CWE-281
AllowedImproper Preservation of Permissions
Abstraction: Base · Status: Draft
The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.
432 vulnerabilities reference this CWE, most recent first.
GHSA-J6WM-C7Q8-JCX7
Vulnerability from github – Published: 2022-05-24 17:44 – Updated: 2022-05-24 17:44If certificates that signed grub are installed into db, grub can be booted directly. It will then boot any kernel without signature validation. The booted kernel will think it was booted in secureboot mode and will implement lockdown, yet it could have been tampered. This flaw is a reintroduction of CVE-2020-15705 and only affects grbu2 versions prior to 2.06 and upstream and distributions using the shim_lock mechanism.
{
"affected": [],
"aliases": [
"CVE-2021-3418"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-15T22:15:00Z",
"severity": "MODERATE"
},
"details": "If certificates that signed grub are installed into db, grub can be booted directly. It will then boot any kernel without signature validation. The booted kernel will think it was booted in secureboot mode and will implement lockdown, yet it could have been tampered. This flaw is a reintroduction of CVE-2020-15705 and only affects grbu2 versions prior to 2.06 and upstream and distributions using the shim_lock mechanism.",
"id": "GHSA-j6wm-c7q8-jcx7",
"modified": "2022-05-24T17:44:39Z",
"published": "2022-05-24T17:44:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3418"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1933757"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-J9C4-M6G4-VJV3
Vulnerability from github – Published: 2022-12-22 21:30 – Updated: 2024-10-21 15:32A cross-origin iframe referencing an XSLT document would inherit the parent domain's permissions (such as microphone or camera access). This vulnerability affects Thunderbird < 102.2, Thunderbird < 91.13, Firefox ESR < 91.13, Firefox ESR < 102.2, and Firefox < 104.
{
"affected": [],
"aliases": [
"CVE-2022-38473"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-22T20:15:00Z",
"severity": "HIGH"
},
"details": "A cross-origin iframe referencing an XSLT document would inherit the parent domain\u0027s permissions (such as microphone or camera access). This vulnerability affects Thunderbird \u003c 102.2, Thunderbird \u003c 91.13, Firefox ESR \u003c 91.13, Firefox ESR \u003c 102.2, and Firefox \u003c 104.",
"id": "GHSA-j9c4-m6g4-vjv3",
"modified": "2024-10-21T15:32:26Z",
"published": "2022-12-22T21:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38473"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1771685"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-33"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-34"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-35"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-36"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-37"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JGQ3-JQGW-X4VW
Vulnerability from github – Published: 2023-10-04 06:30 – Updated: 2024-04-04 08:15Improper Preservation of Permissions vulnerability in SAssistant prior to version 8.7 allows local attackers to access backup data in SAssistant.
{
"affected": [],
"aliases": [
"CVE-2023-30735"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-04T04:15:13Z",
"severity": "LOW"
},
"details": "Improper Preservation of Permissions vulnerability in SAssistant prior to version 8.7 allows local attackers to access backup data in SAssistant.",
"id": "GHSA-jgq3-jqgw-x4vw",
"modified": "2024-04-04T08:15:38Z",
"published": "2023-10-04T06:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30735"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2023\u0026month=10"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JGQR-738J-43CG
Vulnerability from github – Published: 2026-04-02 18:31 – Updated: 2026-07-10 12:31In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).
{
"affected": [],
"aliases": [
"CVE-2026-35385"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-02T17:16:27Z",
"severity": "HIGH"
},
"details": "In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users\u0027 expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).",
"id": "GHSA-jgqr-738j-43cg",
"modified": "2026-07-10T12:31:27Z",
"published": "2026-04-02T18:31:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35385"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:25096"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:25181"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26528"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26542"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:28887"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:28962"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30078"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30087"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30088"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30089"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:34098"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-35385"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454469"
},
{
"type": "WEB",
"url": "https://marc.info/?l=openssh-unix-dev\u0026m=177513443901484\u0026w=2"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-35385.json"
},
{
"type": "WEB",
"url": "https://www.openssh.org/releasenotes.html#10.3p1"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2026/04/02/3"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:12389"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:13380"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:13381"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:13383"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:14937"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:16059"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19069"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19219"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:20040"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:21275"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:21298"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:21398"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:22329"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:22468"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:22564"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:22648"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:25044"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:25063"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JGWP-H4GX-XM93
Vulnerability from github – Published: 2022-11-02 19:00 – Updated: 2022-11-04 19:01A vulnerability in Hitachi Vantara Pentaho Business Analytics Server versions before 9.2.0.2 and 8.3.0.25 does not cascade the hidden property to the children of the Home folder. This directory listing provides an attacker with the complete index of all the resources located inside the directory.
