CWE-281
AllowedImproper Preservation of Permissions
Abstraction: Base · Status: Draft
The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.
432 vulnerabilities reference this CWE, most recent first.
GHSA-Q7Q3-4CWR-583J
Vulnerability from github – Published: 2024-09-17 00:31 – Updated: 2025-11-04 18:31A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15. An app may be able to access user-sensitive data.
{
"affected": [],
"aliases": [
"CVE-2024-40859"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-17T00:15:49Z",
"severity": "MODERATE"
},
"details": "A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15. An app may be able to access user-sensitive data.",
"id": "GHSA-q7q3-4cwr-583j",
"modified": "2025-11-04T18:31:20Z",
"published": "2024-09-17T00:31:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40859"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121238"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Sep/33"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q844-H75G-F78Q
Vulnerability from github – Published: 2025-04-01 00:30 – Updated: 2025-11-04 00:32This issue was addressed with improved permissions checking. This issue is fixed in Safari 18.4, visionOS 2.4, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4. An app may gain unauthorized access to Local Network.
{
"affected": [],
"aliases": [
"CVE-2025-31184"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-31T23:15:28Z",
"severity": "HIGH"
},
"details": "This issue was addressed with improved permissions checking. This issue is fixed in Safari 18.4, visionOS 2.4, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4. An app may gain unauthorized access to Local Network.",
"id": "GHSA-q844-h75g-f78q",
"modified": "2025-11-04T00:32:25Z",
"published": "2025-04-01T00:30:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31184"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122371"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122373"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122378"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122379"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Apr/12"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Apr/2"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Apr/4"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Apr/8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q965-9JFQ-2H9G
Vulnerability from github – Published: 2025-01-28 00:32 – Updated: 2025-01-30 18:32A logic issue was addressed with improved restrictions. This issue is fixed in macOS Sonoma 14.7.2, macOS Sequoia 15.2, macOS Ventura 13.7.2. An attacker may gain access to protected parts of the file system.
{
"affected": [],
"aliases": [
"CVE-2024-54557"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-27T22:15:14Z",
"severity": "HIGH"
},
"details": "A logic issue was addressed with improved restrictions. This issue is fixed in macOS Sonoma 14.7.2, macOS Sequoia 15.2, macOS Ventura 13.7.2. An attacker may gain access to protected parts of the file system.",
"id": "GHSA-q965-9jfq-2h9g",
"modified": "2025-01-30T18:32:05Z",
"published": "2025-01-28T00:32:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54557"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121839"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121840"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121842"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QC43-PGWQ-3Q2Q
Vulnerability from github – Published: 2022-09-16 21:01 – Updated: 2022-09-16 21:01Impact
If backend admin controllers are called with a certain notation, the ACL could be bypassed. Users could execute actions, which they are normally not able to do.
Patches
We recommend updating to the current version 5.7.15. You can get the update to 5.7.15 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/changelog-sw5/#5-7-15
For older versions you can use the Security Plugin: https://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html
References
https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-09-2022
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.7.14"
},
"package": {
"ecosystem": "Packagist",
"name": "shopware/shopware"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.7.15"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-36102"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": true,
"github_reviewed_at": "2022-09-16T21:01:29Z",
"nvd_published_at": "2022-09-12T20:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\nIf backend admin controllers are called with a certain notation, the ACL could be bypassed. Users could execute actions, which they are normally not able to do.\n\n### Patches\nWe recommend updating to the current version 5.7.15. You can get the update to 5.7.15 regularly via the Auto-Updater or directly via the download overview.\nhttps://www.shopware.com/en/changelog-sw5/#5-7-15\n\nFor older versions you can use the Security Plugin:\nhttps://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html\n\n\n### References\nhttps://docs.shopware.com/en/shopware-5-en/security-updates/security-update-09-2022",
"id": "GHSA-qc43-pgwq-3q2q",
"modified": "2022-09-16T21:01:29Z",
"published": "2022-09-16T21:01:29Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/shopware/shopware/security/advisories/GHSA-qc43-pgwq-3q2q"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36102"
},
{
"type": "WEB",
"url": "https://github.com/shopware/shopware/commit/de92d3a78279119a5bbe203054f8fa1d25126af6"
},
{
"type": "WEB",
"url": "https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-09-2022"
},
{
"type": "PACKAGE",
"url": "https://github.com/shopware/shopware"
},
{
"type": "WEB",
"url": "https://packagist.org/packages/shopware/shopware"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Shopware access control list bypassed via crafted specific URLs"
}
GHSA-QCCJ-XJ7J-4C25
Vulnerability from github – Published: 2022-05-13 01:47 – Updated: 2022-05-13 01:47Win32k in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an elevation of privilege vulnerability when it fails to properly handle objects in memory, aka "Win32k Elevation of Privilege Vulnerability". This CVE ID is unique from CVE-2017-8578, CVE-2017-8580, CVE-2017-8581, and CVE-2017-8467.
