
CWE-269 (Improper Privilege Management) — Vulnerability Class 1004

1004 vulnerabilities classified as CWE-269 (Improper Privilege Management). AI Chinese analysis included.

CWE-269 represents a critical access control weakness where software fails to properly assign, modify, track, or verify privileges for users or processes. This flaw allows actors to operate outside their intended security boundaries, effectively granting them an unintended sphere of control. Attackers typically exploit this vulnerability by manipulating session tokens, bypassing authentication checks, or leveraging insufficient authorization logic to escalate privileges from a standard user to an administrator. Such exploitation can lead to unauthorized data access, system modification, or complete compromise. To prevent this, developers must implement robust identity and access management frameworks that enforce strict least-privilege principles. Regularly auditing permission assignments, utilizing role-based access control, and rigorously validating user rights at every critical application checkpoint are essential strategies to ensure actors only possess the minimum necessary privileges for their specific tasks.

MITRE CWE Description
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Common Consequences (1)
Access Control: Gain Privileges or Assume Identity
Mitigations (3)
Architecture and Design, Operation: Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Architecture and Design: Follow the principle of least privilege when assigning access rights to entities in a software system.
Architecture and Design: Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
Examples (2)
This code temporarily raises the program's privileges to allow creation of a new user folder.

    def makeNewUserDir(username):
        if invalidUsername(username):
            # avoid CWE-22 and CWE-78
            print('Usernames cannot contain invalid characters')
            return False
        try:
            raisePrivileges()
            os.mkdir('/home/' + username)
            lowerPrivileges()
        except OSError:
            print('Unable to create new user directory for user:' + username)
            return False
        return True

Bad · Python
The following example demonstrates the weakness.

    seteuid(0);
    /* do some stuff */
    seteuid(getuid());

Bad · C
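The Python example above never reaches lowerPrivileges() when os.mkdir raises, so the caller keeps running elevated. The following added example (not MITRE's or this page's code) runs that control flow next to a hardened form that drops privileges in a finally block; PrivilegeState, invalid_username and run are assumed names, and PrivilegeState is a constructed stand-in that records the elevated flag instead of calling seteuid().

```python
import os
import re
import tempfile

class PrivilegeState:
    # Constructed stand-in for raisePrivileges()/lowerPrivileges(): records
    # whether the process is elevated instead of calling seteuid().
    def __init__(self):
        self.elevated = False
    def raise_privileges(self):
        self.elevated = True
    def lower_privileges(self):
        self.elevated = False

USERNAME_RE = re.compile(r"^[a-z][a-z0-9_-]{0,31}$")

def invalid_username(username):
    # Reject separators, '..' and shell metacharacters (CWE-22 / CWE-78).
    return USERNAME_RE.match(username) is None

def make_user_dir_unsafe(priv, username, home_base):
    # MITRE's control flow: an OSError from mkdir skips lower_privileges().
    if invalid_username(username):
        return False
    try:
        priv.raise_privileges()
        os.mkdir(os.path.join(home_base, username))
        priv.lower_privileges()
    except OSError:
        return False
    return True

def make_user_dir_safe(priv, username, home_base):
    # Hardened form: the drop sits in finally, so it runs on every exit path.
    if invalid_username(username):
        return False
    priv.raise_privileges()
    try:
        os.mkdir(os.path.join(home_base, username))
    except OSError:
        return False
    finally:
        priv.lower_privileges()
    return True

def run(variant, parent_exists):
    # Create 'alice' under a temp dir, or under a missing sub-dir so mkdir
    # fails; return (succeeded, still_elevated_afterwards).
    priv = PrivilegeState()
    with tempfile.TemporaryDirectory() as tmp:
        base = tmp if parent_exists else os.path.join(tmp, "missing")
        return variant(priv, "alice", base), priv.elevated
```

With a missing parent directory the unsafe variant returns (False, True), i.e. the failure leaves the process elevated, while the safe variant returns (False, False).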
CVE ID | Title | CVSS | Severity | Published
CVE-2022-41923 | Grails Spring Security Core plugin vulnerable to privilege escalation — grails-spring-security-core | 9.1 | Critical | 2022-11-23
CVE-2022-0222 | Schneider Electric Modicon M340 security vulnerability — Modicon M340 CPUs | 7.5 | High | 2022-11-22
CVE-2022-39395 | Vela Insecure Defaults — server | 9.6 | Critical | 2022-11-10
CVE-2021-34579 | PHOENIX CONTACT: FL MGUARD DM version 1.12.0 and 1.13.0 Improper Privilege Management — FL MGUARD DM (2981974) | 7.5 | High | 2022-11-09
CVE-2022-44733 | Acronis Cyber Protect security vulnerability — Acronis Cyber Protect Home Office | 7.8 | - | 2022-11-07
CVE-2022-44732 | Acronis Cyber Protect security vulnerability — Acronis Cyber Protect Home Office | 7.8 | - | 2022-11-07
CVE-2022-3369 | Improper handling of registry symbolic links in Bitdefender Engines — Engines | 8.6 | High | 2022-11-01
CVE-2022-3419 | Automatic User Roles Switcher < 1.1.2 - Subscriber+ Privilege Escalation — Automatic User Roles Switcher | 6.5 | - | 2022-10-31
CVE-2022-43749 | Synology Presto File Server security vulnerability — Presto File Server | 4.3 | Medium | 2022-10-26
CVE-2022-39286 | Execution with Unnecessary Privileges in JupyterApp — jupyter_core | 8.8 | High | 2022-10-26
CVE-2022-41835 | F5OS vulnerability CVE-2022-41835 — F5OS-A | 7.3 | High | 2022-10-19
CVE-2022-2249 | Avaya Aura Communication Manager Privilege Escalation Vulnerabilities — Avaya Aura Communication Manager | 7.7 | High | 2022-10-12
CVE-2022-3422 | Improper Privilege Management in tooljet/tooljet — tooljet/tooljet | 7.5 | - | 2022-10-07
CVE-2022-2975 | Avaya Aura Application Enablement Services weak permissions in web application — Avaya Aura Application Enablement Services | 7.7 | High | 2022-10-06
CVE-2022-39032 | Smart eVision - Improper Privilege Management — Smart eVision | 8.8 | High | 2022-09-28
CVE-2022-3068 | Improper Privilege Management in octoprint/octoprint — octoprint/octoprint | 7.8 | - | 2022-09-21
CVE-2022-3079 | Festo: CPX-CEC-C1 and CMXX, Missing Authentication for Critical Webpage Function — Control block CPX-CEC-C1 (no. 567347) | 7.5 | High | 2022-09-20
CVE-2022-39203 | Parsing issue in matrix-org/node-irc leading to room takeovers — matrix-appservice-irc | 8.8 | High | 2022-09-13
CVE-2022-39202 | IRC mode parameter confusion in matrix-appservice-irc — matrix-appservice-irc | 4.3 | Medium | 2022-09-13
CVE-2022-36861 | SAMSUNG Mobile devices security vulnerability — Samsung Mobile Devices | 5.9 | Medium | 2022-09-09
CVE-2022-31166 | XWiki.WebHome vulnerable to Improper Privilege Management in XWiki resolving groups — xwiki-platform | 8.1 | High | 2022-09-07
CVE-2021-25657 | Avaya IP Office Privilege Escalation Vulnerability — IP Office | 7.8 | High | 2022-09-02
CVE-2022-36833 | SAMSUNG Mobile devices security vulnerability — Game Optimizing Service | 7.3 | High | 2022-08-05
CVE-2022-35243 | Authenticated iControl REST in Appliance mode vulnerability CVE-2022-35243 — BIG-IP | 8.7 | High | 2022-08-04
CVE-2022-33962 | BIG-IP iRule vulnerability CVE-2022-33962 — BIG-IP | 6.7 | Medium | 2022-08-04
CVE-2022-35921 | User preference to prevent private discussions not respected in fof/byobu — byobu | 3.5 | Low | 2022-08-01
CVE-2022-2317 | Simple Membership < 4.1.3 - Unauthenticated Membership Privilege Escalation — Simple Membership | 8.8 | - | 2022-08-01
CVE-2022-2273 | Simple Membership < 4.1.3 - Membership Privilege Escalation — Simple Membership | 8.8 | - | 2022-08-01
CVE-2022-35291 | Privilege escalation vulnerability in SAP SuccessFactors attachment API for Mobile Application(Android & iOS) — SAP SuccessFactors Mobile Application for Android & iOS devices | 8.1 | High | 2022-07-27
CVE-2022-30526 | Zyxel USG FLEX security vulnerability — USG FLEX 100(W) firmware | 7.8 | High | 2022-07-19

Vulnerabilities classified as CWE-269 (Improper Privilege Management) represent 1004 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.