CWE-276
AllowedIncorrect Default Permissions
Abstraction: Base · Status: Draft
During installation, installed file permissions are set to allow anyone to modify those files.
2034 vulnerabilities reference this CWE, most recent first.
GHSA-5438-XRX8-Q93J
Vulnerability from github – Published: 2024-10-23 09:33 – Updated: 2024-10-23 09:33The ProfilePress Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 4.11.1. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token.
{
"affected": [],
"aliases": [
"CVE-2024-9947"
],
"database_specific": {
"cwe_ids": [
"CWE-276",
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-23T07:15:04Z",
"severity": "HIGH"
},
"details": "The ProfilePress Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 4.11.1. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token.",
"id": "GHSA-5438-xrx8-q93j",
"modified": "2024-10-23T09:33:12Z",
"published": "2024-10-23T09:33:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9947"
},
{
"type": "WEB",
"url": "https://profilepress.com"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/61b477c3-88b7-45a4-9fc4-6bca6f7c3604?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-54H3-RFWF-3G76
Vulnerability from github – Published: 2022-05-24 19:09 – Updated: 2022-05-24 19:09The Dell Isilon OneFS versions 8.2.2 and earlier and Dell EMC PowerScale OneFS version 9.0.0 default configuration for Network File System (NFS) allows access to an 'admin' home directory. An attacker may leverage a spoofed Unique Identifier (UID) over NFS to rewrite sensitive files to gain administrative access to the system.
{
"affected": [],
"aliases": [
"CVE-2020-5353"
],
"database_specific": {
"cwe_ids": [
"CWE-276"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-29T16:15:00Z",
"severity": "HIGH"
},
"details": "The Dell Isilon OneFS versions 8.2.2 and earlier and Dell EMC PowerScale OneFS version 9.0.0 default configuration for Network File System (NFS) allows access to an \u0027admin\u0027 home directory. An attacker may leverage a spoofed Unique Identifier (UID) over NFS to rewrite sensitive files to gain administrative access to the system.",
"id": "GHSA-54h3-rfwf-3g76",
"modified": "2022-05-24T19:09:18Z",
"published": "2022-05-24T19:09:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5353"
},
{
"type": "WEB",
"url": "https://support.emc.com/kb/542721"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-54R5-WR8X-X5V3
Vulnerability from github – Published: 2022-12-20 00:30 – Updated: 2024-10-07 21:00Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-j94p-hv25-rm5g. This link is maintained to preserve external references.
Original Description
Apiman 1.5.7 through 2.2.3.Final has insufficient checks for read permissions within the Apiman Manager REST API. A malicious user may be able to find and subscribe to private APIs they do not have permission for, thus accessing API Management-protected resources they should not be allowed to access. The root cause of the issue is the Apiman project's accidental acceptance of a large contribution that was not fully compatible with the security model of Apiman versions before 3.0.0.Final. Because of this, 3.0.0.Final is not affected by the vulnerability.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.2.3.Final"
},
"package": {
"ecosystem": "Maven",
"name": "io.apiman:apiman-manager-api-rest-impl"
},
"ranges": [
{
"events": [
{
"introduced": "1.5.7"
},
{
"fixed": "3.0.0.Final"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-276",
"CWE-280"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-20T17:37:18Z",
"nvd_published_at": "2022-12-20T00:15:00Z",
"severity": "HIGH"
},
"details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-j94p-hv25-rm5g. This link is maintained to preserve external references.\n\n## Original Description\nApiman 1.5.7 through 2.2.3.Final has insufficient checks for read permissions within the Apiman Manager REST API. A malicious user may be able to find and subscribe to private APIs they do not have permission for, thus accessing API Management-protected resources they should not be allowed to access. The root cause of the issue is the Apiman project\u0027s accidental acceptance of a large contribution that was not fully compatible with the security model of Apiman versions before 3.0.0.Final. Because of this, 3.0.0.Final is not affected by the vulnerability.",
"id": "GHSA-54r5-wr8x-x5v3",
"modified": "2024-10-07T21:00:34Z",
"published": "2022-12-20T00:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47551"
},
{
"type": "WEB",
"url": "https://github.com/apiman/apiman/discussions/2409"
},
{
"type": "WEB",
"url": "https://www.apiman.io/blog/permissions-bypass-disclosure"
},
{
"type": "PACKAGE",
"url": "https://www.github.com/apiman/apiman"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Duplicate Advisory: Apiman has insufficient checks for read permissions",
"withdrawn": "2024-10-07T21:00:34Z"
}
GHSA-557Q-69Q9-3WVH
Vulnerability from github – Published: 2022-12-22 21:30 – Updated: 2025-04-16 15:34Documents in deeply-nested cross-origin browsing contexts could have obtained permissions granted to the top-level origin, bypassing the existing prompt and wrongfully inheriting the top-level permissions. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100.
