CWE-276
AllowedIncorrect Default Permissions
Abstraction: Base · Status: Draft
During installation, installed file permissions are set to allow anyone to modify those files.
2035 vulnerabilities reference this CWE, most recent first.
GHSA-83X8-R8F9-J2F7
Vulnerability from github – Published: 2025-10-21 21:33 – Updated: 2025-10-21 21:33Incorrect Default Permissions vulnerability in The Wikimedia Foundation Mediawiki - Thanks Extension, Mediawiki - Growth Experiments Extension allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Mediawiki - Thanks Extension, Mediawiki - Growth Experiments Extension: from 1.43 before 1.44.
{
"affected": [],
"aliases": [
"CVE-2025-62661"
],
"database_specific": {
"cwe_ids": [
"CWE-276"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-21T20:20:55Z",
"severity": "MODERATE"
},
"details": "Incorrect Default Permissions vulnerability in The Wikimedia Foundation Mediawiki - Thanks Extension, Mediawiki - Growth Experiments Extension allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Mediawiki - Thanks Extension, Mediawiki - Growth Experiments Extension: from 1.43 before 1.44.",
"id": "GHSA-83x8-r8f9-j2f7",
"modified": "2025-10-21T21:33:44Z",
"published": "2025-10-21T21:33:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62661"
},
{
"type": "WEB",
"url": "https://gerrit.wikimedia.org/r/q/Ia584966bb7d4d707eef50529293aa3d468470f18"
},
{
"type": "WEB",
"url": "https://gerrit.wikimedia.org/r/q/Idbc1b5a288ffaa7074eedcbac066358a8ec649dc"
},
{
"type": "WEB",
"url": "https://phabricator.wikimedia.org/T397497"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-8425-8R2F-MRV6
Vulnerability from github – Published: 2025-09-17 19:55 – Updated: 2025-09-26 16:17Impact
DragonFly2 uses the os.MkdirAll function to create certain directory paths with specific access permissions. This function does not perform any permission checks when a given directory path already exists. This allows a local attacker to create a directory to be used later by DragonFly2 with broad permissions before DragonFly2 does so, potentially allowing the attacker to tamper with the files.
Eve has unprivileged access to the machine where Alice uses DragonFly2. Eve watches the commands executed by Alice and introduces new directories/paths with 0777 permissions before DragonFly2 does so. Eve can then delete and forge files in that directory to change the results of further commands executed by Alice.
Patches
- Dragonfy v2.1.0 and above.
Workarounds
There are no effective workarounds, beyond upgrading.
References
A third party security audit was performed by Trail of Bits, you can see the full report.
If you have any questions or comments about this advisory, please email us at dragonfly-maintainers@googlegroups.com.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/dragonflyoss/dragonfly"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "d7y.io/dragonfly/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-59349"
],
"database_specific": {
"cwe_ids": [
"CWE-276",
"CWE-732"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-17T19:55:25Z",
"nvd_published_at": "2025-09-17T20:15:37Z",
"severity": "LOW"
},
"details": "### Impact\n\nDragonFly2 uses the os.MkdirAll function to create certain directory paths with specific access permissions. This function does not perform any permission checks when a given directory path already exists. This allows a local attacker to create a directory to be used later by DragonFly2 with broad permissions before DragonFly2 does so, potentially allowing the attacker to tamper with the files.\n\nEve has unprivileged access to the machine where Alice uses DragonFly2. Eve watches the commands executed by Alice and introduces new directories/paths with 0777 permissions before DragonFly2 does so. Eve can then delete and forge files in that directory to change the results of further commands executed by Alice.\n\n### Patches\n\n- Dragonfy v2.1.0 and above.\n\n### Workarounds\n\nThere are no effective workarounds, beyond upgrading.\n\n### References\n\nA third party security audit was performed by Trail of Bits, you can see the [full report](https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf).\n\nIf you have any questions or comments about this advisory, please email us at [dragonfly-maintainers@googlegroups.com](mailto:dragonfly-maintainers@googlegroups.com).",
"id": "GHSA-8425-8r2f-mrv6",
"modified": "2025-09-26T16:17:33Z",
"published": "2025-09-17T19:55:25Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-8425-8r2f-mrv6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59349"
},
{
"type": "PACKAGE",
