
CWE-276 (Incorrect Default Permissions) — Vulnerability Class, 448 entries

448 vulnerabilities classified as CWE-276 (Incorrect Default Permissions). AI-generated Chinese analysis included.

CWE-276 represents a critical configuration weakness where software installation processes assign overly permissive access rights to files, often granting read, write, and execute privileges to all users. This flaw typically allows malicious actors to modify or replace critical application binaries, configuration files, or scripts without authentication. By altering these unprotected resources, attackers can inject malicious code, escalate privileges, or compromise system integrity, effectively bypassing security controls that rely on file integrity. To mitigate this risk, developers must adhere to the principle of least privilege during deployment. This involves explicitly setting restrictive permissions, such as read-only access for general users and write access only for administrators. Automated installation scripts should verify and enforce these secure defaults, ensuring that sensitive files remain immutable to unauthorized entities and preserving the overall security posture of the deployed environment.

MITRE CWE Description
During installation, installed file permissions are set to allow anyone to modify those files.

Common Consequences (1)
Scope: Confidentiality, Integrity
Impact: Read Application Data, Modify Application Data

Mitigations (2)
Phase: Architecture and Design, Operation
The architecture needs to restrict access and modification attributes for files to only those users who actually require those actions.

Phase: Architecture and Design
Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separatio…
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2020-13549 | Sytech XL Reporter permission and access control vulnerability | Sytech | 7.8 | - | 2021-02-19 |
| CVE-2020-13555 | Advantech WebAccess/SCADA security vulnerability | Advantech | 8.8 | - | 2021-02-17 |
| CVE-2020-13553 | Advantech WebAccess/SCADA security vulnerability | Advantech | 8.8 | - | 2021-02-17 |
| CVE-2020-13551 | Advantech WebAccess/SCADA security vulnerability | Advantech | 8.8 | - | 2021-02-17 |
| CVE-2020-13552 | Advantech WebAccess/SCADA security vulnerability | Advantech | 8.8 | - | 2021-02-17 |
| CVE-2020-28392 | Siemens SIMARIS configuration permission and access control vulnerability | SIMARIS configuration | 6.7 | - | 2021-02-09 |
| CVE-2020-25245 | DIGSI 4 permission and access control vulnerability | DIGSI 4 | 7.8 | - | 2021-02-09 |
| CVE-2020-29489 | Dell EMC Unity, UnityVSA security vulnerability | Unity | 6.4 | Medium | 2021-01-05 |
| CVE-2020-13541 | Win911 Mobile Server security vulnerability | Win-911 | 8.8 | - | 2021-01-05 |
| CVE-2020-13540 | Win911 Enterprise security vulnerability | Win-911 | 7.8 | - | 2021-01-05 |
| CVE-2020-13539 | Win911 Enterprise security vulnerability | Win-911 | 7.8 | - | 2021-01-05 |
| CVE-2020-29492 | Dell Wyse ThinOS authorization vulnerability | Wyse Proprietary OS (ThinOS) | 10.0 | Critical | 2021-01-04 |
| CVE-2020-29491 | Dell Wyse ThinOS security vulnerability | Wyse Proprietary OS (ThinOS) | 10.0 | Critical | 2021-01-04 |
| CVE-2020-13535 | Kepware Linkmaster permission and access control vulnerability | Kepware | 8.4 | - | 2020-12-18 |
| CVE-2020-12510 | Beckhoff: Privilege Escalation through TwinCat System | TwinCat XAR 3.1 | 7.3 | High | 2020-11-19 |
| CVE-2020-24402 | Incorrect permissions in the Integrations component could lead to unauthorized deletion of customer details via REST API | Magento Commerce | 4.9 | Medium | 2020-11-09 |
| CVE-2020-13537 | Moxa MXView authorization vulnerability | Moxa | 7.8 | - | 2020-11-05 |
| CVE-2020-13536 | Moxa MXView authorization vulnerability | Moxa | 7.8 | - | 2020-11-05 |
| CVE-2020-8346 | Lenovo System Interface Foundation and Lenovo Vantage security vulnerability | System Interface Foundation | 5.5 | Medium | 2020-09-15 |
| CVE-2020-10050 | Siemens SIMATIC RTLS Locating Manager security vulnerability | SIMATIC RTLS Locating Manager | 7.8 | - | 2020-09-09 |
| CVE-2020-10049 | Siemens SIMATIC RTLS Locating Manager security vulnerability | SIMATIC RTLS Locating Manager | 7.3 | - | 2020-09-09 |
| CVE-2020-7527 | SoMove security vulnerability | SoMove V2.8.1 and prior | 7.8 | - | 2020-08-31 |
| CVE-2020-15145 | Local privilege elevation in Composer-Setup for Windows | windows-setup | 6.7 | Medium | 2020-08-14 |
| CVE-2020-8026 | inn: non-root owned files | openSUSE Leap 15.2 | 8.4 | High | 2020-08-07 |
| CVE-2020-10606 | Multiple OSIsoft products security vulnerability | OSIsoft PI System multiple products and versions | 7.8 | - | 2020-07-24 |
| CVE-2020-8022 | User-writeable configuration file /usr/lib/tmpfiles.d/tomcat.conf allows for escalation of privileges | SUSE Enterprise Storage 5 | 7.7 | High | 2020-06-29 |
| CVE-2020-8024 | Problematic permissions in hylafax+ packaging allow escalation from uucp to other users | openSUSE Leap 15.2 | 5.3 | Medium | 2020-06-29 |
| CVE-2020-10279 | RVD#2569: Insecure operating system defaults in MiR robots | MiR100 | 8.1 | - | 2020-06-24 |
| CVE-2020-8933 | Privilege Escalation in Google Cloud Platform's Guest-OSLogin | guest-oslogin | 8.8 | - | 2020-06-22 |
| CVE-2020-8903 | Privilege Escalation in Google Cloud Platform's Guest-OSLogin | guest-oslogin | 8.8 | - | 2020-06-22 |

Vulnerabilities classified as CWE-276 (Incorrect Default Permissions) represent 448 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.