Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CWE-280 (不充分权限或特权的处理不恰当) — Vulnerability Class 127

127 vulnerabilities classified as CWE-280 (不充分权限或特权的处理不恰当). AI Chinese analysis included.

CWE-280 represents a critical logic flaw where software fails to adequately manage insufficient permissions or privileges during resource access. This weakness typically arises when applications assume elevated rights are always available, leading to unexpected code paths that may leave the system in an invalid or vulnerable state. Attackers exploit this by manipulating user contexts or environment variables to trigger privilege checks that fail silently or incorrectly, potentially bypassing security controls or causing denial of service. To mitigate this risk, developers must implement robust error handling that explicitly validates access rights before executing sensitive operations. By ensuring the application gracefully degrades or denies access when privileges are lacking, rather than proceeding with incomplete or unsafe actions, teams can prevent unauthorized data exposure and maintain system integrity against privilege-related attacks.

MITRE CWE Description
The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state.
Common Consequences (1)
OtherOther, Alter Execution Logic
Mitigations (2)
Architecture and DesignCompartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separatio…
ImplementationAlways check to see if you have successfully accessed a resource or system functionality, and use proper error handling if it is unsuccessful. Do this even when you are operating in a highly privileged mode, because errors or environmental conditions might still cause a failure. For example, environments with highly granular permissions/privilege models, such as Windows or Linux capabilities, can …
CVE IDTitleCVSSSeverityPublished
CVE-2023-6189 Improper Permission Handling in M-Files Server — M-Files Server 4.3 Medium2023-11-22
CVE-2023-43591 Zoom Rooms 安全漏洞 — Zoom Rooms for macOS 7.8 High2023-11-14
CVE-2023-43087 Dell PowerScale OneFS 安全漏洞 — PowerScale OneFS 4.3 Medium2023-11-02
CVE-2023-32489 Dell PowerScale OneFS 安全漏洞 — PowerScale OneFS 6.7 Medium2023-08-16
CVE-2023-2480 Elevation of Privilege in M-Files Desktop Client — M-Files Client 7.5 High2023-05-25
CVE-2023-2020 Unauthorized scheduling of downtimes via REST API — Checkmk 4.3 Medium2023-04-18
CVE-2023-0181 NVIDIA GPU Display Driver for Windows 安全漏洞 — vGPU software (guest driver - Windows), vGPU software (guest driver - Linux), vGPU software (Virtual GPU Manager - Citrix Hypervisor, VMware vSphere, Red Hat Enterprise Linux KVM), NVIDIA Cloud Gaming (guest driver - Windows), NVIDIA Cloud Gaming (guest driver - Linux), NVIDIA Cloud Gaming (Virtual GPU Manager - Red Hat Enterprise Linux KVM) 7.1 High2023-04-01
CVE-2023-28114 `cilium-cli` disables etcd authorization for clustermesh clusters — cilium-cli 4.8 Medium2023-03-22
CVE-2023-21421 SAMSUNG Mobile devices 安全漏洞 — Samsung Mobile Devices 5.9 Medium2023-02-09
CVE-2022-4863 Improper Handling of Insufficient Permissions or Privileges in usememos/memos — usememos/memos 8.1 -2022-12-30
CVE-2022-39912 SAMSUNG Mobile devices 安全漏洞 — Samsung Mobile Devices 6.2 Medium2022-12-08
CVE-2022-39885 SAMSUNG Mobile devices 安全漏洞 — Samsung Mobile Devices 5.9 Medium2022-11-09
CVE-2022-39886 SAMSUNG Mobile devices 安全漏洞 — Samsung Mobile Devices 5.9 Medium2022-11-09
CVE-2022-39872 SAMSUNG Mobile devices 安全漏洞 — ShareLive 5.9 Medium2022-10-07
CVE-2022-36874 SAMSUNG Mobile devices 安全漏洞 — Waterplugin 5.9 Medium2022-09-09
CVE-2022-34368 Dell EMC NetWorker 安全漏洞 — NetWorker Management Console 6.1 Medium2022-08-30
CVE-2022-2193 HYPR Server 安全漏洞 — HYPR Server 7.5 High2022-07-19
CVE-2022-30727 Samsung mobile 安全漏洞 — Samsung Mobile Devices 6.2 Medium2022-06-07
CVE-2022-30725 Samsung mobile 安全漏洞 — Samsung Mobile Devices 4.0 Medium2022-06-07
CVE-2022-30724 Samsung mobile 安全漏洞 — Samsung Mobile Devices 4.0 Medium2022-06-07
CVE-2022-30723 Samsung mobile Bluetooth 安全漏洞 — Samsung Mobile Devices 4.0 Medium2022-06-07
CVE-2022-30716 Samsung mobile 安全漏洞 — Samsung Mobile Devices 4.0 Medium2022-06-07
CVE-2021-37851 Local Privilege Escalation in ESET product for Windows — ESET NOD32 Antivirus 7.3 High2022-05-11
CVE-2022-27167 Arbitrary File Deletion in ESET products for Windows — ESET NOD32 Antivirus 7.1 High2022-05-10
CVE-2022-22292 Samsung Telecom 安全漏洞 — Samsung Mobile Devices 7.1 High2022-02-11
CVE-2022-21814 Nvidia GPU Display Driver for Linux 安全漏洞 — NVIDIA GPU Display Driver 6.1 Medium2022-02-07
CVE-2021-37175 Siemens RUGGEDCOM 授权问题漏洞 — RUGGEDCOM ROX MX5000 7.5 -2021-09-14
CVE-2020-10072 Improper Handling of Insufficient Permissions or Privileges in zephyr — zephyr 5.9 Medium2021-05-24
CVE-2020-29031 Insecure Direct Object Reference in GateManager WebUI can cause privilege escalation — GateManager 7.1 High2021-02-15
CVE-2020-26195 DELL EMC PowerScale 安全漏洞 — PowerScale OneFS 5.3 Medium2021-02-09

Vulnerabilities classified as CWE-280 (不充分权限或特权的处理不恰当) represent 127 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.