"url": "https://github.com/dragonflyoss/dragonfly"
},
{
"type": "WEB",
"url": "https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2025-3964"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Dragonfly\u0027s directories created via os.MkdirAll are not checked for permissions"
}
GHSA-846G-P7HM-F54R
Vulnerability from github – Published: 2024-04-15 18:30 – Updated: 2024-08-15 21:38Amazon AWS Amplify CLI before 12.10.1 incorrectly configures the role trust policy of IAM roles associated with Amplify projects. When the Authentication component is removed from an Amplify project, a Condition property is removed but "Effect":"Allow" remains present, and consequently sts:AssumeRoleWithWebIdentity would be available to threat actors with no conditions. Thus, if Amplify CLI had been used to remove the Authentication component from a project built between August 2019 and January 2024, an "assume role" may have occurred, and may have been leveraged to obtain unauthorized access to an organization's AWS resources. NOTE: the problem could only occur if an authorized AWS user removed an Authentication component. (The vulnerability did not give a threat actor the ability to remove an Authentication component.) However, in realistic situations, an authorized AWS user may have removed an Authentication component, e.g., if the objective were to stop using built-in Cognito resources, or move to a completely different identity provider.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@aws-amplify/cli"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "12.10.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-28056"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-276"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-15T20:25:04Z",
"nvd_published_at": "2024-04-15T18:15:10Z",
"severity": "CRITICAL"
},
"details": "Amazon AWS Amplify CLI before 12.10.1 incorrectly configures the role trust policy of IAM roles associated with Amplify projects. When the Authentication component is removed from an Amplify project, a Condition property is removed but \"Effect\":\"Allow\" remains present, and consequently sts:AssumeRoleWithWebIdentity would be available to threat actors with no conditions. Thus, if Amplify CLI had been used to remove the Authentication component from a project built between August 2019 and January 2024, an \"assume role\" may have occurred, and may have been leveraged to obtain unauthorized access to an organization\u0027s AWS resources. NOTE: the problem could only occur if an authorized AWS user removed an Authentication component. (The vulnerability did not give a threat actor the ability to remove an Authentication component.) However, in realistic situations, an authorized AWS user may have removed an Authentication component, e.g., if the objective were to stop using built-in Cognito resources, or move to a completely different identity provider.",
"id": "GHSA-846g-p7hm-f54r",
"modified": "2024-08-15T21:38:29Z",
"published": "2024-04-15T18:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28056"
},
{
"type": "WEB",
"url": "https://github.com/aws-amplify/amplify-cli/commit/73b08dc424db2fb60399c5343c314e02e849d4a1"
},
{
"type": "WEB",
"url": "https://aws.amazon.com/security/security-bulletins/AWS-2024-003"
},
{
"type": "PACKAGE",
"url": "https://github.com/aws-amplify/amplify-cli"
},
{
"type": "WEB",
"url": "https://github.com/aws-amplify/amplify-cli/blob/8ad57bf99a404f3c92547c8a175458016f682fac/packages/amplify-provider-awscloudformation/resources/update-idp-roles-cfn.json"
},
{
"type": "WEB",
"url": "https://github.com/aws-amplify/amplify-cli/releases/tag/v12.10.1"
},
{
"type": "WEB",
"url": "https://securitylabs.datadoghq.com/articles/amplified-exposure-how-aws-flaws-made-amplify-iam-roles-vulnerable-to-takeover"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "AWS Amplify CLI has incorrect trust policy management"
}
GHSA-84HR-27GR-GJJG
Vulnerability from github – Published: 2022-06-18 00:00 – Updated: 2022-06-29 00:00A permission issue affects users that deployed the shipped version of the Checkmk Debian package. Packages created by the agent bakery (enterprise editions only) were not affected. Using the shipped version of the agents, the maintainer scripts located at /var/lib/dpkg/info/ will be owned by the user and the group with ID 1001. If such a user exists on the system, they can change the content of these files (which are then executed by root). This leads to a local privilege escalation on the monitored host. Version 1.6 through 1.6.9p29, version 2.0 through 2.0.0p26, version 2.1 through 2.1.0p3, and version 2.2.0i1 are affected.
