
CWE-276 (Incorrect Default Permissions) — Vulnerability Class (448 CVEs)

448 vulnerabilities are classified as CWE-276 (Incorrect Default Permissions). An AI-generated Chinese analysis is included.

CWE-276 is a configuration weakness in which a software installation process assigns overly permissive access rights to the files it installs, often granting read, write, and execute permission to every user on the system. Such defaults let a local attacker modify or replace application binaries, configuration files, or scripts without any further authentication. By altering these unprotected resources, an attacker can inject code, escalate privileges, or compromise system integrity, bypassing any security control that assumes those files are trustworthy. The mitigation is to apply the principle of least privilege at deployment time: set restrictive permissions explicitly, such as read-only access for ordinary users and write access only for administrators, and have automated installation scripts verify and enforce these secure defaults so that sensitive files cannot be changed by unauthorized users.

MITRE CWE Description
During installation, installed file permissions are set to allow anyone to modify those files.

Common Consequences (1)
Scope: Confidentiality, Integrity. Technical Impact: Read Application Data, Modify Application Data.

Mitigations (2)
Phase: Architecture and Design, Operation. The architecture needs to restrict access and modification attributes for files to only those users who actually require those actions.
Phase: Architecture and Design. Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary, and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and that the compartmentalization allows for and reinforces privilege separatio…
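As an added example (not part of this page or of MITRE's guidance), the following Python audit implements the installer-side check that the description above and the first mitigation call for: it walks an installed tree, reports every file or directory that users other than the owner can modify, and clears those write bits. The sample tree, its file names and its modes are constructed for the demonstration; symlinks and sticky-bit directories are deliberately exempted.

```python
import os
import stat
import tempfile

# Write bits that an installer should never leave set by default (CWE-276).
OTHER_WRITE = stat.S_IWOTH
GROUP_WRITE = stat.S_IWGRP

def _candidates(root):
    """Yield root itself, then every entry below it, each path exactly once."""
    yield root
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            yield os.path.join(dirpath, name)

def find_loose_permissions(root, allow_group_write=False):
    """Return [(path, mode)] for each file or directory under root that users
    other than the owner can modify."""
    findings = []
    for p in _candidates(root):
        st = os.lstat(p)
        mode = stat.S_IMODE(st.st_mode)
        # Skip symlinks (their mode bits are meaningless) and sticky-bit
        # directories (/tmp style shared directories are writable by design).
        if stat.S_ISLNK(st.st_mode) or (stat.S_ISDIR(st.st_mode) and mode & stat.S_ISVTX):
            continue
        if mode & OTHER_WRITE or (mode & GROUP_WRITE and not allow_group_write):
            findings.append((p, mode))
    return findings

def enforce_least_privilege(root, allow_group_write=False):
    """Clear the offending write bits (0o666 -> 0o644, 0o777 -> 0o755) and return
    {path: new_mode} so the installer can log exactly what it changed."""
    strip = OTHER_WRITE | (0 if allow_group_write else GROUP_WRITE)
    changed = {}
    for p, mode in find_loose_permissions(root, allow_group_write):
        os.chmod(p, mode & ~strip)
        changed[p] = mode & ~strip
    return changed

def build_demo_tree():
    """Constructed sample tree (not from the page): 0o666 config, 0o777 dir, 0o644 file."""
    root = tempfile.mkdtemp(prefix="cwe276-demo-")
    paths = {}
    for name, mode, is_dir in (("app.conf", 0o666, False), ("bin", 0o777, True), ("README", 0o644, False)):
        p = os.path.join(root, name)
        os.mkdir(p) if is_dir else open(p, "w").close()
        os.chmod(p, mode)  # explicit chmod so the umask cannot hide the defect
        paths[name] = p
    return root, paths
```

Running `find_loose_permissions` before `enforce_least_privilege` and again afterwards gives an installer a before/after record; a non-empty second result means something (an ACL, a mount option) prevented the fix and needs a human look.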
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2023-29057 | Lenovo XClarity Controller Security Vulnerability | XClarity Controller | 7.3 | High | 2023-04-28
CVE-2023-29058 | Lenovo XClarity Controller Security Vulnerability | XClarity Controller | 6.4 | Medium | 2023-04-28
CVE-2023-28966 | Junos OS Evolved: Local low-privileged user with shell access can execute CLI commands as root | Junos OS Evolved | 7.8 | High | 2023-04-17
CVE-2023-25542 | Dell Trusted Device Agent Access Control Error Vulnerability | Dell Trusted Device Client | 7.0 | High | 2023-04-06
CVE-2023-25941 | Dell PowerScale OneFS Security Vulnerability | PowerScale OneFS | 7.8 | High | 2023-04-04
CVE-2023-27593 | cilium-agent container can access the host via `hostPath` mount | cilium | 4.4 | Medium | 2023-03-17
CVE-2021-36397 | Moodle Security Vulnerability | Moodle | 5.3 | - | 2023-03-06
CVE-2021-36400 | Moodle Security Vulnerability | Moodle | 5.3 | - | 2023-03-06
CVE-2023-25540 | Dell PowerScale OneFS Security Vulnerability | PowerScale OneFS | 6.0 | Medium | 2023-02-28
CVE-2020-36652 | File and Directory Permissions Vulnerability in Hitachi Automation Director, Hitachi Infrastructure Analytics Advisor, Hitachi Ops Center | Hitachi Automation Director | 6.6 | Medium | 2023-02-28
CVE-2022-3884 | Directory Permission Vulnerability in Hitachi Ops Center Analyzer | Hitachi Ops Center Analyzer | 7.3 | High | 2023-02-28
CVE-2022-45153 | saphanabootstrap-formula: Escalation to root for arbitrary users in hana/ha_cluster.sls | SUSE Linux Enterprise Module for SAP Applications 15-SP1 | 7.0 | High | 2023-02-15
CVE-2022-31254 | rmt-server-pubcloud allows to escalate from user _rmt to root | SUSE Linux Enterprise Server for SAP 15 | 7.8 | High | 2023-02-07
CVE-2022-3432 | Lenovo IdeaPad Y700-14ISK Security Vulnerability | BIOS | 6.7 | Medium | 2023-01-23
CVE-2022-3430 | Lenovo Notebook Security Vulnerability | BIOS | 6.7 | Medium | 2023-01-23
CVE-2022-1109 | Lenovo Leyun cloud music Security Vulnerability | Leyun | 5.5 | Medium | 2023-01-20
CVE-2020-36611 | File and Directory Permission Vulnerability in Hitachi Tuning Manager | Hitachi Tuning Manager | 6.6 | Medium | 2023-01-17
CVE-2022-4020 | Acer Aspire BIOS vulnerability | Aspire A315-22 | 8.1 | High | 2022-11-28
CVE-2022-41943 | Incorrect default permissions found in Sourcegraph | sourcegraph | 9.0 | Critical | 2022-11-22
CVE-2020-36605 | File Permissions Vulnerability in Hitachi Infrastructure Analytics Advisor, Hitachi Ops Center Analyzer, Hitachi Ops Center Viewpoint | Hitachi Infrastructure Analytics Advisor | 6.6 | Medium | 2022-11-01
CVE-2020-5355 | Dell EMC Isilon OneFS Security Vulnerability | Isilon OneFS | 4.3 | Medium | 2022-10-21
CVE-2013-4281 | Red Hat OpenShift Security Vulnerability | Red Hat Openshift | 5.5 | - | 2022-10-19
CVE-2022-42464 | Kernel memory pool override in /dev/mmz_userdev device driver. The impact depends on the privileges of the attacker. The unprivileged process run on the device could disclose sensitive information including kernel pointer, which could be used in furth ... | OpenHarmony | 6.7 | Medium | 2022-10-14
CVE-2022-33922 | Dell GeoDrive Security Vulnerability | GeoDrive | 7.0 | High | 2022-10-12
CVE-2022-31251 | slurm: %post for slurm-testsuite operates as root in user owned directory | openSUSE Factory | 6.5 | Medium | 2022-09-07
CVE-2022-2735 | PCS Security Vulnerability | ClusterLabs/pcs | 7.8 | - | 2022-09-06
CVE-2022-32743 | Samba Security Vulnerability | samba | 6.5 | - | 2022-09-01
CVE-2022-0336 | Samba Data Forgery Vulnerability | Samba | 8.1 | - | 2022-08-29
CVE-2021-3917 | Red Hat OpenShift Container Platform Security Vulnerability | coreos-installer | 5.5 | - | 2022-08-23
CVE-2021-3701 | Ansible Runner Security Vulnerability | ansible-runner | 7.1 | - | 2022-08-23

Vulnerabilities classified as CWE-276 (Incorrect Default Permissions) total 448 CVEs. The CWE taxonomy describes the weakness; review the individual CVEs for product-specific impact.