Common Weakness Enumeration

CWE-281

Allowed

Improper Preservation of Permissions

Abstraction: Base · Status: Draft

The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.

432 vulnerabilities reference this CWE, most recent first.

GHSA-GQMW-JRGV-446Q

Vulnerability from github – Published: 2025-06-10 12:30 – Updated: 2025-06-11 15:30
VLAI
Details

Improper Preservation of Permissions vulnerability in Salesforce OmniStudio (FlexCards) allows bypass of field level security controls for Salesforce objects. This impacts OmniStudio: before Spring 2025

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-43698"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-10T12:15:24Z",
    "severity": "CRITICAL"
  },
  "details": "Improper Preservation of Permissions vulnerability in Salesforce OmniStudio (FlexCards) allows bypass of field level security controls for Salesforce objects. \nThis impacts OmniStudio: before Spring 2025",
  "id": "GHSA-gqmw-jrgv-446q",
  "modified": "2025-06-11T15:30:26Z",
  "published": "2025-06-10T12:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43698"
    },
    {
      "type": "WEB",
      "url": "https://help.salesforce.com/s/articleView?id=004980323\u0026type=1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GRJV-GJGR-66G2

Vulnerability from github – Published: 2024-06-20 16:24 – Updated: 2024-11-18 16:26
VLAI
Summary
SpiceDB exclusions can result in no permission returned when permission expected
Details

Background

Use of an exclusion under an arrow that has multiple resources may resolve to NO_PERMISSION when permission is expected.

For example, given this schema:

definition user {}

definition folder {
  relation member: user
  relation banned: user
  permission view = member - banned
}

definition resource {
  relation folder: folder
  permission view = folder->view
}

If the resource exists under multiple folders and the user has access to view more than a single folder, SpiceDB may report the user does not have access due to a failure in the exclusion dispatcher to request that all the folders in which the user is a member be returned

Impact

Permission is returned as NO_PERMISSION when PERMISSION is expected on the CheckPermission API.

Workarounds

None

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/authzed/spicedb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.33.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-38361"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-20T16:24:01Z",
    "nvd_published_at": "2024-06-20T23:15:52Z",
    "severity": "MODERATE"
  },
  "details": "### Background\n\nUse of an exclusion under an arrow that has multiple resources may resolve to `NO_PERMISSION` when permission is expected.\n\nFor example, given this schema:\n\n```zed\ndefinition user {}\n\ndefinition folder {\n  relation member: user\n  relation banned: user\n  permission view = member - banned\n}\n\ndefinition resource {\n  relation folder: folder\n  permission view = folder-\u003eview\n}\n```\n\nIf the resource exists under *multiple* folders and the user has access to view more than a single folder, SpiceDB may report the user does not have access due to a failure in the exclusion dispatcher to request that *all* the folders in which the user is a member be returned\n\n### Impact\n\nPermission is returned as `NO_PERMISSION` when `PERMISSION` is expected on the `CheckPermission` API.\n\n### Workarounds\n\nNone\n",
  "id": "GHSA-grjv-gjgr-66g2",
  "modified": "2024-11-18T16:26:46Z",
  "published": "2024-06-20T16:24:01Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/authzed/spicedb/security/advisories/GHSA-grjv-gjgr-66g2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38361"
    },
    {
      "type": "WEB",
      "url": "https://github.com/authzed/spicedb/commit/ecef31d2b266fde17eb2c3415e2ec4ceff96fbeb"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/authzed/spicedb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "SpiceDB exclusions can result in no permission returned when permission expected"
}

GHSA-GVJ8-4CJ4-H776

Vulnerability from github – Published: 2022-04-29 15:40 – Updated: 2022-04-29 15:40
VLAI
Summary
Object state limitation has no effect
Details

