 | Medium | 2023-03-23
CVE-2023-28434 | MinIO is vulnerable to privilege escalation on Linux/MacOS | minio | 8.8 | High | 2023-03-22
CVE-2023-21458 | SAMSUNG Mobile Devices security vulnerability | Samsung Mobile Devices | 6.2 | Medium | 2023-03-16
CVE-2023-27589 | Minio vulnerable to denial of access by an admin privileged user for root credential | minio | 6.5 | Medium | 2023-03-14

Vulnerabilities classified as CWE-269 (Improper Privilege Management) represent 1004 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.