CWE-269— Improper Privilege Management
4,225 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-269page 36 of 85
- CVE-2021-1839HIGHCVSS 7.8EG 7.82021-09-08
The issue was addressed with improved permissions logic. This issue is fixed in macOS Big Sur 11.3, Security Update 2021-002 Catalina, Security Update 2021-003 Mojave. A local attacker may be able to elevate their privileges.
- CVE-2021-1851HIGHCVSS 8.8EG 8.82021-09-08
A logic issue was addressed with improved state management. This issue is fixed in Security Update 2021-002 Catalina, Security Update 2021-003 Mojave, iOS 14.5 and iPadOS 14.5, watchOS 7.4, tvOS 14.5, macOS Big Sur 11.3. An application may…
- CVE-2021-1853HIGHCVSS 7.8EG 7.82021-09-08
A logic issue was addressed with improved state management. This issue is fixed in macOS Big Sur 11.3. A local attacker may be able to elevate their privileges.
- CVE-2021-1868HIGHCVSS 7.8EG 7.82021-09-08
A logic issue was addressed with improved state management. This issue is fixed in Security Update 2021-002 Catalina, Security Update 2021-003 Mojave, iOS 14.5 and iPadOS 14.5, watchOS 7.4, tvOS 14.5, macOS Big Sur 11.3. A local attacker m…
- CVE-2021-1942CRITICALCVSS 9.3EG 8.82022-04-01
Improper handling of permissions of a shared memory region can lead to memory corruption in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voi…
- CVE-2021-20021CRITICALCVSS 9.8EG 9.8⚠ KEV2021-04-09
A vulnerability in the SonicWall Email Security version 10.0.9.x allows an attacker to create an administrative account by sending a crafted HTTP request to the remote host.
- CVE-2021-20034CRITICALCVSS 9.1EG 9.12021-09-27
An improper access control vulnerability in SMA100 allows a remote unauthenticated attacker to bypass the path traversal checks and delete an arbitrary file potentially resulting in a reboot to factory default settings.
- CVE-2021-20072HIGHCVSS 7.2EG 7.22021-02-16
Racom's MIDGE Firmware 4.4.40.105 contains an issue that allows attackers to arbitrarily access and delete files via an authenticated directory traveral.
- CVE-2021-20075HIGHCVSS 7.8EG 7.82021-02-16
Racom's MIDGE Firmware 4.4.40.105 contains an issue that allows for privilege escalation via configd.
- CVE-2021-20079MEDIUMCVSS 6.7EG 6.72021-06-29
Nessus versions 8.13.2 and earlier were found to contain a privilege escalation vulnerability which could allow a Nessus administrator user to upload a specially crafted file that could lead to gaining administrator privileges on the Nessu…
- CVE-2021-20099MEDIUMCVSS 6.7EG 6.72021-06-28
Nessus Agent 8.2.4 and earlier for Windows were found to contain multiple local privilege escalation vulnerabilities which could allow an authenticated, local administrator to run specific Windows executables as the Nessus host. This is di…
- CVE-2021-20100MEDIUMCVSS 6.7EG 6.72021-06-28
Nessus Agent 8.2.4 and earlier for Windows were found to contain multiple local privilege escalation vulnerabilities which could allow an authenticated, local administrator to run specific Windows executables as the Nessus host. This is di…
- CVE-2021-20106MEDIUMCVSS 6.5EG 6.52021-07-21
Nessus Agent versions 8.2.5 and earlier were found to contain a privilege escalation vulnerability which could allow a Nessus administrator user to upload a specially crafted file that could lead to gaining administrator privileges on the …
- CVE-2021-20117MEDIUMCVSS 6.7EG 6.72021-09-09
Nessus Agent 8.3.0 and earlier was found to contain a local privilege escalation vulnerability which could allow an authenticated, local administrator to run specific executables on the Nessus Agent host. This is different than CVE-2021-20…
- CVE-2021-20118MEDIUMCVSS 6.7EG 6.72021-09-09
Nessus Agent 8.3.0 and earlier was found to contain a local privilege escalation vulnerability which could allow an authenticated, local administrator to run specific executables on the Nessus Agent host. This is different than CVE-2021-20…
- CVE-2021-20135MEDIUMCVSS 6.7EG 6.72021-11-03
Nessus versions 8.15.2 and earlier were found to contain a local privilege escalation vulnerability which could allow an authenticated, local administrator to run specific executables on the Nessus Agent host. Tenable has included a fix fo…
- CVE-2021-20172HIGHCVSS 7.8EG 7.82021-12-30
