Common Weakness Enumeration

CWE-276

Allowed

Incorrect Default Permissions

Abstraction: Base · Status: Draft

During installation, installed file permissions are set to allow anyone to modify those files.

2035 vulnerabilities reference this CWE, most recent first.

GHSA-8JX9-7J5M-79X4

Vulnerability from github – Published: 2022-05-13 01:40 – Updated: 2024-01-30 22:46
VLAI
Summary
Jenkins Build Step Plugin fails to check Item/Build permission
Details

Builds in Jenkins are associated with an authentication that controls the permissions that the build has to interact with other elements in Jenkins. The Pipeline: Build Step Plugin did not check the build authentication it was running as and allowed triggering any other project in Jenkins.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.5"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:pipeline-build-step"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-1000089"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-30T22:46:28Z",
    "nvd_published_at": "2017-10-05T01:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Builds in Jenkins are associated with an authentication that controls the permissions that the build has to interact with other elements in Jenkins. The Pipeline: Build Step Plugin did not check the build authentication it was running as and allowed triggering any other project in Jenkins.",
  "id": "GHSA-8jx9-7j5m-79x4",
  "modified": "2024-01-30T22:46:28Z",
  "published": "2022-05-13T01:40:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000089"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2017-07-10"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Jenkins Build Step Plugin fails to check Item/Build permission"
}

GHSA-8M34-GHFG-XXC2

Vulnerability from github – Published: 2025-01-22 18:31 – Updated: 2025-01-22 18:31
VLAI
Details

A vulnerability in the REST API of Cisco Meeting Management could allow a remote, authenticated attacker with low privileges to elevate privileges to administrator on an affected device.

This vulnerability exists because proper authorization is not enforced upon REST API users. An attacker could exploit this vulnerability by sending API requests to a specific endpoint. A successful exploit could allow the attacker to gain administrator-level control over edge nodes that are managed by Cisco Meeting Management.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-20156"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-274",
      "CWE-276"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-22T17:15:12Z",
    "severity": "CRITICAL"
  },
  "details": "A vulnerability in the REST API of Cisco Meeting Management could allow a remote, authenticated attacker with low privileges to elevate privileges to administrator on an affected device.\n\nThis vulnerability exists because proper authorization is not enforced upon\u0026nbsp;REST API users. An attacker could exploit this vulnerability by sending API requests to a specific endpoint. A successful exploit could allow the attacker to gain administrator-level control over edge nodes that are managed by Cisco Meeting Management.",
  "id": "GHSA-8m34-ghfg-xxc2",
  "modified": "2025-01-22T18:31:56Z",
  "published": "2025-01-22T18:31:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20156"
    },
    {
      "type": "WEB",
      "url": "https://blog.clamav.net/2025/01/clamav-142-and-108-security-patch.html"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-clamav-ole2-H549rphA"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cmm-privesc-uy2Vf8pc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8M3R-RFC5-MRMG

Vulnerability from github – Published: 2024-09-11 00:30 – Updated: 2024-10-16 18:31
VLAI
Details

In multiple locations, there is a possible permission bypass due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-40654"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-11T00:15:11Z",
    "severity": "HIGH"
  },
  "details": "In multiple locations, there is a possible permission bypass due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.",
  "id": "GHSA-8m3r-rfc5-mrmg",
  "modified": "2024-10-16T18:31:33Z",
  "published": "2024-09-11T00:30:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40654"
    },
    {
      "type": "WEB",
      "url": "https://android.googlesource.com/platform/packages/apps/Settings/+/f1d0079c91734168c150f839168544f407b17b06"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2024-09-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8MJH-72QW-G4WP

Vulnerability from github – Published: 2022-05-24 19:21 – Updated: 2022-05-24 19:21
VLAI
Details

There is an Improper permission vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may affect service availability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-37030"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-11-23T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "There is an Improper permission vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may affect service availability.",
  "id": "GHSA-8mjh-72qw-g4wp",
  "modified": "2022-05-24T19:21:15Z",
  "published": "2022-05-24T19:21:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37030"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletin/2021/8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-8MPM-Q7MH-8FVH

