
CWE-281 (Improper Preservation of Permissions) — Vulnerability Class 91

91 vulnerabilities classified as CWE-281 (Improper Preservation of Permissions). AI-generated Chinese analysis included.

CWE-281 covers software that copies, restores, or shares an object without carrying over the permissions that were set on it, so the result ends up with less restrictive access than intended. The usual cause is reliance on default behaviour rather than an explicit decision: a generic copy routine writes the destination with the process's default creation mode (governed by the umask) instead of the source's mode, a restore or extraction path recreates files under whatever mode or ACL the destination inherits, or a sharing feature fails to persist the restrictions the user set on the shared object. The consequence is that data meant to stay private becomes readable or writable by other users, and when the weakened object is later trusted for authorization (a configuration file, a key, a container layer, a data directory), a local attacker can use it to escalate. The entries below show the range of affected software: `docker cp` changing the mode of host files, a Nextcloud public share whose delete-permission setting was not saved, a Grafana folder permission that permitted privilege escalation, and permission preservation bugs in containerd and etcd. The mitigation is to make permission preservation explicit: use APIs that copy mode and ACL together with the content (for example cp -p, or Python's shutil.copy2 rather than shutil.copyfile), or set the intended mode immediately after the copy; set a restrictive umask before creating files; and verify after the operation that the result is no more permissive than the source. Code review of file-handling and sharing paths should check for each of these steps rather than treating copy and share operations as harmless.
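The file-copy form of the weakness, as an added example that is not part of the original page or of any product listed on it. It contrasts the vulnerable pattern (shutil.copyfile, which copies contents only, so the destination gets the umask-derived default mode) with the hardened pattern (re-applying the source mode with shutil.copymode), and includes the post-copy check a reviewer would want: does the destination carry any permission bit the source does not? The 0o022 umask, the file names and the secret content are constructed for the demonstration.

```python
import os
import shutil
import stat
import tempfile


def mode_of(path: str) -> int:
    """Return only the permission bits (rwx for user/group/other) of path."""
    return stat.S_IMODE(os.stat(path).st_mode)


def less_restrictive(src_mode: int, dst_mode: int) -> bool:
    """True if dst grants any permission bit that src does not (CWE-281 symptom)."""
    return bool(dst_mode & ~src_mode)


def copy_without_preserving(src: str, dst: str) -> int:
    """Vulnerable pattern: contents are copied, but the destination is created
    with the process default mode (0o666 & ~umask), not the source mode.
    A 0o600 key file comes out 0o644 under a 0o022 umask."""
    shutil.copyfile(src, dst)
    return mode_of(dst)


def copy_preserving(src: str, dst: str) -> int:
    """Hardened pattern: copy contents, then explicitly re-apply the source mode.
    shutil.copy2() does the same plus timestamps; cp -p is the shell equivalent."""
    shutil.copyfile(src, dst)
    shutil.copymode(src, dst)
    return mode_of(dst)


def demo() -> dict:
    """Create a 0o600 'secret', copy it both ways, report the resulting modes.
    Runs entirely in a temporary directory and restores the caller's umask."""
    old_umask = os.umask(0o022)  # constructed: a common default umask
    try:
        with tempfile.TemporaryDirectory() as d:
            src = os.path.join(d, "secret.key")  # hypothetical file name
            with open(src, "w") as f:
                f.write("constructed sample secret\n")
            os.chmod(src, 0o600)  # owner-only, the permission we intend to keep

            bad = copy_without_preserving(src, os.path.join(d, "secret.key.bak"))
            good = copy_preserving(src, os.path.join(d, "secret.key.bak2"))

            return {
                "source": mode_of(src),
                "copyfile": bad,
                "copyfile_leaks": less_restrictive(mode_of(src), bad),
                "copymode": good,
                "copymode_leaks": less_restrictive(mode_of(src), good),
            }
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {oct(value) if isinstance(value, int) else value}")
```

On a POSIX system with the 0o022 umask set above, the copyfile result is 0o644 (group and world readable) while the copymode result is 0o600. The less_restrictive check is the piece worth keeping in real code: run it after any backup, restore or export step and fail the operation if it returns True.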

MITRE CWE Description
The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.
Common Consequences (1)
Scope: Confidentiality, Integrity
Impact: Read Application Data, Modify Application Data
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2023-28642 | AppArmor bypass with symlinked /proc in runc | runc | 6.1 | Medium | 2023-03-29
CVE-2023-25817 | Delete permissions are not saved when creating public share in Nextcloud server | security-advisories | 3.5 | Low | 2023-03-27
CVE-2023-21464 | SAMSUNG Mobile Devices security vulnerability | Samsung Calendar | 4.0 | Medium | 2023-03-16
CVE-2023-22738 | Improper Preservation of Permissions in vantage6 | vantage6 | 6.3 | Medium | 2023-03-01
CVE-2023-25812 | Allowed DELETE on resources on object locked buckets under Governance mode in Minio | minio | 6.5 | Medium | 2023-02-21
CVE-2022-4139 | Linux kernel security vulnerability | kernel | 7.8 | - | 2023-01-27
CVE-2022-42260 | NVIDIA vGPU Display Driver security vulnerability | vGPU software (guest driver) - Linux, NVIDIA Cloud Gaming (guest driver) | 7.8 | High | 2022-12-30
CVE-2022-4326 | Trellix xAgent permission bypass vulnerability | xAgent | 5.5 | Medium | 2022-12-16
CVE-2022-41963 | BigBlueButton contains Improper Preservation of Permissions for whiteboard | bigbluebutton | 2.7 | Low | 2022-12-16
CVE-2022-31608 | NVIDIA graphics driver security vulnerability | GeForce, Workstation, Compute | 7.8 | High | 2022-11-18
CVE-2019-14841 | Red Hat Decision Manager security vulnerability | Business-central | 8.8 | - | 2022-10-17
CVE-2022-36062 | Grafana folders admin only permission privilege escalation | grafana | 7.6 | High | 2022-09-22
CVE-2022-36102 | Access control list bypassed via crafted specific URLs | shopware | 6.3 | Medium | 2022-09-12
CVE-2021-3414 | Red Hat Satellite security vulnerability | satellite | 4.3 | - | 2022-08-26
CVE-2022-31237 | Dell PowerScale OneFS security vulnerability | PowerScale OneFS | 3.3 | Low | 2022-08-22
CVE-2022-31096 | Invites restricted to an email or invite links restricted to an email domain may be bypassed under certain conditions in Discourse | discourse | 5.7 | Medium | 2022-06-27
CVE-2022-1227 | Podman permission and access control vulnerability | psgo | 8.1 | - | 2022-04-29
CVE-2021-3523 | Red Hat 3scale security vulnerability | apicast | 9.1 | - | 2022-04-27
CVE-2022-24428 | Dell Technologies Dell PowerScale OneFS security vulnerability | PowerScale OneFS | 6.3 | Medium | 2022-04-08
CVE-2021-3847 | Linux kernel security vulnerability | kernel | 7.8 | - | 2022-04-01
CVE-2022-0330 | Linux kernel buffer error vulnerability | kernel | 7.8 | - | 2022-03-25
CVE-2021-43816 | Improper Preservation of Permissions in containerd | containerd | 8.0 | High | 2022-01-05
CVE-2021-41089 | `docker cp` allows unexpected chmod of host files | moby | 2.8 | Low | 2021-10-04
CVE-2021-41091 | Insufficiently restricted permissions on data directory in Docker Engine | moby | 6.3 | Medium | 2021-10-04
CVE-2021-3495 | Kiali-operator security vulnerability | kiali/kiali-operator | 8.8 | - | 2021-06-01
CVE-2021-3418 | grub2 security vulnerability | grub2 | 6.4 | - | 2021-03-15
CVE-2021-21379 | It's possible to execute anything with the rights of the author of a macro which uses the {{wikimacrocontent}} macro | xwiki-platform | 7.7 | High | 2021-03-12
CVE-2021-20263 | QEMU security vulnerability | QEMU | 7.1 | - | 2021-03-09
CVE-2020-8913 | Local arbitrary code execution in splitinstall in Android's Play Core | Android Play Core | 8.8 | High | 2020-08-12
CVE-2020-15113 | Improper Preservation of Permissions in etcd | etcd | 5.7 | Medium | 2020-08-05

Vulnerabilities classified as CWE-281 (Improper Preservation of Permissions) represent 91 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.