All known versions of the Netgear Genie Installer for macOS contain a local privilege escalation vulnerability. The installer of the macOS version of Netgear Genie handles certain files in an insecure way. A malicious actor who has local a…
- CVE-2021-20208MEDIUMCVSS 6.1EG 6.12021-04-19
A flaw was found in cifs-utils in versions before 6.13. A user when mounting a krb5 CIFS file system from within a container can use Kerberos credentials of the host. The highest threat from this vulnerability is to data confidentiality an…
- CVE-2021-20264HIGHCVSS 7.8EG 7.82021-10-06
An insecure modification flaw in the /etc/passwd file was found in the openjdk-1.8 and openjdk-11 containers. This flaw allows an attacker with access to the container to modify the /etc/passwd and escalate their privileges. The highest th…
- CVE-2021-20334MEDIUMCVSS 4.8EG 4.82021-04-06
A malicious 3rd party with local access to the Windows machine where MongoDB Compass is installed can execute arbitrary software with the privileges of the user who is running MongoDB Compass. This issue affects: MongoDB Inc. MongoDB Compa…
- CVE-2021-20617CRITICALCVSS 9.8EG 9.82021-01-14
Improper access control vulnerability in acmailer ver. 4.0.1 and earlier, and acmailer DB ver. 1.1.3 and earlier allows remote attackers to execute an arbitrary OS command, or gain an administrative privilege which may result in obtaining …
- CVE-2021-20618CRITICALCVSS 9.8EG 9.82021-01-14
Privilege chaining vulnerability in acmailer ver. 4.0.2 and earlier, and acmailer DB ver. 1.1.4 and earlier allows remote attackers to bypass authentication and to gain an administrative privilege which may result in obtaining the sensitiv…
- CVE-2021-20695HIGHCVSS 8.8EG 8.82021-04-26
Improper following of a certificate's chain of trust vulnerability in DAP-1880AC firmware version 1.21 and earlier allows a remote authenticated attacker to gain root privileges via unspecified vectors.
- CVE-2021-20713HIGHCVSS 7.8EG 7.82021-05-24
Privilege escalation vulnerability in QND Advance/Premium/Standard Ver.11.0.4i and earlier allows an attacker who can log in to the PC where the product's Windows client is installed to gain administrative privileges via unspecified vector…
- CVE-2021-20768MEDIUMCVSS 4.3EG 4.32021-08-18
Operational restrictions bypass vulnerability in Scheduler and MultiReport of Cybozu Garoon 4.0.0 to 5.0.2 allows a remote authenticated attacker to delete the data of Scheduler and MultiReport without the appropriate privilege.
- CVE-2021-20773MEDIUMCVSS 4.3EG 4.32021-08-18
There is a vulnerability in Workflow of Cybozu Garoon 4.0.0 to 5.5.0, which may allow a remote authenticated attacker to delete the route information Workflow without the appropriate privilege.
- CVE-2021-20791CRITICALCVSS 9.3EG 9.32021-09-17
Improper access control vulnerability in RevoWorks Browser 2.1.230 and earlier allows an attacker to bypass access restriction and to exchange unauthorized files between the local environment and the isolated environment or settings of the…
- CVE-2021-21117HIGHCVSS 7.8EG 7.82021-02-09
Insufficient policy enforcement in Cryptohome in Google Chrome prior to 88.0.4324.96 allowed a local attacker to perform OS-level privilege escalation via a crafted file.
- CVE-2021-21428CRITICALCVSS 9.3EG 9.32021-05-10
Openapi generator is a java tool which allows generation of API client libraries (SDK generation), server stubs, documentation and configuration automatically given an OpenAPI Spec. openapi-generator-online creates insecure temporary folde…
- CVE-2021-21430MEDIUMCVSS 6.2EG 6.22021-05-10
OpenAPI Generator allows generation of API client libraries (SDK generation), server stubs, documentation and configuration automatically given an OpenAPI Spec. Using `File.createTempFile` in JDK will result in creating and using insecure …
- CVE-2021-21502CRITICALCVSS 9.8EG 9.82021-02-09
Dell PowerScale OneFS versions 8.1.0 – 9.1.0 contain a "use of SSH key past account expiration" vulnerability. A user on the network with the ISI_PRIV_AUTH_SSH RBAC privilege that has an expired account may potentially exploit this vulne…
- CVE-2021-21567HIGHCVSS 7.8EG 7.82021-08-10
Dell PowerScale OneFS 9.1.0.x contains an improper privilege management vulnerability. It may allow an authenticated user with ISI_PRIV_LOGIN_SSH and/or ISI_PRIV_LOGIN_CONSOLE to elevate privilege.