{
"affected": [],
"aliases": [
"CVE-2022-33912"
],
"database_specific": {
"cwe_ids": [
"CWE-276"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-17T13:15:00Z",
"severity": "HIGH"
},
"details": "A permission issue affects users that deployed the shipped version of the Checkmk Debian package. Packages created by the agent bakery (enterprise editions only) were not affected. Using the shipped version of the agents, the maintainer scripts located at /var/lib/dpkg/info/ will be owned by the user and the group with ID 1001. If such a user exists on the system, they can change the content of these files (which are then executed by root). This leads to a local privilege escalation on the monitored host. Version 1.6 through 1.6.9p29, version 2.0 through 2.0.0p26, version 2.1 through 2.1.0p3, and version 2.2.0i1 are affected.",
"id": "GHSA-84hr-27gr-gjjg",
"modified": "2022-06-29T00:00:29Z",
"published": "2022-06-18T00:00:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33912"
},
{
"type": "WEB",
"url": "https://checkmk.com/werk/14098"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-84VH-967Q-QR87
Vulnerability from github – Published: 2022-05-13 01:14 – Updated: 2022-05-13 01:14dracut.sh in dracut, as used in Red Hat Enterprise Linux 6, Fedora 16 and 17, and possibly other products, creates initramfs images with world-readable permissions, which might allow local users to obtain sensitive information.
{
"affected": [],
"aliases": [
"CVE-2012-4453"
],
"database_specific": {
"cwe_ids": [
"CWE-276"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2012-10-09T23:55:00Z",
"severity": "LOW"
},
"details": "dracut.sh in dracut, as used in Red Hat Enterprise Linux 6, Fedora 16 and 17, and possibly other products, creates initramfs images with world-readable permissions, which might allow local users to obtain sensitive information.",
"id": "GHSA-84vh-967q-qr87",
"modified": "2022-05-13T01:14:46Z",
"published": "2022-05-13T01:14:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-4453"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=859448"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/79258"
},
{
"type": "WEB",
"url": "http://git.kernel.org/?p=boot/dracut/dracut.git%3Ba=commit%3Bh=e1b48995c26c4f06d1a71"
},
{
"type": "WEB",
"url": "http://git.kernel.org/?p=boot/dracut/dracut.git;a=commit;h=e1b48995c26c4f06d1a71"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1674.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2012/09/27/3"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2012/09/27/4"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2012/09/27/6"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/55713"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-856V-8QM2-9WJV
Vulnerability from github – Published: 2025-08-07 21:31 – Updated: 2026-03-24 15:30Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/passwd file to 664 during build time. Developers who used Operator-SDK before 0.15.2 to scaffold their operator may still be impacted by this if the insecure user_setup script is still being used to build new container images. In affected images, the /etc/passwd file was created during build time with group-writable permissions and a group ownership of root (gid=0). An attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/operator-framework/operator-sdk"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.15.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-7195"
],
"database_specific": {
"cwe_ids": [
"CWE-276"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-07T21:59:46Z",
"nvd_published_at": "2025-08-07T19:15:29Z",
"severity": "MODERATE"
},
"details": "Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/passwd file to 664 during build time. Developers who used Operator-SDK before 0.15.2 to scaffold their operator may still be impacted by this if the insecure user_setup script is still being used to build new container images. In affected images, the /etc/passwd file was created during build time with group-writable permissions and a group ownership of root (gid=0). An attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.",
"id": "GHSA-856v-8qm2-9wjv",
"modified": "2026-03-24T15:30:24Z",
"published": "2025-08-07T21:31:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7195"
},
{
"type": "PACKAGE",
"url": "https://github.com/operator-framework/operator-sdk"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2376300"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-7195"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:5633"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:2572"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:0737"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:0722"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:0718"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:0627"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:23542"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:23529"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:23528"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:22684"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:22683"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:22420"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:22418"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:22416"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:22415"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:21885"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:21368"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:19961"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:19958"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:19335"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:19332"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHEA-2026:0129"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHEA-2025:23478"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHEA-2025:23406"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHBA-2024:11569"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "operator-sdk: privilege escalation due to incorrect permissions of /etc/passwd"
}
GHSA-85J3-J66Q-C47R
Vulnerability from github – Published: 2022-03-31 00:00 – Updated: 2022-04-06 00:01In InputMethodEditor, there is a possible way to access some files accessible to Settings due to an unsafe PendingIntent. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-203777141
{
"affected": [],
"aliases": [
"CVE-2021-39748"
],
"database_specific": {
"cwe_ids": [
"CWE-276"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-30T16:15:00Z",
"severity": "MODERATE"
},
"details": "In InputMethodEditor, there is a possible way to access some files accessible to Settings due to an unsafe PendingIntent. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-203777141",
"id": "GHSA-85j3-j66q-c47r",
"modified": "2022-04-06T00:01:54Z",
"published": "2022-03-31T00:00:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39748"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/android-12l"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-862G-9H5M-M3QV
Vulnerability from github – Published: 2021-11-08 18:01 – Updated: 2022-09-08 14:25Impact
On systems installed with coreos-installer before 0.10.0, the user-provided Ignition config was written to /boot/ignition/config.ign with world-readable permissions, granting unprivileged users access to any secrets included in the config.
