Common Weakness Enumeration

CWE-281

Allowed

Improper Preservation of Permissions

Abstraction: Base · Status: Draft

The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.

432 vulnerabilities reference this CWE, most recent first.

GHSA-V994-F8VW-G7J4

Vulnerability from github – Published: 2024-06-10 18:38 – Updated: 2024-07-03 20:27
VLAI
Summary
`docker cp` allows unexpected chmod of host files in Moby Docker Engine
Details

Impact

A bug was found in Moby (Docker Engine) where attempting to copy files using docker cp into a specially-crafted container can result in Unix file permission changes for existing files in the host’s filesystem, widening access to others. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process.

Patches

This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers do not need to be restarted.

Workarounds

Ensure you only run trusted containers.

Credits

The Moby project would like to thank Lei Wang and Ruizhi Xiao for responsibly disclosing this issue in accordance with the Moby security policy.

For more information

If you have any questions or comments about this advisory:

  • Open an issue
  • Email us at  security@docker.com  if you think you’ve found a security bug
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/docker/docker"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "20.10.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-41089"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-10T18:38:43Z",
    "nvd_published_at": "2021-10-04T21:15:00Z",
    "severity": "LOW"
  },
  "details": "## Impact\nA bug was found in Moby (Docker Engine) where attempting to copy files using `docker cp` into a specially-crafted container can result in Unix file permission changes for existing files in the host\u2019s filesystem, widening access to others. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process.\n\n## Patches\nThis bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers do not need to be restarted.\n\n## Workarounds\nEnsure you only run trusted containers.\n\n## Credits\nThe Moby project would like to thank Lei Wang and Ruizhi Xiao for responsibly disclosing this issue in accordance with the \ufeff[Moby security policy](https://github.com/moby/moby/blob/master/SECURITY.md).\n\n## For more information\nIf you have any questions or comments about this advisory:\n\n* [Open an issue](https://github.com/moby/moby/issues/new)\n* Email us at \ufeff security@docker.com \ufeff if you think you\u2019ve found a security bug",
  "id": "GHSA-v994-f8vw-g7j4",
  "modified": "2024-07-03T20:27:20Z",
  "published": "2024-06-10T18:38:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/moby/moby/security/advisories/GHSA-v994-f8vw-g7j4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41089"
    },
    {
      "type": "WEB",
      "url": "https://github.com/moby/moby/commit/bce32e5c93be4caf1a592582155b9cb837fc129a"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/moby/moby"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2024-2913"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "`docker cp` allows unexpected chmod of host files in Moby Docker Engine"
}

GHSA-VC3J-RGMP-WGV7

Vulnerability from github – Published: 2022-05-24 16:57 – Updated: 2024-04-04 02:07
VLAI
Details

JetBrains YouTrack before 2019.2.53938 was using incorrect settings, allowing a user without necessary permissions to get other project names.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-14956"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-10-02T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "JetBrains YouTrack before 2019.2.53938 was using incorrect settings, allowing a user without necessary permissions to get other project names.",
  "id": "GHSA-vc3j-rgmp-wgv7",
  "modified": "2024-04-04T02:07:53Z",
  "published": "2022-05-24T16:57:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14956"
    },
    {
      "type": "WEB",
      "url": "https://blog.jetbrains.com/blog/2019/09/26/jetbrains-security-bulletin-q2-2019"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VF4Q-WM36-X79F

Vulnerability from github – Published: 2022-05-13 01:47 – Updated: 2022-05-13 01:47
VLAI
Details

Win32k in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an elevation of privilege vulnerability when it fails to properly handle objects in memory, aka "Win32k Elevation of Privilege Vulnerability". This CVE ID is unique from CVE-2017-8577, CVE-2017-8578, CVE-2017-8581, and CVE-2017-8467.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-8580"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-07-11T21:29:00Z",
    "severity": "HIGH"
  },
  "details": "Win32k in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an elevation of privilege vulnerability when it fails to properly handle objects in memory, aka \"Win32k Elevation of Privilege Vulnerability\". This CVE ID is unique from CVE-2017-8577, CVE-2017-8578, CVE-2017-8581, and CVE-2017-8467.",
  "id": "GHSA-vf4q-wm36-x79f",
  "modified": "2022-05-13T01:47:37Z",
  "published": "2022-05-13T01:47:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8580"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8580"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/99421"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1038853"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VG48-6574-PX53

Vulnerability from github – Published: 2026-05-19 06:30 – Updated: 2026-05-19 06:30
VLAI
Details

in OpenHarmony v6.0 and prior versions allow a local attacker cause information leak

