CVEbaza.plSłownik CWECWE-282
Common Weakness Enumeration

CWE-282

Improper Ownership Management

Kategoria: ClassCVE: 28
Opis

Produkt przypisuje błędne właścicielstwo lub nie weryfikuje prawidłowo właścicielstwa obiektu lub zasobu. Może to prowadzić do nieautoryzowanego dostępu lub modyfikacji chronionych elementów systemu.

Description (EN)

The product assigns the wrong ownership, or does not properly verify the ownership, of an object or resource.

Podatności CVE z CWE-282 (28)
8.8
CVSS
HIGH
CVE-2026-23514

Kiteworks is a private data network (PDN). Versions 9.2.0 and 9.2.1 of Kiteworks Core have an access control vulnerability that allows authenticated users to access unauthorized content. Upgrade Kiteworks Core to version 9.2.2 or later to receive a patch.

pub. 2026-03-25
8.8
CVSS
HIGH
CVE-2020-10632

Inadequate folder security permissions in Emerson OpenEnterprise versions through 3.3.4 may allow modification of important configuration files, which could cause the system to fail or behave in an unpredictable manner.

pub. 2022-02-24
8.5
CVSS
HIGH
CVE-2024-37999

A vulnerability has been identified in Medicalis Workflow Orchestrator (All versions). The affected application executes as a trusted account with high privileges and network access. This could allow an authenticated local attacker to escalate privileges.

pub. 2024-07-08
8.0
CVSS
HIGH
CVE-2025-27254

CWE-282 "Improper Ownership Management" in GE Vernova EnerVista UR Setup allows Authentication Bypass.  The software's startup authentication can be disabled by altering a Windows registry setting that any user can modify.

pub. 2025-03-10
7.8
CVSS
HIGH
CVE-2024-39755

A privilege escalation vulnerability exists in the node update functionality of Veertu Anka Build 1.42.0. A specially crafted PKG file can lead to execute priviledged operation. An attacker can make an unauthenticated HTTP request to trigger this vulnerability.

pub. 2024-10-03
7.8
CVSS
HIGH
CVE-2023-0386

A flaw was found in the Linux kernel, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount. This uid mapping bug allows a local user to escalate their privileges on the system.

pub. 2023-03-22🚩 CISA KEV⚡ EXPLOIT
7.8
CVSS
HIGH
CVE-2022-29187

Git is a distributed revision control system. Git prior to versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5, is vulnerable to privilege escalation in all platforms. An unsuspecting user could still be affected by the issue reported in CVE-2022-24765, for example when navigating as root into a shared tmp directory that is owned by them, but where an attacker could create a git repository. Versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5 contain a patch for this issue. The simplest way to avoid being affected by the exploit described in the example is to avoid running git as root (or an Administrator in Windows), and if needed to reduce its use to a minimum. While a generic workaround is not possible, a system could be hardened from the exploit described in the example by removing any such repository if it exists already and creating one as root to block any future attacks.

pub. 2022-07-12
7.8
CVSS
HIGH
CVE-2017-12189

It was discovered that the jboss init script as used in Red Hat JBoss Enterprise Application Platform 7.0.7.GA performed unsafe file handling which could result in local privilege escalation. This issue is a result of an incomplete fix for CVE-2016-8656.

pub. 2018-01-10
7.5
CVSS
HIGH
CVE-2025-57732

In JetBrains TeamCity before 2025.07.1 privilege escalation was possible due to incorrect directory ownership

pub. 2025-08-20
7.4
CVSS
HIGH
CVE-2024-3383

A vulnerability in how Palo Alto Networks PAN-OS software processes data received from Cloud Identity Engine (CIE) agents enables modification of User-ID groups. This impacts user access to network resources where users may be inappropriately denied or allowed access to resources based on your existing Security Policy rules.

