
CWE-280 (Improper Handling of Insufficient Permissions or Privileges) — Vulnerability Class 108

108 vulnerabilities classified as CWE-280 (Improper Handling of Insufficient Permissions or Privileges). AI Chinese analysis included.

CWE-280 represents a critical logic flaw where software fails to adequately manage insufficient permissions or privileges during resource access. This weakness typically arises when applications assume elevated rights are always available, leading to unexpected code paths that may leave the system in an invalid or vulnerable state. Attackers exploit this by manipulating user contexts or environment variables to trigger privilege checks that fail silently or incorrectly, potentially bypassing security controls or causing denial of service. To mitigate this risk, developers must implement robust error handling that explicitly validates access rights before executing sensitive operations. By ensuring the application gracefully degrades or denies access when privileges are lacking, rather than proceeding with incomplete or unsafe actions, teams can prevent unauthorized data exposure and maintain system integrity against privilege-related attacks.

MITRE CWE Description
The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state.

Common Consequences (1)
Scope: Other. Impact: Other, Alter Execution Logic.

Mitigations (2)
Phase: Architecture and Design. Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separatio…
Phase: Implementation. Always check to see if you have successfully accessed a resource or system functionality, and use proper error handling if it is unsuccessful. Do this even when you are operating in a highly privileged mode, because errors or environmental conditions might still cause a failure. For example, environments with highly granular permissions/privilege models, such as Windows or Linux capabilities, can …
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2022-30725 | Samsung mobile security vulnerability | Samsung Mobile Devices | 4.0 | Medium | 2022-06-07
CVE-2022-30724 | Samsung mobile security vulnerability | Samsung Mobile Devices | 4.0 | Medium | 2022-06-07
CVE-2022-30723 | Samsung mobile Bluetooth security vulnerability | Samsung Mobile Devices | 4.0 | Medium | 2022-06-07
CVE-2022-30716 | Samsung mobile security vulnerability | Samsung Mobile Devices | 4.0 | Medium | 2022-06-07
CVE-2021-37851 | Local Privilege Escalation in ESET product for Windows | ESET NOD32 Antivirus | 7.3 | High | 2022-05-11
CVE-2022-27167 | Arbitrary File Deletion in ESET products for Windows | ESET NOD32 Antivirus | 7.1 | High | 2022-05-10
CVE-2022-22292 | Samsung Telecom security vulnerability | Samsung Mobile Devices | 7.1 | High | 2022-02-11
CVE-2022-21814 | Nvidia GPU Display Driver for Linux security vulnerability | NVIDIA GPU Display Driver | 6.1 | Medium | 2022-02-07
CVE-2021-37175 | Siemens RUGGEDCOM authorization issue vulnerability | RUGGEDCOM ROX MX5000 | 7.5 | - | 2021-09-14
CVE-2020-10072 | Improper Handling of Insufficient Permissions or Privileges in zephyr | zephyr | 5.9 | Medium | 2021-05-24
CVE-2020-29031 | Insecure Direct Object Reference in GateManager WebUI can cause privilege escalation | GateManager | 7.1 | High | 2021-02-15
CVE-2020-26195 | DELL EMC PowerScale security vulnerability | PowerScale OneFS | 5.3 | Medium | 2021-02-09
CVE-2020-3427 | Duo Authentication for Windows Logon and RDP Privilege Escalation Vulnerability | Duo Authentication for Windows Logon and RDP | 6.6 | Medium | 2020-10-14
CVE-2020-8219 | Pulse Secure Pulse Connect Secure security vulnerability | Pulse Connect Secure | 9.8 | - | 2020-07-30
CVE-2020-8117 | Nextcloud Server security vulnerability | Nextcloud Server | 4.3 | - | 2020-02-04
CVE-2019-17437 | PAN-OS: Custom-role users may escalate privileges | PAN-OS | 7.8 | High | 2019-12-05
CVE-2019-13415 | floragunn Search Guard authorization issue vulnerability | Search Guard | 6.5 | - | 2019-08-13
CVE-2019-6570 | Siemens SINEMA Remote Connect Server permission and access control issue vulnerability | SINEMA Remote Connect Server | 8.1 | - | 2019-04-17

Vulnerabilities classified as CWE-280 (Improper Handling of Insufficient Permissions or Privileges) represent 108 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.