CWE-277
Insecure Inherited Permissions
Description
A product defines a set of insecure permissions that are inherited by objects that are created by the program.
Hierarchy (View 1000)
Parents
Children
none
CVEs mapped to this weakness (32)
Page 1 of 2

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-7891 | | Critical | 0.60 | — | 0.00 | | May 7, 2026 | The VerySecureApp made by DIVD using Mendix Studio Pro 11.8.0 Beta allows unintended data exposure due to authorization misconfiguration. The VerySecureApp allows anonymous users of the MyFirstModule with the anonymous user role to gain access to all stored records, even though… |
| CVE-2024-36542 | | High | 0.57 | 8.8 | 0.00 | | Jul 25, 2024 | Insecure permissions in kuma v2.7.0 allows attackers to access sensitive data and escalate privileges by obtaining the service account's token. |
| CVE-2016-6811 | | High | 0.57 | 8.8 | 0.03 | | Apr 11, 2017 | In Apache Hadoop 2.x before 2.7.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user. |
| CVE-2024-34329 | | High | 0.55 | 8.4 | 0.01 | | Jul 22, 2024 | Insecure permissions in Entrust Datacard XPS Card Printer Driver 8.5 and earlier without the dxp1-patch-E24-004 patch allows unauthenticated attackers to execute arbitrary code as SYSTEM via a crafted DLL payload. |
| CVE-2024-29417 | | High | 0.55 | 8.4 | 0.00 | | May 3, 2024 | Insecure Permissions vulnerability in e-trust Horacius 1.0, 1.1, and 1.2 allows a local attacker to escalate privileges via the password reset function. |
| CVE-2026-30266 | | High | 0.51 | 7.8 | 0.00 | | Apr 20, 2026 | Insecure Permissions vulnerability in DeepCool DeepCreative v.1.2.12 and before allows a local attacker to execute arbitrary code via a crafted file. |
| CVE-2024-27848 | | High | 0.51 | 7.8 | 0.00 | | Jun 10, 2024 | This issue was addressed with improved permissions checking. This issue is fixed in iOS 17.5 and iPadOS 17.5, macOS Sonoma 14.5. A malicious app may be able to gain root privileges. |
| CVE-2024-27822 | | High | 0.51 | 7.8 | 0.00 | | May 14, 2024 | A logic issue was addressed with improved restrictions. This issue is fixed in macOS Sonoma 14.5. An app may be able to gain root privileges. |
| CVE-2024-23233 | | High | 0.51 | 7.8 | 0.00 | | Mar 8, 2024 | This issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.4. Entitlements and privacy permissions granted to this app may be used by a malicious app. |
| CVE-2025-20008 | | High | 0.50 | 7.7 | 0.00 | | May 13, 2025 | Insecure inherited permissions for some Intel(R) Simics(R) Package Manager software before version 1.12.0 may allow a privileged user to potentially enable escalation of privilege via local access. |
| CVE-2024-41601 | | High | 0.49 | 7.5 | 0.00 | | Jul 19, 2024 | Insecure Permissions vulnerability in lin-CMS v.0.2.0 and before allows a remote attacker to obtain sensitive information via the login method in the UserController.java component. |
| CVE-2024-27825 | | High | 0.46 | 7.1 | 0.00 | | May 14, 2024 | A downgrade issue affecting Intel-based Mac computers was addressed with additional code-signing restrictions. This issue is fixed in macOS Sonoma 14.5. An app may be able to bypass certain Privacy preferences. |
| CVE-2025-64185 | | Medium | 0.45 | — | 0.00 | | Nov 20, 2025 | Open OnDemand is an open-source HPC portal. Prior to versions 4.0.8 and 3.1.16, Open OnDemand packages create world writable locations in the GEM_PATH. Open OnDemand versions 4.0.8 and 3.1.16 have been patched for this vulnerability. |
| CVE-2025-32092 | | Medium | 0.44 | 6.7 | 0.00 | | Feb 10, 2026 | Insecure inherited permissions for some Intel(R) Graphics Software before version 25.30.1702.0 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable… |
| CVE-2025-24327 | | Medium | 0.44 | 6.7 | 0.00 | | Nov 11, 2025 | Insecure inherited permissions for some Intel(R) Rapid Storage Technology Application before version 20.0.1021 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack… |
| CVE-2025-20629 | | Medium | 0.44 | 6.7 | 0.00 | | May 13, 2025 | Insecure inherited permissions in the NVM Update Utility for some Intel(R) Ethernet Network Adapter E810 Series before version 4.60 may allow an authenticated user to potentially enable escalation of privilege via local access. |
| CVE-2026-44836 | — | Medium | 0.42 | 6.5 | 0.00 | | May 26, 2026 | view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From 3.0.0 to 4.9.0, the preview route derives an example name from the URL and calls it with public_send. The code does not verify that the requested method is one… |
| CVE-2025-11554 | | Medium | 0.41 | 6.3 | 0.00 | | Oct 9, 2025 | A security vulnerability has been detected in Portabilis i-Educar up to 2.9.10. Affected by this issue is some unknown functionality of the file app/Http/Controllers/AccessLevelController.php of the component User Type Handler. The manipulation leads to insecure inherited… |
| CVE-2024-36691 | | Medium | 0.41 | 6.3 | 0.00 | | Jun 12, 2024 | Insecure permissions in the AdminController.AjaxSave() method of PPGo_Jobs v2.8.0 allows authenticated attackers to arbitrarily modify users' account information. |
| CVE-2025-22448 | | Medium | 0.40 | 6.1 | 0.00 | | May 13, 2025 | Insecure inherited permissions for some Intel(R) Simics(R) Package Manager software before version 1.12.0 may allow an authenticated user to potentially enable denial of service via local access. |