Vulnerability from github – Published: 2026-03-18 16:09 – Updated: 2026-03-18 16:09
VLAI
Summary
Capgo CLI: symlink-following local secret writes enable arbitrary file overwrite + world-readable credentials (0600 missing)
Details

Summary

The Capgo CLI writes sensitive local files (.capgo API key file and build credentials JSON) using unsafe file operations that follow symlinks and do not enforce safe permissions. This allows an attacker-controlled repository to cause arbitrary file overwrite on the developer’s machine when the developer runs the CLI inside that repo. Additionally, global build credentials are written with world-readable permissions (664), exposing signing materials on shared systems.

Details

Issue 1 - Arbitrary file overwrite via .capgo symlink (login --local)

  • Location: src/login.ts
  • Behavior: loginInternal(..., { local: true }) performs writeFileSync('.capgo', ...) before validating the API key with verifyUser().
  • No checks are performed to prevent writing through a symlink.
  • Result: if .capgo is a symlink to an arbitrary path, the CLI overwrites the symlink target with attacker-controlled content (the provided API key string), even when login fails.

Issue 2 - Arbitrary file overwrite via .capgo-credentials.json symlink (build credentials save --local)

  • Location: src/build/credentials.ts (local path is join(cwd(), '.capgo-credentials.json'))
  • Behavior: credentials are written using writeFile() without checking whether the destination is a symlink.
  • Result: if .capgo-credentials.json is a symlink to an arbitrary path, the CLI overwrites the symlink target with attacker-controlled JSON (including base64-encoded credential material). This occurs even if the user is not logged in / no API key exists.

Issue 3 - Insecure default permissions for global credentials

  • Location: src/build/credentials.ts (global path $HOME/.capgo-credentials/credentials.json)
  • Observed permissions after save: -rw-rw-r-- (664)
  • Impact: credentials file contains sensitive signing material (e.g., Android keystore + Play config; iOS cert/profile/API key in other flows). World/group readability is unsafe on shared hosts and CI runners. Expected minimum: file 0600, directory 0700.

PoC

PoC A: .capgo symlink clobber (writes even when API key invalid)

set -euo pipefail
BASE="/tmp/capgo_cli_poc_$(date +%s)"
HOME_SANDBOX="$BASE/home"
REPO="$BASE/repo"
TARGET="$BASE/clobbered.txt"

mkdir -p "$HOME_SANDBOX" "$REPO"
cd "$REPO"
git init -q

ln -s "$TARGET" .capgo

# This should fail auth, but still overwrites TARGET
HOME="$HOME_SANDBOX" npx --yes @capgo/cli@7.82.0 login "INVALID_KEY_SHOULD_FAIL" --local || true

echo "== TARGET content =="
cat "$TARGET"

Expected: On invalid key, nothing is written; .capgo should never follow symlinks. Observed: TARGET contains INVALID_KEY_SHOULD_FAIL.

PoC B: .capgo-credentials.json symlink clobber (no login required)

set -euo pipefail
BASE="/tmp/capgo_creds_symlink_$(date +%s)"
HOME_SANDBOX="$BASE/home"
REPO="$BASE/repo"
TARGET="$BASE/clobbered_creds.txt"

mkdir -p "$HOME_SANDBOX" "$REPO"
cd "$REPO"
git init -q

ln -s "$TARGET" .capgo-credentials.json

HOME="$HOME_SANDBOX" npx --yes @capgo/cli@7.82.0 build credentials save \
  --local --platform android --appId com.example.app \
  --keystore /etc/hosts --keystore-alias x --keystore-key-password x --play-config /etc/hosts || true

echo "== TARGET exists and contains JSON written via symlink =="
ls -la "$TARGET" || true
cat "$TARGET" || true

Expected: Refuse to write if destination is symlink; ideally require safe location and permissions. Observed: TARGET is created/overwritten with credentials JSON.

