VYPR

CWE-276

Incorrect Default Permissions

Abstraction: Base · Status: Draft · Likelihood of exploit: Medium

Description

During installation, installed file permissions are set to allow anyone to modify those files.
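The description above is abstract, so here is an added example (written for this page, not code from MITRE or from any project in the CVE list below) that shows the two ways the weakness usually appears and one way to audit for it: an installer that creates its state directory with an explicit 0o777 and writes a config file as 0o666 (the shape of the $HOME/.singularity and Python keyring entries listed later), beside a hardened version that sets a restrictive umask, creates the directory 0o700 and opens the file with O_EXCL and 0o600. The directory names, file name and file content are constructed for the demo; everything is created under a scratch directory so it runs offline.

```python
"""Added example for CWE-276: insecure vs. hardened first-run permissions,
plus an audit that reports what an installer left world-accessible.
Not taken from any project on this page; paths and contents are constructed."""
import os
import stat
import tempfile
from pathlib import Path


def create_insecure(base: Path) -> Path:
    """Vulnerable pattern: explicit 0o777 on the directory and 0o666 on the
    file.  Because the modes are set explicitly, the caller's umask cannot
    rescue them (the same outcome as the 777 $HOME/.singularity case)."""
    d = base / "app-insecure"          # hypothetical app state directory
    d.mkdir(mode=0o777)
    os.chmod(d, 0o777)                  # defeat the umask on purpose
    cfg = d / "config.toml"
    cfg.write_text("token = 'secret'\n")  # constructed sample secret
    os.chmod(cfg, 0o666)                # anyone on the host can edit it
    return d


def create_hardened(base: Path) -> Path:
    """Hardened pattern: restrictive umask for the duration of the install,
    owner-only directory, and the file opened O_CREAT|O_EXCL with 0o600 so it
    is never briefly world-readable and cannot be pre-created by someone else."""
    d = base / "app-hardened"          # hypothetical app state directory
    old_umask = os.umask(0o077)
    try:
        d.mkdir(mode=0o700)
        cfg = d / "config.toml"
        fd = os.open(cfg, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as f:
            f.write("token = 'secret'\n")   # constructed sample secret
    finally:
        os.umask(old_umask)             # never leave the process umask changed
    return d


def audit(root: Path) -> list[tuple[str, str]]:
    """Walk root and report entries writable by group or others, and regular
    files readable by others.  Symlinks are skipped (their mode is meaningless)."""
    findings = []
    for p in [root, *root.rglob("*")]:
        mode = p.lstat().st_mode
        if stat.S_ISLNK(mode):
            continue
        name = str(p.relative_to(root))      # "." for root itself
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((name, "writable-by-others"))
        if stat.S_ISREG(mode) and mode & stat.S_IROTH:
            findings.append((name, "world-readable"))
    return findings


def demo() -> dict:
    """Build both layouts in a fresh scratch directory and return the audits."""
    base = Path(tempfile.mkdtemp(prefix="cwe276-"))
    return {
        "insecure": audit(create_insecure(base)),
        "hardened": audit(create_hardened(base)),
    }


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, findings or "clean")
```

The hardened variant fixes the mode on the open() call rather than with a later chmod, because a chmod after creation leaves a window in which the file already exists with the wide default mode. The audit is what you would run over an installed tree before shipping a package: anything it reports under a system prefix or a per-user state directory is a CWE-276 finding.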

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-1 (Accessing Functionality Not Properly Constrained by ACLs) · CAPEC-127 (Directory Indexing) · CAPEC-81 (Web Server Logs Tampering)

CVEs mapped to this weakness (474)

page 23 of 24
  • CVE-2020-13240 · May 20, 2020
    risk 0.00 cvss · epss 0.01

    The DMS/ECM module in Dolibarr 11.0.4 allows users with the 'Setup documents directories' permission to rename uploaded files to have insecure file extensions. This bypasses the .noexe protection mechanism against XSS.

  • CVE-2020-2183 · May 6, 2020
    risk 0.00 cvss · epss 0.01

    Jenkins Copy Artifact Plugin 1.43.1 and earlier performs improper permission checks, allowing attackers to copy artifacts from jobs they have no permission to access.

  • CVE-2020-12118 · Apr 23, 2020
    risk 0.00 cvss · epss 0.01

    The keygen protocol implementation in Binance tss-lib before 1.2.0 allows attackers to generate crafted h1 and h2 parameters in order to compromise a signing round or obtain sensitive information from other parties.

  • CVE-2020-9543 · Mar 12, 2020
    risk 0.00 cvss · epss 0.01

    OpenStack Manila <7.4.1, >=8.0.0 <8.1.1, and >=9.0.0 <9.1.1 allows attackers to view, update, delete, or share resources that do not belong to them, because of a context-free lookup of a UUID. Attackers may also create resources, such as shared file systems and groups of shares…

  • CVE-2019-19724 · Dec 18, 2019
    risk 0.00 cvss · epss 0.01

    Insecure permissions (777) are set on $HOME/.singularity when it is newly created by Singularity (version from 3.3.0 to 3.5.1), which could lead to an information leak, and malicious redirection of operations performed against Sylabs cloud services.

  • CVE-2019-16559 · Dec 17, 2019
    risk 0.00 cvss · epss 0.01

    A missing permission check in Jenkins WebSphere Deployer Plugin 1.6.1 and earlier allows attackers with Overall/Read permission to perform connection tests and determine whether files with an attacker-specified path exist on the Jenkins master file system.

  • CVE-2019-16554 · Dec 17, 2019
    risk 0.00 cvss · epss 0.01

    A missing permission check in Jenkins Build Failure Analyzer Plugin 1.24.1 and earlier allows attackers with Overall/Read permission to have Jenkins evaluate a computationally expensive regular expression.

  • CVE-2019-16552 · Dec 17, 2019
    risk 0.00 cvss · epss 0.01

    A missing permission check in Jenkins Gerrit Trigger Plugin 2.30.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP URL or SSH server using attacker-specified credentials, or determine the existence of a file with a given path on…

  • CVE-2019-19712 · Dec 17, 2019
    risk 0.00 cvss · epss 0.01

    Contao 4.0 through 4.8.5 has Insecure Permissions. Back end users can manipulate the details view URL to show pages and articles that have not been enabled for them.

  • CVE-2019-19118 · Dec 2, 2019
    risk 0.00 cvss · epss 0.02

    Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI,…

  • CVE-2012-5578 · Nov 25, 2019
    risk 0.00 cvss · epss 0.00

    Python keyring has insecure permissions on new databases, allowing world-readable files to be created.

  • CVE-2012-1157 · Nov 14, 2019
    risk 0.00 cvss · epss 0.01

    Moodle before 2.2.2 has a default repository capabilities issue where all repositories are viewable by all users by default.

  • CVE-2012-5577 · Oct 28, 2019
    risk 0.00 cvss · epss 0.01

    Python keyring lib before 0.10 created keyring files with world-readable permissions.

  • CVE-2019-10474 · Oct 23, 2019
    risk 0.00 cvss · epss 0.01

    A missing permission check in Jenkins Global Post Script Plugin allowed users with Overall/Read access to list the scripts available to the plugin stored on the Jenkins master file system.

  • CVE-2019-10472 · Oct 23, 2019
    risk 0.00 cvss · epss 0.01

    A missing permission check in Jenkins Libvirt Slaves Plugin allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

  • CVE-2019-10473 · Oct 23, 2019
    risk 0.00 cvss · epss 0.01

    A missing permission check in Jenkins Libvirt Slaves Plugin in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.

  • CVE-2019-10470 · Oct 23, 2019
    risk 0.00 cvss · epss 0.01

    A missing permission check in Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.

  • CVE-2019-10469 · Oct 23, 2019
    risk 0.00 cvss · epss 0.01

    A missing permission check in Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in…

  • CVE-2019-10465 · Oct 23, 2019
    risk 0.00 cvss · epss 0.01

    A missing permission check in Jenkins Deploy WebLogic Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials, or determine whether a file or directory with an attacker-specified path exists on the Jenkins…

  • CVE-2019-10463 · Oct 23, 2019
    risk 0.00 cvss · epss 0.01

    A missing permission check in Jenkins Dynatrace Application Monitoring Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.