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-25850"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-19T04:16:28Z",
    "severity": "MODERATE"
  },
  "details": "in OpenHarmony v6.0 and prior versions allow a local attacker cause information leak",
  "id": "GHSA-vg48-6574-px53",
  "modified": "2026-05-19T06:30:29Z",
  "published": "2026-05-19T06:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25850"
    },
    {
      "type": "WEB",
      "url": "https://gitcode.com/openharmony/security/tree/master/zh/security-disclosure/2026/2026-05.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VH3J-H3X7-5QFQ

Vulnerability from github – Published: 2022-07-01 00:01 – Updated: 2022-07-13 00:01
VLAI
Details

IBM Spectrum Protect Plus Container Backup and Restore (10.1.5 through 10.1.10.2 for Kubernetes and 10.1.7 through 10.1.10.2 for Red Hat OpenShift) could allow a remote attacker to bypass IBM Spectrum Protect Plus role based access control restrictions, caused by improper disclosure of session information. By retrieving the logs of a container an attacker could exploit this vulnerability to bypass login security of the IBM Spectrum Protect Plus server and gain unauthorized access based on the permissions of the IBM Spectrum Protect Plus user to the vulnerable Spectrum Protect Plus server software. IBM X-Force ID: 225340.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-22472"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-30T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "IBM Spectrum Protect Plus Container Backup and Restore (10.1.5 through 10.1.10.2 for Kubernetes and 10.1.7 through 10.1.10.2 for Red Hat OpenShift) could allow a remote attacker to bypass IBM Spectrum Protect Plus role based access control restrictions, caused by improper disclosure of session information. By retrieving the logs of a container an attacker could exploit this vulnerability to bypass login security of the IBM Spectrum Protect Plus server and gain unauthorized access based on the permissions of the IBM Spectrum Protect Plus user to the vulnerable Spectrum Protect Plus server software. IBM X-Force ID: 225340.",
  "id": "GHSA-vh3j-h3x7-5qfq",
  "modified": "2022-07-13T00:01:56Z",
  "published": "2022-07-01T00:01:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22472"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/225340"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6596907"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VM96-HFHP-3PVP

Vulnerability from github – Published: 2024-07-30 00:34 – Updated: 2026-04-02 21:31
VLAI
Details

A permissions issue was addressed by removing vulnerable code and adding additional checks. This issue is fixed in macOS Sonoma 14.4. An app may be able to modify protected parts of the file system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-27888"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276",
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-29T23:15:11Z",
    "severity": "HIGH"
  },
  "details": "A permissions issue was addressed by removing vulnerable code and adding additional checks. This issue is fixed in macOS Sonoma 14.4. An app may be able to modify protected parts of the file system.",
  "id": "GHSA-vm96-hfhp-3pvp",
  "modified": "2026-04-02T21:31:47Z",
  "published": "2024-07-30T00:34:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27888"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120895"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT214084"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214084"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VR9C-MCXV-87CW

Vulnerability from github – Published: 2022-08-23 00:00 – Updated: 2022-08-25 00:00
VLAI
Details

Dell PowerScale OneFS, versions 9.2.0 up to and including 9.2.1.12 and 9.3.0.5 contain an improper preservation of permissions vulnerability in SyncIQ. A low privileged local attacker may potentially exploit this vulnerability, leading to limited information disclosure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-31237"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-22T17:15:00Z",
    "severity": "LOW"
  },
  "details": "Dell PowerScale OneFS, versions 9.2.0 up to and including 9.2.1.12 and 9.3.0.5 contain an improper preservation of permissions vulnerability in SyncIQ. A low privileged local attacker may potentially exploit this vulnerability, leading to limited information disclosure.",
  "id": "GHSA-vr9c-mcxv-87cw",
  "modified": "2022-08-25T00:00:28Z",
  "published": "2022-08-23T00:00:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31237"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000201094/dsa-2022-149-dell-emc-powerscale-onefs-security-update?lang=en"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VV7X-7W4M-Q72F

Vulnerability from github – Published: 2022-09-21 20:36 – Updated: 2022-09-27 06:12
VLAI
Summary
fhir-works-on-aws-authz-smart handles permissions improperly
Details

Impact

This issue allows a client of the API to retrieve more information than the client’s OAuth scope permits when making “search-type” requests. This issue would not allow a client to retrieve information about individuals other than those the client was already authorized to access.

Patches

We recommend that users of fhir-works-on-aws-authz-smart 3.1.1 or 3.1.2 upgrade to version 3.1.3 or higher immediately. Versions 3.1.0 and below are unaffected.

