
CWE-276 (Incorrect Default Permissions) — Vulnerability Class (448 CVEs)

448 vulnerabilities classified as CWE-276 (Incorrect Default Permissions). AI analysis in Chinese included.

CWE-276 is a configuration weakness in which an installer or deployment process leaves files, directories, registry keys or service objects with access rights broader than the software needs, typically write access (Modify or Full Control on Windows; world- or group-writable mode bits on Unix) for all users or for a broad group such as Authenticated Users. Any local user can then edit or replace application binaries, libraries, configuration files or scripts without any further authentication. When the altered resource is later loaded by a privileged process, such as a Windows service running as SYSTEM or a root-owned daemon, the attacker's code runs with that process's privileges; many of the entries listed below are local privilege escalations of exactly this shape, and the rest are disclosures of data that the permissions should have kept private. A writable parent directory is as dangerous as a writable file, because the file can be deleted and recreated even when its own permissions are restrictive. The mitigation is least privilege at deployment time: set permissions explicitly instead of inheriting whatever the installer's umask or the parent directory's ACL happens to provide, grant write access only to the administrative account that performs updates, leave other users read (and, where needed, execute) only, and have the installer or a post-install check verify the resulting permissions so that a regression is caught before the package ships.
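As an added illustration (not code from this page or from any vendor listed below), the following Python script audits an installed tree for the permission pattern CWE-276 describes and then strips the excess write bits. It builds a constructed sample tree under a temporary directory so it runs offline; the tree layout, file names and modes are assumptions chosen to exhibit the weakness. It works on POSIX mode bits; on Windows the equivalent check is on the ACL (for example with icacls), which this script does not cover.

```python
import os
import stat
import tempfile
from pathlib import Path

# Bits that turn an entry into a CWE-276 finding: write access for anyone other
# than the owner. Group write is flagged too, because the group is often broad
# ("users", "staff") or simply whatever account the installer happened to run as.
GROUP_WRITE = stat.S_IWGRP
OTHER_WRITE = stat.S_IWOTH
# Bits harden() removes: the two write bits above plus setuid/setgid/sticky,
# none of which an ordinary installed file or directory needs by default.
STRIP_BITS = GROUP_WRITE | OTHER_WRITE | stat.S_ISUID | stat.S_ISGID | stat.S_ISVTX


def _entries(root):
    """Yield the install root itself and every directory and file beneath it."""
    root = Path(root)
    yield root
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            yield Path(dirpath) / name


def find_weak_permissions(root, flag_group_write=True):
    """Return sorted (path, octal mode) pairs for every entry under root that a
    non-owner can write to. Directories count: if the parent is writable, the
    file inside can be deleted and recreated regardless of its own mode, which
    is the binary-replacement case. Symlinks are skipped; their bits are inert."""
    findings = []
    for p in _entries(root):
        st = os.lstat(p)
        if stat.S_ISLNK(st.st_mode):
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & OTHER_WRITE or (flag_group_write and mode & GROUP_WRITE):
            findings.append((str(p), oct(mode)))
    return sorted(findings)


def harden(root):
    """Strip group/other write and setuid/setgid/sticky from every entry. Only
    removes bits, never adds any, so owner-only files stay owner-only and
    executables stay executable. Returns (path, old, new) for each change."""
    changed = []
    for p in _entries(root):
        st = os.lstat(p)
        if stat.S_ISLNK(st.st_mode):
            continue
        old = stat.S_IMODE(st.st_mode)
        new = old & ~STRIP_BITS
        if new != old:
            os.chmod(p, new)
            changed.append((str(p), oct(old), oct(new)))
    return changed


def build_demo_tree():
    """Constructed sample install tree (no real product) with the permissions a
    careless installer leaves behind. Returns the tree's root path."""
    root = Path(tempfile.mkdtemp(prefix="cwe276-demo-"))
    for sub in ("bin", "conf", "logs"):
        (root / sub).mkdir()
        (root / sub).chmod(0o755)   # set explicitly so the caller's umask is irrelevant
    service = root / "bin" / "service"
    service.write_text("#!/bin/sh\necho running\n")
    service.chmod(0o777)            # world-writable executable: anyone can replace it
    conf = root / "conf" / "app.conf"
    conf.write_text("debug = false\n")
    conf.chmod(0o666)               # world-writable configuration file
    # World-writable directory; the sticky bit only stops users replacing each
    # other's files, it does not stop anyone from creating new ones here.
    (root / "logs").chmod(0o1777)
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    print("before:", find_weak_permissions(root))
    for path, old, new in harden(root):
        print(f"chmod {new[2:]} {path}  (was {old[2:]})")
    print("after: ", find_weak_permissions(root))
```

Run against a real install root instead of the demo tree to use it as the post-install check the paragraph above calls for; the audit function is read-only, and harden() only ever removes bits, so running it twice is a no-op.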

MITRE CWE Description
During installation, installed file permissions are set to allow anyone to modify those files.

Common Consequences (1)
Scope: Confidentiality, Integrity. Technical Impact: Read Application Data, Modify Application Data.

Mitigations (2)
Phase: Architecture and Design; Operation. Restrict the access and modification attributes of files to only those users who actually require those actions.
Phase: Architecture and Design. Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separatio…
CVE ID | Title — Product | CVSS | Severity | Published
CVE-2024-21946 | AMD Ryzen Master security vulnerability — AMD Ryzen Master Utility for Overclocking Control | 7.3 | High | 2024-11-12
CVE-2024-21945 | AMD Ryzen Master security vulnerability — AMD Ryzen™ Master Monitoring SDK | 7.3 | High | 2024-11-12
CVE-2024-21939 | AMD Cloud Manageability Service security vulnerability — AMD Cloud Manageability Service Software | 7.3 | High | 2024-11-12
CVE-2024-21938 | AMD Management Plugin security vulnerability — AMD Management Plug-In for SCCM | 7.3 | High | 2024-11-12
CVE-2024-21937 | AMD HIP SDK security vulnerability — AMD Software: PRO Edition | 7.3 | High | 2024-11-12
CVE-2024-50590 | Local Privilege Escalation via Weak Service Binary Permissions — Elefant | 6.7 | - | 2024-11-08
CVE-2024-9191 | Okta Verify security vulnerability — Okta Verify for Windows | 7.1 | High | 2024-11-01
CVE-2024-10469 | CERT/CC VINCE versions before 3.0.9 allows authenticated user to access User Management view. — VINCE | 6.5 (AI) | Medium (AI) | 2024-10-28
CVE-2024-7587 | Information Disclosure, Information Tampering and Denial of Service (DoS) Vulnerability in GENESIS64, ICONICS Suite, MC Works64, and GENESIS32 — GENESIS64 | 7.8 | High | 2024-10-22
CVE-2024-10183 | Arbitrary File Write Vulnerability in Jamf Remote Assist Leading to Privilege Escalation — Pro | 7.8 (AI) | High (AI) | 2024-10-22
CVE-2024-47825 | CIDR deny policies may not take effect when a more narrow CIDR allow is present — cilium | 4.0 | Medium | 2024-10-21
CVE-2024-47240 | Dell Secure Connect Gateway security vulnerability — Secure Connect Gateway (SCG) 5.0 Appliance - SRS | 5.5 | Medium | 2024-10-18
CVE-2024-49389 | Acronis Cyber Files security vulnerability — Acronis Cyber Files | 7.8 (AI) | High (AI) | 2024-10-17
CVE-2024-9858 | Insecure user permissions in Google Cloud Migrate to Containers for Windows — Migrate to Containers | 6.7 | - | 2024-10-16
CVE-2024-39544 | Junos OS Evolved: Low privileged local user able to view NETCONF traceoptions files — Junos OS Evolved | 5.0 | Medium | 2024-10-11
CVE-2024-5474 | Lenovo Dolby Vision Provisioning security vulnerability — Dolby Vision Provisioning software | 5.5 | Medium | 2024-10-11
CVE-2023-42133 | PAX Android based POS security vulnerability — POS terminals | 6.7 | Medium | 2024-10-11
CVE-2024-9167 | Ivanti Velocity License Server security vulnerability — Velocity License Server | 7.8 | High | 2024-10-08
CVE-2024-46544 | Apache Tomcat Connectors: mod_jk: local users can view and modify configuration — Apache Tomcat Connectors | 7.8 (AI) | High (AI) | 2024-09-23
CVE-2022-25776 | Sensitive Data Exposure due to inadequate user permission settings — Mautic | 8.3 | High | 2024-09-18
CVE-2024-38222 | Microsoft Edge (Chromium-based) Information Disclosure Vulnerability — Microsoft Edge (Chromium-based) | 6.5 | Medium | 2024-09-12
CVE-2024-34018 | Acronis Snap Deploy security vulnerability — Acronis Snap Deploy | 7.5 (AI) | High (AI) | 2024-08-29
CVE-2024-43791 | RequestStore has Incorrect Default Permissions — request_store | 7.8 | High | 2024-08-23
CVE-2024-4763 | Lenovo Display Control Center and Lenovo Accessories and Display Manager security vulnerability — Display Control Center | 7.8 | High | 2024-08-16
CVE-2024-2175 | Lenovo Display Control Center and Lenovo Accessories and Display Manager security vulnerability — Display Control Center | 7.8 | High | 2024-08-16
CVE-2023-31349 | AMD μProf security vulnerability — μProf Tool | 7.3 | High | 2024-08-13
CVE-2024-43114 | JetBrains TeamCity security vulnerability — TeamCity | 7.5 | High | 2024-08-06
CVE-2024-6122 | Incorrect Default Directory Permissions for NI SystemLink Redis Service — SystemLink Server | 5.5 | Medium | 2024-07-22
CVE-2024-5321 | Incorrect permissions on Windows containers logs — Kubernetes | 6.1 | Medium | 2024-07-18
CVE-2024-32861 | Software House C•CURE - CouchDB executable protection — Software House C•CURE 9000 Installer | 7.8 | High | 2024-07-16

(AI) marks a CVSS score and severity that the page tags as AI-derived rather than vendor- or NVD-published; "-" means no severity was given.

Vulnerabilities classified as CWE-276 (Incorrect Default Permissions) total 448 CVEs. The CWE taxonomy describes the weakness class; review the individual CVEs for product-specific impact.