
CWE-276 (Incorrect Default Permissions) — Vulnerability Class 448

448 vulnerabilities classified as CWE-276 (Incorrect Default Permissions). AI Chinese analysis included.

CWE-276 represents a critical configuration weakness where software installation processes assign overly permissive access rights to files, often granting read, write, and execute privileges to all users. This flaw typically allows malicious actors to modify or replace critical application binaries, configuration files, or scripts without authentication. By altering these unprotected resources, attackers can inject malicious code, escalate privileges, or compromise system integrity, effectively bypassing security controls that rely on file integrity. To mitigate this risk, developers must adhere to the principle of least privilege during deployment. This involves explicitly setting restrictive permissions, such as read-only access for general users and write access only for administrators. Automated installation scripts should verify and enforce these secure defaults, ensuring that sensitive files remain immutable to unauthorized entities and preserving the overall security posture of the deployed environment.

MITRE CWE Description
During installation, installed file permissions are set to allow anyone to modify those files.

Common Consequences (1)
Scope: Confidentiality, Integrity
Impact: Read Application Data, Modify Application Data

Mitigations (2)
Phase: Architecture and Design, Operation
The architecture needs to restrict access and modification attributes for files to only those users who actually require those actions.

Phase: Architecture and Design
Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separatio…
CVE ID | Title | Product | CVSS | Severity | Published
------ | ----- | ------- | ---- | -------- | ---------
CVE-2021-40396 | Advantech security vulnerability | n/a | 8.8 | - | 2022-01-28
CVE-2021-40397 | Advantech security vulnerability | n/a | 7.8 | - | 2022-01-28
CVE-2021-40389 | Advantech security vulnerability | n/a | 8.8 | - | 2022-01-28
CVE-2021-40388 | Advantech security vulnerability | n/a | 8.8 | - | 2022-01-28
CVE-2021-41166 | Permission bypass in Nextcloud Android App | security-advisories | 4.3 | Medium | 2022-01-26
CVE-2022-21704 | Incorrect Default Permissions in log4js-node | log4js-node | 5.5 | Medium | 2022-01-19
CVE-2021-36781 | parsec: dangerous 777 permissions for /run/parsec | Factory | 5.9 | Medium | 2022-01-14
CVE-2021-21911 | Advantech R-SeeNet security vulnerability | Advantech | 7.8 | - | 2021-12-22
CVE-2021-21912 | Advantech R-SeeNet security vulnerability | Advantech | 7.8 | - | 2021-12-22
CVE-2021-21910 | Advantech R-SeeNet security vulnerability | Advantech | 7.8 | - | 2021-12-22
CVE-2021-21957 | Dream Report ODS Remote Connector security vulnerability | Dream Report | 7.8 | - | 2021-12-08
CVE-2021-3720 | Time and weather system widget on Legion Phone Pro (L79031) and Legion Phone2 Pro (L70081) security vulnerability | Legion Phone Pro (L79031) | 5.5 | Medium | 2021-11-12
CVE-2021-3579 | Incorrect Default Permissions vulnerability in bdservicehost.exe and Vulnerability.Scan.exe | Endpoint Security Tools for Windows | 7.8 | High | 2021-10-28
CVE-2021-20037 | SonicWall Global VPN client security vulnerability | SonicWall Global VPN Client | 7.8 | - | 2021-09-21
CVE-2020-5353 | Dell EMC Isilon OneFS and EMC PowerScale security vulnerability | Isilon OneFS | 8.8 | High | 2021-07-29
CVE-2020-26180 | Dell EMC Isilon OneFS and EMC PowerScale permission and access control issue vulnerability | PowerScale OneFS | 6.3 | Medium | 2021-07-28
CVE-2020-29503 | Dell EMC PowerStore security vulnerability | PowerStore | 4.1 | Medium | 2021-07-19
CVE-2021-31998 | inn: %post calls user owned file allowing local privilege escalation to root | SUSE Linux Enterprise Server 11-SP3 | 6.8 | Medium | 2021-06-10
CVE-2020-13599 | Security problem with settings and littlefs | zephyr | 3.3 | Low | 2021-05-24
CVE-2021-25317 | cups: ownership of /var/log/cups allows the lp user to create files as root | SUSE Linux Enterprise Server 11-SP4-LTSS | 3.3 | Low | 2021-05-05
CVE-2021-25319 | virtualbox: missing sticky bit for /etc/vbox allows local root exploit for members of vboxusers group | Factory | 7.8 | High | 2021-05-05
CVE-2021-3451 | Lenovo PCManager security vulnerability | PCManager | 5.5 | Medium | 2021-04-27
CVE-2021-0235 | Junos OS: SRX1500, SRX4100, SRX4200, SRX4600, SRX5000 Series with SPC2/SPC3, vSRX Series: In a multi-tenant environment, a tenant host administrator may configure logical firewall isolation affecting other tenant networks | Junos OS | 7.3 | High | 2021-04-22
CVE-2021-3462 | Lenovo Power Management security vulnerability | Power Management Driver for Windows 10 | 5.5 | Medium | 2021-04-13
CVE-2020-27228 | OpenClinic GA security vulnerability | OpenClinic | 7.8 | - | 2021-04-13
CVE-2020-13532 | Ocean Data Systems Dream Report 5 R20-2 security vulnerability | Dream Report | 7.8 | - | 2021-04-09
CVE-2020-13533 | Ocean Data Systems Dream Report 5 R20-2 security vulnerability | Dream Report | 7.3 | - | 2021-04-09
CVE-2020-13534 | Ocean Data Systems Dream Report 5 R20-2 security vulnerability | Dream Report | 7.8 | - | 2021-04-09
CVE-2020-8357 | Lenovo PCManager security vulnerability | PCManager | 5.5 | Medium | 2021-03-09
CVE-2020-13554 | Multiple Advantech products security vulnerability | Advantech | 8.8 | - | 2021-03-03

Vulnerabilities classified as CWE-276 (Incorrect Default Permissions) represent 448 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.