
CWE-276 (Incorrect Default Permissions) — Vulnerability Class (448 CVEs)

448 vulnerabilities are classified as CWE-276 (Incorrect Default Permissions). AI Chinese analysis included.

CWE-276 is a configuration weakness in which an installation process assigns overly permissive access rights to the files it creates, often granting read, write, and execute privileges to all users. Because any local user can then modify or replace critical application binaries, configuration files, or scripts without needing elevated privileges, an attacker can inject malicious code, escalate privileges, or compromise system integrity, bypassing every security control that relies on those files being trustworthy. To mitigate this risk, developers must apply the principle of least privilege during deployment: explicitly set restrictive permissions, such as read-only access for general users and write access only for administrators. Automated installation scripts should verify and enforce these secure defaults so that sensitive files remain immutable to unauthorized entities and the security posture of the deployed environment is preserved.

MITRE CWE Description
During installation, installed file permissions are set to allow anyone to modify those files.

Common Consequences (1)
Scope: Confidentiality, Integrity. Impact: Read Application Data, Modify Application Data.

Mitigations (2)
Phase: Architecture and Design, Operation. The architecture needs to restrict access and modification attributes for files to only those users who actually require those actions.
Phase: Architecture and Design. Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separatio…
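As an added example (not code from this page or from any project listed on it), the check an installation script can run to enforce the least-privilege defaults called for in the overview above and in the MITRE mitigations: it walks an install tree for files that users other than the owner can modify, and installs a file with an explicit restrictive mode instead of relying on the umask. The functions `find_insecure_permissions`, `install_file` and `demo`, and the `app.conf` sample tree, are constructed for this example and assume a POSIX filesystem.

```python
import os
import stat
import tempfile


def find_insecure_permissions(root, allow_group_write=False):
    """Return sorted (path, mode) for every file or directory under `root` that
    users other than the owner can modify. Symlinks are skipped: acting through
    a link would touch whatever the link points at, not the installed file."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IWOTH or (mode & stat.S_IWGRP and not allow_group_write):
                findings.append((path, mode))
    return sorted(findings)


def install_file(content, dest, mode=0o644):
    """Create `dest` with its final restrictive mode from the first instant,
    not under the process umask with a chmod afterwards. O_EXCL refuses to
    reuse a file or symlink already present at `dest`."""
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    try:
        os.fchmod(fd, mode)  # umask may have cleared bits; set exactly `mode`
        os.write(fd, content)
    finally:
        os.close(fd)
    return stat.S_IMODE(os.stat(dest).st_mode)


def demo():
    """Constructed scenario: an install tree whose config file was left
    world-writable (the CWE-276 condition), then reinstalled correctly."""
    root = tempfile.mkdtemp()
    conf = os.path.join(root, "app.conf")
    with open(conf, "w") as f:
        f.write("debug=0\n")
    os.chmod(conf, 0o666)
    before = [p for p, _ in find_insecure_permissions(root)]
    os.remove(conf)
    installed_mode = install_file(b"debug=0\n", conf, 0o644)
    after = [p for p, _ in find_insecure_permissions(root)]
    return before, after, installed_mode
```

Running `find_insecure_permissions` as the last step of an installer (or as a CI check over a packaged tree) catches the world- and group-writable files that make up this weakness class before the package ships.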
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2020-8907 | Privilege Escalation in Google Cloud Platform's Guest-OSLogin | guest-oslogin | 8.8 | - | 2020-06-22 |
| CVE-2020-10782 | Red Hat Ansible Information Disclosure Vulnerability | Ansible Tower | 6.5 | Medium | 2020-06-18 |
| CVE-2020-8018 | User owned /etc in SLES15-SP1-CHOST-BYOS | SUSE Linux Enterprise Server 15 SP1 | 8.4 | High | 2020-05-04 |
| CVE-2020-1985 | Secdo: Incorrect Default Permissions | Secdo | 7.8 | High | 2020-04-08 |
| CVE-2020-7004 | VISAM VBASE Editor and VBASE Web-Remote Module Path Traversal Vulnerability | VBASE Editor | 7.3 | - | 2020-04-03 |
| CVE-2020-7943 | Puppet and PuppetDB Information Disclosure Vulnerability | Puppet Enterprise 2018.1.x stream | 7.1 | - | 2020-03-11 |
| CVE-2020-5342 | Dell Digital Delivery Security Vulnerability | Dell Digital Delivery (Cirrus) | 7.8 | High | 2020-03-09 |
| CVE-2019-17103 | Get-task-allow entitlement via BDLDaemon on macOS | Bitdefender AV for Mac | 4.9 | Medium | 2020-01-27 |
| CVE-2019-18900 | libzypp stores cookies world readable | CaaS Platform 3.0 | 4.0 | Medium | 2020-01-24 |
| CVE-2019-3687 | "easy" permission profile allows everyone execute dumpcap and read all network traffic | SUSE Linux Enterprise Server | 4.0 | Medium | 2020-01-24 |
| CVE-2019-14861 | Samba Input Validation Error Vulnerability | samba | 5.3 | - | 2019-12-10 |
| CVE-2019-3688 | squid: /usr/sbin/pinger packaged with wrong permission | SUSE Linux Enterprise Server 15 | 5.1 | Medium | 2019-10-07 |
| CVE-2019-3689 | nfs-utils: root-owned files stored in insecure /var/lib/nfs directory | SUSE Linux Enterprise Server 12 | 5.1 | Medium | 2019-09-19 |
| CVE-2019-3870 | Samba Authorization Issue Vulnerability | samba | 6.3 | - | 2019-04-09 |
| CVE-2018-13287 | Synology Router Manager Permissions, Privileges and Access Control Issue Vulnerability | Synology Router Manager (SRM) | 6.5 | - | 2019-04-01 |
| CVE-2018-13286 | Synology DiskStation Manager Information Disclosure Vulnerability | DiskStation Manager (DSM) | 4.3 | - | 2019-04-01 |
| CVE-2018-10605 | Martem TELEM GW6/GWM Permissions, Privileges and Access Control Issue Vulnerability | TELEM-GW6/GWM | 8.8 | - | 2018-10-01 |
| CVE-2018-8848 | Philips e-Alert Security Vulnerability | e-Alert Unit (non-medical device) | 9.8 | - | 2018-09-26 |
| CVE-2018-11453 | Siemens SIMATIC STEP 7 and WinCC Security Vulnerability | SIMATIC STEP 7 (TIA Portal) and WinCC (TIA Portal) V10, V11, V12, SIMATIC STEP 7 (TIA Portal) and WinCC (TIA Portal) V13, SIMATIC STEP 7 (TIA Portal) and WinCC (TIA Portal) V14, SIMATIC STEP 7 (TIA Portal) and WinCC (TIA Portal) V15 | 8.4 | - | 2018-08-07 |
| CVE-2018-11454 | Siemens SIMATIC STEP 7 and WinCC Security Vulnerability | SIMATIC STEP 7 (TIA Portal) and WinCC (TIA Portal) V10, V11, V12, SIMATIC STEP 7 (TIA Portal) and WinCC (TIA Portal) V13, SIMATIC STEP 7 (TIA Portal) and WinCC (TIA Portal) V14, SIMATIC STEP 7 (TIA Portal) and WinCC (TIA Portal) V15 | 8.4 | - | 2018-08-07 |
| CVE-2017-3209 | The DBPOWER U818A WIFI quadcopter drone provides FTP access over its own local access point, and allows full file permissions to the anonymous user | U818A WiFi Quadcopter Drone | 8.1 | - | 2018-07-24 |
| CVE-2017-3210 | Applications developed using the Portrait Display SDK, versions 2.30 through 2.34, default to insecure configurations which allow arbitrary code execution | SDK | 7.8 | - | 2018-07-24 |
| CVE-2018-10604 | SEL Compass Security Vulnerability | Compass | 7.8 | - | 2018-07-24 |
| CVE-2018-7533 | OSIsoft PI Data Archive Security Vulnerability | OSIsoft PI Data Archive | 7.8 | - | 2018-03-14 |
| CVE-2017-12699 | AzeoTech DAQFactory Security Vulnerability | AzeoTech DAQFactory | 5.5 | - | 2017-09-09 |
| CVE-2017-11156 | Synology Download Station Security Vulnerability | Synology Download Station | 7.8 | - | 2017-08-14 |
| CVE-2017-7968 | Schneider Electric Wonderware InduSoft Web Studio Security Vulnerability | Schneider Electric Wonderware InduSoft Web Studio | 7.8 | - | 2017-05-19 |
| CVE-2013-0266 | Puppetlabs-cinder: packstack: openstack: puppetlabs-cinder: information disclosure of openstack administrative passwords due to world-readable configuration files. | Red Hat Enterprise Linux OpenStack Platform 5 (Icehouse) | 5.5 | Medium | 2013-03-08 |

Vulnerabilities classified as CWE-276 (Incorrect Default Permissions) account for 448 CVEs. The CWE taxonomy describes the weakness; review the individual CVEs for product-specific impact.