
CWE-269 (Improper Privilege Management) — Vulnerability Class 1004

1004 vulnerabilities classified as CWE-269 (Improper Privilege Management). AI Chinese analysis included.

CWE-269 represents a critical access control weakness where software fails to properly assign, modify, track, or verify privileges for users or processes. This flaw allows actors to operate outside their intended security boundaries, effectively granting them an unintended sphere of control. Attackers typically exploit this vulnerability by manipulating session tokens, bypassing authentication checks, or leveraging insufficient authorization logic to escalate privileges from a standard user to an administrator. Such exploitation can lead to unauthorized data access, system modification, or complete compromise. To prevent this, developers must implement robust identity and access management frameworks that enforce strict least-privilege principles. Regularly auditing permission assignments, utilizing role-based access control, and rigorously validating user rights at every critical application checkpoint are essential strategies to ensure actors only possess the minimum necessary privileges for their specific tasks.

MITRE CWE Description
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Common Consequences (1)
Scope: Access Control. Impact: Gain Privileges or Assume Identity.

Mitigations (3)
Phase: Architecture and Design, Operation. Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Phase: Architecture and Design. Follow the principle of least privilege when assigning access rights to entities in a software system.
Phase: Architecture and Design. Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
Examples (2)

This code temporarily raises the program's privileges to allow creation of a new user folder.

    import os

    # raisePrivileges(), lowerPrivileges() and invalidUsername() are helpers
    # assumed by the MITRE example; they are not defined on this page.
    def makeNewUserDir(username):
        if invalidUsername(username):
            # avoid CWE-22 and CWE-78
            print('Usernames cannot contain invalid characters')
            return False
        try:
            raisePrivileges()
            os.mkdir('/home/' + username)
            lowerPrivileges()   # never reached if os.mkdir() raises OSError
        except OSError:
            # the except branch returns while privileges are still raised
            print('Unable to create new user directory for user:' + username)
            return False
        return True

Bad · Python

The following example demonstrates the weakness.

    #include <unistd.h>

    seteuid(0);           /* raise to root; return value not checked */
    /* do some stuff */   /* everything here runs with root privileges */
    seteuid(getuid());    /* drop back; return value not checked either */

Bad · C
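As an added example (not MITRE's code and not part of this page), the Python fragment above rewritten so that privileges are dropped on every exit path and the drop is verified before continuing. PosixPrivileges, FakePrivileges, elevated and make_new_user_dir are names chosen here; FakePrivileges is a constructed stand-in so the logic can be exercised without root.

```python
import os
from contextlib import contextmanager

class PosixPrivileges:
    """Real backend: toggles the effective UID with os.seteuid().
    Only meaningful in a setuid-root program started by a non-root user."""
    def raise_privileges(self):
        os.seteuid(0)
    def lower_privileges(self):
        os.seteuid(os.getuid())
    def is_elevated(self):
        return os.geteuid() == 0

class FakePrivileges:
    """Constructed stand-in that only records state, so the logic runs without root."""
    def __init__(self):
        self.elevated = False
        self.drops = 0
    def raise_privileges(self):
        self.elevated = True
    def lower_privileges(self):
        self.elevated = False
        self.drops += 1
    def is_elevated(self):
        return self.elevated

@contextmanager
def elevated(priv):
    """Hold raised privileges only inside the with block; drop them on every exit path."""
    priv.raise_privileges()
    try:
        yield
    finally:
        # This finally clause is what the page's Python example lacks: there,
        # lowerPrivileges() is skipped whenever os.mkdir() raises OSError.
        priv.lower_privileges()
        if priv.is_elevated():  # never assume the drop worked; verify it
            raise RuntimeError("failed to drop privileges")

def make_new_user_dir(username, priv, mkdir=os.mkdir, base="/home"):
    # Plain alphanumerics only: the CWE-22/CWE-78 guard from the original example.
    if not username or not username.isalnum():
        return False
    try:
        with elevated(priv):
            mkdir(os.path.join(base, username))
    except OSError:
        return False
    return True
```

With a real backend, pass PosixPrivileges() as priv and leave mkdir at its default; the test below uses the fake backend and an injected mkdir that fails.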
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2020-7311 | Privilege Escalation vulnerability in MA for Windows | MA for Windows | 7.8 | High | 2020-09-10
CVE-2020-7324 | Improper Access Control vulnerability in MVISION Endpoint | MVISION Endpoint | 6.1 | Medium | 2020-09-09
CVE-2020-7523 | Schneider Electric Modbus Serial Driver security vulnerability | Schneider Electric Modbus Serial Driver (64 bits) versions prior to V3.20 IE 30, Schneider Electric Modbus Serial Driver (32 bits) versions prior to V2.20 IE 30, and Schneider Electric Modbus Driver Suite versions prior to V14.15.0.0 | 8.8 | - | 2020-08-31
CVE-2020-7310 | Privilege Escalation vulnerability in McAfee Total Protection (MTP) trial installer | McAfee Total Protection (MTP) Trial | 6.9 | Medium | 2020-08-21
CVE-2020-15149 | Account takeover in NodeBB | NodeBB | 9.9 | Critical | 2020-08-19
CVE-2020-7305 | DLP ePO extension - Privilege escalation | DLP ePO extension | 6.7 | Medium | 2020-08-13
CVE-2020-13522 | SoftPerfect RAM Disk input validation error vulnerability | SoftPerfect | 7.1 | - | 2020-08-04
CVE-2020-7281 | Privilege Escalation vulnerability in McAfee Total Protection (MTP) | McAfee Total Protection (MTP) | 7.5 | High | 2020-07-03
CVE-2020-7509 | Schneider Electric Easergy T300 security vulnerability | Easergy T300 (Firmware version 1.5.2 and older) | 7.2 | - | 2020-06-16
CVE-2020-7280 | Symbolic Link vulnerability during DAT update | McAfee VirusScan Enterprise (VSE) | 7.8 | High | 2020-06-10
CVE-2019-3588 | Using VSE to bypass Windows Credentials on Lock screen | McAfee VirusScan Enterprise (VSE) | 6.3 | Medium | 2020-06-10
CVE-2019-3585 | VSE Escalation of Privileges through Alert pop-up window | McAfee VirusScan Enterprise (VSE) | 7.0 | High | 2020-06-10
CVE-2020-8021 | unauthorized read access to files where sourceaccess is disabled via a crafted _service file in Open Build Service | Open Build Service | 5.3 | Medium | 2020-05-19
CVE-2020-6992 | GE CIMPLICITY security vulnerability | GE Digital CIMPLICITY | 6.7 | - | 2020-04-15
CVE-2020-7273 | Autorun registry bypass | McAfee Endpoint Security (ENS) | 6.7 | Medium | 2020-04-15
CVE-2020-7274 | ENS elevated permissions vulnerability | McAfee Endpoint Security (ENS) | 6.6 | Medium | 2020-04-15
CVE-2019-15789 | Microk8s Privilege Escalation Vulnerability | MicroK8s | 8.8 | High | 2020-04-08
CVE-2018-17954 | crowbar provision leaks admin password to all nodes in cleartext | SUSE OpenStack Cloud 7 | 9.3 | Critical | 2020-04-03
CVE-2020-6968 | Honeywell INNCOM INNControl 3 security vulnerability | INNCOM INNControl 3 | 7.8 | - | 2020-02-20
CVE-2019-11288 | tcServer JMX Socket Listener Registry Rebinding Local Privilege Escalation | Pivotal tc Server 4.x | 7.1 | - | 2020-01-27
CVE-2019-18899 | apt-cacher-ng insecure use of /run/apt-cacher-ng | Leap 15.1 | 6.2 | Medium | 2020-01-23
CVE-2019-11280 | Privilege escalation through the invitations service | Pivotal Application Service (PAS) | 8.8 | - | 2019-09-20
CVE-2019-11270 | UAA clients.write vulnerability | UAA Release (OSS) | 7.5 | - | 2019-08-05
CVE-2019-7394 | CA Risk Authentication and CA Strong Authentication permissions, privileges and access control vulnerability | CA Strong Authentication | 8.8 | - | 2019-05-28
CVE-2019-3786 | BBR could run arbitrary scripts on deployment VMs | BOSH Backup and Restore | 7.1 | - | 2019-04-24
CVE-2018-19012 | Multiple Dräger products security vulnerability | Dräger Infinity Delta | 9.9 | - | 2019-01-28
CVE-2018-19635 | CA Service Desk Manager permissions, privileges and access control vulnerability | CA Service Desk Manager | 9.8 | - | 2019-01-22
CVE-2018-14828 | Advantech WebAccess security vulnerability | Advantech WebAccess | 8.4 | - | 2018-10-23
CVE-2018-14808 | Emerson Electric AMS Device Manager security vulnerability | AMS Device Manager | 6.5 | - | 2018-10-01
CVE-2018-10502 | Samsung Galaxy Apps permissions and access control vulnerability | Samsung Galaxy Apps | 7.8 | - | 2018-09-24

A "-" in the Severity column means the entry carries a CVSS score but no severity rating.

Vulnerabilities classified as CWE-269 (Improper Privilege Management) represent 1004 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.