VYPR

CWE-277

Insecure Inherited Permissions

Variant, Draft

Description

A product defines a set of insecure permissions that are inherited by objects that are created by the program.

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (32)

  • CVE-2024-27847, Med, May 14, 2024
    risk 0.36, cvss 5.5, epss 0.00

    This issue was addressed with improved checks. This issue is fixed in iOS 16.7.8 and iPadOS 16.7.8, iOS 17.5 and iPadOS 17.5, macOS Monterey 12.7.5, macOS Sonoma 14.5, macOS Ventura 13.6.7. An app may be able to bypass Privacy preferences.

  • CVE-2024-27834, Med, May 14, 2024
    risk 0.36, cvss 5.5, epss 0.01

    The issue was addressed with improved checks. This issue is fixed in Safari 17.5, iOS 16.7.8 and iPadOS 16.7.8, iOS 17.5 and iPadOS 17.5, macOS Sonoma 14.5, tvOS 17.5, watchOS 10.5. An attacker with arbitrary read and write capability may be able to bypass Pointer Authentication.

  • CVE-2024-45599, Low, Sep 25, 2024
    risk 0.25, cvss 3.8, epss 0.00

    Cursor is an artificial intelligence code editor. Prior to version 0.41.0, if a user on macOS has granted Cursor access to the camera or microphone, any program that is run on the machine is able to access the camera or the microphone without explicitly being granted access,…

  • CVE-2026-44997, Med, May 11, 2026
    risk 0.21, cvss 4.3, epss 0.00

    OpenClaw before 2026.4.22 contains a security envelope constraint bypass vulnerability allowing restricted subagents to spawn ACP child sessions that fail to inherit depth, child-count limits, control scope, or target-agent restrictions. Attackers can exploit this by spawning…

  • CVE-2025-9039, Med, Aug 14, 2025
    risk 0.21, cvss 4.3, epss 0.00

    We identified an issue in the Amazon ECS agent where, under certain conditions, an introspection server could be accessed off-host by another instance if the instances are in the same security group or if their security groups allow incoming connections that include the port…

  • CVE-2025-65111, Nov 21, 2025
    risk 0.00, cvss (none listed), epss 0.00

    SpiceDB is an open source database system for creating and managing security-critical application permissions. Prior to version 1.47.1, if a schema includes the following characteristics: permission defined in terms of a union (+) and that union references the same relation on…

  • CVE-2025-58437, Sep 6, 2025
    risk 0.00, cvss (none listed), epss 0.00

    Coder allows organizations to provision remote development environments via Terraform. In versions 2.22.0 through 2.24.3, 2.25.0 and 2.25.1, Coder can be compromised through insecure session handling in prebuilt workspaces. Coder automatically generates a session token for a…

  • CVE-2018-25111, May 31, 2025
    risk 0.00, cvss (none listed), epss 0.00

    django-helpdesk before 1.0.0 allows Sensitive Data Exposure because of os.umask(0) in models.py.

  • CVE-2024-42681, Aug 15, 2024
    risk 0.00, cvss (none listed), epss 0.01

    Insecure Permissions vulnerability in xxl-job v.2.4.1 allows a remote attacker to execute arbitrary code via the Sub-Task ID component.

  • CVE-2024-7143, Aug 7, 2024
    risk 0.00, cvss (none listed), epss 0.01

    A flaw was found in the Pulp package. When a role-based access control (RBAC) object in Pulp is set to assign permissions on its creation, it uses the `AutoAddObjPermsMixin` (typically the add_roles_for_object_creator method). This method finds the object creator by checking the…

  • CVE-2024-39877, Jul 17, 2024
    risk 0.00, cvss (none listed), epss 0.02

    Apache Airflow 2.4.0, and versions before 2.9.3, has a vulnerability that allows authenticated DAG authors to craft a doc_md parameter in a way that could execute arbitrary code in the scheduler context, which should be forbidden according to the Airflow Security model. Users…

  • CVE-2021-41170, Nov 8, 2021
    risk 0.00, cvss (none listed), epss 0.02

    neoan3-apps/template is a neoan3 minimal template engine. Versions prior to 1.1.1 have allowed for passing in closures directly into the template engine. As a result values that are callable are executed by the template engine. The issue arises if a value has the same name as a…