Object state limitation is a policy you can use in your roles to limit access to content based on specific object state values. Due to a flawed earlier update, these limitations were ineffective in releases made since February 16th 2022. They would grant access to the given content regardless of the object state. Depending on how your frontent is designed, knowing the URL to the content may or may not be required to access it. If you are using object state limitations in your roles, this issue is critical. Please apply the fix as soon as possible.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "ibexa/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "ibexa/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.1.0"
            },
            {
              "fixed": "4.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-04-29T15:40:48Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "Object state limitation is a policy you can use in your roles to limit access to content based on specific object state values. Due to a flawed earlier update, these limitations were ineffective in releases made since February 16th 2022. They would grant access to the given content regardless of the object state. Depending on how your frontent is designed, knowing the URL to the content may or may not be required to access it. If you are using object state limitations in your roles, this issue is critical. Please apply the fix as soon as possible.",
  "id": "GHSA-gvj8-4cj4-h776",
  "modified": "2022-04-29T15:40:48Z",
  "published": "2022-04-29T15:40:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ibexa/core/security/advisories/GHSA-gvj8-4cj4-h776"
    },
    {
      "type": "WEB",
      "url": "https://developers.ibexa.co/security-advisories/ibexa-sa-2022-004-ineffective-object-state-limitation-and-unauthenticated-fastly-purge"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ibexa/core"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Object state limitation has no effect"
}

GHSA-GW2V-WGMH-28V4

Vulnerability from github – Published: 2022-05-24 16:55 – Updated: 2024-04-04 01:54
VLAI
Details

An issue was discovered in GitLab Community and Enterprise Edition 8.x, 9.x, 10.x, and 11.x before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It has Incorrect Access Control. Users are able to comment on locked project issues.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-6995"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-09-09T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in GitLab Community and Enterprise Edition 8.x, 9.x, 10.x, and 11.x before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It has Incorrect Access Control. Users are able to comment on locked project issues.",
  "id": "GHSA-gw2v-wgmh-28v4",
  "modified": "2024-04-04T01:54:45Z",
  "published": "2022-05-24T16:55:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-6995"
    },
    {
      "type": "WEB",
      "url": "https://about.gitlab.com/2019/01/31/security-release-gitlab-11-dot-7-dot-3-released"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab-ce/issues/55537"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GXJ5-6FW2-663J

Vulnerability from github – Published: 2021-12-08 00:01 – Updated: 2021-12-10 00:01
VLAI
Details

There is a Improper Preservation of Permissions vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may lead to attackers which can isolate and read synchronization files of other applications across the UID sandbox.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-37086"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-07T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "There is a Improper Preservation of Permissions vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may lead to attackers which can isolate and read synchronization files of other applications across the UID sandbox.",
  "id": "GHSA-gxj5-6fw2-663j",
  "modified": "2021-12-10T00:01:23Z",
  "published": "2021-12-08T00:01:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37086"
    },
    {
      "type": "WEB",
      "url": "https://device.harmonyos.com/en/docs/security/update/security-bulletins-202109-0000001196270727"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-H574-6646-VFXX

Vulnerability from github – Published: 2024-03-14 09:31 – Updated: 2024-05-02 19:01
VLAI
Summary
Apache Airflow: Ignored Airflow Permission
Details

Apache Airflow, versions 2.8.0 through 2.8.2, has a vulnerability that allows an authenticated user with limited permissions to access resources such as variables, connections, etc from the UI which they do not have permission to access. 