PoC C: global credentials permissions are world-readable

set -euo pipefail
BASE="/tmp/capgo_creds_perm_$(date +%s)"
HOME_SANDBOX="$BASE/home"
mkdir -p "$HOME_SANDBOX"

HOME="$HOME_SANDBOX" npx --yes @capgo/cli@7.82.0 build credentials save \
  --platform android --appId com.example.app \
  --keystore /etc/hosts --keystore-alias x --keystore-key-password x --play-config /etc/hosts || true

CREDS="$HOME_SANDBOX/.capgo-credentials/credentials.json"
ls -la "$CREDS" || true
stat -c '%a %U:%G %n' "$CREDS" || true

Observed: credentials.json created with mode 664 (-rw-rw-r--).

Impact

  • Arbitrary file overwrite (clobber) as the user running the CLI (developer workstation / CI runner).
  • This can cause:

developer environment compromise or sabotage (overwriting config files, scripts, env files) accidental or malicious leakage/destruction of secrets

  • Local secret exposure: global credentials written as 664 allows other local users to read signing material on shared machines.
  • A realistic scenario: a developer runs npx @capgo/cli ... --local inside an untrusted repo/template; the repo contains malicious symlinks.

Suggested remediation

  • Do not write .capgo until after API key validation succeeds.
  • For all secret/config writes:

refuse symlink destinations (lstat + isSymbolicLink) use safe file creation and enforce permissions (0600 for files; 0700 for directories) write atomically (temp file + rename) after safety checks

