
CWE-269 (Improper Privilege Management): Vulnerability Class, 1004 CVEs

1004 vulnerabilities are classified as CWE-269 (Improper Privilege Management). An AI-generated analysis is included below.

CWE-269 is an access-control weakness in which software fails to properly assign, modify, track, or check the privileges held by a user or process, leaving that actor with a sphere of control it was never meant to have. Typical causes are elevated privileges that are raised for one operation and never dropped (or dropped in a way that can be regained), permission or role changes that a lower-privileged account is allowed to make to itself or to others, and privilege checks that guard one code path but not an equivalent one. The CVEs listed below mostly describe escalation from an ordinary user to an administrator or SYSTEM account, with consequences ranging from unauthorized data access to full compromise. Prevention is a design matter: enforce least privilege, route every permission change through one audited authorization routine, hold elevated privileges for the shortest possible window and release them on every exit path, and periodically review who holds which rights.

MITRE CWE Description
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Common Consequences (1)
Scope: Access Control. Impact: Gain Privileges or Assume Identity.

Mitigations (3)
Phase: Architecture and Design, Operation. Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Phase: Architecture and Design. Follow the principle of least privilege when assigning access rights to entities in a software system.
Phase: Architecture and Design. Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
Examples (2)

This code temporarily raises the program's privileges to allow creation of a new user folder. The helpers invalidUsername(), raisePrivileges() and lowerPrivileges() are placeholders in MITRE's example and are not defined here.

```python
import os

def makeNewUserDir(username):
    if invalidUsername(username):  # avoid CWE-22 and CWE-78
        print('Usernames cannot contain invalid characters')
        return False
    try:
        raisePrivileges()
        os.mkdir('/home/' + username)
        lowerPrivileges()  # skipped if os.mkdir() raises: privileges stay elevated
    except OSError:
        print('Unable to create new user directory for user:' + username)
        return False
    return True
```

Bad · Python

The weakness: if os.mkdir() raises OSError, control jumps to the except branch and lowerPrivileges() is never called, so the program keeps running with elevated privileges.

The following example demonstrates the weakness.

```c
#include <unistd.h>

seteuid(0);
/* do some stuff */
seteuid(getuid());
```

Bad · C

The weakness: seteuid() changes only the effective UID. The saved set-user-ID remains 0, so the "drop" is temporary and any later seteuid(0) regains root; a permanent drop must set the real, effective and saved UIDs together (for example with setresuid()).
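The following block, added here as an illustration and not taken from MITRE or from any of the products listed on this page, shows both failure modes side by side with their hardened forms: the Python example's privileges that are not lowered on the error path, and the C example's seteuid-only drop that can be reversed. Real setuid calls are replaced by a Process class that models the Linux rules for setresuid(2) and seteuid(2) (an assumption of the example, stated in the comments), so the script runs as an ordinary user; failing_mkdir is a constructed stand-in for an os.mkdir() call that fails.

```python
"""Privilege handling for CWE-269: temporary vs permanent drops.

Illustrative example, not MITRE's code.  Real setuid calls are replaced by
a Process class that models the Linux rules for setresuid(2)/seteuid(2),
so everything runs as an ordinary user.
"""
import contextlib


class Process:
    """Simulated credentials: real, effective and saved set-user-ID."""

    def __init__(self, ruid, euid, suid):
        self.ruid, self.euid, self.suid = ruid, euid, suid

    def getuid(self):
        return self.ruid

    def geteuid(self):
        return self.euid

    def setresuid(self, ruid=-1, euid=-1, suid=-1):
        """Model of setresuid(2): -1 keeps a field.  A process whose euid is
        not 0 may only pick values already held in one of the three fields;
        anything else fails with EPERM (PermissionError here)."""
        held = {self.ruid, self.euid, self.suid}
        wanted = [cur if new == -1 else new for cur, new in
                  ((self.ruid, ruid), (self.euid, euid), (self.suid, suid))]
        if self.euid != 0 and any(v not in held for v in wanted):
            raise PermissionError("EPERM: cannot set uid without privilege")
        self.ruid, self.euid, self.suid = wanted

    def seteuid(self, euid):
        """On Linux seteuid(e) is setresuid(-1, e, -1): saved UID untouched."""
        self.setresuid(-1, euid, -1)


def failing_mkdir(path):
    """Constructed stand-in for os.mkdir() on a path that cannot be created."""
    raise OSError("mkdir failed for " + path)


def make_user_dir_vulnerable(proc, username, mkdir):
    """Same control flow as the Python example above: when mkdir raises,
    the lowering call is skipped and the process stays at euid 0."""
    try:
        proc.seteuid(0)
        mkdir("/home/" + username)
        proc.seteuid(proc.getuid())
    except OSError:
        return False
    return True


@contextlib.contextmanager
def elevated(proc):
    """Raise to euid 0 and lower again on every exit path, exceptions included."""
    proc.seteuid(0)
    try:
        yield
    finally:
        proc.seteuid(proc.getuid())


def make_user_dir_fixed(proc, username, mkdir):
    """Hardened version: privileges are held only inside the with-block."""
    try:
        with elevated(proc):
            mkdir("/home/" + username)
    except OSError:
        return False
    return True


def temporary_drop_is_reversible(proc):
    """The C example's pattern: seteuid(0); ...; seteuid(getuid()).  The saved
    UID is still 0, so a later seteuid(0) succeeds.  True if root was regained."""
    proc.seteuid(0)
    proc.seteuid(proc.getuid())
    try:
        proc.seteuid(0)
    except PermissionError:
        return False
    return proc.geteuid() == 0


def drop_privileges_permanently(proc):
    """Set all three UIDs to the real user, then prove the drop cannot be undone.
    Returns True when a subsequent seteuid(0) is refused; aborts otherwise."""
    uid = proc.getuid()
    proc.setresuid(uid, uid, uid)
    try:
        proc.seteuid(0)
    except PermissionError:
        return True
    raise RuntimeError("privilege drop was reversible; refusing to continue")


if __name__ == "__main__":
    # A setuid-root helper started by uid 1000: ruid=1000, euid=0, suid=0.
    p = Process(1000, 0, 0)
    make_user_dir_vulnerable(p, "alice", failing_mkdir)
    print("vulnerable: euid after failed mkdir =", p.geteuid())  # 0, still root
    p = Process(1000, 0, 0)
    make_user_dir_fixed(p, "alice", failing_mkdir)
    print("fixed: euid after failed mkdir =", p.geteuid())       # 1000
    print("seteuid-only drop reversible:", temporary_drop_is_reversible(Process(1000, 0, 0)))
    print("setresuid drop permanent:", drop_privileges_permanently(Process(1000, 0, 0)))
```

The verification step in drop_privileges_permanently() is the part most real code omits: after dropping, try to regain the privilege and treat success as a fatal error. It catches the seteuid-only pattern, and also environments where the drop silently failed.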
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2021-4200 | Write access to the Catalog for any user when restricted-admin role is enabled | Rancher | 5.4 | Medium | 2022-05-02 |
| CVE-2021-36784 | Privilege escalation for users with create/update permissions in Global Roles | Rancher | 7.2 | High | 2022-05-02 |
| CVE-2021-36207 | Metasys privilege management | Metasys ADS/ADX/OAS server | 8.8 | High | 2022-04-29 |
| CVE-2022-20739 | Cisco SD-WAN vManage Software Privilege Escalation Vulnerability | Cisco SD-WAN vManage | 7.3 | High | 2022-04-15 |
| CVE-2020-16238 | B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus | SpaceCom | 6.7 | Medium | 2022-04-14 |
| CVE-2022-22187 | JIMS: Local Privilege Escalation vulnerability via repair functionality | Juniper Identity Management Service (JIMS) | 7.8 | High | 2022-04-14 |
| CVE-2022-1256 | Improper Privilege Management in McAfee Agent for Windows | McAfee Agent for Windows | 7.8 | High | 2022-04-14 |
| CVE-2022-24842 | Improper Privilege Management in MinIO | minio | 8.8 | High | 2022-04-12 |
| CVE-2022-24812 | FGAC API Key privilege escalation in Grafana | grafana | 8.0 | High | 2022-04-12 |
| CVE-2022-27840 | Samsung Recovery security vulnerability | Samsung Recovery | 4.4 | Medium | 2022-04-11 |
| CVE-2022-0556 | Zyxel AP Configurator security vulnerability | Zyxel AP Configurator (ZAC) | 7.3 | High | 2022-04-11 |
| CVE-2022-26676 | aEnrich a+HRD - Broken Access Control | a+HRD | 9.8 | Critical | 2022-04-07 |
| CVE-2003-5001 | ISS BlackICE PC Protection Cross Site Scripting Detection privileges management | BlackICE PC Protection | 5.3 | Medium | 2022-03-28 |
| CVE-2022-24783 | Sandbox bypass leading to arbitrary code execution in Deno | deno | 10.0 | Critical | 2022-03-25 |
| CVE-2022-24072 | Naver Whale Browser security vulnerability | NAVER Whale browser | 6.1 | - | 2022-03-17 |
| CVE-2022-24750 | Low privilege user is able to exploit the service and gain SYSTEM privileges in UltraVNC server | UltraVNC | 8.8 | High | 2022-03-10 |
| CVE-2022-24931 | Samsung ApkInstaller security vulnerability | Samsung Mobile Devices | 7.9 | High | 2022-03-08 |
| CVE-2022-24408 | Siemens SINUMERIK security vulnerability | SINUMERIK MC | 7.8 | - | 2022-03-08 |
| CVE-2022-25311 | Siemens SINEC NMS security vulnerability | SINEC NMS | 7.3 | High | 2022-03-08 |
| CVE-2022-0441 | MasterStudy LMS < 2.7.6 - Unauthenticated Admin Account Creation | MasterStudy LMS – WordPress LMS Plugin | 9.8 | - | 2022-03-07 |
| CVE-2022-23921 | ICSA-22-053-01 GE Proficy CIMPLICITY-IPM | Proficy CIMPLICITY | 7.5 | High | 2022-02-25 |
| CVE-2022-23604 | Privilege escalation in Defender | x26-Cogs | 8.8 | High | 2022-02-15 |
| CVE-2021-22801 | Schneider Electric ConneXium Network Manager Software security vulnerability | ConneXium Network Manager Software (All Versions) | 9.8 | - | 2022-02-11 |
| CVE-2022-24927 | Samsung Video Player security vulnerability | Samsung Video Player | 4.2 | Medium | 2022-02-11 |
| CVE-2021-36302 | Dell EMC Integrated System security vulnerability | Dell EMC Integrated System for Microsoft Azure Stack Hub | 9.9 | Critical | 2022-02-09 |
| CVE-2021-3813 | Improper Privilege Management in chatwoot/chatwoot | chatwoot/chatwoot | 8.1 | - | 2022-02-09 |
| CVE-2021-45729 | WordPress WP Google Map plugin <= 1.8.0 - Privilege Escalation vulnerability | WP Google Map (WordPress plugin) | 5.4 | Medium | 2022-01-25 |
| CVE-2021-43860 | Permissions granted to applications can be hidden from the user at install time | flatpak | 8.2 | High | 2022-01-12 |
| CVE-2022-0144 | Improper Privilege Management in shelljs/shelljs | shelljs/shelljs | 7.8 | - | 2022-01-11 |
| CVE-2022-22263 | Samsung SMR Jan-2022 Release 1 security vulnerability | Samsung Mobile Devices | 4.0 | Medium | 2022-01-07 |

A "-" in the Severity column means no qualitative rating was given on the page for that entry; the CVSS score is shown as listed.

Vulnerabilities classified as CWE-269 (Improper Privilege Management) account for 1004 CVEs. The CWE taxonomy describes the weakness class only; review individual CVEs for product-specific impact.