VYPR

CWE-281

Improper Preservation of Permissions

Abstraction: Base, Status: Draft

Description

The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (135)

page 7 of 7
  • CVE-2022-27215, Mar 15, 2022
    risk 0.00, cvss n/a, epss 0.01

    A missing permission check in Jenkins Release Helper Plugin 1.3.3 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.

  • CVE-2021-43816, Jan 5, 2022
    risk 0.00, cvss n/a, epss 0.02

    containerd is an open source container runtime. On installations using SELinux, such as EL8 (CentOS, RHEL), Fedora, or SUSE MicroOS, with containerd since v1.5.0-beta.0 as the backing container runtime interface (CRI), an unprivileged pod scheduled to the node may bind mount,…

  • CVE-2021-41089, Oct 4, 2021
    risk 0.00, cvss n/a, epss 0.00

    Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where attempting to copy files using `docker cp` into a specially-crafted container can result in Unix file permission changes for existing files in the…

  • CVE-2021-41091, Oct 4, 2021
    risk 0.00, cvss n/a, epss 0.03

    Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where the data directory (typically `/var/lib/docker`) contained subdirectories with insufficiently restricted permissions, allowing otherwise…

  • CVE-2021-38553, Aug 13, 2021
    risk 0.00, cvss n/a, epss 0.00

    HashiCorp Vault and Vault Enterprise 1.4.0 through 1.7.3 initialized an underlying database file associated with the Integrated Storage feature with excessively broad filesystem permissions. Fixed in Vault and Vault Enterprise 1.8.0.

  • CVE-2021-3495, Jun 1, 2021
    risk 0.00, cvss n/a, epss 0.01

    An incorrect access control flaw was found in the kiali-operator in versions before 1.33.0 and before 1.24.7. This flaw allows an attacker with a basic level of access to the cluster (to deploy a kiali operand) to use this vulnerability and deploy a given image to anywhere in…

  • CVE-2021-22137, May 13, 2021
    risk 0.00, cvss n/a, epss 0.01

    In Elasticsearch versions before 7.11.2 and 6.8.15 a document disclosure flaw was found when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain cross-cluster search queries. This could result in the…

  • CVE-2021-21379, Mar 12, 2021
    risk 0.00, cvss n/a, epss 0.00

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions of XWiki Platform, the `{{wikimacrocontent}}` executes the content with the rights of the wiki macro author instead of the caller of that wiki macro.…

  • CVE-2020-15113, Aug 5, 2020
    risk 0.00, cvss n/a, epss 0.00

    In etcd before versions 3.3.23 and 3.4.10, certain directory paths are created (etcd data directory and the directory path when provided to automatically generate self-signed certificates for TLS connections with clients) with restricted access permissions (700) by using the…

  • CVE-2020-14958, Jun 21, 2020
    risk 0.00, cvss n/a, epss 0.01

    In Gogs 0.11.91, MakeEmailPrimary in models/user_mail.go lacks a "not the owner of the email" check.

  • CVE-2019-16539, Nov 21, 2019
    risk 0.00, cvss n/a, epss 0.01

    A missing permission check in Jenkins Support Core Plugin 2.63 and earlier allows attackers with Overall/Read permission to delete support bundles.

  • CVE-2013-2027, Feb 13, 2015
    risk 0.00, cvss n/a, epss 0.00

    Jython 2.2.1 uses the current umask to set the privileges of the class cache files, which allows local users to bypass intended access restrictions via unspecified vectors.

  • CVE-2013-6335, Aug 26, 2014
    risk 0.00, cvss n/a, epss 0.00

    The Backup-Archive client in IBM Tivoli Storage Manager (TSM) for Space Management 5.x and 6.x before 6.2.5.3, 6.3.x before 6.3.2, 6.4.x before 6.4.2, and 7.1.x before 7.1.0.3 on Linux and AIX, and 5.x and 6.x before 6.1.5.6 on Solaris and HP-UX, does not preserve file…

  • CVE-2013-4260, Sep 16, 2013
    risk 0.00, cvss n/a, epss 0.00

    lib/ansible/playbook/__init__.py in Ansible 1.2.x before 1.2.3, when playbook does not run due to an error, allows local users to overwrite arbitrary files via a symlink attack on a retry file with a predictable name in /var/tmp/ansible/.

  • CVE-2009-5054, Feb 3, 2011
    risk 0.00, cvss n/a, epss 0.02

    Smarty before 3.0.0 beta 4 does not consider the umask value when setting the permissions of files, which might allow attackers to bypass intended access restrictions via standard filesystem operations.