CWE-276
Incorrect Default Permissions
Description
During installation, installed file permissions are set to allow anyone to modify those files.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-1 · CAPEC-127 · CAPEC-81
CVEs mapped to this weakness (474)
page 20 of 24| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-26280 | 0.00 | — | 0.02 | Mar 1, 2024 | Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated Ops and Viewers users to view all information on audit logs, including dag names and usernames they were not permitted to view. With 2.8.2 and newer, Ops and Viewer users do not have audit log… | |||
| CVE-2024-25605 | 0.00 | — | 0.00 | Feb 20, 2024 | The Journal module in Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions grants guest users view permission to web content templates by default, which… | |||
| CVE-2024-24828 | 0.00 | — | 0.00 | Feb 9, 2024 | pkg is tool design to bundle Node.js projects into an executables. Any native code packages built by `pkg` are written to a hardcoded directory. On unix systems, this is `/tmp/pkg/*` which is a shared directory for all users on the same local system. There is no uniqueness to… | |||
| CVE-2023-42501 | 0.00 | — | 0.01 | Nov 27, 2023 | Unnecessary read permissions within the Gamma role would allow authenticated users to read configured CSS templates and annotations. This issue affects Apache Superset: before 2.1.2. Users should upgrade to version or above 2.1.2 and run `superset init` to reconstruct the Gamma… | |||
| CVE-2023-42261 | — | 0.00 | — | 0.01 | Sep 21, 2023 | Mobile Security Framework (MobSF) <=v3.7.8 Beta is vulnerable to Insecure Permissions. NOTE: the vendor's position is that authentication is intentionally not implemented because the product is not intended for an untrusted network environment. Use cases requiring authentication… | ||
| CVE-2023-43496 | 0.00 | — | 0.01 | Sep 20, 2023 | Jenkins 2.423 and earlier, LTS 2.414.1 and earlier creates a temporary file in the system temporary directory with the default permissions for newly created files when installing a plugin from a URL, potentially allowing attackers with access to the system temporary directory to… | |||
| CVE-2023-33966 | 0.00 | — | 0.01 | May 31, 2023 | Deno is a runtime for JavaScript and TypeScript. In deno 1.34.0 and deno_runtime 0.114.0, outbound HTTP requests made using the built-in `node:http` or `node:https` modules are incorrectly not checked against the network permission allow list (`--allow-net`). Dependencies… | |||
| CVE-2023-32698 | — | 0.00 | — | 0.00 | May 30, 2023 | nFPM is an alternative to fpm. The file permissions on the checked-in files were not maintained. Hence, when nfpm packaged the files (without extra config for enforcing it’s own permissions) files could go out with bad permissions (chmod 666 or 777). Anyone using nfpm for… | ||
| CVE-2023-32999 | 0.00 | — | 0.01 | May 16, 2023 | A missing permission check in Jenkins AppSpider Plugin 1.0.15 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL and send an HTTP POST request with a JSON payload consisting of attacker-specified credentials. | |||
| CVE-2023-32996 | 0.00 | — | 0.00 | May 16, 2023 | A missing permission check in Jenkins SAML Single Sign On(SSO) Plugin 2.0.0 and earlier allows attackers with Overall/Read permission to send an HTTP POST request with JSON body containing attacker-specified content, to miniOrange's API for sending emails. | |||
| CVE-2023-22651 | 0.00 | — | 0.01 | May 4, 2023 | Improper Privilege Management vulnerability in SUSE Rancher allows Privilege Escalation. A failure in the update logic of Rancher's admission Webhook may lead to the misconfiguration of the Webhook. This component enforces validation rules and security checks before resources… | |||
| CVE-2020-21514 | — | 0.00 | — | 0.01 | Apr 4, 2023 | An issue was discovered in Fluent-ui v.1.2.2 allows attackers to gain escalated privileges and execute arbitrary code due to a default password. | ||
| CVE-2022-3146 | — | 0.00 | — | 0.00 | Mar 23, 2023 | A flaw was found in tripleo-ansible. Due to an insecure default configuration, the permissions of a sensitive file are not sufficiently restricted. This flaw allows a local attacker to use brute force to explore the relevant directory and discover the file. This issue leads to… | ||
| CVE-2022-3101 | — | 0.00 | — | 0.00 | Mar 23, 2023 | A flaw was found in tripleo-ansible. Due to an insecure default configuration, the permissions of a sensitive file are not sufficiently restricted. This flaw allows a local attacker to use brute force to explore the relevant directory and discover the file, leading to… | ||
| CVE-2023-27593 | 0.00 | — | 0.00 | Mar 17, 2023 | Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.11.15, 1.12.8, and 1.13.1, an attacker with access to a Cilium agent pod can write to `/opt/cni/bin` due to a `hostPath` mount of that directory in the agent pod. By… | |||
| CVE-2021-36400 | 0.00 | — | 0.01 | Mar 6, 2023 | In Moodle, insufficient capability checks made it possible to remove other users' calendar URL subscriptions. | |||
| CVE-2021-36397 | 0.00 | — | 0.01 | Mar 6, 2023 | In Moodle, insufficient capability checks meant message deletions were not limited to the current user. | |||
| CVE-2023-23850 | 0.00 | — | 0.01 | Feb 15, 2023 | A missing permission check in Synopsys Jenkins Coverity Plugin 3.0.2 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | |||
| CVE-2023-23848 | 0.00 | — | 0.01 | Feb 15, 2023 | Missing permission checks in Synopsys Jenkins Coverity Plugin 3.0.2 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in… | |||