{
"affected": [],
"aliases": [
"CVE-2017-8577"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-07-11T21:29:00Z",
"severity": "HIGH"
},
"details": "Win32k in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an elevation of privilege vulnerability when it fails to properly handle objects in memory, aka \"Win32k Elevation of Privilege Vulnerability\". This CVE ID is unique from CVE-2017-8578, CVE-2017-8580, CVE-2017-8581, and CVE-2017-8467.",
"id": "GHSA-qccj-xj7j-4c25",
"modified": "2022-05-13T01:47:37Z",
"published": "2022-05-13T01:47:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8577"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8577"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/99416"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1038853"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QCF6-6WF2-XMXG
Vulnerability from github – Published: 2021-12-16 00:01 – Updated: 2021-12-21 00:01In setOnClickActivityIntent of SearchWidgetProvider.java, there is a possible way to access contacts and history bookmarks without permission due to an unsafe PendingIntent. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-9Android ID: A-184046278
{
"affected": [],
"aliases": [
"CVE-2021-0953"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-15T19:15:00Z",
"severity": "HIGH"
},
"details": "In setOnClickActivityIntent of SearchWidgetProvider.java, there is a possible way to access contacts and history bookmarks without permission due to an unsafe PendingIntent. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-9Android ID: A-184046278",
"id": "GHSA-qcf6-6wf2-xmxg",
"modified": "2021-12-21T00:01:23Z",
"published": "2021-12-16T00:01:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0953"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2021-12-01"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-QCP2-2XF6-HW26
Vulnerability from github – Published: 2026-07-09 18:31 – Updated: 2026-07-09 18:31When oxenstored is tearing a domain down, the node data is cleaned up but the usage counts are leaked.
When the domain ID is eventually reused, the new domain can create fewer nodes before beeing deemed to be over quota.
{
"affected": [],
"aliases": [
"CVE-2026-23556"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-09T16:16:38Z",
"severity": "CRITICAL"
},
"details": "When oxenstored is tearing a domain down, the node data is cleaned up\nbut the usage counts are leaked.\n\nWhen the domain ID is eventually reused, the new domain can create fewer\nnodes before beeing deemed to be over quota.",
"id": "GHSA-qcp2-2xf6-hw26",
"modified": "2026-07-09T18:31:50Z",
"published": "2026-07-09T18:31:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23556"
},
{
"type": "WEB",
"url": "https://xenbits.xen.org/xsa/advisory-483.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/04/28/10"
},
{
"type": "WEB",
"url": "http://xenbits.xen.org/xsa/advisory-483.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-QG38-9F8P-H2HP
Vulnerability from github – Published: 2022-05-24 17:28 – Updated: 2022-05-24 17:28In Settings, there is a possible permissions bypass. This could lead to local information disclosure of the device's IMEI with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-147309310
{
"affected": [],
"aliases": [
"CVE-2020-0331"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-09-18T16:15:00Z",
"severity": "MODERATE"
},
"details": "In Settings, there is a possible permissions bypass. This could lead to local information disclosure of the device\u0027s IMEI with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-147309310",
"id": "GHSA-qg38-9f8p-h2hp",
"modified": "2022-05-24T17:28:39Z",
"published": "2022-05-24T17:28:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-0331"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/android-11"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-QM8F-GCV9-R92V
Vulnerability from github – Published: 2024-04-02 09:30 – Updated: 2024-04-02 09:30in OpenHarmony v3.2.4 and prior versions allow a local attacker cause apps crash through get permission.
{
"affected": [],
"aliases": [
"CVE-2024-22177"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-02T07:15:42Z",
"severity": "LOW"
},
"details": "in OpenHarmony v3.2.4 and prior versions allow a local attacker cause apps crash through get permission.",
"id": "GHSA-qm8f-gcv9-r92v",
"modified": "2024-04-02T09:30:40Z",
"published": "2024-04-02T09:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22177"
},
{
"type": "WEB",
"url": "https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2024/2024-04.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-QQ5H-RJJ9-Q9QG
Vulnerability from github – Published: 2025-01-29 15:31 – Updated: 2025-01-29 19:20An issue in the reset password interface of ruoyi v4.8.0 allows attackers with Admin privileges to cause a Denial of Service (DoS) by duplicating the login name of the account.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.ruoyi:ruoyi"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "4.8.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-57439"
],
"database_specific": {
"cwe_ids": [
"CWE-281"
],
"github_reviewed": true,
"github_reviewed_at": "2025-01-29T19:20:35Z",
"nvd_published_at": "2025-01-29T15:15:17Z",
"severity": "MODERATE"
},
"details": "An issue in the reset password interface of ruoyi v4.8.0 allows attackers with Admin privileges to cause a Denial of Service (DoS) by duplicating the login name of the account.",
"id": "GHSA-qq5h-rjj9-q9qg",
"modified": "2025-01-29T19:20:35Z",
"published": "2025-01-29T15:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57439"
},
{
"type": "PACKAGE",
"url": "https://gitee.com/y_project/RuoYi"
},
{
"type": "WEB",
"url": "https://github.com/peccc/restful_vul/blob/main/ruoyi_dos/ruoyi_dos.md"
},
{
"type": "WEB",
"url": "https://github.com/yangzongzhuan/RuoYi"
},
{
"type": "WEB",
"url": "https://ruoyi.vip"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "RuoYi vulnerable to Denial of Service by attackers with admin privileges"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.