
CWE-269 (Improper Privilege Management), Vulnerability Class 1004

1004 vulnerabilities classified as CWE-269 (Improper Privilege Management). AI-generated Chinese analysis included.

CWE-269 covers the case where software fails to properly assign, modify, track, or check the privileges of a user or process, leaving that actor with a sphere of control it was never meant to have. Typical instances are a program that raises its privileges and does not reliably drop them on every code path, a privilege drop whose success is never verified, a role or permission assignment broader than the task requires, or an authorization check missing at one of the points where a privileged action can be triggered. An attacker who reaches such a spot acts with the elevated privileges, escalating from a standard user to an administrator and from there to unauthorized data access, system modification, or full compromise. Prevention is mostly a design discipline: apply least privilege when assigning rights, keep the privileged window as short as possible and close it on every exit path (including the error path), check the result of every privilege transition rather than assuming it succeeded, use role-based access control instead of ad hoc checks, and re-validate the actor's rights at every point where a privileged operation can be triggered. Regular audits of permission assignments catch the privilege drift that accumulates over time.

MITRE CWE Description
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Common Consequences (1)
Scope: Access Control. Impact: Gain Privileges or Assume Identity.

Mitigations (3)
Phase: Architecture and Design, Operation. Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Phase: Architecture and Design. Follow the principle of least privilege when assigning access rights to entities in a software system.
Phase: Architecture and Design. Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
Examples (2)
This code temporarily raises the program's privileges to allow creation of a new user folder. If os.mkdir() raises OSError, execution jumps to the except block and lowerPrivileges() is never called, so the program keeps running with elevated privileges.

    import os

    def makeNewUserDir(username):
        # raisePrivileges(), lowerPrivileges() and invalidUsername() are helper
        # routines assumed to exist elsewhere in the program.
        if invalidUsername(username):  # avoid CWE-22 and CWE-78
            print('Usernames cannot contain invalid characters')
            return False
        try:
            raisePrivileges()
            os.mkdir('/home/' + username)
            lowerPrivileges()  # skipped entirely if os.mkdir raises
        except OSError:
            print('Unable to create new user directory for user:' + username)
            return False
        return True

Bad · Python
The following example demonstrates the weakness: the return value of neither seteuid() call is checked, so if the drop back to the real uid fails the program carries on running as root without noticing.

    #include <sys/types.h>
    #include <unistd.h>

    seteuid(0);          /* raise to root; return value unchecked */
    /* do some stuff */
    seteuid(getuid());   /* attempt to drop back; return value unchecked */

Bad · C
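The two examples above share one lesson: drop privileges on every exit path and verify that the drop took effect. The following is an added example, not code from the page or from MITRE, showing a hardened rewrite of makeNewUserDir in which the privileged window is a context manager whose finally clause always lowers privileges and then checks the result. The Privileges class wraps os.seteuid for a real setuid-root process; FakePrivileges is a constructed stand-in (an assumption of this example, not a real API) that records state so the bracketing can be exercised without root, including the case where the drop silently fails. The username regex and the home_root parameter are also this example's own choices.

```python
import contextlib
import os
import re


class PrivilegeError(RuntimeError):
    """Raised when privileges were supposed to be dropped but were not."""


class Privileges:
    """Raise/lower wrapper around a setuid-root process (calls os.seteuid).

    Only meaningful when the process actually has a saved root uid; the
    tests below use FakePrivileges instead.
    """

    def raise_privileges(self):
        os.seteuid(0)

    def lower_privileges(self):
        os.seteuid(os.getuid())

    def is_lowered(self):
        # Verify the drop instead of trusting that seteuid() did not error.
        return os.geteuid() == os.getuid()


class FakePrivileges:
    """Constructed stand-in for tests: records state instead of calling seteuid.

    drop_succeeds=False simulates a seteuid(getuid()) that silently fails to
    take effect, the failure mode the C example never checks for.
    """

    def __init__(self, drop_succeeds=True):
        self.elevated = False
        self.drop_succeeds = drop_succeeds

    def raise_privileges(self):
        self.elevated = True

    def lower_privileges(self):
        if self.drop_succeeds:
            self.elevated = False

    def is_lowered(self):
        return not self.elevated


@contextlib.contextmanager
def temporarily_elevated(privs):
    """Bracket a block so privileges are lowered on every exit path (normal
    return or exception) and the drop is verified afterwards."""
    privs.raise_privileges()
    try:
        yield
    finally:
        privs.lower_privileges()
        if not privs.is_lowered():
            raise PrivilegeError("privileges were not dropped")


# Conservative POSIX username syntax: rejects '/', '..', and shell metacharacters.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def make_new_user_dir(username, home_root="/home", privs=None):
    """Hardened version of the page's makeNewUserDir.

    Returns True when the directory was created, False on a rejected name or
    a filesystem error. Privileges are lowered in both cases.
    """
    if privs is None:
        privs = Privileges()
    if not USERNAME_RE.fullmatch(username):
        return False
    path = os.path.join(home_root, username)
    try:
        with temporarily_elevated(privs):
            os.mkdir(path)
    except OSError:
        # temporarily_elevated's finally clause has already lowered privileges.
        return False
    return True
```

A failed drop surfaces as PrivilegeError rather than being swallowed by the OSError handler, which is the behaviour you want: continuing with unexpected privileges is worse than aborting. In a real setuid program prefer setresuid() over seteuid() so the saved uid is cleared too, and call the check after every transition, not only at the end.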
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2022-22266 | Samsung SMR security vulnerability | Samsung Mobile Devices | 4.0 | Medium | 2022-01-07 |
| CVE-2021-31833 | McAfee Application and Change Control security vulnerability | McAfee Application and Change Control (MACC) | 7.1 | High | 2022-01-04 |
| CVE-2021-43858 | User privilege escalation in MinIO | minio | 8.8 | High | 2021-12-27 |
| CVE-2021-27445 | Mesa Labs AmegaView Improper Privilege Management | AmegaView | 7.8 | High | 2021-12-21 |
| CVE-2021-36316 | Dell EMC Avamar Server security vulnerability | Avamar | 6.7 | Medium | 2021-12-21 |
| CVE-2021-43835 | Privilege escalation in the Sulu Admin panel | sulu | 7.2 | High | 2021-12-15 |
| CVE-2021-43828 | Improper Privilege Management in Patrowl | PatrowlManager | 7.5 | High | 2021-12-14 |
| CVE-2021-37941 | GE APM security vulnerability | APM Java Agent | 7.8 | - | 2021-12-08 |
| CVE-2021-25515 | Samsung SMR security vulnerability | Samsung Mobile Devices | 4.0 | Medium | 2021-12-08 |
| CVE-2021-25513 | Samsung SMR security vulnerability | Samsung Mobile Devices | 2.4 | Low | 2021-12-08 |
| CVE-2021-43793 | Bypass of Poll voting limits in Discourse | discourse | 4.3 | Medium | 2021-12-01 |
| CVE-2021-36307 | Dell Networking OS10 security vulnerability | Networking OS | 8.8 | High | 2021-11-20 |
| CVE-2021-37938 | Elastic Stack Kibana path traversal vulnerability | Kibana | 7.1 | - | 2021-11-18 |
| CVE-2021-25508 | Samsung SmartThings security vulnerability | SmartThings | 5.3 | Medium | 2021-11-05 |
| CVE-2021-25502 | Samsung SMR security vulnerability | Samsung Mobile Devices | 7.9 | High | 2021-11-05 |
| CVE-2021-23877 | McAfee Total Protection (MTP) - Privilege Escalation vulnerability | McAfee Total Protection (MTP) | 6.7 | Medium | 2021-10-26 |
| CVE-2021-31360 | Junos OS and Junos OS Evolved: Denial of Service vulnerability in local file processing | Junos OS | 7.1 | High | 2021-10-19 |
| CVE-2021-31359 | Junos OS and Junos OS Evolved: Local Privilege Escalation vulnerability | Junos OS | 7.8 | High | 2021-10-19 |
| CVE-2021-31350 | Junos OS and Junos OS Evolved: Privilege escalation vulnerability in Juniper Extension Toolkit (JET) | Junos OS | 7.5 | High | 2021-10-19 |
| CVE-2021-27664 | exacqVision Web Service | exacqVision Web Service | 9.8 | Critical | 2021-10-11 |
| CVE-2021-34766 | Cisco Smart Software Manager Privilege Escalation Vulnerability | Cisco Smart Software Manager On-Prem | 5.4 | Medium | 2021-10-06 |
| CVE-2021-23893 | Privilege Escalation vulnerability in McAfee Drive Encryption (MDE) | McAfee Drive Encryption (MDE) | 8.8 | High | 2021-10-01 |
| CVE-2021-31836 | Improper Privilege Management in MA for Windows | McAfee Agent for Windows | 5.6 | Medium | 2021-09-22 |
| CVE-2021-31847 | Improper privilege management in repair process of MA for Windows | McAfee Agent for Windows | 8.2 | High | 2021-09-22 |
| CVE-2021-37173 | Siemens RUGGEDCOM information disclosure vulnerability | RUGGEDCOM ROX MX5000 | 7.5 | - | 2021-09-14 |
| CVE-2021-38540 | Apache Airflow: Variable Import endpoint missed authentication check | Apache Airflow | 9.8 | - | 2021-09-09 |
| CVE-2021-30355 | Amazon Kindle e-reader security vulnerability | Amazon Kindle e-reader | 8.6 | - | 2021-09-01 |
| CVE-2021-37911 | BenQ EH600 security vulnerability | EH600 OTA | 8.8 | High | 2021-08-30 |
| CVE-2021-39167 | TimelockController vulnerability in OpenZeppelin Contracts | openzeppelin-contracts | 10.0 | Critical | 2021-08-26 |
| CVE-2021-39168 | TimelockController vulnerability in OpenZeppelin Contracts | openzeppelin-contracts-upgradeable | 10.0 | Critical | 2021-08-26 |

A "-" in the Severity column means no severity rating was recorded for that entry.

Vulnerabilities classified as CWE-269 (Improper Privilege Management) account for 1004 CVEs. The CWE taxonomy describes the weakness class; review individual CVEs for product-specific impact.