CWE-276
Incorrect Default Permissions
Description
During installation, installed file permissions are set to allow anyone to modify those files.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-1 · CAPEC-127 · CAPEC-81
CVEs mapped to this weakness (474)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-13240 | — | — | 0.00 | — | 0.01 | — | May 20, 2020 | The DMS/ECM module in Dolibarr 11.0.4 allows users with the 'Setup documents directories' permission to rename uploaded files to have insecure file extensions. This bypasses the .noexe protection mechanism against XSS. |
| CVE-2020-2183 | — | — | 0.00 | — | 0.01 | — | May 6, 2020 | Jenkins Copy Artifact Plugin 1.43.1 and earlier performs improper permission checks, allowing attackers to copy artifacts from jobs they have no permission to access. |
| CVE-2020-12118 | — | — | 0.00 | — | 0.01 | — | Apr 23, 2020 | The keygen protocol implementation in Binance tss-lib before 1.2.0 allows attackers to generate crafted h1 and h2 parameters in order to compromise a signing round or obtain sensitive information from other parties. |
| CVE-2020-9543 | — | — | 0.00 | — | 0.01 | — | Mar 12, 2020 | OpenStack Manila <7.4.1, >=8.0.0 <8.1.1, and >=9.0.0 <9.1.1 allows attackers to view, update, delete, or share resources that do not belong to them, because of a context-free lookup of a UUID. Attackers may also create resources, such as shared file systems and groups of shares… |
| CVE-2019-19724 | — | — | 0.00 | — | 0.01 | — | Dec 18, 2019 | Insecure permissions (777) are set on $HOME/.singularity when it is newly created by Singularity (version from 3.3.0 to 3.5.1), which could lead to an information leak, and malicious redirection of operations performed against Sylabs cloud services. |
| CVE-2019-16559 | — | — | 0.00 | — | 0.01 | — | Dec 17, 2019 | A missing permission check in Jenkins WebSphere Deployer Plugin 1.6.1 and earlier allows attackers with Overall/Read permission to perform connection tests and determine whether files with an attacker-specified path exist on the Jenkins master file system. |
| CVE-2019-16554 | — | — | 0.00 | — | 0.01 | — | Dec 17, 2019 | A missing permission check in Jenkins Build Failure Analyzer Plugin 1.24.1 and earlier allows attackers with Overall/Read permission to have Jenkins evaluate a computationally expensive regular expression. |
| CVE-2019-16552 | — | — | 0.00 | — | 0.01 | — | Dec 17, 2019 | A missing permission check in Jenkins Gerrit Trigger Plugin 2.30.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP URL or SSH server using attacker-specified credentials, or determine the existence of a file with a given path on… |
| CVE-2019-19712 | — | — | 0.00 | — | 0.01 | — | Dec 17, 2019 | Contao 4.0 through 4.8.5 has Insecure Permissions. Back end users can manipulate the details view URL to show pages and articles that have not been enabled for them. |
| CVE-2019-19118 | — | — | 0.00 | — | 0.02 | — | Dec 2, 2019 | Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI,… |
| CVE-2012-5578 | — | — | 0.00 | — | 0.00 | — | Nov 25, 2019 | Python keyring has insecure permissions on new databases, allowing world-readable files to be created. |
| CVE-2012-1157 | — | — | 0.00 | — | 0.01 | — | Nov 14, 2019 | Moodle before 2.2.2 has a default repository capabilities issue where all repositories are viewable by all users by default. |
| CVE-2012-5577 | — | — | 0.00 | — | 0.01 | — | Oct 28, 2019 | Python keyring lib before 0.10 created keyring files with world-readable permissions. |
| CVE-2019-10474 | — | — | 0.00 | — | 0.01 | — | Oct 23, 2019 | A missing permission check in Jenkins Global Post Script Plugin allowed users with Overall/Read access to list the scripts available to the plugin stored on the Jenkins master file system. |
| CVE-2019-10472 | — | — | 0.00 | — | 0.01 | — | Oct 23, 2019 | A missing permission check in Jenkins Libvirt Slaves Plugin allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. |
| CVE-2019-10473 | — | — | 0.00 | — | 0.01 | — | Oct 23, 2019 | A missing permission check in Jenkins Libvirt Slaves Plugin in form-related methods allowed users with Overall/Read access to enumerate credentials IDs of credentials stored in Jenkins. |
| CVE-2019-10470 | — | — | 0.00 | — | 0.01 | — | Oct 23, 2019 | A missing permission check in Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin in form-related methods allowed users with Overall/Read access to enumerate credentials IDs of credentials stored in Jenkins. |
| CVE-2019-10469 | — | — | 0.00 | — | 0.01 | — | Oct 23, 2019 | A missing permission check in Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in… |
| CVE-2019-10465 | — | — | 0.00 | — | 0.01 | — | Oct 23, 2019 | A missing permission check in Jenkins Deploy WebLogic Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials, or determine whether a file or directory with an attacker-specified path exists on the Jenkins… |
| CVE-2019-10463 | — | — | 0.00 | — | 0.01 | — | Oct 23, 2019 | A missing permission check in Jenkins Dynatrace Application Monitoring Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials. |