VYPR

CWE-732

Incorrect Permission Assignment for Critical Resource

Abstraction: Class · Status: Draft · Likelihood of exploit: High

Description

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

When a resource is given a permission setting that provides access to a wider range of actors than required, it could lead to the exposure of sensitive information, or the modification of that resource by unintended parties. This is especially dangerous when the resource is related to program configuration, execution, or sensitive user data. For example, consider a misconfigured storage account for the cloud that can be read or written by a public or anonymous user.
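As an added illustration of the weakness (example code written for this page, not from the CWE entry or from any product in the list below), the Python below writes a secret-bearing configuration file the weak way and the hardened way, then reports which permission bits exceed what an owner-only resource needs. The file names and the secret content are constructed samples.

```python
import os
import stat
import tempfile

# Permission bits, in report order, that grant access to actors other than the owner.
NON_OWNER_BITS = [
    ("group:read", stat.S_IRGRP), ("group:write", stat.S_IWGRP), ("group:exec", stat.S_IXGRP),
    ("other:read", stat.S_IROTH), ("other:write", stat.S_IWOTH), ("other:exec", stat.S_IXOTH),
]


def write_secret_weak(path: str, data: bytes) -> None:
    """CWE-732 pattern: the file is created and then widened to 0666, so any local
    user can read or rewrite it (compare the 'Everyone Full Control' entries on this page)."""
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, 0o666)


def write_secret_hardened(path: str, data: bytes) -> None:
    """Creates the file with mode 0600 at open time, so there is no window in which
    it exists with broader bits; O_EXCL refuses a pre-existing (possibly planted) file."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    os.chmod(path, 0o600)  # umask can only remove bits; pin the intended mode explicitly


def surplus_permissions(path: str, required_mode: int = 0o600) -> list:
    """Returns the non-owner permission names set on `path` beyond `required_mode`.
    An empty list means the resource is no wider than the owner-only baseline."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    extra = mode & ~required_mode
    return [name for name, bit in NON_OWNER_BITS if extra & bit]


def demo() -> dict:
    """Writes the same constructed secret both ways in a scratch directory and
    returns the surplus bits found on each file (the audit a deployment check would run)."""
    secret = b"api_token=constructed-sample-value\n"  # constructed sample content
    with tempfile.TemporaryDirectory() as scratch:
        weak = os.path.join(scratch, "weak.ini")
        hardened = os.path.join(scratch, "hardened.ini")
        write_secret_weak(weak, secret)
        write_secret_hardened(hardened, secret)
        return {"weak": surplus_permissions(weak), "hardened": surplus_permissions(hardened)}


if __name__ == "__main__":
    for label, surplus in demo().items():
        print(f"{label}: {'OK' if not surplus else 'too broad: ' + ', '.join(surplus)}")
```

The scratch directory is created mode 0700, so the weak file is not actually reachable by other users while the demo runs; what the audit reports is the surplus bits that would expose it in a shared location.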

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-1 · CAPEC-122 · CAPEC-127 · CAPEC-17 · CAPEC-180 · CAPEC-206 · CAPEC-234 · CAPEC-60 · CAPEC-61 · CAPEC-62 · CAPEC-642

CVEs mapped to this weakness (623)

page 14 of 32
  • CVE-2017-8450 · High · Jun 16, 2017
    risk 0.49 · cvss 7.5 · epss 0.01

    X-Pack 5.1.1 did not properly apply document and field level security to multi-search and multi-get requests so users without access to a document and/or field may have been able to access this information.

  • CVE-2017-9136 · High · May 21, 2017
    risk 0.49 · cvss 7.5 · epss 0.01

    An issue was discovered on Mimosa Client Radios before 2.2.3. In the device's web interface, there is a page that allows an attacker to use an unsanitized GET parameter to download files from the device as the root user. The attacker can download any file from the device's…

  • CVE-2017-0317 · High · Feb 15, 2017
    risk 0.49 · cvss 7.5 · epss 0.00

    All versions of NVIDIA GPU and GeForce Experience installer contain a vulnerability where it fails to set proper permissions on the package extraction path thus allowing a non-privileged user to tamper with the extracted files, potentially leading to escalation of privileges via…

  • CVE-2005-4868 · High · Dec 31, 2005
    risk 0.49 · cvss 7.1 · epss 0.01

    Shared memory sections and events in IBM DB2 8.1 have default permissions of read and write for the Everyone group, which allows local users to gain unauthorized access, gain sensitive information, such as cleartext passwords, and cause a denial of service.

  • CVE-2004-1714 · High · Aug 11, 2004
    risk 0.49 · cvss 7.1 · epss 0.01

    BlackICE PC Protection and Server Protection installs (1) firewall.ini, (2) blackice.ini, (3) sigs.ini and (4) protect.ini with Everyone Full Control permissions, which allows local users to cause a denial of service (crash) or modify configuration, as demonstrated by modifying…

  • CVE-2001-0006 · High · Feb 12, 2001
    risk 0.49 · cvss 7.1 · epss 0.03

    The Winsock2ProtocolCatalogMutex mutex in Windows NT 4.0 has inappropriate Everyone/Full Control permissions, which allows local users to modify the permissions to "No Access" and disable Winsock network connectivity to cause a denial of service, aka the "Winsock Mutex"…

  • CVE-2026-50570 · High · Jun 10, 2026
    risk 0.48 · cvss 8.5 · epss 0.00

    Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.25.0, Fission added PodSpec safety validation for tenant-facing Environment and Function CRDs (ValidatePodSpecSafety /…

  • CVE-2026-26422 · High · Jun 6, 2026
    risk 0.48 · cvss 8.4 · epss 0.00

    clash-verge-service-ipc before 2.3.0 has a world-reachable IPC endpoint, leading to local privilege escalation.

  • CVE-2026-33572 · High · Mar 29, 2026
    risk 0.48 · cvss 8.4 · epss 0.00

    OpenClaw before 2026.2.17 creates session transcript JSONL files with overly broad default permissions, allowing local users to read transcript contents. Attackers with local access can read transcript files to extract sensitive information including secrets from tool output.

  • CVE-2026-34352 · High · Mar 26, 2026
    risk 0.48 · cvss 8.5 · epss 0.00

    In TigerVNC before 1.16.2, Image.cxx in x0vncserver allows other users to observe or manipulate the screen contents, or cause an application crash, because of incorrect permissions.

  • CVE-2024-1486 · High · May 14, 2024
    risk 0.48 · cvss 7.4 · epss 0.00

    Elevation of privileges via misconfigured access control list in GE HealthCare ultrasound devices

  • CVE-2018-0422 · High · Oct 5, 2018
    risk 0.48 · cvss 7.3 · epss 0.01

    A vulnerability in the folder permissions of Cisco Webex Meetings client for Windows could allow an authenticated, local attacker to modify locally stored files and execute code on a targeted device with the privilege level of the user. The vulnerability is due to folder…

  • CVE-2026-8070 · High · May 29, 2026
    risk 0.47 · cvss · epss 0.00

    Incorrect permission assignment for a critical resource in Armoury Crate allows a local user to bypass the driver's validation mechanism, resulting in unauthorized read and write access to physical memory. Refer to the 'Security Update for Armoury Crate App' section on…

  • CVE-2026-7480 · High · May 29, 2026
    risk 0.47 · cvss · epss 0.00

    An Incorrect Permission Assignment for Critical Resource vulnerability in ASUS System Control Interface allows a local user to elevate privileges to SYSTEM and execute arbitrary code via a crafted RPC call that bypasses the validation mechanism. Refer to the 'Security Update for…

  • CVE-2026-22768 · High · Apr 1, 2026
    risk 0.47 · cvss 7.3 · epss 0.00

    Dell AppSync, version(s) 4.6.0, contain(s) an Incorrect Permission Assignment for Critical Resource vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges.

  • CVE-2025-67246 · High · Jan 15, 2026
    risk 0.47 · cvss 7.3 · epss 0.00

    A local information disclosure vulnerability exists in the Ludashi driver before 5.1025 due to a lack of access control in the IOCTL handler. This driver exposes a device interface accessible to a normal user and handles attacker-controlled structures containing the lower 4GB of…

  • CVE-2025-23258 · High · Sep 4, 2025
    risk 0.47 · cvss 7.3 · epss 0.00

    NVIDIA DOCA contains a vulnerability in the collectx-dpeserver Debian package for arm64 that could allow an attacker with low privileges to escalate privileges. A successful exploit of this vulnerability might lead to escalation of privileges.

  • CVE-2025-23257 · High · Sep 4, 2025
    risk 0.47 · cvss 7.3 · epss 0.00

    NVIDIA DOCA contains a vulnerability in the collectx-clxapidev Debian package that could allow an actor with low privileges to escalate privileges. A successful exploit of this vulnerability might lead to escalation of privileges.

  • CVE-2025-48961 · High · Jun 4, 2025
    risk 0.47 · cvss 7.3 · epss 0.00

    Local privilege escalation due to insecure folder permissions. The following products are affected: Acronis Cyber Protect 16 (Windows) before build 39938.

  • CVE-2023-6729 · High · Oct 17, 2024
    risk 0.47 · cvss 7.3 · epss 0.00

    Nokia SR OS routers allow read-write access to the entire file system via SFTP or SCP for users configured with "access console." Consequently, a low privilege authenticated user with "access console" can read or replace the router configuration file as well as other files…