Workarounds

There is no workaround for this issue. Please upgrade fhir-works-on-aws-authz-smart to version 3.1.3 or higher.

References

https://github.com/awslabs/fhir-works-on-aws-deployment https://github.com/awslabs/fhir-works-on-aws-authz-smart

For more information

If you have any questions or comments about this advisory:

Email us at fhir-works-on-aws-dev@amazon.com

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "fhir-works-on-aws-authz-smart"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.1.1"
            },
            {
              "fixed": "3.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-39230"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-281"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-21T20:36:50Z",
    "nvd_published_at": "2022-09-23T07:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nThis issue allows a client of the API to retrieve more information than the client\u2019s OAuth scope permits when making \u201csearch-type\u201d requests. This issue would not allow a client to retrieve information about individuals other than those the client was already authorized to access.\n\n### Patches\n\nWe recommend that users of fhir-works-on-aws-authz-smart 3.1.1 or 3.1.2 upgrade to version 3.1.3 or higher immediately. Versions 3.1.0 and below are unaffected.\n\n### Workarounds\n\nThere is no workaround for this issue. Please upgrade fhir-works-on-aws-authz-smart to version 3.1.3 or higher.\n\n### References\n\nhttps://github.com/awslabs/fhir-works-on-aws-deployment\nhttps://github.com/awslabs/fhir-works-on-aws-authz-smart\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\nEmail us at [fhir-works-on-aws-dev@amazon.com](mailto:fhir-works-on-aws-dev@amazon.com)\n",
  "id": "GHSA-vv7x-7w4m-q72f",
  "modified": "2022-09-27T06:12:12Z",
  "published": "2022-09-21T20:36:50Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/awslabs/fhir-works-on-aws-authz-smart/security/advisories/GHSA-vv7x-7w4m-q72f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39230"
    },
    {
      "type": "WEB",
      "url": "https://github.com/awslabs/fhir-works-on-aws-authz-smart/commit/203bbc0dd17de748c36b33c68b866ed2dfd613d3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/awslabs/fhir-works-on-aws-authz-smart"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "fhir-works-on-aws-authz-smart handles permissions improperly"
}

GHSA-VVJV-97J8-94XH

Vulnerability from github – Published: 2023-02-28 23:19 – Updated: 2024-11-18 23:09
VLAI
Summary
vantage6 vulnerable to Improper Preservation of Permissions
Details

Impact

Assigning existing users to a different organization is currently possible. It may lead to unintended access: if a user from organization A is accidentally assigned to organization B, they will retain their permissions and therefore might be able to access stuff they should not be allowed to access.

Patches

Update to 3.8.0

Workarounds

None

References

None

For more information

If you have any questions or comments about this advisory: * Email us at vantage6@iknl.nl

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "vantage6"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-22738"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-02-28T23:19:24Z",
    "nvd_published_at": "2023-03-01T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nAssigning existing users to a different organization is currently possible. It may lead to unintended access: if a user from organization A is accidentally assigned to organization B, they will retain their permissions and therefore might be able to access stuff they should not be allowed to access.\n\n### Patches\nUpdate to 3.8.0\n\n### Workarounds\nNone\n\n### References\nNone\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at [vantage6@iknl.nl](mailto:vantage6@iknl.nl)\n",
  "id": "GHSA-vvjv-97j8-94xh",
  "modified": "2024-11-18T23:09:56Z",
  "published": "2023-02-28T23:19:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-vvjv-97j8-94xh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22738"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vantage6/vantage6/commit/798aca1de142a4eca175ef51112e2235642f4f24"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vantage6/PYSEC-2023-53.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vantage6/vantage6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "vantage6 vulnerable to Improper Preservation of Permissions"
}

GHSA-VW24-GW6X-F64V

Vulnerability from github – Published: 2025-01-06 18:31 – Updated: 2025-01-07 21:30
VLAI
Details

SeaCMS V13.1 is vulnerable to Incorrect Access Control. A logic flaw can be exploited by an attacker to allow any user to recharge members indefinitely.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-54879"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-06T18:15:21Z",
    "severity": "CRITICAL"
  },
  "details": "SeaCMS V13.1 is vulnerable to Incorrect Access Control. A logic flaw can be exploited by an attacker to allow any user to recharge members indefinitely.",
  "id": "GHSA-vw24-gw6x-f64v",
  "modified": "2025-01-07T21:30:55Z",
  "published": "2025-01-06T18:31:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54879"
    },
    {
      "type": "WEB",
      "url": "https://blog.csdn.net/weixin_46686336/article/details/144797242"
    },
    {
      "type": "WEB",
      "url": "http://seacms.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.