pub. 2024-04-10
6.7
CVSS
MEDIUM
CVE-2022-0026

A local privilege escalation (PE) vulnerability exists in Palo Alto Networks Cortex XDR agent software on Windows that enables an authenticated local user with file creation privilege in the Windows root directory (such as C:\) to execute a program with elevated privileges. This issue impacts all versions of Cortex XDR agent without content update 330 or a later content update version.

pub. 2022-05-11
6.4
CVSS
MEDIUM
CVE-2024-47816

ImportDump is a mediawiki extension designed to automate user import requests. A user's local actor ID is stored in the database to tell who made what requests. Therefore, if a user on another wiki happens to have the same actor ID as someone on the central wiki, the user on the other wiki can act as if they're the original wiki requester. This can be abused to create new comments, edit the request, and view the request if it's marked private. This issue has been addressed in commit `5c91dfc` and all users are advised to update. Users unable to update may disable the special page outside of their global wiki. See `miraheze/mw-config@e566499` for details on that.

pub. 2024-10-09
6.3
CVSS
MEDIUM
CVE-2026-40214

In OpenStack Cyborg before 16.0.1, the Accelerator Request (ARQ) API does not enforce project ownership at any layer. The project_id column in the database is never populated (NULL for every ARQ), database queries have no project filtering, and policy checks are self-referential (the authorize_wsgi decorator compares the caller's project_id with itself rather than the target resource). Any authenticated non-admin user can complete various actions such as deleting ARQs bound to other projects' instances, aka cross-tenant denial of service.

pub. 2026-05-07
6.3
CVSS
MEDIUM
CVE-2024-45104

A valid, authenticated LXCA user without sufficient privileges may be able to use the device identifier to modify an LXCA managed device through a specially crafted web API call.

pub. 2024-09-13
6.3
CVSS
MEDIUM
CVE-2023-7226

A vulnerability was found in meetyoucrop big-whale 1.1 and classified as critical. Affected by this issue is some unknown functionality of the file /auth/user/all.api of the component Admin Module. The manipulation of the argument id leads to improper ownership management. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-250232.

pub. 2024-01-11
6.0
CVSS
MEDIUM
CVE-2026-3867

An improper ownership management vulnerability has been identified in Moxa’s Secure Router. Because of improper ownership management, a low-privileged authenticated user may access a configuration file containing the hashed password of the administrative account. Successful exploitation of this vulnerability could allow an attacker to obtain sensitive information. Exploitation is only possible under a specific condition — when the configuration file has been exported. This vulnerability does not impact the integrity or availability of the affected product, and no confidentiality, integrity, or availability impact to the subsequent system has been identified.

pub. 2026-04-27
5.4
CVSS
MEDIUM
CVE-2024-13249

Improper Ownership Management vulnerability in Drupal Node Access Rebuild Progressive allows Target Influence via Framing.This issue affects Node Access Rebuild Progressive: from 7.X-1.0 before 7.X-1.2.

pub. 2025-01-09
5.4
CVSS
MEDIUM
CVE-2024-43176

IBM OpenPages 9.0 could allow an authenticated user to obtain sensitive information such as configurations that should only be available to privileged users.

pub. 2025-01-09
5.3
CVSS
MEDIUM
CVE-2025-32946

This vulnerability allows any attacker to add playlists to a different user’s channel using the ActivityPub protocol. The vulnerable code sets the owner of the new playlist to be the user who performed the request, and then sets the associated channel to the channel ID supplied by the request, without checking if it belongs to the user.

pub. 2025-04-15
5.3
CVSS
MEDIUM
CVE-2024-13246

Improper Ownership Management vulnerability in Drupal Node Access Rebuild Progressive allows Target Influence via Framing.This issue affects Node Access Rebuild Progressive: from 0.0.0 before 2.0.2.

pub. 2025-01-09
Pokazano 20 z 28 podatności
Informacje
ID: CWE-282
Typ: Class
Podatności: 28
MITRE CWE ↗
← Słownik CWE