- CVE-2021-21568MEDIUMCVSS 4.3EG 4.32021-08-16
Dell EMC PowerScale OneFS versions 8.2.x - 9.2.x contain an insufficient logging vulnerability. An authenticated user with ISI_PRIV_LOGIN_PAPI could make un-audited and un-trackable configuration changes to settings that their roles have p…
- CVE-2021-21750HIGHCVSS 7.8EG 7.82021-12-27
ZTE BigVideo Analysis product has a privilege escalation vulnerability. Due to improper management of the timed task modification privilege, an attacker with ordinary user permissions could exploit this vulnerability to gain unauthorized a…
- CVE-2021-21786HIGHCVSS 7.8EG 7.82021-07-07
A privilege escalation vulnerability exists in the IOCTL 0x9c406144 handling of IOBit Advanced SystemCare Ultimate 14.2.0.220. A specially crafted I/O request packet (IRP) can lead to increased privileges. An attacker can send a malicious …
- CVE-2021-21910HIGHCVSS 7.8EG 7.82021-12-22
A privilege escalation vulnerability exists in the Windows version of installation for Advantech R-SeeNet Advantech R-SeeNet 2.4.15 (30.07.2021). A specially-crafted file can be replaced in the system to escalate privileges to NT SYSTEM au…
- CVE-2021-21911HIGHCVSS 7.8EG 7.82021-12-22
A privilege escalation vulnerability exists in the Windows version of installation for Advantech R-SeeNet Advantech R-SeeNet 2.4.15 (30.07.2021). A specially-crafted file can be replaced in the system to escalate privileges to NT SYSTEM au…
- CVE-2021-21912HIGHCVSS 7.8EG 7.82021-12-22
A privilege escalation vulnerability exists in the Windows version of installation for Advantech R-SeeNet Advantech R-SeeNet 2.4.15 (30.07.2021). A specially-crafted file can be replaced in the system to escalate privileges to NT SYSTEM au…
- CVE-2021-21972CRITICALCVSS 9.8EG 9.8⚠ KEV2021-02-24
The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlyi…
- CVE-2021-21981HIGHCVSS 7.8EG 7.82021-04-19
VMware NSX-T contains a privilege escalation vulnerability due to an issue with RBAC (Role based access control) role assignment. Successful exploitation of this issue may allow attackers with local guest user account to assign privileges …
- CVE-2021-21991HIGHCVSS 7.8EG 7.82021-09-22
The vCenter Server contains a local privilege escalation vulnerability due to the way it handles session tokens. A malicious actor with non-administrative user access on vCenter Server host may exploit this issue to escalate privileges to …
- CVE-2021-22000HIGHCVSS 7.8EG 7.82021-07-13
VMware Thinapp version 5.x prior to 5.2.10 contain a DLL hijacking vulnerability due to insecure loading of DLLs. A malicious actor with non-administrative privileges may exploit this vulnerability to elevate privileges to administrator le…
- CVE-2021-22015HIGHCVSS 7.8EG 7.82021-09-23
The vCenter Server contains multiple local privilege escalation vulnerabilities due to improper permissions of files and directories. An authenticated local user with non-administrative privilege may exploit these issues to elevate their p…
- CVE-2021-22048HIGHCVSS 8.8EG 8.82021-11-10
The vCenter Server contains a privilege escalation vulnerability in the IWA (Integrated Windows Authentication) authentication mechanism. A malicious actor with non-administrative access to vCenter Server may exploit this issue to elevate …
- CVE-2021-22118HIGHCVSS 7.8EG 7.82021-05-27
In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a privilege escalation: by (re)creating the temporary storage directory, a locally authenticated malicious user c…
- CVE-2021-22159HIGHCVSS 7.8EG 7.82021-01-26
Insider Threat Management Windows Agent Local Privilege Escalation Vulnerability The Proofpoint Insider Threat Management (formerly ObserveIT) Agent for Windows before 7.4.3, 7.5.4, 7.6.5, 7.7.5, 7.8.4, 7.9.3, 7.10.2, and 7.11.0.25 as well…
- CVE-2021-22263MEDIUMCVSS 5.5EG 5.52021-10-11
An issue has been discovered in GitLab affecting all versions starting from 13.0 before 14.0.9, all versions starting from 14.1 before 14.1.4, all versions starting from 14.2 before 14.2.2. A user account with 'external' status which is gr…
- CVE-2021-22299HIGHCVSS 7.8EG 7.82021-02-06
There is a local privilege escalation vulnerability in some Huawei products. A local, authenticated attacker could craft specific commands to exploit this vulnerability. Successful exploitation may cause the attacker to obtain a higher pri…
- CVE-2021-22314HIGHCVSS 7.8EG 7.82021-03-22
There is a local privilege escalation vulnerability in some versions of ManageOne. A local authenticated attacker could perform specific operations to exploit this vulnerability. Successful exploitation may cause the attacker to obtain a h…
- CVE-2021-22326HIGHCVSS 7.1EG 7.12021-06-30
A component of the HarmonyOS has a Privilege Dropping / Lowering Errors vulnerability. Local attackers may exploit this vulnerability to obtain Kernel space read/write capability.
Map vulnerabilities like CWE-269 to your infrastructure
EchelonGraph correlates every CVE — across CWE-269 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →