
CWE-281 (Improper Preservation of Permissions) — Vulnerability Class 91

91 vulnerabilities classified as CWE-281 (Improper Preservation of Permissions). AI Chinese analysis included.

CWE-281 describes a security weakness in which software fails to maintain the intended access controls when it copies, restores, or shares objects such as files. The flaw typically arises when developers rely on default system behaviour that recreates the object with more permissive settings than the original, inadvertently exposing sensitive data to unauthorized users. Attackers exploit the flaw by abusing such copy, restore, or share operations to gain elevated privileges or to reach resources that should remain private. To mitigate the risk, developers must explicitly preserve permissions by using secure APIs that carry the original access control lists across the operation, and must validate the resulting permissions rather than assuming the defaults are safe. Preferring these secure alternatives to generic file copy functions keeps security boundaries intact, and code reviews that focus on file-handling routines help identify and correct such oversights before deployment.

MITRE CWE Description
The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.
Common Consequences (1)
Scope: Confidentiality, Integrity
Impact: Read Application Data, Modify Application Data
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2024-22114 | System Information Widget in Global View Dashboard exposes information about Hosts to Users without Permission | Zabbix | 4.3 | Medium | 2024-08-09 |
| CVE-2024-22121 | Zabbix Agent MSI Installer Allows Non-Admin User to Access Change Option via msiexec.exe | Zabbix | 6.1 | Medium | 2024-08-09 |
| CVE-2024-23464 | Zscaler bypass with administrative privileges on Windows | Client Connector | 7.2 | High | 2024-08-06 |
| CVE-2024-39902 | Tuleap's recursive permissions to document manager folder are not properly applied | tuleap | 4.8 | Medium | 2024-07-22 |
| CVE-2024-38361 | Permissions processing error in spacedb | spicedb | 3.7 | Low | 2024-06-20 |
| CVE-2023-25646 | Permission and Access Control Vulnerability in ZTE H388X | ZXHN H388X | 7.1 | High | 2024-06-20 |
| CVE-2024-3291 | Privilege Escalation | Nessus Agent | 7.8 | High | 2024-05-17 |
| CVE-2024-3289 | Tenable Network Security Nessus Security Vulnerability | Nessus | 7.8 | High | 2024-05-17 |
| CVE-2024-32020 | Cloning local Git repository by untrusted user allows the untrusted user to modify objects in the cloned repository at will | git | 3.9 | Low | 2024-05-14 |
| CVE-2024-22405 | XADMaster may not apply quarantine attribute correctly to extracted files | XADMaster | 5.5 | Medium | 2024-04-30 |
| CVE-2024-1726 | Quarkus: security checks for some inherited endpoints performed after serialization in resteasy reactive may trigger a denial of service | | 5.3 | Medium | 2024-04-25 |
| CVE-2024-22177 | Audio has an improper preservation of permissions vulnerability | OpenHarmony | 3.3 | Low | 2024-04-02 |
| CVE-2024-29735 | Apache Airflow: Potentially harmful permission changing by log task handler | Apache Airflow | 8.1 (AI) | High (AI) | 2024-03-26 |
| CVE-2024-28746 | Apache Airflow: Ignored Airflow Permissions | Apache Airflow | 4.3 (AI) | Medium (AI) | 2024-03-14 |
| CVE-2024-21816 | Background task manager has an improper preservation of permissions vulnerability | OpenHarmony | 4.0 | Medium | 2024-03-04 |
| CVE-2024-22402 | Improper handling of request URLs in Nextcloud Guests app allows guest users to bypass app allowlist | security-advisories | 5.4 | Medium | 2024-01-18 |
| CVE-2024-22401 | All users can reset the allowed apps list for Nextcloud Guest App users | security-advisories | 4.1 | Medium | 2024-01-18 |
| CVE-2024-22404 | Permissions bypass in Nextcloud with the files zip app | security-advisories | 4.1 | Medium | 2024-01-18 |
| CVE-2023-6239 | Incorrect calculation of effective permissions | M-Files Server | 5.4 | Medium | 2023-11-28 |
| CVE-2023-43612 | Hiview has an improper preservation of permissions vulnerability | OpenHarmony | 8.4 | High | 2023-11-20 |
| CVE-2023-4996 | Local privilege escalation | Netskope Client | 6.6 | Medium | 2023-11-06 |
| CVE-2023-45807 | OpenSearch Issue with tenant read-only permissions | security | 5.4 | Medium | 2023-10-16 |
| CVE-2023-31926 | Arbitrary File Overwrite using less command | Fabric OS | 7.1 | High | 2023-08-02 |
| CVE-2023-1386 | Qemu: 9pfs: suid/sgid bits not dropped on file write | qemu | 3.3 | Low | 2023-07-24 |
| CVE-2023-35938 | User access not updated with privilege change in Tuleap | tuleap | 4.1 | Medium | 2023-06-29 |
| CVE-2023-2818 | ITM Windows Agent Insecure Filesystem Permissions | Insider Threat Management | 5.5 | Medium | 2023-06-27 |
| CVE-2023-2993 | Lenovo ThinkSystem Security Vulnerability | System Management Module (SMM) | 5.4 | Medium | 2023-06-26 |
| CVE-2023-0975 | Trellix Agent Security Vulnerability | Trellix Agent | 8.2 | High | 2023-04-03 |
| CVE-2023-28647 | App pin of the iOS app can be bypassed in Nextcloud iOS | security-advisories | 4.4 | Medium | 2023-03-30 |
| CVE-2023-25809 | rootless: `/sys/fs/cgroup` is writable when cgroupns isn't unshared in runc | runc | 5.0 | Medium | 2023-03-29 |

Vulnerabilities classified as CWE-281 (Improper Preservation of Permissions) represent 91 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.