CWE-281
Improper Preservation of Permissions
Abstraction: Base
Status: Draft
Description
The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.
Hierarchy (View 1000)
Parents:
Children: none
CVEs mapped to this weakness (82)
page 2 of 5

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2017-8466 | High | 0.51 | 7.8 | 0.01 | | Jun 15, 2017 | Windows Cursor in Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and Windows Server 2016 allows improper elevation of privilege, aka "Windows Cursor Elevation of Privilege Vulnerability". |
| CVE-2017-8465 | High | 0.51 | 7.8 | 0.07 | | Jun 15, 2017 | Microsoft Windows 8.1 and Windows RT 8.1, Windows Server 2012 R2, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allow an attacker to run processes in an elevated context when the Windows kernel improperly handles objects in memory, aka "Win32k Elevation of Privilege Vulnerability." This CVE ID is unique from CVE-2017-8468. |
| CVE-2001-0195 | High | 0.51 | 7.8 | 0.00 | | Mar 26, 2001 | sash before 3.4-4 in Debian GNU/Linux does not properly clone /etc/shadow, which makes it world-readable and could allow local users to gain privileges via password cracking. |
| CVE-2025-7346 | High | 0.50 | — | 0.01 | | Jul 8, 2025 | Any unauthenticated attacker can bypass the localhost restrictions posed by the application and utilize this to create arbitrary packages. |
| CVE-2024-53934 | High | 0.50 | 7.7 | 0.00 | | Jan 6, 2025 | The com.windymob.callscreen.ringtone.callcolor.colorphone (aka Color Phone Call Screen Themes) application through 1.1.2 for Android enables any application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.frovis.androidbase.call.DialerActivity component. |
| CVE-2026-35385 | High | 0.49 | 7.5 | 0.00 | | Apr 2, 2026 | In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode). |
| CVE-2024-12125 | High | 0.49 | 7.5 | 0.00 | | Nov 6, 2025 | A flaw was found in the 3scale Developer Portal. When creating or updating an account in the Developer Portal UI it is possible to modify fields explicitly configured as read-only or hidden, allowing an attacker to modify restricted information. |
| CVE-2025-43701 | High | 0.49 | 7.5 | 0.00 | | Jun 10, 2025 | Improper Preservation of Permissions vulnerability in Salesforce OmniStudio (FlexCards) allows exposure of Custom Settings data. This impacts OmniStudio: before version 254. |
| CVE-2025-43700 | High | 0.49 | 7.5 | 0.00 | | Jun 10, 2025 | Improper Preservation of Permissions vulnerability in Salesforce OmniStudio (FlexCards) allows exposure of encrypted data. This impacts OmniStudio: before Spring 2025. |
| CVE-2025-43697 | High | 0.49 | 7.5 | 0.00 | | Jun 10, 2025 | Improper Preservation of Permissions vulnerability in Salesforce OmniStudio (DataMapper) allows exposure of encrypted data. This impacts OmniStudio: before Spring 2025. |
| CVE-2024-54557 | High | 0.49 | 7.5 | 0.00 | | Jan 27, 2025 | A logic issue was addressed with improved restrictions. This issue is fixed in macOS Sequoia 15.2, macOS Sonoma 14.7.2, macOS Ventura 13.7.2. An attacker may gain access to protected parts of the file system. |
| CVE-2024-56317 | High | 0.49 | 7.5 | 0.00 | | Dec 18, 2024 | In Matter (aka connectedhomeip or Project CHIP) through 1.4.0.0, the WriteAcl function deletes all existing ACL entries first, and then attempts to recreate them based on user input. If input validation fails during decoding, the process stops, and no entries are restored by access-control-server.cpp, i.e., a denial of service. |
| CVE-2024-37575 | High | 0.49 | 7.5 | 0.00 | | Dec 4, 2024 | The Mister org.mistergroup.shouldianswer application 1.4.264 for Android enables any installed application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the org.mistergroup.shouldianswer.ui.default_dialer.DefaultDialerActivity component. |
| CVE-2005-1920 | High | 0.49 | 7.5 | 0.03 | | Jul 26, 2005 | The (1) Kate and (2) Kwrite applications in KDE 3.2.x through 3.4.0 do not properly set the same permissions on the backup file as were set on the original file, which could allow local users and possibly remote attackers to obtain sensitive information. |
| CVE-2002-2323 | High | 0.49 | 7.5 | 0.00 | | Dec 31, 2002 | Sun PC NetLink 1.0 through 1.2 does not properly set the access control list (ACL) for files and directories that use symbolic links and have been restored from backup, which could allow local or remote attackers to bypass intended access restrictions. |
| CVE-2001-1515 | High | 0.49 | 7.5 | 0.01 | | Dec 31, 2001 | Macintosh clients, when using NT file system volumes on Windows 2000 SP1, create subdirectories and automatically modify the inherited NTFS permissions, which may cause the directories to have less restrictive permissions than intended. |
| CVE-2025-24337 | High | 0.48 | 8.4 | 0.00 | | Jan 20, 2025 | WriteFreely through 0.15.1, when MySQL is used, allows local users to discover credentials by reading config.ini. |
| CVE-2017-8494 | High | 0.47 | 7.3 | 0.01 | | Jun 15, 2017 | Microsoft Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allow a locally-authenticated attacker to run a specially crafted application on a targeted system when Windows Secure Kernel Mode fails to properly handle objects in memory, aka "Windows Elevation of Privilege Vulnerability". |
| CVE-2025-37735 | High | 0.46 | 7.0 | 0.00 | | Nov 6, 2025 | Improper preservation of permissions in Elastic Defend on Windows hosts can lead to arbitrary files on the system being deleted by the Defend service running as SYSTEM. In some cases, this could result in local privilege escalation. |
| CVE-2024-40821 | High | 0.46 | 7.1 | 0.00 | | Jul 29, 2024 | An access issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Monterey 12.7.6, macOS Sonoma 14.6, macOS Ventura 13.6.8. Third party app extensions may not receive the correct sandbox restrictions. |