  • Avoid blindly appending to .gitignore unless it is a regular file (also check for symlink).
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@capgo/cli"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.84.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-276",
      "CWE-377",
      "CWE-59"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-18T16:09:42Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nThe Capgo CLI writes sensitive local files (.capgo API key file and build credentials JSON) using unsafe file operations that follow symlinks and do not enforce safe permissions. This allows an attacker-controlled repository to cause arbitrary file overwrite on the developer\u2019s machine when the developer runs the CLI inside that repo. Additionally, global build credentials are written with world-readable permissions (664), exposing signing materials on shared systems.\n\n### Details\nIssue 1 - Arbitrary file overwrite via .capgo symlink (login --local)\n\n- Location: src/login.ts\n- Behavior: loginInternal(..., { local: true }) performs writeFileSync(\u0027.capgo\u0027, ...) before validating the API key with verifyUser().\n- No checks are performed to prevent writing through a symlink.\n- Result: if .capgo is a symlink to an arbitrary path, the CLI overwrites the symlink target with attacker-controlled content (the provided API key string), even when login fails.\n\nIssue 2 - Arbitrary file overwrite via .capgo-credentials.json symlink (build credentials save --local)\n\n- Location: src/build/credentials.ts (local path is join(cwd(), \u0027.capgo-credentials.json\u0027))\n- Behavior: credentials are written using writeFile() without checking whether the destination is a symlink.\n- Result: if .capgo-credentials.json is a symlink to an arbitrary path, the CLI overwrites the symlink target with attacker-controlled JSON (including base64-encoded credential material). This occurs even if the user is not logged in / no API key exists.\n\nIssue 3 - Insecure default permissions for global credentials\n\n- Location: src/build/credentials.ts (global path $HOME/.capgo-credentials/credentials.json)\n- Observed permissions after save: -rw-rw-r-- (664)\n- Impact: credentials file contains sensitive signing material (e.g., Android keystore + Play config; iOS cert/profile/API key in other flows). World/group readability is unsafe on shared hosts and CI runners. Expected minimum: file 0600, directory 0700.\n\n### PoC\nPoC A: .capgo symlink clobber (writes even when API key invalid)\n```\nset -euo pipefail\nBASE=\"/tmp/capgo_cli_poc_$(date +%s)\"\nHOME_SANDBOX=\"$BASE/home\"\nREPO=\"$BASE/repo\"\nTARGET=\"$BASE/clobbered.txt\"\n\nmkdir -p \"$HOME_SANDBOX\" \"$REPO\"\ncd \"$REPO\"\ngit init -q\n\nln -s \"$TARGET\" .capgo\n\n# This should fail auth, but still overwrites TARGET\nHOME=\"$HOME_SANDBOX\" npx --yes @capgo/cli@7.82.0 login \"INVALID_KEY_SHOULD_FAIL\" --local || true\n\necho \"== TARGET content ==\"\ncat \"$TARGET\"\n```\n_Expected: On invalid key, nothing is written; .capgo should never follow symlinks.\nObserved: TARGET contains INVALID_KEY_SHOULD_FAIL._\n\nPoC B: .capgo-credentials.json symlink clobber (no login required)\n```\nset -euo pipefail\nBASE=\"/tmp/capgo_creds_symlink_$(date +%s)\"\nHOME_SANDBOX=\"$BASE/home\"\nREPO=\"$BASE/repo\"\nTARGET=\"$BASE/clobbered_creds.txt\"\n\nmkdir -p \"$HOME_SANDBOX\" \"$REPO\"\ncd \"$REPO\"\ngit init -q\n\nln -s \"$TARGET\" .capgo-credentials.json\n\nHOME=\"$HOME_SANDBOX\" npx --yes @capgo/cli@7.82.0 build credentials save \\\n  --local --platform android --appId com.example.app \\\n  --keystore /etc/hosts --keystore-alias x --keystore-key-password x --play-config /etc/hosts || true\n\necho \"== TARGET exists and contains JSON written via symlink ==\"\nls -la \"$TARGET\" || true\ncat \"$TARGET\" || true\n```\n_Expected: Refuse to write if destination is symlink; ideally require safe location and permissions.\nObserved: TARGET is created/overwritten with credentials JSON._\n\nPoC C: global credentials permissions are world-readable\n```\nset -euo pipefail\nBASE=\"/tmp/capgo_creds_perm_$(date +%s)\"\nHOME_SANDBOX=\"$BASE/home\"\nmkdir -p \"$HOME_SANDBOX\"\n\nHOME=\"$HOME_SANDBOX\" npx --yes @capgo/cli@7.82.0 build credentials save \\\n  --platform android --appId com.example.app \\\n  --keystore /etc/hosts --keystore-alias x --keystore-key-password x --play-config /etc/hosts || true\n\nCREDS=\"$HOME_SANDBOX/.capgo-credentials/credentials.json\"\nls -la \"$CREDS\" || true\nstat -c \u0027%a %U:%G %n\u0027 \"$CREDS\" || true\n```\n_Observed: credentials.json created with mode 664 (-rw-rw-r--)._\n\n### Impact\n\n- Arbitrary file overwrite (clobber) as the user running the CLI (developer workstation / CI runner).\n- This can cause:\n\n\u003edeveloper environment compromise or sabotage (overwriting config files, scripts, env files)\n\u003eaccidental or malicious leakage/destruction of secrets\n\n- Local secret exposure: global credentials written as 664 allows other local users to read signing material on shared machines.\n- A realistic scenario: a developer runs npx @capgo/cli ... --local inside an untrusted repo/template; the repo contains malicious symlinks.\n\n### Suggested remediation\n\n- Do not write .capgo until after API key validation succeeds.\n- For all secret/config writes:\n\n\u003erefuse symlink destinations (lstat + isSymbolicLink)\n\u003euse safe file creation and enforce permissions (0600 for files; 0700 for directories)\n\u003ewrite atomically (temp file + rename) after safety checks\n\n- Avoid blindly appending to .gitignore unless it is a regular file (also check for symlink).",
  "id": "GHSA-8mpm-q7mh-8fvh",
  "modified": "2026-03-18T16:09:42Z",
  "published": "2026-03-18T16:09:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Cap-go/capgo/security/advisories/GHSA-8mpm-q7mh-8fvh"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Cap-go/CLI/commit/b8aa5ccbfad2d7f10f3cdbc00910d4a6aab026b2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Cap-go/capgo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Capgo CLI: symlink-following local secret writes enable arbitrary file overwrite + world-readable credentials (0600 missing)"
}

GHSA-8MRF-X47V-MHG2

Vulnerability from github – Published: 2022-05-24 17:03 – Updated: 2024-04-04 02:43
VLAI
Details

