
CWE-269 (Improper Privilege Management) — Vulnerability Class 1004

1004 vulnerabilities classified as CWE-269 (Improper Privilege Management). AI-generated Chinese analysis included.

CWE-269 represents a critical access control weakness where software fails to properly assign, modify, track, or verify privileges for users or processes. This flaw allows actors to operate outside their intended security boundaries, effectively granting them an unintended sphere of control. Attackers typically exploit this vulnerability by manipulating session tokens, bypassing authentication checks, or leveraging insufficient authorization logic to escalate privileges from a standard user to an administrator. Such exploitation can lead to unauthorized data access, system modification, or complete compromise. To prevent this, developers must implement robust identity and access management frameworks that enforce strict least-privilege principles. Regularly auditing permission assignments, utilizing role-based access control, and rigorously validating user rights at every critical application checkpoint are essential strategies to ensure actors only possess the minimum necessary privileges for their specific tasks.

MITRE CWE Description
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Common Consequences (1)
Access Control: Gain Privileges or Assume Identity

Mitigations (3)
Architecture and Design, Operation: Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Architecture and Design: Follow the principle of least privilege when assigning access rights to entities in a software system.
Architecture and Design: Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
Examples (2)
This code temporarily raises the program's privileges to allow creation of a new user folder.

    import os

    # invalidUsername(), raisePrivileges() and lowerPrivileges() are helpers
    # assumed by the CWE example; they are not defined here.
    def makeNewUserDir(username):
        if invalidUsername(username):  # avoid CWE-22 and CWE-78
            print('Usernames cannot contain invalid characters')
            return False
        try:
            raisePrivileges()
            os.mkdir('/home/' + username)
            lowerPrivileges()  # never reached if os.mkdir() raises
        except OSError:
            print('Unable to create new user directory for user:' + username)
            return False
        return True

If os.mkdir() raises OSError, control jumps to the handler before lowerPrivileges() is called, so the program keeps running with elevated privileges.

Bad · Python
The following example demonstrates the weakness.

    #include <unistd.h>

    seteuid(0);          /* raise the effective UID to root; return value is not checked */
    /* do some stuff */  /* everything here runs as root, not just the one privileged call */
    seteuid(getuid());   /* drop back to the real UID; skipped if the code above fails or exits early */

Bad · C
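Both snippets above share one failure mode: privileges are raised, and the drop only happens on the happy path. The following is an added example, not code from the CWE entry or from this page. It uses a constructed PrivilegeState class in place of seteuid()/raisePrivileges() so it runs without root, and contrasts the CWE pattern (make_user_dir_vulnerable) with a version that drops privileges in a finally block (make_user_dir_fixed); all function and class names are assumptions for this illustration.

```python
import os
import re
import tempfile


class PrivilegeState:
    """Constructed stand-in for the effective UID so the example runs unprivileged.
    In real code raise/lower would be seteuid(0) / seteuid(getuid())."""

    def __init__(self):
        self.elevated = False

    def raise_privileges(self):
        self.elevated = True

    def lower_privileges(self):
        self.elevated = False


# Conservative allow-list for user names (avoids CWE-22 path traversal in the mkdir path).
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def invalid_username(username):
    return USERNAME_RE.match(username) is None


def make_user_dir_vulnerable(priv, base_dir, username):
    """Mirrors the CWE demonstrative example: lower_privileges() is only
    reached when os.mkdir() succeeds."""
    if invalid_username(username):
        return False
    try:
        priv.raise_privileges()
        os.mkdir(os.path.join(base_dir, username))
        priv.lower_privileges()
    except OSError:
        return False          # privileges are still elevated here
    return True


def make_user_dir_fixed(priv, base_dir, username):
    """Same operation, but the privilege drop is in a finally block, so it runs
    on success, on OSError, and on the early return inside the except."""
    if invalid_username(username):
        return False
    priv.raise_privileges()
    try:
        os.mkdir(os.path.join(base_dir, username))
    except OSError:
        return False
    finally:
        priv.lower_privileges()
    return True


def demo():
    """Force mkdir to fail (directory already exists) and report whether each
    variant leaked elevated privileges. Returns (vulnerable_leaked, fixed_leaked)."""
    with tempfile.TemporaryDirectory() as base:
        os.mkdir(os.path.join(base, "alice"))  # constructed pre-existing directory
        p_vuln = PrivilegeState()
        make_user_dir_vulnerable(p_vuln, base, "alice")
        p_fixed = PrivilegeState()
        make_user_dir_fixed(p_fixed, base, "alice")
        return p_vuln.elevated, p_fixed.elevated


def demo_success():
    """Happy path for the fixed variant: (created, still_elevated, dir_exists)."""
    with tempfile.TemporaryDirectory() as base:
        p = PrivilegeState()
        ok = make_user_dir_fixed(p, base, "bob")
        return ok, p.elevated, os.path.isdir(os.path.join(base, "bob"))


if __name__ == "__main__":
    print("leaked (vulnerable, fixed):", demo())
    print("fixed happy path:", demo_success())
```

Running the module prints `(True, False)` for the failing case: the CWE-style function exits its except block with privileges still raised, while the finally-based version drops them on every path. The same structure applies to the C snippet: pair seteuid(0) with a drop that cannot be skipped, check the return value of each seteuid() call, and keep the elevated window to the single call that needs it.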
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2021-1447 | Cisco Content Security Management Appliance Privilege Escalation Vulnerability | Cisco Content Security Management Appliance (SMA) | 6.7 | Medium | 2021-05-06
CVE-2021-29452 | Any logged in user could edit any other logged in user. | a12n-server | 8.1 | High | 2021-04-16
CVE-2021-27394 | Siemens Mendix security vulnerability | Mendix Applications using Mendix 7 | 8.8 | - | 2021-04-16
CVE-2021-23887 | Privilege escalation in McAfee DLP Endpoint for Windows | McAfee Data Loss Prevention (DLP) Endpoint for Windows | 7.8 | High | 2021-04-15
CVE-2021-29449 | Multiple Privilege Escalation Vulnerabilities Pihole | pi-hole | 6.3 | Medium | 2021-04-14
CVE-2021-20021 | Sonicwall SonicWall Email Security Appliance security vulnerability | Email Security | 9.8 | - | 2021-04-09
CVE-2021-25365 | Samsung SMR security vulnerability | Samsung Mobile Devices | 5.9 | Medium | 2021-04-09
CVE-2021-25363 | Samsung SMR security vulnerability | Samsung Mobile Devices | 6.8 | Medium | 2021-04-09
CVE-2021-25362 | Samsung SMR security vulnerability | Samsung Mobile Devices | 6.8 | Medium | 2021-04-09
CVE-2021-20334 | Local privilege escalation in MongoDB Compass for Windows | MongoDB Compass | 4.8 | Medium | 2021-04-06
CVE-2021-24158 | Orbit Fox by ThemeIsle < 2.10.3 - Authenticated Privilege Escalation | Orbit Fox by ThemeIsle | 6.5 | - | 2021-04-05
CVE-2021-1371 | Cisco IOS XE SD-WAN Software Console Privilege Escalation Vulnerability | Cisco IOS XE Software | 6.6 | Medium | 2021-03-24
CVE-2021-25337 | SAMSUNG Mobile devices security vulnerability | Samsung Mobile Devices | 4.4 | Medium | 2021-03-04
CVE-2021-25336 | Samsung mobile devices security vulnerability | Samsung Mobile Devices | 2.8 | Low | 2021-03-04
CVE-2020-12527 | Improper Access Validation in products of MB connect line and Helmholz | mymbCONNECT24 | 6.5 | Medium | 2021-03-02
CVE-2020-12528 | mymbCONNECT24 security vulnerability | mymbCONNECT24 | 6.5 | Medium | 2021-03-02
CVE-2021-1388 | Cisco ACI Multi-Site Orchestrator Application Services Engine Deployment Authentication Bypass Vulnerability | Cisco ACI Multi-Site Orchestrator Software | 10.0 | Critical | 2021-02-24
CVE-2021-26697 | Apache Airflow: Lineage API endpoint for Experimental API missed authentication check | Apache Airflow | 5.3 | - | 2021-02-17
CVE-2021-23885 | Privilege escalation vulnerability in McAfee Web Gateway (MWG) UI | McAfee Web Gateway (MWG) | 9.0 | Critical | 2021-02-17
CVE-2021-23874 | McAfee Total Protection (MTP) privilege escalation vulnerability | McAfee Total Protection (MTP) | 8.2 | High | 2021-02-10
CVE-2021-23876 | McAfee Total Protection (MTP) Bypass Remote Procedure call vulnerability | McAfee Total Protection (MTP) | 7.8 | High | 2021-02-10
CVE-2021-23882 | Improper Access Control in the ENS installer | Endpoint Security (ENS) for Windows | 8.2 | High | 2021-02-10
CVE-2021-23880 | Improper Access Control in the ENS installer | Endpoint Security (ENS) for Windows | 6.7 | Medium | 2021-02-10
CVE-2020-26191 | DELL EMC PowerScale permission and access control vulnerability | PowerScale OneFS | 7.8 | High | 2021-02-09
CVE-2020-35517 | QEMU access control error vulnerability | qemu | 8.2 | - | 2021-01-28
CVE-2020-26181 | Dell EMC Isilon OneFS and Dell EMC PowerScale security vulnerability | PowerScale OneFS | 7.0 | High | 2021-01-05
CVE-2020-8290 | Backblaze permission and access control vulnerability | Backblaze | 7.8 | - | 2020-12-27
CVE-2020-25194 | MOXA NPort IAW5000A-I/O Series | NPort IAW5000A-I/O | 8.8 | High | 2020-12-23
CVE-2020-24678 | Potential Privilege Escalation in Symphony Plus | ABB Ability™ Symphony® Plus Operations | 8.8 | High | 2020-12-22
CVE-2020-13519 | NZXT CAM permission and access control vulnerability | NZXT | 8.8 | - | 2020-12-18

Vulnerabilities classified as CWE-269 (Improper Privilege Management) represent 1004 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.