Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-269 (特权管理不恰当) — Vulnerability Class 1017

1017 vulnerabilities classified as CWE-269 (特权管理不恰当). AI Chinese analysis included.

CWE-269 represents a critical access control weakness where software fails to properly assign, modify, track, or verify privileges for users or processes. This flaw allows actors to operate outside their intended security boundaries, effectively granting them an unintended sphere of control. Attackers typically exploit this vulnerability by manipulating session tokens, bypassing authentication checks, or leveraging insufficient authorization logic to escalate privileges from a standard user to an administrator. Such exploitation can lead to unauthorized data access, system modification, or complete compromise. To prevent this, developers must implement robust identity and access management frameworks that enforce strict least-privilege principles. Regularly auditing permission assignments, utilizing role-based access control, and rigorously validating user rights at every critical application checkpoint are essential strategies to ensure actors only possess the minimum necessary privileges for their specific tasks.

MITRE CWE Description
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Common Consequences (1)
Access ControlGain Privileges or Assume Identity
Mitigations (3)
Architecture and Design, OperationVery carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Architecture and DesignFollow the principle of least privilege when assigning access rights to entities in a software system.
Architecture and DesignConsider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
Examples (2)
This code temporarily raises the program's privileges to allow creation of a new user folder.
def makeNewUserDir(username): if invalidUsername(username): #avoid CWE-22 and CWE-78 print('Usernames cannot contain invalid characters') return False try: raisePrivileges() os.mkdir('/home/' + username) lowerPrivileges() except OSError: print('Unable to create new user directory for user:' + username) return False return True
Bad · Python
The following example demonstrates the weakness.
seteuid(0); /* do some stuff */ seteuid(getuid());
Bad · C
CVE IDTitleCVSSSeverityPublished
CVE-2017-20073 Hindu Matrimonial Script cms.php privileges management — Hindu Matrimonial Script 6.3 Medium2022-06-21
CVE-2017-20072 Hindu Matrimonial Script generalsettings.php privileges management — Hindu Matrimonial Script 6.3 Medium2022-06-21
CVE-2017-20071 Hindu Matrimonial Script renewaldue.php privileges management — Hindu Matrimonial Script 6.3 Medium2022-06-21
CVE-2017-20070 Hindu Matrimonial Script communitymanagement.php privileges management — Hindu Matrimonial Script 6.3 Medium2022-06-21
CVE-2017-20069 Hindu Matrimonial Script countrymanagement.php privileges management — Hindu Matrimonial Script 6.3 Medium2022-06-21
CVE-2017-20068 Hindu Matrimonial Script usermanagement.php privileges management — Hindu Matrimonial Script 6.3 Medium2022-06-21
CVE-2022-1823 McAfee MCPR privilege escalation — McAfee Consumer Product Removal Tool 7.9 High2022-06-20
CVE-2022-26668 ASUS Control Center - Broken Access Control — Control Center 7.3 High2022-06-20
CVE-2017-20063 Elefant CMS File Upload drop privileges management — CMS 6.3 Medium2022-06-20
CVE-2020-36549 GE Voluson S8 Windows Operating System Patches privileges management — Voluson S8 8.8 High2022-06-17
CVE-2018-25044 uTorrent Guest Account privileges management — uTorrent 6.3 Medium2022-06-17
CVE-2018-25041 uTorrent JSON RPC Server privileges management — uTorrent 6.3 Medium2022-06-17
CVE-2018-25040 uTorrent Web HTTP RPC Server privileges management — Web 6.3 Medium2022-06-17
CVE-2022-26057 Mint WorkBench Link Following Local Privilege Escalation Vulnerability — Mint WorkBench 6.7 Medium2022-06-15
CVE-2022-31594 SAP Adaptive Server Enterprise 安全漏洞 — SAP Adaptive Server Enterprise (ASE) 6.7 -2022-06-14
CVE-2022-29614 SAP NetWeaver Application Server 安全漏洞 — SAP NetWeaver AS ABAP, AS Java, ABAP Platform and HANA Database 8.6 -2022-06-14
CVE-2022-24077 Naver Cloud Explorer 代码问题漏洞 — NAVER Cloud Explorer Beta 8.4 -2022-06-13
CVE-2022-1654 Jupiter Theme <= 6.10.1 and JupiterX Core Plugin <= 2.0.7 - Authenticated Privilege Escalation — Jupiter X Core 8.8 High2022-06-13
CVE-2022-2063 Improper Privilege Management in nocodb/nocodb — nocodb/nocodb 8.8 -2022-06-13
CVE-2017-20038 SICUNET Access Controller card_scan_decoder.php privileges management — Access Controller 6.3 Medium2022-06-11
CVE-2017-20037 SICUNET Access Controller privileges management — Access Controller 6.3 Medium2022-06-11
CVE-2017-20028 HumHub privileges management — HumHub 5.6 Medium2022-06-09
CVE-2017-20025 Solare Solar-Log Flash Memory privileges management — Solar-Log 7.3 High2022-06-09
CVE-2017-20023 Solare Solar-Log Network Config privileges management — Solar-Log 6.3 Medium2022-06-09
CVE-2017-20021 Solare Solar-Log File Upload privileges management — Solar-Log 6.5 Medium2022-06-09
CVE-2019-25068 Axios Italia Axios RE Connection REDefault.aspx privileges management — Axios RE 6.3 Medium2022-06-09
CVE-2019-25066 ajenti API privileges management — ajenti 6.3 Medium2022-06-09
CVE-2016-15002 MONyog Ultimate Cookie privileges management — MONyog Ultimate 7.3 High2022-06-09
CVE-2022-30739 Samsung Account 安全漏洞 — Samsung Account 4.0 Medium2022-06-07
CVE-2020-36542 Demokratian install3.php privileges management — Demokratian 7.3 High2022-06-03

Vulnerabilities classified as CWE-269 (特权管理不恰当) represent 1017 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.