
CWE-269 (Improper Privilege Management) — Vulnerability Class, 1004 CVEs

1004 vulnerabilities are classified as CWE-269 (Improper Privilege Management). AI-generated Chinese analysis is included.

CWE-269 represents a critical access control weakness where software fails to properly assign, modify, track, or verify privileges for users or processes. This flaw allows actors to operate outside their intended security boundaries, effectively granting them an unintended sphere of control. Attackers typically exploit this vulnerability by manipulating session tokens, bypassing authentication checks, or leveraging insufficient authorization logic to escalate privileges from a standard user to an administrator. Such exploitation can lead to unauthorized data access, system modification, or complete compromise. To prevent this, developers must implement robust identity and access management frameworks that enforce strict least-privilege principles. Regularly auditing permission assignments, utilizing role-based access control, and rigorously validating user rights at every critical application checkpoint are essential strategies to ensure actors only possess the minimum necessary privileges for their specific tasks.

MITRE CWE Description
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Common Consequences (1)
- Scope: Access Control. Impact: Gain Privileges or Assume Identity.

Mitigations (3)
- Phase: Architecture and Design, Operation. Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
- Phase: Architecture and Design. Follow the principle of least privilege when assigning access rights to entities in a software system.
- Phase: Architecture and Design. Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
Examples (2)

Example 1 (Bad, Python). This code temporarily raises the program's privileges to allow creation of a new user folder. If os.mkdir fails, the call to lowerPrivileges() is skipped and the program keeps running with raised privileges.

```python
import os

def makeNewUserDir(username):
    if invalidUsername(username):  # avoid CWE-22 and CWE-78; helper assumed to exist
        print('Usernames cannot contain invalid characters')
        return False
    try:
        raisePrivileges()            # helper assumed to exist
        os.mkdir('/home/' + username)
        lowerPrivileges()            # never reached when os.mkdir raises OSError
    except OSError:
        print('Unable to create new user directory for user:' + username)
        return False
    return True
```

Example 2 (Bad, C). The following example demonstrates the weakness: the effective UID is raised to root for a block of work, and only the effective UID is restored afterwards, so the process can still regain root and any failure in between leaves it elevated.

```c
#include <unistd.h>

seteuid(0);          /* raise effective UID to root */
/* do some stuff */
seteuid(getuid());   /* restores the effective UID only; root remains regainable */
```
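The following is an added example, not part of MITRE's CWE-269 entry or of this site's content. It puts the control-flow defect shared by Example 1 and Example 2 (a privileged window that is closed only on the success path) beside the form a defender wants: the privileged window bounded by try/finally so that privileges are dropped on every exit, including exceptions. Real seteuid()/setuid() calls need root, so the effective UID and the filesystem are simulated with small in-memory objects; these, and the names PrivilegeState, make_dir and elevated, are assumptions made for this illustration.

```python
"""Constructed demonstration of CWE-269: temporary privilege raising done wrong and done right."""
import re
from contextlib import contextmanager


class PrivilegeState:
    """Simulated effective UID; stands in for os.geteuid()/os.seteuid() (assumption)."""

    def __init__(self, real_uid: int = 1000):
        self.real_uid = real_uid
        self.effective_uid = real_uid

    def raise_privileges(self) -> None:
        self.effective_uid = 0

    def lower_privileges(self) -> None:
        self.effective_uid = self.real_uid

    @property
    def is_elevated(self) -> bool:
        return self.effective_uid == 0


# Allow only plain POSIX-style user names: no path separators, no shell metacharacters
# (addresses the CWE-22 / CWE-78 concern noted in the original example).
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def invalid_username(username: str) -> bool:
    return USERNAME_RE.match(username) is None


def make_dir(fs: set, path: str) -> None:
    """Simulated os.mkdir over an in-memory set of paths; raises OSError like the real call."""
    if path in fs:
        raise OSError(f"{path} already exists")
    fs.add(path)


def make_new_user_dir_bad(priv: PrivilegeState, fs: set, username: str) -> bool:
    """The pattern from Example 1: privileges are lowered only on the success path."""
    if invalid_username(username):
        return False
    try:
        priv.raise_privileges()
        make_dir(fs, "/home/" + username)
        priv.lower_privileges()  # skipped when make_dir raises: the process stays elevated
    except OSError:
        return False
    return True


@contextmanager
def elevated(priv: PrivilegeState):
    """Bound the privileged window: lowering runs on success, exception and early return."""
    priv.raise_privileges()
    try:
        yield
    finally:
        priv.lower_privileges()


def make_new_user_dir_good(priv: PrivilegeState, fs: set, username: str) -> bool:
    """Hardened form: the same work, with privileges guaranteed to be dropped afterwards."""
    if invalid_username(username):
        return False
    try:
        with elevated(priv):
            make_dir(fs, "/home/" + username)
    except OSError:
        return False
    return True


if __name__ == "__main__":
    # Constructed scenario: the home directory already exists, so mkdir fails.
    for fn in (make_new_user_dir_bad, make_new_user_dir_good):
        priv, fs = PrivilegeState(), {"/home/alice"}
        ok = fn(priv, fs, "alice")
        print(f"{fn.__name__}: created={ok} still_elevated={priv.is_elevated}")
```

Run as a script, the bad variant reports still_elevated=True after the failed mkdir while the hardened variant reports False. The same principle applies to the C fragment in Example 2: pair every privilege raise with a drop on a path that runs unconditionally, and where elevated rights are not needed again, drop them permanently with setuid() rather than seteuid().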
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2023-23412 | Windows Accounts Picture Elevation of Privilege Vulnerability | Windows 10 Version 1809 | 7.8 | High | 2023-03-14 |
| CVE-2022-39953 | Fortinet FortiNAC security vulnerability | FortiNAC | 7.8 | High | 2023-03-07 |
| CVE-2022-38378 | Fortinet FortiOS security vulnerability | FortiOS | 4.0 | Medium | 2023-02-16 |
| CVE-2023-24483 | Privilege Escalation to NT AUTHORITY\SYSTEM on the vulnerable VDA | Citrix Virtual Apps and Desktops | 7.8 | - | 2023-02-16 |
| CVE-2022-42735 | Apache ShenYu Admin ultra vires | Apache ShenYu | 8.8 | - | 2023-02-15 |
| CVE-2022-38777 | Elastic Endpoint Security security vulnerability | Elastic Endpoint Security | 7.8 | - | 2023-02-08 |
| CVE-2022-43759 | Rancher: Privilege escalation via promoted roles | Rancher | 7.2 | High | 2023-02-07 |
| CVE-2023-23610 | glpi vulnerable to Unauthorized access to data export | glpi | 6.5 | Medium | 2023-01-25 |
| CVE-2022-38774 | Elastic Endpoint Security security vulnerability | Elastic Endpoint Security and Elastic Endgame Security | 7.8 | - | 2023-01-24 |
| CVE-2022-38775 | Elastic Endpoint Security security vulnerability | Elastic Endpoint Security | 7.8 | - | 2023-01-24 |
| CVE-2023-0242 | Insufficient permission check in the VQL copy() function | Velociraptor | 8.8 | - | 2023-01-18 |
| CVE-2021-4314 | API Mediation Layer authorization issue vulnerability | Zowe | 5.3 | - | 2023-01-18 |
| CVE-2023-0221 | Trellix Application and Change Control security vulnerability | Application and Change Control | 4.4 | Medium | 2023-01-13 |
| CVE-2022-4294 | Norton, Avira, Avast and AVG Antivirus for Windows Privilege Escalation | Norton Antivirus Windows Eraser Engine | 7.1 | High | 2023-01-10 |
| CVE-2022-46172 | authentik allows existing authenticated users to create arbitrary accounts | authentik | 6.4 | Medium | 2022-12-28 |
| CVE-2022-4808 | Improper Privilege Management in usememos/memos | usememos/memos | 8.1 | - | 2022-12-28 |
| CVE-2022-38757 | CVE-2022-38757 ZENworks | ZENworks Configuration Management (ZCM) | 7.2 | High | 2022-12-23 |
| CVE-2022-38060 | OpenStack code issue vulnerability | OpenStack | 8.8 | High | 2022-12-21 |
| CVE-2022-38065 | OpenStack security vulnerability | OpenStack | 8.8 | - | 2022-12-21 |
| CVE-2022-46334 | Proofpoint Enterprise Protection Local Privilege Escalation | enterprise_protection | 7.8 | High | 2022-12-21 |
| CVE-2022-41268 | Security vulnerability in multiple products | Business Planning and Consolidation | 8.5 | High | 2022-12-13 |
| CVE-2022-23485 | Invite code reuse via cookie manipulation in sentry | sentry | 6.4 | Medium | 2022-12-10 |
| CVE-2022-4264 | Incorrect privilege assignment in M-Files Web Server | M-Files Web | 6.5 | Medium | 2022-12-09 |
| CVE-2022-41948 | Privilege Chaining with the user admin role in dhis2-core | dhis2-core | 6.7 | Medium | 2022-12-08 |
| CVE-2022-42888 | WordPress ARMember Plugin <= 5.5.1 is vulnerable to Privilege Escalation | ARMember | 9.8 | Critical | 2022-12-06 |
| CVE-2022-4314 | Improper Privilege Management in ikus060/rdiffweb | ikus060/rdiffweb | 9.8 | - | 2022-12-06 |
| CVE-2022-4173 | Avast and AVG Antivirus for Windows vulnerable to Privilege Escalation | Avast and AVG Antivirus | 7.3 | High | 2022-12-05 |
| CVE-2022-4270 | Incorrect privilege assignment in M-Files Web Server | M-Files Web | 2.0 | Low | 2022-12-02 |
| CVE-2022-23737 | Improper Privilege Management in GitHub Enterprise Server leading to page creation and deletion | GitHub Enterprise Server | 6.5 | - | 2022-12-01 |
| CVE-2022-1606 | Incorrect privilege assignment in M-Files Server | M-Files Server | 2.4 | Low | 2022-11-30 |

Vulnerabilities classified as CWE-269 (Improper Privilege Management) account for 1004 CVEs. The CWE taxonomy describes the weakness class; review individual CVEs for product-specific impact.