
CWE-269 (Improper Privilege Management) — Vulnerability Class 1004

1004 vulnerabilities classified as CWE-269 (Improper Privilege Management). AI Chinese analysis included.

CWE-269 is an access control weakness in which software fails to properly assign, modify, track, or check the privileges of a user or process, leaving that actor with a sphere of control it was never meant to have. Typical instances are a setuid program or service that keeps elevated privileges longer than it needs them, a privilege drop that changes only the effective ID so the original level can be regained, an error path that skips the drop altogether, and authorization logic that lets a low-privileged role reach administrative functions. An attacker who finds such a flaw can escalate from a standard user to an administrator or root, and from there read or modify data or compromise the system outright. Preventing it means enforcing least privilege in the identity and access management design: assign the minimum rights each task needs, separate privileged from unprivileged code paths, check the return value of every privilege change, audit permission assignments regularly, use role-based access control, and re-validate the caller's rights at every security-relevant checkpoint.

MITRE CWE Description
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Common Consequences (1)
Access Control: Gain Privileges or Assume Identity
Mitigations (3)
Architecture and Design, Operation: Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Architecture and Design: Follow the principle of least privilege when assigning access rights to entities in a software system.
Architecture and Design: Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
Examples (2)
This code temporarily raises the program's privileges to allow creation of a new user folder. It raises the privilege level only for the mkdir call and lowers it again immediately afterwards, but if os.mkdir() raises an exception the call to lowerPrivileges() is never reached, and the program continues to run with elevated privileges.

    import os

    def makeNewUserDir(username):
        if invalidUsername(username):
            # avoid CWE-22 and CWE-78
            print('Usernames cannot contain invalid characters')
            return False
        try:
            raisePrivileges()
            os.mkdir('/home/' + username)
            # If os.mkdir() throws, execution jumps to the except block and
            # lowerPrivileges() below is skipped: the process stays elevated.
            lowerPrivileges()
        except OSError:
            print('Unable to create new user directory for user:' + username)
            return False
        return True

Bad · Python
The following example demonstrates the weakness. Neither seteuid() call is checked, so if the first fails the "stuff" runs without the expected privilege and if the second fails the process silently continues as root; and because only the effective uid is changed, the saved set-user-ID of a setuid-root program remains 0 and root can be regained at any time.

    seteuid(0);          /* raise to root; return value not checked */
    /* do some stuff */  /* everything here runs with euid 0 */
    seteuid(getuid());   /* "drop"; not checked, and only the effective uid
                            changes, so the saved uid still allows seteuid(0) */

Bad · C
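As an added example (not MITRE's code and not from any product listed on this page), the following C program shows the hardened form of both snippets above: run_with_euid restores the effective uid on every path, including the error path that the Python example misses, and drop_privileges_permanently replaces the unchecked seteuid() pair with a checked, ordered and verified drop that cannot be undone. It assumes Linux/glibc (setresuid, getresuid, setgroups) and that uid/gid 65534 is an unprivileged account ("nobody"); the path under /nonexistent_dir_cwe269_example is a constructed input chosen so that mkdir fails. Run as an ordinary user it works with that user's own ids; run as root it drops to 65534.

```c
/* privdrop_example.c: added example for CWE-269, not MITRE's or any vendor's code.
 * Build: cc -Wall -o privdrop_example privdrop_example.c
 * Assumes Linux/glibc; uid/gid 65534 ("nobody") is an assumption. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Prototypes repeated explicitly so the file still compiles if a system
 * header was pulled in before _GNU_SOURCE took effect. */
int setresuid(uid_t ruid, uid_t euid, uid_t suid);
int setresgid(gid_t rgid, gid_t egid, gid_t sgid);
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);
int getresgid(gid_t *rgid, gid_t *egid, gid_t *sgid);
int setgroups(size_t size, const gid_t *list);

/* Run `work` with the effective uid switched to `target` and restore the
 * caller's effective uid on every path, including when `work` fails. This is
 * what the page's Python example gets wrong when an exception skips
 * lowerPrivileges(). Returns work's result, or -1 (errno set) if the switch
 * to `target` itself failed. */
int run_with_euid(uid_t target, int (*work)(void *), void *arg)
{
    uid_t original = geteuid();
    if (seteuid(target) != 0)
        return -1;
    int rc = work(arg);
    int work_errno = errno;
    if (seteuid(original) != 0) {
        /* Continuing here would leave the process at the wrong privilege
         * level, which is exactly CWE-269; failing closed is the safe option. */
        perror("seteuid(restore)");
        abort();
    }
    errno = work_errno;
    return rc;
}

/* Example unit of work: create a directory. `arg` is the path (a char *). */
int make_dir(void *arg)
{
    return mkdir((const char *)arg, 0750);
}

/* Returns 1 if real, effective and saved ids all equal the target ids and
 * root cannot be regained (seteuid(0) is refused), otherwise 0. Note that a
 * successful seteuid(0) here means the drop was not permanent at all. */
int privileges_are_dropped(uid_t uid, gid_t gid)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;
    if (getresuid(&ru, &eu, &su) != 0 || getresgid(&rg, &eg, &sg) != 0)
        return 0;
    if (ru != uid || eu != uid || su != uid)
        return 0;
    if (rg != gid || eg != gid || sg != gid)
        return 0;
    if (uid != 0 && seteuid(0) == 0)
        return 0;   /* saved uid was still 0: the classic seteuid() mistake */
    return 1;
}

/* Permanently drop to uid/gid. Unlike `seteuid(0); ...; seteuid(getuid());`
 * this sets real, effective and saved ids together, checks every return
 * value, orders the calls so none can be undone, and verifies the result. */
int drop_privileges_permanently(uid_t uid, gid_t gid)
{
    /* Supplementary groups can only be cleared while we still hold
     * CAP_SETGID, i.e. while the effective uid is still 0. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    /* Group first: once the uid is gone, changing the gid is refused. */
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    return privileges_are_dropped(uid, gid) ? 0 : -1;
}

/* Target ids for the demo: the caller's own ids when not root, otherwise
 * 65534/65534 (assumed to be "nobody"/"nogroup"). */
uid_t unprivileged_uid(void) { return getuid() != 0 ? getuid() : (uid_t)65534; }
gid_t unprivileged_gid(void) { return getuid() != 0 ? getgid() : (gid_t)65534; }

int main(void)
{
    uid_t uid = unprivileged_uid();
    gid_t gid = unprivileged_gid();
    /* Constructed input: the parent does not exist, so mkdir fails with
     * ENOENT, yet the effective uid is still restored afterwards. */
    int rc = run_with_euid(uid, make_dir, (void *)"/nonexistent_dir_cwe269_example/child");
    printf("work rc=%d (%s); euid restored: %s\n", rc, strerror(errno),
           geteuid() == getuid() ? "yes" : "NO");
    if (drop_privileges_permanently(uid, gid) != 0) {
        perror("drop_privileges_permanently");
        return 1;
    }
    printf("dropped to uid=%u gid=%u; seteuid(0) now %s\n", (unsigned)getuid(),
           (unsigned)getgid(), seteuid(0) == 0 ? "SUCCEEDS (bad)" : "fails (good)");
    return 0;
}
```

The verification step matters as much as the drop itself: a setuid() or seteuid() call can return 0 and still leave a saved uid of 0 behind, so the only reliable check is to read back all three ids with getresuid() and confirm that an attempt to regain root is refused.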
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2020-13514 | NZXT CAM permissions and access control vulnerability | NZXT | 8.8 | - | 2020-12-18
CVE-2020-13513 | NZXT CAM permissions and access control vulnerability | NZXT | 8.8 | - | 2020-12-18
CVE-2020-13512 | NZXT CAM security vulnerability | NZXT | 8.8 | - | 2020-12-18
CVE-2020-13515 | NZXT CAM authorization issue vulnerability | NZXT | 8.8 | - | 2020-12-18
CVE-2020-13516 | NZXT CAM information disclosure vulnerability | NZXT | 6.5 | - | 2020-12-17
CVE-2020-13517 | NZXT CAM information disclosure vulnerability | NZXT | 6.5 | - | 2020-12-17
CVE-2020-13518 | NZXT CAM information disclosure vulnerability | NZXT | 6.5 | - | 2020-12-17
CVE-2020-13511 | NZXT CAM information disclosure vulnerability | NZXT | 6.5 | - | 2020-12-17
CVE-2020-13510 | NZXT CAM information disclosure vulnerability | NZXT | 6.5 | - | 2020-12-17
CVE-2020-13509 | NZXT CAM information disclosure vulnerability | NZXT | 6.5 | - | 2020-12-17
CVE-2020-12519 | Phoenix Contact PLCnext Control Devices versions before 2021.0 LTS: an attacker can use this vulnerability, e.g., to open a reverse shell with root privileges | AXC F 1152 (1151412) | 8.8 | High | 2020-12-17
CVE-2020-8258 | Citrix Systems Gateway security vulnerability | Citrix Gateway Plug-in for Windows | 6.5 | - | 2020-12-14
CVE-2020-8283 | Citrix Virtual Apps and Desktops authorization issue vulnerability | Citrix Virtual Apps and Desktops | 8.8 | - | 2020-12-14
CVE-2020-7335 | Privilege Escalation vulnerability in McAfee Total Protection (MTP) | McAfee Total Protection (MTP) | 7.5 | High | 2020-12-01
CVE-2020-7544 | Schneider Electric EcoStruxure Operator Terminal Expert permissions and access control vulnerability | EcoStruxure Operator Terminal Expert runtime (Vijeo XD) | 7.8 | - | 2020-11-19
CVE-2020-12495 | ENDRESS+HAUSER: Ecograph T utilizing Webserver firmware version 1.x has improper privilege management | RSG35 - Ecograph T | 9.1 | Critical | 2020-11-19
CVE-2020-8269 | Citrix Systems Citrix Virtual Apps and Desktops security vulnerability | Citrix Virtual Apps and Desktops | 8.8 | - | 2020-11-16
CVE-2020-16126 | accountsservice drops ruid, allows unprivileged users to send it signals | accountsservice | 3.3 | Low | 2020-11-11
CVE-2020-16122 | Packagekit's apt backend lets user install untrusted local packages | packagekit | 8.2 | High | 2020-11-07
CVE-2020-3600 | Cisco SD-WAN Software Privilege Escalation Vulnerability | Cisco SD-WAN Solution | 7.8 | High | 2020-11-06
CVE-2020-3595 | Cisco SD-WAN Software Privilege Escalation Vulnerability | Cisco SD-WAN Solution | 7.8 | High | 2020-11-06
CVE-2020-3594 | Cisco SD-WAN Software Privilege Escalation Vulnerability | Cisco SD-WAN Solution | 7.8 | High | 2020-11-06
CVE-2020-3593 | Cisco SD-WAN Software Privilege Escalation Vulnerability | Cisco SD-WAN Solution | 7.8 | High | 2020-11-06
CVE-2020-27654 | Synology Router Manager access control error vulnerability | Synology Router Manager (SRM) | 9.8 | Critical | 2020-10-29
CVE-2020-27655 | Synology Router Manager access control error vulnerability | Synology Router Manager (SRM) | 6.5 | Medium | 2020-10-29
CVE-2020-7330 | Privilege Escalation vulnerability in McAfee Total Protection (MTP) trial | McAfee Total Protection (MTP) Trial | 7.5 | High | 2020-10-14
CVE-2020-15797 | Siemens DCA Vantage Analyzer security vulnerability | DCA Vantage Analyzer | 6.8 | - | 2020-10-13
CVE-2020-8223 | Nextcloud security vulnerability | Nextcloud Server | 7.3 | - | 2020-10-05
CVE-2020-3393 | Cisco IOS XE Software IOx Application Hosting Privilege Escalation Vulnerability | Cisco IOS XE Software | 6.0 | Medium | 2020-09-24
CVE-2020-8247 | Citrix Systems multiple products security vulnerability | Citrix ADC, Citrix Gateway, Citrix SDWAN WAN-OP | 9.8 | - | 2020-09-18

Vulnerabilities classified as CWE-269 (Improper Privilege Management) account for 1004 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.