Users of Apache Airflow are recommended to upgrade to version 2.8.3 or newer to mitigate the risk associated with this vulnerability

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "apache-airflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.8.0"
            },
            {
              "fixed": "2.8.3rc1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-28746"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-15T14:19:23Z",
    "nvd_published_at": "2024-03-14T09:15:47Z",
    "severity": "MODERATE"
  },
  "details": "Apache Airflow, versions 2.8.0 through 2.8.2, has a vulnerability that allows an authenticated user with limited permissions to access resources such as variables, connections, etc from the UI which they do not have permission to access.\u00a0\n\nUsers of Apache Airflow are recommended to upgrade to version 2.8.3 or newer to mitigate the risk associated with this vulnerability\n",
  "id": "GHSA-h574-6646-vfxx",
  "modified": "2024-05-02T19:01:54Z",
  "published": "2024-03-14T09:31:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28746"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/airflow/pull/37881"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/airflow/commit/89e7f3e7bdf2126bbbcd959dc10d65ef92773cca"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/airflow"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-46.yaml"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/b4pffc7w7do6qgk4jjbyxvdz5odrvny7"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2024/03/13/5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Apache Airflow: Ignored Airflow Permission"
}

GHSA-H735-Q6RM-HJCJ

Vulnerability from github – Published: 2025-01-03 18:30 – Updated: 2025-01-03 21:30
VLAI
Details

An issue in CodeAstro Complaint Management System v.1.0 allows a remote attacker to escalate privileges via the delete_e.php component.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-55507"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-03T16:15:26Z",
    "severity": "CRITICAL"
  },
  "details": "An issue in CodeAstro Complaint Management System v.1.0 allows a remote attacker to escalate privileges via the delete_e.php component.",
  "id": "GHSA-h735-q6rm-hjcj",
  "modified": "2025-01-03T21:30:40Z",
  "published": "2025-01-03T18:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55507"
    },
    {
      "type": "WEB",
      "url": "https://github.com/CV1523/CVEs/blob/main/CVE-2024-55507.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H74R-XH5R-H54X

Vulnerability from github – Published: 2022-05-24 17:28 – Updated: 2022-05-24 17:28
VLAI
Details

In Telephony, there are possible leaks of sensitive data due to missing permission checks. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-150155839

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-0265"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-09-18T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In Telephony, there are possible leaks of sensitive data due to missing permission checks. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-150155839",
  "id": "GHSA-h74r-xh5r-h54x",
  "modified": "2022-05-24T17:28:32Z",
  "published": "2022-05-24T17:28:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-0265"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/android-11"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-H74V-56JH-P3H3

Vulnerability from github – Published: 2022-05-13 01:47 – Updated: 2022-05-13 01:47
VLAI
Details

Graphics in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an elevation of privilege vulnerability when it fails to properly handle objects in memory, aka "Microsoft Graphics Component Elevation of Privilege Vulnerability". This CVE ID is unique from CVE-2017-8574 and CVE-2017-8556.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-8573"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-07-11T21:29:00Z",
    "severity": "HIGH"
  },
  "details": "Graphics in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an elevation of privilege vulnerability when it fails to properly handle objects in memory, aka \"Microsoft Graphics Component Elevation of Privilege Vulnerability\". This CVE ID is unique from CVE-2017-8574 and CVE-2017-8556.",
  "id": "GHSA-h74v-56jh-p3h3",
  "modified": "2022-05-13T01:47:36Z",
  "published": "2022-05-13T01:47:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8573"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8573"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/99431"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1038856"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H836-VCX3-FF7V

Vulnerability from github – Published: 2025-09-04 21:31 – Updated: 2025-09-04 21:31
VLAI
Details

In multiple functions of GrantPermissionsActivity.java , there is a possible way to trick the user into granting the incorrect permission due to permission overload. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-26420"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-04T18:15:39Z",
    "severity": "MODERATE"
  },
  "details": "In multiple functions of GrantPermissionsActivity.java , there is a possible way to trick the user into granting the incorrect permission due to permission overload. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.",
  "id": "GHSA-h836-vcx3-ff7v",
  "modified": "2025-09-04T21:31:37Z",
  "published": "2025-09-04T21:31:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26420"
    },
    {
      "type": "WEB",
      "url": "https://android.googlesource.com/platform/packages/modules/Permission/+/6bed47f63ec0600b3c57388449db37405c68dc58"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2025-05-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.