{
"affected": [],
"aliases": [
"CVE-2021-45446"
],
"database_specific": {
"cwe_ids": [
"CWE-281",
"CWE-548",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-02T15:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability in Hitachi Vantara Pentaho Business Analytics Server versions before 9.2.0.2 and 8.3.0.25 does not cascade the hidden property to the children of the Home folder. This directory listing provides an attacker with the complete index of all the resources located inside the directory.",
"id": "GHSA-jgwp-h4gx-xm93",
"modified": "2022-11-04T19:01:17Z",
"published": "2022-11-02T19:00:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45446"
},
{
"type": "WEB",
"url": "https://support.pentaho.com/hc/en-us/articles/6744813983501"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JJ4F-734P-H3C3
Vulnerability from github – Published: 2024-12-20 06:30 – Updated: 2025-11-04 00:32This issue was addressed through improved state management. This issue is fixed in macOS Sequoia 15.1. An attacker with physical access to a Mac may be able to view protected content from the Login Window.
{
"affected": [],
"aliases": [
"CVE-2024-44223"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-20T04:15:05Z",
"severity": "MODERATE"
},
"details": "This issue was addressed through improved state management. This issue is fixed in macOS Sequoia 15.1. An attacker with physical access to a Mac may be able to view protected content from the Login Window.",
"id": "GHSA-jj4f-734p-h3c3",
"modified": "2025-11-04T00:32:15Z",
"published": "2024-12-20T06:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44223"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121564"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Oct/11"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JR9F-28F6-F8CF
Vulnerability from github – Published: 2022-04-30 18:18 – Updated: 2024-01-25 21:32Macintosh clients, when using NT file system volumes on Windows 2000 SP1, create subdirectories and automatically modify the inherited NTFS permissions, which may cause the directories to have less restrictive permissions than intended.
{
"affected": [],
"aliases": [
"CVE-2001-1515"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2001-12-31T05:00:00Z",
"severity": "MODERATE"
},
"details": "Macintosh clients, when using NT file system volumes on Windows 2000 SP1, create subdirectories and automatically modify the inherited NTFS permissions, which may cause the directories to have less restrictive permissions than intended.",
"id": "GHSA-jr9f-28f6-f8cf",
"modified": "2024-01-25T21:32:09Z",
"published": "2022-04-30T18:18:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2001-1515"
},
{
"type": "WEB",
"url": "http://securitytracker.com/id?1002626"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/3479"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JXRW-5FGG-2485
Vulnerability from github – Published: 2025-03-04 21:30 – Updated: 2025-03-05 18:32Insecure permissions in TSplus Remote Access v17.30 allow attackers to retrieve a list of all domain accounts currently connected to the application.
{
"affected": [],
"aliases": [
"CVE-2025-26318"
],
"database_specific": {
"cwe_ids": [
"CWE-201",
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-04T21:15:13Z",
"severity": "CRITICAL"
},
"details": "Insecure permissions in TSplus Remote Access v17.30 allow attackers to retrieve a list of all domain accounts currently connected to the application.",
"id": "GHSA-jxrw-5fgg-2485",
"modified": "2025-03-05T18:32:05Z",
"published": "2025-03-04T21:30:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26318"
},
{
"type": "WEB",
"url": "https://github.com/Frozenka/CVE-2025-26318"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-M26G-PFVJ-G9MG
Vulnerability from github – Published: 2022-05-13 01:47 – Updated: 2022-05-13 01:47The DirectX component in Microsoft Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows an authenticated attacker to run arbitrary code in kernel mode via a specially crafted application, aka "DirectX Elevation of Privilege Vulnerability."
{
"affected": [],
"aliases": [
"CVE-2017-8579"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-06-29T13:29:00Z",
"severity": "HIGH"
},
"details": "The DirectX component in Microsoft Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows an authenticated attacker to run arbitrary code in kernel mode via a specially crafted application, aka \"DirectX Elevation of Privilege Vulnerability.\"",
"id": "GHSA-m26g-pfvj-g9mg",
"modified": "2022-05-13T01:47:38Z",
"published": "2022-05-13T01:47:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8579"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8579"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/99212"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M4RM-X2RR-357W
Vulnerability from github – Published: 2024-03-06 18:30 – Updated: 2024-11-07 19:18In Jenkins Bitbucket Branch Source Plugin 866.vdea_7dcd3008e and earlier, except 848.850.v6a_a_2a_234a_c81, when discovering pull requests from forks, the trust policy "Forks in the same account" allows changes to Jenkinsfiles from users without write access to the project when using Bitbucket Server.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c 871.v28d74e8b4226"
},
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "871.v28d74e8b_4226"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-28152"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": true,
"github_reviewed_at": "2024-03-06T19:20:57Z",
"nvd_published_at": "2024-03-06T17:15:10Z",
"severity": "MODERATE"
},
"details": "In Jenkins Bitbucket Branch Source Plugin 866.vdea_7dcd3008e and earlier, except 848.850.v6a_a_2a_234a_c81, when discovering pull requests from forks, the trust policy \"Forks in the same account\" allows changes to Jenkinsfiles from users without write access to the project when using Bitbucket Server.",
"id": "GHSA-m4rm-x2rr-357w",
"modified": "2024-11-07T19:18:16Z",
"published": "2024-03-06T18:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28152"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/bitbucket-branch-source-plugin/commit/28d74e8b4226bfc7524b412e34f7090784cc1a08"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/bitbucket-branch-source-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3300"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/03/06/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Jenkins Bitbucket Branch Source Plugin has incorrect trust policy behavior for pull requests"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.