VYPR

CWE-282

Improper Ownership Management

Class · Draft

Description

The product assigns the wrong ownership, or does not properly verify the ownership, of an object or resource.

Hierarchy (View 1000)

Parents

Related attack patterns (CAPEC)

CAPEC-17 · CAPEC-35

CVEs mapped to this weakness (7)

  • CVE-2025-27254 · High · Mar 10, 2025
    risk 0.52 · cvss 8.0 · epss 0.00

    CWE-282 "Improper Ownership Management" in GE Vernova EnerVista UR Setup allows Authentication Bypass. The software's startup authentication can be disabled by altering a Windows registry setting that any user can modify.

  • CVE-2017-12189 · High · Jan 10, 2018
    risk 0.51 · cvss 7.8 · epss 0.00

    It was discovered that the jboss init script as used in Red Hat JBoss Enterprise Application Platform 7.0.7.GA performed unsafe file handling which could result in local privilege escalation. This issue is a result of an incomplete fix for CVE-2016-8656.

  • CVE-2026-40214 · Med · May 7, 2026
    risk 0.41 · cvss 6.3 · epss 0.00

    In OpenStack Cyborg before 16.0.1, the Accelerator Request (ARQ) API does not enforce project ownership at any layer. The project_id column in the database is never populated (NULL for every ARQ), database queries have no project filtering, and policy checks are self-referential…

  • CVE-2026-3867 · Med · Apr 27, 2026
    risk 0.39 · cvss · epss 0.00

    An improper ownership management vulnerability has been identified in Moxa’s Secure Router. Because of improper ownership management, a low-privileged authenticated user may access a configuration file containing the hashed password of the administrative account. Successful…

  • CVE-2024-47816 · Med · Oct 9, 2024
    risk 0.35 · cvss 6.4 · epss 0.00

    ImportDump is a mediawiki extension designed to automate user import requests. A user's local actor ID is stored in the database to tell who made what requests. Therefore, if a user on another wiki happens to have the same actor ID as someone on the central wiki, the user on the…

  • CVE-2025-46416 · Low · Jun 27, 2025
    risk 0.19 · cvss 2.9 · epss 0.00

    The Nix, Lix, and Guix package managers allow a bypass of build isolation in which a user can elevate their privileges to the build user account (e.g., nixbld or guixbuild). This affects Nix through 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix through 2.91.2, 2.92.2, and 2.93.1; and…

  • CVE-2025-67642 · Dec 10, 2025
    risk 0.00 · cvss · epss 0.00

    Jenkins HashiCorp Vault Plugin 371.v884a_4dd60fb_6 and earlier does not set the appropriate context for Vault credentials lookup, allowing attackers with Item/Configure permission to access and potentially capture Vault credentials they are not entitled to.