
CWE-276 (Incorrect Default Permissions): Vulnerability Class, 448 CVEs

448 vulnerabilities classified as CWE-276 (Incorrect Default Permissions). AI-generated Chinese-language analysis included.

CWE-276 covers installation and deployment processes that leave files with overly permissive access rights, often read, write and execute for every user on the system. Any local user can then modify or replace application binaries, configuration files, or scripts without further authentication. By altering these unprotected resources an attacker can inject code that runs with the application's privileges, read or tamper with stored credentials, or escalate to an administrative account, bypassing controls that assume the installed files are trustworthy. The mitigation is least privilege at deployment time: set restrictive permissions explicitly (read-only, or no access at all, for ordinary users; write access only for the owner or an administrator) instead of relying on whatever umask or default ACL the installer inherits. Automated installers and post-install checks should verify and enforce these defaults, so that sensitive files cannot be changed by unauthorized users and the deployed environment keeps its intended security posture.

MITRE CWE Description
During installation, installed file permissions are set to allow anyone to modify those files.
Common Consequences (1)
Scope: Confidentiality, Integrity. Impact: Read Application Data, Modify Application Data
Mitigations (2)
Phase: Architecture and Design, Operation. The architecture needs to restrict access and modification attributes for files to only those users who actually require those actions.
Phase: Architecture and Design. Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separatio…
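The deployment-time hardening described above and in the first MITRE mitigation, as an added example (this is not code from this page, from MITRE, or from any listed vendor): a Python script that installs a small service tree the weak way and the least-privilege way, then audits each tree for CWE-276. It assumes a POSIX host, where permissions are mode bits; on Windows the equivalent check has to inspect the file's ACL, which this script does not do. The directory layout, file names, file contents and the mode policy in MODE_BY_KIND are constructed for the demo.

```python
"""Install a small service tree with least-privilege modes and audit it for
CWE-276 (files anyone can modify). POSIX mode bits only: on Windows the
same check must be done against the file's ACL, which this script does not do.
The layout, file contents and mode policy below are constructed for the demo."""
import os
import stat
import tempfile
from pathlib import Path

# Assumed policy for the demo: binaries runnable by all but writable only by
# the owner; configs (they may hold credentials) unreadable by 'other'.
MODE_BY_KIND = {"dir": 0o755, "bin": 0o755, "conf": 0o640}

SERVICE_SCRIPT = "#!/bin/sh\necho running\n"   # constructed sample content
SERVICE_CONF = "db_password=hunter2\n"          # constructed sample content


def insecure_install(root: Path) -> None:
    """The weak pattern: umask 0 and chmod 777 so the installer 'just works'."""
    old = os.umask(0)
    try:
        (root / "bin").mkdir(mode=0o777)
        (root / "etc").mkdir(mode=0o777)
        svc = root / "bin" / "service"
        svc.write_text(SERVICE_SCRIPT)
        os.chmod(svc, 0o777)   # any local user can replace the binary
        conf = root / "etc" / "service.conf"
        conf.write_text(SERVICE_CONF)
        os.chmod(conf, 0o666)  # any local user can read or rewrite credentials
    finally:
        os.umask(old)


def _write_new(path: Path, text: str, mode: int) -> None:
    """Create the file atomically: O_EXCL refuses to reuse a file (or symlink)
    an attacker planted in advance, O_NOFOLLOW refuses to follow one."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, mode)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)  # umask strips bits at open(); set the exact mode


def secure_install(root: Path) -> None:
    """Restrictive umask as a safety net, then explicit modes for every entry."""
    old = os.umask(0o077)
    try:
        for d in ("bin", "etc"):
            (root / d).mkdir(mode=MODE_BY_KIND["dir"])
            os.chmod(root / d, MODE_BY_KIND["dir"])  # mkdir() also honours umask
        _write_new(root / "bin" / "service", SERVICE_SCRIPT, MODE_BY_KIND["bin"])
        _write_new(root / "etc" / "service.conf", SERVICE_CONF, MODE_BY_KIND["conf"])
    finally:
        os.umask(old)


def audit(root: Path) -> list:
    """Return (relative path, octal mode, problem) for every entry under root
    that violates the policy. A world-writable directory is tolerated only
    with the sticky bit set, the /tmp convention."""
    findings = []
    for p in sorted(root.rglob("*")):
        mode = stat.S_IMODE(os.lstat(p).st_mode)
        rel = p.relative_to(root).as_posix()
        if mode & stat.S_IWOTH and not (p.is_dir() and mode & stat.S_ISVTX):
            findings.append((rel, oct(mode), "world-writable"))
        elif p.suffix == ".conf" and mode & stat.S_IROTH:
            findings.append((rel, oct(mode), "config readable by other"))
    return findings


def demo() -> dict:
    """Install both variants into private temp dirs and audit each."""
    results = {}
    for name, installer in (("insecure", insecure_install), ("secure", secure_install)):
        root = Path(tempfile.mkdtemp(prefix=f"cwe276-{name}-"))  # created 0700
        installer(root)
        results[name] = audit(root)
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or "clean")
```

Run it and the insecure tree reports both directories, the binary and the config as world-writable, while the secure tree is clean. The same audit() function, pointed at a real install prefix, is the post-install check the paragraph above asks for; the exact-mode chmod after open() matters because the mode argument to open() and mkdir() is always masked by the process umask, which an installer does not control when a packager or CI job invokes it.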
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2024-3779 | Denial of Service in ESET products for Windows | ESET NOD32 Antivirus | 6.1 | Medium | 2024-07-16
CVE-2024-3904 | Mitsubishi Electric MELIPC Series security vulnerability | MELIPC Series MI5122-VW | 8.8 | High | 2024-07-04
CVE-2024-2819 | File Permission Vulnerability in Hitachi Ops Center Common Services | Hitachi Ops Center Common Services | 5.1 | Medium | 2024-07-02
CVE-2024-4679 | Folder Permission Vulnerability in JP1/Extensible SNMP Agent | JP1/Extensible SNMP Agent for Windows | 7.8 | High | 2024-07-02
CVE-2024-35139 | IBM Security Access Manager Docker information disclosure | Security Verify Access Docker | 6.2 | Medium | 2024-06-28
CVE-2024-39347 | Synology Router Manager security vulnerability | Synology Router Manager (SRM) | 5.9 | Medium | 2024-06-28
CVE-2023-38370 | IBM Security Access Manager Docker information disclosure | Security Access Manager Docker | 7.5 | High | 2024-06-27
CVE-2024-22385 | File and Directory Permission Vulnerability in Hitachi Storage Provider for VMware vCenter | Hitachi Storage Provider for VMware vCenter | 4.4 | Medium | 2024-06-25
CVE-2024-36495 | Read/Write Permissions for Everyone on Configuration File | WINSelect (Standard + Enterprise) | 5.5 (AI) | Medium (AI) | 2024-06-24
CVE-2024-5967 | Keycloak: leak of configured ldap bind credentials through the keycloak admin console | | 2.7 | Low | 2024-06-18
CVE-2024-34012 | Acronis Cloud Manager security vulnerability | Acronis Cloud Manager | 7.8 (AI) | High (AI) | 2024-06-14
CVE-2024-27180 | TOCTOU vulnerability | Toshiba Tec e-Studio multi-function peripheral (MFP) | 6.7 | Medium | 2024-06-14
CVE-2024-27171 | Insecure permissions | Toshiba Tec e-Studio multi-function peripheral (MFP) | 7.4 | High | 2024-06-14
CVE-2024-27167 | Insecure permissions | Toshiba Tec e-Studio multi-function peripheral (MFP) | 7.4 | High | 2024-06-14
CVE-2024-27166 | Insecure permissions | Toshiba Tec e-Studio multi-function peripheral (MFP) | 7.4 | High | 2024-06-14
CVE-2024-27155 | Local Privilege Escalation and Remote Code Execution using insecure permissions | Toshiba Tec e-Studio multi-function peripheral (MFP) | 7.7 | High | 2024-06-14
CVE-2024-27153 | Local Privilege Escalation and Remote Code Execution | Toshiba Tec e-Studio multi-function peripheral (MFP) | 7.4 | High | 2024-06-14
CVE-2024-27152 | Local Privilege Escalation and Remote Code Execution using insecure permissions | Toshiba Tec e-Studio multi-function peripheral (MFP) | 7.4 | High | 2024-06-14
CVE-2024-27151 | Local Privilege Escalation and Remote Code Execution using insecure permissions | Toshiba Tec e-Studio multi-function peripheral (MFP) | 7.4 | High | 2024-06-14
CVE-2024-27150 | Local Privilege Escalation and Remote Code Execution using insecure LD_LIBRARY_PATH | Toshiba Tec e-Studio multi-function peripheral (MFP) | 7.4 | High | 2024-06-14
CVE-2024-27149 | Local Privilege Escalation and Remote Code Execution using insecure LD_PRELOAD | Toshiba Tec e-Studio multi-function peripheral (MFP) | 7.4 | High | 2024-06-14
CVE-2024-27148 | Local Privilege Escalation and Remote Code Execution using insecure PATH | Toshiba Tec e-Studio multi-function peripheral (MFP) | 7.4 | High | 2024-06-14
CVE-2024-37038 | Schneider Electric SAGE RTUs security vulnerability | Sage 1410 | 7.5 | High | 2024-06-12
CVE-2024-23847 | Yokogawa Rental & Lease Unifier security vulnerability | Unifier | 8.4 (AI) | High (AI) | 2024-05-31
CVE-2024-32978 | Kaminari Insecure File Permissions Vulnerability | kaminari | 6.6 | Medium | 2024-05-27
CVE-2024-4030 | tempfile.mkdtemp() may be readable and writeable by all users on Windows | CPython | 7.1 (AI) | High (AI) | 2024-05-07
CVE-2024-34011 | Acronis Cyber Protect security vulnerability | Acronis Cyber Protect Cloud Agent | 7.8 (AI) | High (AI) | 2024-04-29
CVE-2023-23976 | WordPress RegistrationMagic plugin <= 5.1.9.2 - Arbitrary Price Change | RegistrationMagic | 7.5 | High | 2024-04-24
CVE-2024-29967 | In Brocade SANnav before v2.31 and v2.3.0a, it was observed that Docker instances inside the appliance have insecure mount points | Brocade SANnav | 4.4 | Medium | 2024-04-19
CVE-2024-29962 | Insecure file permission setting that makes files world-readable | Brocade SANnav | 5.5 | Medium | 2024-04-19

(AI) marks a CVSS score or severity that the page flags as AI-assigned rather than taken from the CVE record; treat those values as estimates.

Vulnerabilities classified as CWE-276 (Incorrect Default Permissions) number 448 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.