CWE-282
Improper Ownership Management
Description
The product assigns the wrong ownership, or does not properly verify the ownership, of an object or resource.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-17 · CAPEC-35
CVEs mapped to this weakness (7)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-27254 | — | High | 0.52 | 8.0 | 0.00 | — | Mar 10, 2025 | CWE-282 "Improper Ownership Management" in GE Vernova EnerVista UR Setup allows Authentication Bypass. The software's startup authentication can be disabled by altering a Windows registry setting that any user can modify. |
| CVE-2017-12189 | — | High | 0.51 | 7.8 | 0.00 | — | Jan 10, 2018 | It was discovered that the jboss init script as used in Red Hat JBoss Enterprise Application Platform 7.0.7.GA performed unsafe file handling which could result in local privilege escalation. This issue is a result of an incomplete fix for CVE-2016-8656. |
| CVE-2026-40214 | — | Med | 0.41 | 6.3 | 0.00 | — | May 7, 2026 | In OpenStack Cyborg before 16.0.1, the Accelerator Request (ARQ) API does not enforce project ownership at any layer. The project_id column in the database is never populated (NULL for every ARQ), database queries have no project filtering, and policy checks are self-referential… |
| CVE-2026-3867 | — | Med | 0.39 | — | 0.00 | — | Apr 27, 2026 | An improper ownership management vulnerability has been identified in Moxa's Secure Router. Because of improper ownership management, a low-privileged authenticated user may access a configuration file containing the hashed password of the administrative account. Successful… |
| CVE-2024-47816 | — | Med | 0.35 | 6.4 | 0.00 | — | Oct 9, 2024 | ImportDump is a mediawiki extension designed to automate user import requests. A user's local actor ID is stored in the database to tell who made what requests. Therefore, if a user on another wiki happens to have the same actor ID as someone on the central wiki, the user on the… |
| CVE-2025-46416 | — | Low | 0.19 | 2.9 | 0.00 | — | Jun 27, 2025 | The Nix, Lix, and Guix package managers allow a bypass of build isolation in which a user can elevate their privileges to the build user account (e.g., nixbld or guixbuild). This affects Nix through 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix through 2.91.2, 2.92.2, and 2.93.1; and… |
| CVE-2025-67642 | — | — | 0.00 | — | 0.00 | — | Dec 10, 2025 | Jenkins HashiCorp Vault Plugin 371.v884a_4dd60fb_6 and earlier does not set the appropriate context for Vault credentials lookup, allowing attackers with Item/Configure permission to access and potentially capture Vault credentials they are not entitled to. |