VYPR

CWE-732

Incorrect Permission Assignment for Critical Resource

Abstraction: Class · Status: Draft · Likelihood: High

Description

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

When a resource is given a permission setting that provides access to a wider range of actors than required, it could lead to the exposure of sensitive information, or the modification of that resource by unintended parties. This is especially dangerous when the resource is related to program configuration, execution, or sensitive user data. For example, consider a misconfigured storage account for the cloud that can be read or written by a public or anonymous user.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-1 · CAPEC-122 · CAPEC-127 · CAPEC-17 · CAPEC-180 · CAPEC-206 · CAPEC-234 · CAPEC-60 · CAPEC-61 · CAPEC-62 · CAPEC-642

CVEs mapped to this weakness (623)

page 15 of 32
  • CVE-2018-12335 · High · Jun 17, 2018
    risk 0.47 · cvss 7.3 · epss 0.00

    Incorrect access control in ECOS System Management Appliance (aka SMA) 5.2.68 allows a user to compromise authentication keys, and access and manipulate security relevant configurations, via unrestricted database access during Easy Enrollment.

  • CVE-2018-5342 · High · Apr 18, 2018
    risk 0.47 · cvss 7.2 · epss 0.04

    An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: network services (Desktop Central and PostgreSQL) running with a superuser account.

  • CVE-2018-1203 · Medium · Mar 26, 2018
    risk 0.47 · cvss 6.7 · epss 0.02

    In Dell EMC Isilon OneFS, the compadmin is able to run tcpdump binary with root privileges. In versions between 8.1.0.0 - 8.1.0.1, 8.0.1.0 - 8.0.1.2, and 8.0.0.0 - 8.0.0.6, the tcpdump binary, being run with sudo, may potentially be used by compadmin to execute arbitrary code…

  • CVE-2017-9606 · High · Jun 15, 2017
    risk 0.47 · cvss 7.3 · epss 0.00

    Infotecs ViPNet Client and Coordinator before 4.3.2-42442 allow local users to gain privileges by placing a Trojan horse ViPNet update file in the update folder. The attack succeeds because of incorrect folder permissions in conjunction with a lack of integrity and authenticity…

  • CVE-2026-10840 · High · Jun 4, 2026
    risk 0.46 · cvss 7.1 · epss 0.00

    A flaw was found in the OpenShift Pipelines operator. The tekton-scheduler-rolebinding ClusterRoleBinding grants the system:authenticated group write access to Kueue and cert-manager custom resources via the tekton-scheduler-role ClusterRole. When Kueue or cert-manager CRDs are…

  • CVE-2026-35341 · High · Apr 22, 2026
    risk 0.46 · cvss 7.1 · epss 0.00

    A vulnerability in uutils coreutils mkfifo allows for the unauthorized modification of permissions on existing files. When mkfifo fails to create a FIFO because a file already exists at the target path, it fails to terminate the operation for that path and continues to execute a…

  • CVE-2025-61969 · High · Feb 11, 2026
    risk 0.46 · cvss · epss 0.00

    Incorrect permission assignment in AMD µProf may allow a local user-privileged attacker to achieve privilege escalation, potentially resulting in arbitrary code execution.

  • CVE-2026-0775 · High · Jan 23, 2026
    risk 0.46 · cvss 7.0 · epss 0.00

    npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of npm cli. An attacker must first obtain the ability to execute low-privileged code on the target system…

  • CVE-2025-62688 · High · Oct 23, 2025
    risk 0.46 · cvss 7.1 · epss 0.00

    An incorrect permission assignment for a critical resource vulnerability was discovered in Productivity Suite software version 4.4.1.19. The vulnerability allows an attacker with low-privileged credentials to change their role, gaining full control access to the project.

  • CVE-2025-53396 · High · Aug 28, 2025
    risk 0.46 · cvss 7.0 · epss 0.00

    Incorrect permission assignment for critical resource issue exists in SS1 Ver.16.0.0.10 and earlier (Media version:16.0.0a and earlier), which may allow users who can log in to a client terminal to obtain root privileges.

  • CVE-2025-36537 · High · Jun 24, 2025
    risk 0.46 · cvss 7.0 · epss 0.00

    Incorrect Permission Assignment for Critical Resource in the TeamViewer Client (Full and Host) of TeamViewer Remote and Tensor prior to Version 15.67 on Windows allows a local unprivileged user to trigger arbitrary file deletion with SYSTEM privileges via leveraging the MSI…

  • CVE-2025-23403 · High · Feb 11, 2025
    risk 0.46 · cvss 7.0 · epss 0.00

    A vulnerability has been identified in SIMATIC IPC DiagBase (All versions), SIMATIC IPC DiagMonitor (All versions). The affected devices do not properly restrict the user permissions for the registry key. This could allow an authenticated attacker to load vulnerable drivers into…

  • CVE-2025-24481 · High · Jan 28, 2025
    risk 0.46 · cvss · epss 0.00

    An Incorrect Permission Assignment Vulnerability exists in the product and version listed above. The vulnerability is due to incorrect permissions being assigned to the remote debugger port and can allow for unauthenticated access to the system configuration.

  • CVE-2024-46881 · High · Jan 26, 2025
    risk 0.46 · cvss 7.1 · epss 0.00

    Develocity (formerly Gradle Enterprise) before 2024.1.8 has Incorrect Access Control. Project-level access control configuration was introduced in Enterprise Config schema version 8. Migration functionality from schema version 8 to versions 9 and 10 (in affected vulnerable…

  • CVE-2024-12363 · High · Dec 11, 2024
    risk 0.46 · cvss 7.1 · epss 0.00

    Insufficient permissions in the TeamViewer Patch & Asset Management component prior to version 24.12 on Windows allows a local authenticated user to delete arbitrary files. TeamViewer Patch & Asset Management is part of TeamViewer Remote Management.

  • CVE-2024-42449 · High · Dec 4, 2024
    risk 0.46 · cvss 7.1 · epss 0.05

    From the VSPC management agent machine, under condition that the management agent is authorized on the server, it is possible to remove arbitrary files on the VSPC server machine.

  • CVE-2024-41974 · High · Nov 18, 2024
    risk 0.46 · cvss 7.1 · epss 0.00

    A low privileged remote attacker may modify the BACNet service properties due to incorrect permission assignment for critical resources which may lead to a DoS limited to BACNet communication.

  • CVE-2024-0128 · High · Oct 26, 2024
    risk 0.46 · cvss 7.1 · epss 0.00

    NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager that allows a user of the guest OS to access global resources. A successful exploit of this vulnerability might lead to information disclosure, data tampering, and escalation of privileges.

  • CVE-2021-36133 · High · Dec 7, 2021
    risk 0.46 · cvss 7.1 · epss 0.00

    The OPTEE-OS CSU driver for NXP i.MX SoC devices lacks security access configuration for several models, resulting in TrustZone bypass because the NonSecure World can perform arbitrary memory read/write operations on Secure World memory. This involves a DMA capable peripheral.

  • CVE-2018-6261 · High · Oct 2, 2018
    risk 0.46 · cvss 7.0 · epss 0.00

    NVIDIA GeForce Experience prior to 3.15 contains a vulnerability when GameStream is enabled which sets incorrect permissions on a file, which may lead to code execution, denial of service, or escalation of privileges by users with system access.