Improper directory permissions in the installer for Intel(R) Management Engine Consumer Driver for Windows before versions 11.8.70, 11.11.70, 11.22.70, 12.0.45,13.0.10 and 14.0.10; Intel(R) TXE before versions 3.1.70 and 4.0.20 may allow an authenticated user to potentially enable escalation of privilege via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-11097"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-12-18T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "Improper directory permissions in the installer for Intel(R) Management Engine Consumer Driver for Windows before versions 11.8.70, 11.11.70, 11.22.70, 12.0.45,13.0.10 and 14.0.10; Intel(R) TXE before versions 3.1.70 and 4.0.20 may allow an authenticated user to potentially enable escalation of privilege via local access.",
  "id": "GHSA-8mrf-x47v-mhg2",
  "modified": "2024-04-04T02:43:58Z",
  "published": "2022-05-24T17:03:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11097"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00241.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8MW3-C47Q-XFHP

Vulnerability from github – Published: 2022-05-13 01:42 – Updated: 2022-05-13 01:42
VLAI
Details

An unspecified server utility in NoMachine before 5.3.10 on Mac OS X and Linux allows authenticated users to gain privileges by gaining access to local files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-12763"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-08-29T15:29:00Z",
    "severity": "HIGH"
  },
  "details": "An unspecified server utility in NoMachine before 5.3.10 on Mac OS X and Linux allows authenticated users to gain privileges by gaining access to local files.",
  "id": "GHSA-8mw3-c47q-xfhp",
  "modified": "2022-05-13T01:42:45Z",
  "published": "2022-05-13T01:42:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12763"
    },
    {
      "type": "WEB",
      "url": "https://www.nomachine.com/SU08O00185"
    },
    {
      "type": "WEB",
      "url": "https://www.nomachine.com/forums/topic/security-advisory-nomachine-privileges-escalation-vulnerability"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8MXP-VVJC-J78G

Vulnerability from github – Published: 2025-11-21 09:30 – Updated: 2025-11-21 09:30
VLAI
Details

The installation directory of LogStare Collector is configured with incorrect access permissions. A non-administrative user may manipulate files within the installation directory and execute arbitrary code with the administrative privilege.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-58097"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-21T07:15:53Z",
    "severity": "MODERATE"
  },
  "details": "The installation directory of LogStare Collector is configured with incorrect access permissions. A non-administrative user may manipulate files within the installation directory and execute arbitrary code with the administrative privilege.",
  "id": "GHSA-8mxp-vvjc-j78g",
  "modified": "2025-11-21T09:30:26Z",
  "published": "2025-11-21T09:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58097"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN77560819"
    },
    {
      "type": "WEB",
      "url": "https://www.logstare.com/vulnerability/2025-001"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-8P26-V8P8-WHM6

Vulnerability from github – Published: 2022-12-20 18:30 – Updated: 2022-12-20 18:30
VLAI
Details

In getNearbyAppStreamingPolicy of DevicePolicyManagerService.java, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-235821829

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-20511"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276",
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-16T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In getNearbyAppStreamingPolicy of DevicePolicyManagerService.java, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-235821829",
  "id": "GHSA-8p26-v8p8-whm6",
  "modified": "2022-12-20T18:30:19Z",
  "published": "2022-12-20T18:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20511"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/pixel/2022-12-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8PQG-F92G-JRWJ

Vulnerability from github – Published: 2022-08-13 00:00 – Updated: 2022-08-16 00:00
VLAI
Details

In ContentService, there is a possible disclosure of available account types due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-199751623

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-20305"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-12T15:15:00Z",
    "severity": "LOW"
  },
  "details": "In ContentService, there is a possible disclosure of available account types due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-199751623",
  "id": "GHSA-8pqg-f92g-jrwj",
  "modified": "2022-08-16T00:00:22Z",
  "published": "2022-08-13T00:00:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20305"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/android-13"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-1
Architecture and Design Operation

The architecture needs to access and modification attributes for files to only those users who actually require those actions.

Mitigation MIT-46
Architecture and Design

Strategy: Separation of Privilege

  • Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
  • Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs

In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.

CAPEC-127: Directory Indexing

An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.

CAPEC-81: Web Server Logs Tampering

Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.