VYPR

CWE-281

Improper Preservation of Permissions

Base | Draft

Description

The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (135)

page 5 of 7
  • CVE-2026-34744 | Med | May 19, 2026
    risk 0.27 | cvss | epss 0.00

    Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior permit a user to list and download their own attachments from an Issue created by another user even after it becomes private, bypassing read access revocation. The loss of confidentiality…

  • CVE-2026-35351 | Med | Apr 22, 2026
    risk 0.27 | cvss 4.2 | epss 0.00

    The mv utility in uutils coreutils fails to preserve file ownership during moves across different filesystem boundaries. The utility falls back to a copy-and-delete routine that creates the destination file using the caller's UID/GID rather than the source's metadata. This flaw…

  • CVE-2025-22620 | Med | Jan 20, 2025
    risk 0.26 | cvss 5.0 | epss 0.00

    gitoxide is an implementation of git written in Rust. Prior to 0.17.0, gix-worktree-state specifies 0777 permissions when checking out executable files, intending that the umask will restrict them appropriately. But one of the strategies it uses to set permissions is not subject…

  • CVE-2024-36062 | Med | Nov 7, 2024
    risk 0.26 | cvss 4.0 | epss 0.00

    The com.callassistant.android (aka AI Call Assistant & Screener) application 1.174 for Android enables any installed application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.callassistant.android.ui.call.incall.InCall…

  • CVE-2025-0914 | Low | Feb 27, 2025
    risk 0.25 | cvss 3.8 | epss 0.00

    An improper access control issue in the VQL shell feature in Velociraptor Versions < 0.73.4 allowed authenticated users to execute the execve() plugin in deployments where this was explicitly forbidden by configuring the prevent_execve flag in the configuration file. This…

  • CVE-2025-9615 | Low | Jan 26, 2026
    risk 0.21 | cvss 3.3 | epss 0.00

    A flaw was found in NetworkManager. The NetworkManager package allows access to files that may belong to other users. NetworkManager allows non-root users to configure the system's network. The daemon runs with root privileges and can access files owned by users different from…

  • CVE-2023-32199 | Med | Oct 29, 2025
    risk 0.21 | cvss 4.3 | epss 0.00

    A vulnerability has been identified within Rancher Manager, where after removing a custom GlobalRole that gives administrative access or the corresponding binding, the user still retains access to clusters. This only affects custom Global Roles that have a * on * in * rule…

  • CVE-2024-54516 | Low | Jan 27, 2025
    risk 0.21 | cvss 3.3 | epss 0.00

    A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.2, macOS Sonoma 14.7.2. An app may be able to approve a launch daemon without user consent.

  • CVE-2024-47270 | Low | May 27, 2026
    risk 0.18 | cvss 2.7 | epss 0.00

    Improper preservation of permissions vulnerability in Archiving Push functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to limited file write via unspecified vectors.

  • CVE-2026-35361 | Low | Apr 22, 2026
    risk 0.15 | cvss 3.4 | epss 0.00

    The mknod utility in uutils coreutils fails to handle security labels atomically by creating device nodes before setting the SELinux context. If labeling fails, the utility attempts cleanup using std::fs::remove_dir, which cannot remove device nodes or FIFOs. This leaves…

  • CVE-2024-32882 | Low | May 2, 2024
    risk 0.11 | cvss 2.7 | epss 0.00

    Wagtail is an open source content management system built on Django. In affected versions if a model has been made available for editing through the `wagtail.contrib.settings` module or `ModelViewSet`, and the `permission` argument on `FieldPanel` has been used to further…

  • CVE-2023-34034 | Jul 19, 2023
    risk 0.04 | cvss | epss 0.03

    Using "**" as a pattern in Spring Security configuration for WebFlux creates a mismatch in pattern matching between Spring Security and Spring WebFlux, and the potential for a security bypass.

  • CVE-2019-0233 | Sep 14, 2020
    risk 0.01 | cvss | epss 0.70

    An access permission override in Apache Struts 2.0.0 to 2.5.20 may cause a Denial of Service when performing a file upload.

  • CVE-2025-32697 | Non | Apr 10, 2025
    risk 0.00 | cvss | epss 0.00

    Improper Preservation of Permissions vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/editpage/IntroMessageBuilder.Php, includes/Permissions/PermissionManager.Php, includes/Permissions/RestrictionStore.Php. This issue…

  • CVE-2025-32696 | Non | Apr 10, 2025
    risk 0.00 | cvss | epss 0.00

    Improper Preservation of Permissions vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/actions/RevertAction.Php, includes/api/ApiFileRevert.Php. This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1.

  • CVE-2025-24791 | Jan 29, 2025
    risk 0.00 | cvss | epss 0.00

    snowflake-connector-nodejs is a NodeJS driver for Snowflake. Snowflake discovered and remediated a vulnerability in the Snowflake NodeJS Driver. File permissions checks of the temporary credential cache could be bypassed by an attacker with write access to the local cache…

  • CVE-2021-3978 | Jan 29, 2025
    risk 0.00 | cvss | epss 0.00

    When copying files with rsync, octorpki uses the "-a" flag 0, which forces rsync to copy binaries with the suid bit set as root. Since the provided service definition defaults to root ( https://github.com/cloudflare/cfrpki/blob/master/package/octorpki.service ) this could allow…

  • CVE-2024-57439 | Jan 29, 2025
    risk 0.00 | cvss | epss 0.01

    An issue in the reset password interface of ruoyi v4.8.0 allows attackers with Admin privileges to cause a Denial of Service (DoS) by duplicating the login name of the account.

  • CVE-2024-42681 | Aug 15, 2024
    risk 0.00 | cvss | epss 0.01

    Insecure Permissions vulnerability in xxl-job v.2.4.1 allows a remote attacker to execute arbitrary code via the Sub-Task ID component.

  • CVE-2024-38361 | Jun 20, 2024
    risk 0.00 | cvss | epss 0.00

    Spicedb is an Open Source, Google Zanzibar-inspired permissions database to enable fine-grained authorization for customer applications. Use of an exclusion under an arrow that has multiple resources may resolve to `NO_PERMISSION` when permission is expected. If the resource…