| CVE-2022-42130 | 0.00 | — | 0.01 | Nov 15, 2022 | The Dynamic Data Mapping module in Liferay Portal 7.1.0 through 7.4.3.4, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 19, 7.3 before update 4, and 7.4 GA does not properly check permission of form entries, which allows remote authenticated users to view and access… |
- CVE-2024-26280Mar 1, 2024risk 0.00cvss —epss 0.02
Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated Ops and Viewers users to view all information on audit logs, including dag names and usernames they were not permitted to view. With 2.8.2 and newer, Ops and Viewer users do not have audit log…
- CVE-2024-25605Feb 20, 2024risk 0.00cvss —epss 0.00
The Journal module in Liferay Portal 7.2.0 through 7.4.3.4, and older unsupported versions, and Liferay DXP 7.4.13, 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions grants guest users view permission to web content templates by default, which…
- CVE-2024-24828Feb 9, 2024risk 0.00cvss —epss 0.00
pkg is tool design to bundle Node.js projects into an executables. Any native code packages built by `pkg` are written to a hardcoded directory. On unix systems, this is `/tmp/pkg/*` which is a shared directory for all users on the same local system. There is no uniqueness to…
- CVE-2023-42501Nov 27, 2023risk 0.00cvss —epss 0.01
Unnecessary read permissions within the Gamma role would allow authenticated users to read configured CSS templates and annotations. This issue affects Apache Superset: before 2.1.2. Users should upgrade to version or above 2.1.2 and run `superset init` to reconstruct the Gamma…
- CVE-2023-42261Sep 21, 2023risk 0.00cvss —epss 0.01
Mobile Security Framework (MobSF) <=v3.7.8 Beta is vulnerable to Insecure Permissions. NOTE: the vendor's position is that authentication is intentionally not implemented because the product is not intended for an untrusted network environment. Use cases requiring authentication…
- CVE-2023-43496Sep 20, 2023risk 0.00cvss —epss 0.01
Jenkins 2.423 and earlier, LTS 2.414.1 and earlier creates a temporary file in the system temporary directory with the default permissions for newly created files when installing a plugin from a URL, potentially allowing attackers with access to the system temporary directory to…
- CVE-2023-33966May 31, 2023risk 0.00cvss —epss 0.01
Deno is a runtime for JavaScript and TypeScript. In deno 1.34.0 and deno_runtime 0.114.0, outbound HTTP requests made using the built-in `node:http` or `node:https` modules are incorrectly not checked against the network permission allow list (`--allow-net`). Dependencies…
- CVE-2023-32698May 30, 2023risk 0.00cvss —epss 0.00
nFPM is an alternative to fpm. The file permissions on the checked-in files were not maintained. Hence, when nfpm packaged the files (without extra config for enforcing it’s own permissions) files could go out with bad permissions (chmod 666 or 777). Anyone using nfpm for…
- CVE-2023-32999May 16, 2023risk 0.00cvss —epss 0.01
A missing permission check in Jenkins AppSpider Plugin 1.0.15 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL and send an HTTP POST request with a JSON payload consisting of attacker-specified credentials.
- CVE-2023-32996May 16, 2023risk 0.00cvss —epss 0.00
A missing permission check in Jenkins SAML Single Sign On(SSO) Plugin 2.0.0 and earlier allows attackers with Overall/Read permission to send an HTTP POST request with JSON body containing attacker-specified content, to miniOrange's API for sending emails.
- CVE-2023-22651May 4, 2023risk 0.00cvss —epss 0.01
Improper Privilege Management vulnerability in SUSE Rancher allows Privilege Escalation. A failure in the update logic of Rancher's admission Webhook may lead to the misconfiguration of the Webhook. This component enforces validation rules and security checks before resources…
- CVE-2020-21514Apr 4, 2023risk 0.00cvss —epss 0.01
An issue was discovered in Fluent-ui v.1.2.2 allows attackers to gain escalated privileges and execute arbitrary code due to a default password.
- CVE-2022-3146Mar 23, 2023risk 0.00cvss —epss 0.00
A flaw was found in tripleo-ansible. Due to an insecure default configuration, the permissions of a sensitive file are not sufficiently restricted. This flaw allows a local attacker to use brute force to explore the relevant directory and discover the file. This issue leads to…
- CVE-2022-3101Mar 23, 2023risk 0.00cvss —epss 0.00
A flaw was found in tripleo-ansible. Due to an insecure default configuration, the permissions of a sensitive file are not sufficiently restricted. This flaw allows a local attacker to use brute force to explore the relevant directory and discover the file, leading to…
- CVE-2023-27593Mar 17, 2023risk 0.00cvss —epss 0.00
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.11.15, 1.12.8, and 1.13.1, an attacker with access to a Cilium agent pod can write to `/opt/cni/bin` due to a `hostPath` mount of that directory in the agent pod. By…
- CVE-2021-36400Mar 6, 2023risk 0.00cvss —epss 0.01
In Moodle, insufficient capability checks made it possible to remove other users' calendar URL subscriptions.
- CVE-2021-36397Mar 6, 2023risk 0.00cvss —epss 0.01
In Moodle, insufficient capability checks meant message deletions were not limited to the current user.
- CVE-2023-23850Feb 15, 2023risk 0.00cvss —epss 0.01
A missing permission check in Synopsys Jenkins Coverity Plugin 3.0.2 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
- CVE-2023-23848Feb 15, 2023risk 0.00cvss —epss 0.01
Missing permission checks in Synopsys Jenkins Coverity Plugin 3.0.2 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in…
- CVE-2022-42130Nov 15, 2022risk 0.00cvss —epss 0.01
The Dynamic Data Mapping module in Liferay Portal 7.1.0 through 7.4.3.4, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 19, 7.3 before update 4, and 7.4 GA does not properly check permission of form entries, which allows remote authenticated users to view and access…