
CWE-276 (Incorrect Default Permissions) — Vulnerability Class (448 CVEs)

448 vulnerabilities classified as CWE-276 (Incorrect Default Permissions). AI Chinese analysis included.

CWE-276 represents a critical configuration weakness where software installation processes assign overly permissive access rights to files, often granting read, write, and execute privileges to all users. This flaw typically allows malicious actors to modify or replace critical application binaries, configuration files, or scripts without authentication. By altering these unprotected resources, attackers can inject malicious code, escalate privileges, or compromise system integrity, effectively bypassing security controls that rely on file integrity. To mitigate this risk, developers must adhere to the principle of least privilege during deployment. This involves explicitly setting restrictive permissions, such as read-only access for general users and write access only for administrators. Automated installation scripts should verify and enforce these secure defaults, ensuring that sensitive files remain immutable to unauthorized entities and preserving the overall security posture of the deployed environment.

MITRE CWE Description
During installation, installed file permissions are set to allow anyone to modify those files.
Common Consequences (1)
Scope: Confidentiality, Integrity
Impact: Read Application Data, Modify Application Data

Mitigations (2)
Phase: Architecture and Design, Operation
The architecture needs to restrict access and modification attributes for files to only those users who actually require those actions.

Phase: Architecture and Design
Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separatio…
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2023-4091 | Samba: smb clients can truncate files with read-only permissions | Red Hat Enterprise Linux 8 | 6.5 | Medium | 2023-11-03
CVE-2022-4575 | Lenovo ThinkPad Security Vulnerability | ThinkPad BIOS | 6.7 | Medium | 2023-10-30
CVE-2023-3112 | Lenovo ThinkPad T14 Gen 3 Security Vulnerability | Elliptic Labs Virtual Lock Sensor | 7.8 | High | 2023-10-24
CVE-2023-35181 | SolarWinds Access Rights Manager Incorrect Default Permissions Local Privilege Escalation Vulnerability | Access Rights Manager | 7.8 | High | 2023-10-19
CVE-2023-35183 | SolarWinds Access Rights Manager Incorrect Default Permissions Local Privilege Escalation Vulnerability | Access Rights Manager | 7.8 | High | 2023-10-19
CVE-2023-45690 | Information leak via default file permissions on Titan MFT and Titan SFTP servers | Titan MFT | 6.5 | - | 2023-10-16
CVE-2023-44194 | Junos OS: An unauthenticated attacker with local access to the device can create a backdoor with root privileges | Junos OS | 8.4 | High | 2023-10-12
CVE-2022-3431 | Lenovo Notebook Security Vulnerability | BIOS | 6.7 | Medium | 2023-10-09
CVE-2023-3440 | File and Directory Permission Vulnerability in JP1/Performance Management | JP1/Performance Management - Manager | 8.4 | High | 2023-10-03
CVE-2023-44157 | Acronis Cyber Protect Security Vulnerability | Acronis Cyber Protect 15 | 7.8 | - | 2023-09-27
CVE-2022-4039 | Rhsso-container-image: unsecured management interface exposed to adjacent network | RHEL-8 based Middleware Containers | 8.0 | High | 2023-09-22
CVE-2023-5042 | Acronis Cyber Protect Security Vulnerability | Acronis Cyber Protect Home Office | 7.5 | - | 2023-09-20
CVE-2023-4088 | Malicious Code Execution Vulnerability in FA Engineering Software Products | GX Works3 | 9.3 | Critical | 2023-09-20
CVE-2022-3466 | Cri-o: security regression of cve-2022-27652 | Red Hat OpenShift Container Platform 4.12 | 4.8 | Medium | 2023-09-15
CVE-2023-4664 | Privilege Escalation in Saphira Connect | Saphira Connect | 8.8 | High | 2023-09-15
CVE-2023-37878 | Insecure Default Permissions in Wing FTP Server <= 7.2.0 | Wing FTP Server | 6.1 | Medium | 2023-09-12
CVE-2023-2737 | Improper securing of log directory may allow a denial of service | SafeNet Authentication Service Agent | 5.7 | Medium | 2023-08-16
CVE-2023-32492 | Dell PowerScale OneFS Security Vulnerability | PowerScale OneFS | 5.3 | Medium | 2023-08-16
CVE-2022-43701 | Insecure directory permissions on installer files | Arm Compiler 5 (AC5), Arm Compiler for Embedded 6 (AC6), Fast Models (FM), Arm Compiler for Embedded FuSA (ACEF), Arm Development Studio (ADS), Arm Forge (AF), Arm Mobile Studio (AMS), DS-5 Development Studio, GNU Toolchain (GT), Keil MDK (KMDK), Mbed Studio (MS) | 8.4 | - | 2023-07-27
CVE-2023-3323 | Code Execution through overwriting project file on zenon engineering studio system | ABB Ability™ zenon | 5.9 | Medium | 2023-07-24
CVE-2020-36695 | File and Directory Permission Vulnerability in Hitachi Command Suite | Hitachi Device Manager | 6.6 | Medium | 2023-07-18
CVE-2023-29131 | Siemens SIMATIC CN 4100 Security Vulnerability | SIMATIC CN 4100 | 7.4 | High | 2023-07-11
CVE-2023-32183 | openSUSE Tumbleweed Security Vulnerability | Tumbleweed | 7.8 | High | 2023-07-07
CVE-2023-20178 | Cisco AnyConnect Secure Mobility Client for Windows Security Vulnerability | Cisco Secure Client | 7.8 | High | 2023-06-28
CVE-2022-33877 | Fortinet FortiClient Security Vulnerability | FortiConverter | 6.8 | High | 2023-06-13
CVE-2022-4569 | ThinkPad Hybrid USB-C with USB-A Dock Firmware Update Tool Security Vulnerability | ThinkPad Hybrid USB-C with USB-A Dock Firmware Update Tool | 7.8 | High | 2023-06-05
CVE-2023-28079 | Dell PowerPath Management Appliance Security Vulnerability | PowerPath Windows | 7.0 | High | 2023-05-30
CVE-2023-32698 | nfpm vulnerable to Incorrect Default Permissions | nfpm | 7.1 | High | 2023-05-30
CVE-2023-28724 | NGINX Management Suite vulnerability | NGINX Instance Manager | 7.1 | High | 2023-05-03
CVE-2022-4568 | Lenovo System Update Security Vulnerability | Lenovo System Update | 7.0 | High | 2023-05-01

Vulnerabilities classified as CWE-276 (Incorrect Default Permissions) represent 448 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.