Default configurations of Fedora CoreOS and RHEL CoreOS do not include any unprivileged user accounts. In addition, instances launched from a cloud image, and systems provisioned with the ignition.config.url kernel argument, do not use the config.ign file and are unaffected.
Patches
coreos-installer 0.10.0 and later writes the Ignition config with restricted permissions.
Workarounds
On Fedora CoreOS systems installed from version 34.20210711.3.0 (stable), 34.20210711.2.0 (testing), 34.20210711.1.1 (next) and later, the /boot/ignition directory and its contents are removed after provisioning is complete. All Fedora CoreOS systems that have updated to these versions or later have automatically removed the /boot/ignition directory and no action is required.
On other systems, /boot/ignition/config.ign can be removed manually, as it is not used after provisioning is complete:
sudo mount -o remount,rw /boot
sudo rm -rf /boot/ignition
References
For more information, see https://github.com/coreos/fedora-coreos-tracker/issues/889.
For more information
If you have any questions or comments about this advisory, open an issue in coreos-installer or email the CoreOS development mailing list.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "coreos-installer"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.10.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-3917"
],
"database_specific": {
"cwe_ids": [
"CWE-276"
],
"github_reviewed": true,
"github_reviewed_at": "2021-11-04T17:11:09Z",
"nvd_published_at": "2022-08-23T20:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\nOn systems installed with coreos-installer before 0.10.0, the user-provided Ignition config was written to `/boot/ignition/config.ign` with world-readable permissions, granting unprivileged users access to any secrets included in the config.\n\nDefault configurations of Fedora CoreOS and RHEL CoreOS do not include any unprivileged user accounts. In addition, instances launched from a cloud image, and systems provisioned with the `ignition.config.url` kernel argument, do not use the `config.ign` file and are unaffected.\n\n### Patches\ncoreos-installer 0.10.0 and later [writes](https://github.com/coreos/coreos-installer/pull/571) the Ignition config with restricted permissions.\n\n### Workarounds\n\nOn Fedora CoreOS systems installed from version 34.20210711.3.0 (stable), 34.20210711.2.0 (testing), 34.20210711.1.1 (next) and later, the `/boot/ignition` directory and its contents are removed after provisioning is complete. All Fedora CoreOS systems that have updated to these versions or later have automatically removed the `/boot/ignition` directory and no action is required.\n\nOn other systems, `/boot/ignition/config.ign` can be removed manually, as it is not used after provisioning is complete:\n\n```\nsudo mount -o remount,rw /boot\nsudo rm -rf /boot/ignition\n```\n\n### References\nFor more information, see https://github.com/coreos/fedora-coreos-tracker/issues/889.\n\n### For more information\nIf you have any questions or comments about this advisory, [open an issue in coreos-installer](https://github.com/coreos/coreos-installer/issues/new/choose) or email the CoreOS [development mailing list](https://lists.fedoraproject.org/archives/list/coreos@lists.fedoraproject.org/).",
"id": "GHSA-862g-9h5m-m3qv",
"modified": "2022-09-08T14:25:48Z",
"published": "2021-11-08T18:01:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/coreos/coreos-installer/security/advisories/GHSA-862g-9h5m-m3qv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3917"
},
{
"type": "WEB",
"url": "https://github.com/coreos/fedora-coreos-tracker/issues/889"
},
{
"type": "WEB",
"url": "https://github.com/coreos/coreos-installer/commit/2a36405339c87b16ed6c76e91ad5b76638fbdb0c"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2021-3917"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2018478"
},
{
"type": "WEB",
"url": "https://github.com/coreos/coreos-installer"
},
{
"type": "WEB",
"url": "https://github.com/coreos/coreos-installer/releases/tag/v0.10.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "coreos-installer \u003c 0.10.0 writes world-readable Ignition config to installed system"
}
GHSA-86G4-G26W-P44C
Vulnerability from github – Published: 2024-02-21 21:30 – Updated: 2024-09-04 21:30The TD Bank TD Advanced Dashboard client through 3.0.3 for macOS allows arbitrary code execution because of the lack of electron::fuses::IsRunAsNodeEnabled (i.e., ELECTRON_RUN_AS_NODE can be used in production). This makes it easier for a compromised process to access banking information.
