
CWE-276 (Incorrect Default Permissions) — Vulnerability Class 448

448 vulnerabilities classified as CWE-276 (Incorrect Default Permissions). AI-generated Chinese analysis included.

CWE-276 is a configuration weakness in which an installation or packaging step leaves files or directories with overly permissive access rights, often read, write and execute for every account on the host. Any local user, not only the owner or an administrator, can then modify or replace application binaries, configuration files or scripts. Because those resources are later executed or read with the privileges of the application or of root, an attacker who alters them can inject code, escalate privileges or undermine any control that assumes the installed files are trustworthy. The usual causes are a permissive umask inherited by the build or installer (the Octokit and Octopoller gem entries listed below are of this shape), explicit chmod 777 in install scripts, and world-writable parent directories, which let an attacker rename or replace a file even when the file itself is mode 0644. The mitigation is least privilege at deployment time: set modes explicitly (read-only for ordinary users, write access only for the administrative or service owner), set the umask before creating files instead of relying on the environment, and have the installation or packaging pipeline audit the resulting tree and fail on any group- or world-writable entry, so that secure defaults are enforced rather than assumed.
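The audit-and-enforce step the paragraph above asks of installation pipelines, as an added example written for this page (it is not the page's own or any vendor's tooling). It walks an unpacked install tree and reports every entry that others (optionally the group) can write, strips those bits while leaving execute bits and ownership alone, and separately inspects a tarball's stored member modes so a world-writable package of the kind the gem entries below describe is caught before it is unpacked. The tree, its modes and the archive are constructed inline under a deliberately zeroed umask; `audit_tree`, `harden_tree` and `audit_archive` are names chosen here, not from any project.

```python
"""Added example: find and repair CWE-276 in an install tree or a packaged artifact.
Every file, mode and tarball below is constructed for the demo; none of it is the
page's own or any vendor's tooling."""
import io
import os
import stat
import tarfile
import tempfile

OTHER_WRITE = stat.S_IWOTH  # o+w: any account on the host can modify the entry
GROUP_WRITE = stat.S_IWGRP  # g+w: usually also unwanted for a system-wide install


def audit_tree(root, include_group=False):
    """Sorted (relative path, octal mode) for entries that others (optionally group) can write.
    Symlinks are skipped: lstat() reports 0o777 for the link itself, which is not a finding;
    the target is audited when the walk reaches it."""
    mask = OTHER_WRITE | (GROUP_WRITE if include_group else 0)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode) or not st.st_mode & mask:
                continue
            findings.append((os.path.relpath(path, root), oct(stat.S_IMODE(st.st_mode))))
    return sorted(findings)


def harden_tree(root):
    """Clear group/other write bits in place; execute bits stay so directories and tools
    remain usable, and ownership is untouched (the installing account keeps write access).
    Returns how many entries changed."""
    changed = 0
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            wanted = mode & ~(GROUP_WRITE | OTHER_WRITE)
            if wanted != mode:
                os.chmod(path, wanted)
                changed += 1
    return changed


def audit_archive(fileobj):
    """(member, octal mode) for tar members stored with o+w: the shape of the Octokit and
    Octopoller findings, caught before anything is unpacked onto the host."""
    with tarfile.open(fileobj=fileobj, mode="r:*") as tf:
        return sorted((m.name, oct(m.mode)) for m in tf
                      if not m.issym() and m.mode & OTHER_WRITE)


def build_sample_tree(root):
    """Constructed install tree, written the way an installer running under umask 000 would."""
    old_umask = os.umask(0)  # the root cause: requested modes land on disk verbatim
    try:
        for d, mode in (("bin", 0o755), ("etc", 0o755), ("lib", 0o755), ("data", 0o777)):
            os.mkdir(os.path.join(root, d), mode)
        for rel, mode, body in (("bin/tool", 0o777, b"#!/bin/sh\necho constructed\n"),
                                ("etc/app.conf", 0o666, b"listen=0.0.0.0\n"),
                                ("lib/helper.rb", 0o664, b"# constructed\n"),
                                ("README", 0o644, b"constructed sample\n")):
            fd = os.open(os.path.join(root, rel), os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
            with os.fdopen(fd, "wb") as fh:
                fh.write(body)
        os.symlink("etc/app.conf", os.path.join(root, "app.conf.lnk"))
    finally:
        os.umask(old_umask)


def build_sample_archive():
    """Constructed gzip tarball: one member packaged 0o666, one packaged correctly."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, mode, payload in (("lib/pkg.rb", 0o666, b"# constructed\n"),
                                    ("bin/cli", 0o755, b"#!/bin/sh\n")):
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(payload), mode
            tf.addfile(info, io.BytesIO(payload))
    buf.seek(0)
    return buf


def demo():
    """Audit, harden and re-audit the constructed tree, then audit the archive."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        before = audit_tree(root)
        before_strict = audit_tree(root, include_group=True)
        changed = harden_tree(root)
        after = audit_tree(root, include_group=True)
    return {"before": before, "before_strict": before_strict, "changed": changed,
            "after": after, "archive": audit_archive(build_sample_archive())}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it directly to see the findings before and after hardening. In a pipeline, `audit_tree(install_prefix, include_group=True)` returning anything should fail the build, and `audit_archive` belongs in the publish step where the gem or tarball is produced. `harden_tree` is a repair for a tree already on disk; it is not a substitute for setting the umask before the installer creates files, because a file that was world-writable even briefly may already have been tampered with.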

MITRE CWE Description
During installation, installed file permissions are set to allow anyone to modify those files.
Common Consequences (1)
Scope: Confidentiality, Integrity. Impact: Read Application Data, Modify Application Data.
Mitigations (2)
Phase: Architecture and Design, Operation. The architecture needs to restrict access and modification attributes for files to only those users who actually require those actions.
Phase: Architecture and Design. Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separatio…
| CVE ID | Title | Product | CVSS | Severity | Published |
| --- | --- | --- | --- | --- | --- |
| CVE-2022-2366 | Incorrect defaults can cause attackers to bypass rate limitations | Mattermost | 5.6 | Medium | 2022-07-11 |
| CVE-2022-30758 | SAMSUNG Mobile devices security vulnerability | Samsung Mobile Devices | 4.0 | Medium | 2022-07-11 |
| CVE-2022-1833 | Red Hat AMQ Broker permission and access control vulnerability | AMQ Broker Operator | 8.8 | - | 2022-06-21 |
| CVE-2022-31071 | Octopoller gem published with world-writable files | octopoller.rb | 2.5 | Low | 2022-06-15 |
| CVE-2022-31072 | Octokit gem published with world-writable files | octokit.rb | 2.5 | Low | 2022-06-15 |
| CVE-2022-30747 | Samsung mobile security vulnerability | Smart Things | 5.5 | Medium | 2022-06-07 |
| CVE-2022-29483 | e-Design - Multiple vulnerabilities | e-Design | 7.8 | High | 2022-05-31 |
| CVE-2022-28702 | e-Design - Multiple vulnerabilities | e-Design | 6.1 | Medium | 2022-05-31 |
| CVE-2022-29178 | Incorrect Default Permissions in Cilium | cilium | 8.8 | High | 2022-05-20 |
| CVE-2022-0486 | Privileged Command Injection Vulnerability in Fidelis Network and Deception | Fidelis Network | 4.4 | Medium | 2022-05-17 |
| CVE-2022-0997 | Local Privilege Escalation Vulnerability in Fidelis Network and Deception | Fidelis Network | 3.9 | Low | 2022-05-17 |
| CVE-2022-29162 | Incorrect Default Permissions in runc | runc | 5.9 | Medium | 2022-05-17 |
| CVE-2021-3722 | Lenovo Pcmanager security vulnerability | PCManager | 5.0 | Medium | 2022-04-22 |
| CVE-2022-27652 | cri-o security vulnerability | cri-o | 7.5 | - | 2022-04-18 |
| CVE-2022-26855 | Dell Technologies Dell PowerScale OneFS security vulnerability | PowerScale OneFS | 5.5 | Medium | 2022-04-08 |
| CVE-2022-22518 | A bug in the CODESYS V3 CmpUserMgr component fails to correctly apply a security policy. | CODESYS Control for BeagleBone SL | 6.5 | Medium | 2022-04-07 |
| CVE-2022-27650 | Buildah security vulnerability | crun | 7.5 | - | 2022-04-04 |
| CVE-2022-27651 | crun security vulnerability | buildah | 6.8 | - | 2022-04-04 |
| CVE-2022-27649 | Podman security vulnerability | podman | 7.5 | - | 2022-04-04 |
| CVE-2022-26839 | Delta Electronics DIAEnergie Incorrect Default Permissions | DIAEnergie | 7.8 | High | 2022-03-29 |
| CVE-2021-20269 | Red Hat Enterprise Linux security vulnerability | kexec-tools | 5.5 | - | 2022-03-09 |
| CVE-2022-25943 | WPS security vulnerability | WPS Office for Windows | 7.1 | - | 2022-03-09 |
| CVE-2021-3981 | grub2 security vulnerability | grub2 | 5.5 | - | 2022-03-08 |
| CVE-2022-25815 | Samsung Weather application security vulnerability | Samsung Mobile Devices | 5.5 | Medium | 2022-03-08 |
| CVE-2022-25814 | Wearable Manager Installer security vulnerability | Samsung Mobile Devices | 5.5 | Medium | 2022-03-08 |
| CVE-2022-23104 | WIN-911 2021 Incorrect Default Permissions | WIN-911 | 5.6 | Medium | 2022-02-24 |
| CVE-2022-23922 | WIN-911 2021 Incorrect Default Permissions | WIN-911 | 5.6 | Medium | 2022-02-24 |
| CVE-2021-3948 | QEMU security vulnerability | mig-controller | 7.6 | - | 2022-02-18 |
| CVE-2021-3155 | snapd created ~/snap with too-wide permissions | snapd | 3.8 | Low | 2022-02-17 |
| CVE-2021-22817 | Schneider Electric multiple products security vulnerability | Harmony/Magelis iPC Series (All Versions), Vijeo Designer (All Versions prior to V6.2 SP11 Multiple HotFix 4), Vijeo Designer Basic (All Versions prior to V1.2.1) | 7.8 | - | 2022-02-09 |

A "-" in the Severity column means the page gives no severity rating for that entry.

Vulnerabilities classified as CWE-276 (Incorrect Default Permissions) represent 448 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.