
CWE-276 (Incorrect Default Permissions) — Vulnerability Class 448

448 vulnerabilities classified as CWE-276 (Incorrect Default Permissions). AI Chinese analysis included.

CWE-276 represents a critical configuration weakness where software installation processes assign overly permissive access rights to files, often granting read, write, and execute privileges to all users. This flaw typically allows malicious actors to modify or replace critical application binaries, configuration files, or scripts without authentication. By altering these unprotected resources, attackers can inject malicious code, escalate privileges, or compromise system integrity, effectively bypassing security controls that rely on file integrity. To mitigate this risk, developers must adhere to the principle of least privilege during deployment. This involves explicitly setting restrictive permissions, such as read-only access for general users and write access only for administrators. Automated installation scripts should verify and enforce these secure defaults, ensuring that sensitive files remain immutable to unauthorized entities and preserving the overall security posture of the deployed environment.

MITRE CWE Description
During installation, installed file permissions are set to allow anyone to modify those files.

Common Consequences (1)
Scope: Confidentiality, Integrity. Impact: Read Application Data, Modify Application Data.

Mitigations (2)
Phase: Architecture and Design, Operation. The architecture needs to restrict access and modification attributes for files to only those users who actually require those actions.
Phase: Architecture and Design. Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separatio…
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2024-21615 | Junos OS and Junos OS Evolved: A low-privileged user can access confidential information | Junos OS | 5.0 | Medium | 2024-04-12
CVE-2024-31442 | Redon-Hub has incorrect permissions on all admin related commands | Redon-Hub | 8.8 | High | 2024-04-08
CVE-2024-0259 | Privilege Escalation in Robot Schedule Enterprise Agent for Windows prior to version 3.04 | Robot Schedule Enterprise Agent | 7.3 | High | 2024-03-28
CVE-2024-25958 | Dell Grab security vulnerability | Grab for Windows | 6.7 | Medium | 2024-03-26
CVE-2024-1605 | DLL side-loading in BMC Control-M | Control-M | 6.6 | Medium | 2024-03-18
CVE-2024-28862 | ROTP 6.2.2 and 6.2.1 has 0666 permissions for the .rb files | rotp | 5.3 | Medium | 2024-03-15
CVE-2024-20671 | Microsoft Defender Security Feature Bypass Vulnerability | Windows Defender Antimalware Platform | 5.5 | Medium | 2024-03-12
CVE-2024-26280 | Apache Airflow: Overly broad default permissions for Viewer/Ops (audit logs) | Apache Airflow | 2.7 | - | 2024-03-01
CVE-2023-48678 | Acronis Cyber Protect security vulnerability | Acronis Cyber Protect 16 | 7.5 | - | 2024-02-27
CVE-2023-7235 | OpenVPN security vulnerability | OpenVPN | 7.8 | High | 2024-02-21
CVE-2024-1156 | NI SystemLink Server security vulnerability | SystemLink Server | 7.8 | High | 2024-02-20
CVE-2024-1155 | Incorrect permissions for shared NI SystemLink Elixir based services | SystemLink Server | 7.8 | High | 2024-02-20
CVE-2024-25605 | Liferay Portal and Liferay DXP security vulnerability | Portal | 5.3 | Medium | 2024-02-20
CVE-2024-1488 | Unbound: unrestricted reconfiguration enabled to anyone that may lead to local privilege escalation | | 8.0 | High | 2024-02-15
CVE-2023-50236 | Siemens Polarion ALM security vulnerability | Polarion ALM | 7.8 | High | 2024-02-13
CVE-2024-24828 | Local Privilege Escalation in executables bundled by pkg | pkg | 6.6 | Medium | 2024-02-09
CVE-2024-22430 | Dell PowerScale OneFS security vulnerability | PowerScale OneFS | 5.5 | Medium | 2024-02-01
CVE-2024-21840 | Directory and File Permission Vulnerability in Hitachi Storage Plug-in for VMware vCenter | Hitachi Storage Plug-in for VMware vCenter | 7.9 | High | 2024-01-30
CVE-2023-29081 | InstallShield Symlink Vulnerability Affecting Suite Project Setups | InstallShield | 5.5 | Medium | 2024-01-26
CVE-2024-0770 | European Chemicals Agency IUCLID Desktop Installer iuclid6.exe default permission | IUCLID | 4.4 | Medium | 2024-01-21
CVE-2024-22409 | Default Privileges allow for high level operations for low privileged users in datahub | datahub | 7.5 | High | 2024-01-16
CVE-2024-22428 | Dell iDRAC9 security vulnerability | iDRAC Service Module (iSM) | 7.0 | High | 2024-01-16
CVE-2023-6457 | File and Directory Permission Vulnerability in Hitachi Tuning Manager | Hitachi Tuning Manager | 6.6 | Medium | 2024-01-16
CVE-2022-45793 | Executable files writable by low-privileged users in Omron Sysmac Studio | Sysmac Studio | 5.5 | Medium | 2024-01-10
CVE-2023-42501 | Apache Superset: Unnecessary read permissions within the Gamma role | Apache Superset | 4.3 | Medium | 2023-11-27
CVE-2023-43081 | Dell PowerProtect Data Manager security vulnerability | PowerProtect Agent for File System | 4.0 | Medium | 2023-11-22
CVE-2023-42774 | Liteos-A has an incorrect default permissions vulnerability | OpenHarmony | 6.2 | Medium | 2023-11-20
CVE-2023-3116 | Liteos-A has an incorrect default permissions vulnerability | OpenHarmony | 7.3 | High | 2023-11-20
CVE-2023-46743 | The same file cannot be opened with different rights | application-collabora | 7.4 | High | 2023-11-09
CVE-2023-4706 | Lenovo PC security vulnerability | Lenovo Preload Directory | 7.3 | High | 2023-11-08

Vulnerabilities classified as CWE-276 (Incorrect Default Permissions) represent 448 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.