{
"affected": [],
"aliases": [
"CVE-2023-50975"
],
"database_specific": {
"cwe_ids": [
"CWE-276"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-21T19:15:08Z",
"severity": "HIGH"
},
"details": "The TD Bank TD Advanced Dashboard client through 3.0.3 for macOS allows arbitrary code execution because of the lack of electron::fuses::IsRunAsNodeEnabled (i.e., ELECTRON_RUN_AS_NODE can be used in production). This makes it easier for a compromised process to access banking information.",
"id": "GHSA-86g4-g26w-p44c",
"modified": "2024-09-04T21:30:31Z",
"published": "2024-02-21T21:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50975"
},
{
"type": "WEB",
"url": "https://gist.github.com/khronokernel/2598c067d0f49b0f0a4c8b01cf129d34"
},
{
"type": "WEB",
"url": "https://newsroom.ripeda.com/tag/macs-for-business"
},
{
"type": "WEB",
"url": "https://www.electronjs.org/blog/statement-run-as-node-cves"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-86PC-JX85-MVRW
Vulnerability from github – Published: 2025-05-13 18:30 – Updated: 2025-05-15 21:31A remote code execution vulnerability exists in the Windows agent component of SecureConnector due to improper access controls on a named pipe. The pipe is accessible to the Everyone group and does not restrict remote connections, allowing any network-based attacker to connect without authentication. By interacting with this pipe, an attacker can redirect the agent to communicate with a rogue server that can issue commands via the SecureConnector Agent.
This does not impact Linux or OSX Secure Connector.
{
"affected": [],
"aliases": [
"CVE-2025-4660"
],
"database_specific": {
"cwe_ids": [
"CWE-276"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-13T18:15:41Z",
"severity": "HIGH"
},
"details": "A remote code execution vulnerability exists in the Windows agent component of SecureConnector\u00a0due to improper access controls on a named pipe. The pipe is accessible to the Everyone group and does not restrict remote connections, allowing any network-based attacker to connect without authentication. By interacting with this pipe, an attacker can redirect the agent to communicate with a rogue server that can issue commands via the SecureConnector Agent.\u00a0\n\n\n\nThis does not impact Linux or OSX Secure Connector.",
"id": "GHSA-86pc-jx85-mvrw",
"modified": "2025-05-15T21:31:25Z",
"published": "2025-05-13T18:30:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4660"
},
{
"type": "WEB",
"url": "https://forescout.my.site.com/support/s/article"
},
{
"type": "WEB",
"url": "https://forescout.my.site.com/support/s/article/High-Severity-Vulnerability-in-Secure-Connector-HPS-Inspection-Engine-v11-3-5-and-lower"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:M/U:Amber",
"type": "CVSS_V4"
}
]
}
Mitigation MIT-1
The architecture needs to access and modification attributes for files to only those users who actually require those actions.
Mitigation MIT-46
Strategy: Separation of Privilege
- Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
- Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.
CAPEC-127: Directory Indexing
An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.
CAPEC-81: Web Server Logs Tampering
Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.