{
"affected": [],
"aliases": [
"CVE-2022-29909"
],
"database_specific": {
"cwe_ids": [
"CWE-276"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-22T20:15:00Z",
"severity": "HIGH"
},
"details": "Documents in deeply-nested cross-origin browsing contexts could have obtained permissions granted to the top-level origin, bypassing the existing prompt and wrongfully inheriting the top-level permissions. This vulnerability affects Thunderbird \u003c 91.9, Firefox ESR \u003c 91.9, and Firefox \u003c 100.",
"id": "GHSA-557q-69q9-3wvh",
"modified": "2025-04-16T15:34:08Z",
"published": "2022-12-22T21:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29909"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1755081"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-16"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-17"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-18"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-55H9-M2G5-R4XM
Vulnerability from github – Published: 2022-03-11 00:02 – Updated: 2022-03-17 00:02A flaw was found in the permissions of a log file created by kexec-tools. This flaw allows a local unprivileged user to read this file and leak kernel internal information from a previous panic. The highest threat from this vulnerability is to confidentiality. This flaw affects kexec-tools shipped by Fedora versions prior to 2.0.21-8 and RHEL versions prior to 2.0.20-47.
{
"affected": [],
"aliases": [
"CVE-2021-20269"
],
"database_specific": {
"cwe_ids": [
"CWE-276"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-10T17:41:00Z",
"severity": "MODERATE"
},
"details": "A flaw was found in the permissions of a log file created by kexec-tools. This flaw allows a local unprivileged user to read this file and leak kernel internal information from a previous panic. The highest threat from this vulnerability is to confidentiality. This flaw affects kexec-tools shipped by Fedora versions prior to 2.0.21-8 and RHEL versions prior to 2.0.20-47.",
"id": "GHSA-55h9-m2g5-r4xm",
"modified": "2022-03-17T00:02:04Z",
"published": "2022-03-11T00:02:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20269"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2021:4404"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2021-20269"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1934261"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-55Q2-P5PH-M3FP
Vulnerability from github – Published: 2022-05-24 22:28 – Updated: 2022-05-24 22:28An exploitable local privilege elevation vulnerability exists in the file system permissions of the Win-911 Enterprise V4.20.13 install directory via “WIN-911 Mobile Runtime” service. Depending on the vector chosen, an attacker can overwrite various executables which could lead to escalation of the privileges when executed.
{
"affected": [],
"aliases": [
"CVE-2020-13539"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-276"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-01-05T16:15:00Z",
"severity": "HIGH"
},
"details": "An exploitable local privilege elevation vulnerability exists in the file system permissions of the Win-911 Enterprise V4.20.13 install directory via \u201cWIN-911 Mobile Runtime\u201d service. Depending on the vector chosen, an attacker can overwrite various executables which could lead to escalation of the privileges when executed.",
"id": "GHSA-55q2-p5ph-m3fp",
"modified": "2022-05-24T22:28:14Z",
"published": "2022-05-24T22:28:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13539"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2020-1150"
},
{
"type": "WEB",
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1150"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-55WP-3PQ4-W8P9
Vulnerability from github – Published: 2023-09-20 18:30 – Updated: 2025-05-02 18:54Jenkins creates a temporary file when a plugin is deployed directly from a URL.
Jenkins 2.423 and earlier, LTS 2.414.1 and earlier creates this temporary file in the system temporary directory with the default permissions for newly created files.
If these permissions are overly permissive, they may allow attackers with access to the Jenkins controller file system to read and write the file before it is installed in Jenkins, potentially resulting in arbitrary code execution.
This vulnerability only affects operating systems using a shared temporary directory for all users (typically Linux). Additionally, the default permissions for newly created files generally only allow attackers to read the temporary file, but not write to it.
This issue complements SECURITY-2823, which affected plugins uploaded from an administrator’s computer. Jenkins 2.424, LTS 2.414.2 creates the temporary file in a subdirectory with more restrictive permissions.
As a workaround, you can change your default temporary-file directory using the Java system property java.io.tmpdir, if you’re concerned about this issue but unable to immediately update Jenkins.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.main:jenkins-core"
},
"ranges": [
{
"events": [
{
"introduced": "2.50"
},
{
"fixed": "2.414.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.main:jenkins-core"
},
"ranges": [
{
"events": [
{
"introduced": "2.415"
},
{
"fixed": "2.424"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-43496"
],
"database_specific": {
"cwe_ids": [
"CWE-276"
],
"github_reviewed": true,
"github_reviewed_at": "2023-09-21T17:21:21Z",
"nvd_published_at": "2023-09-20T17:15:11Z",
"severity": "HIGH"
},
"details": "Jenkins creates a temporary file when a plugin is deployed directly from a URL.\n\nJenkins 2.423 and earlier, LTS 2.414.1 and earlier creates this temporary file in the system temporary directory with the default permissions for newly created files.\n\nIf these permissions are overly permissive, they may allow attackers with access to the Jenkins controller file system to read and write the file before it is installed in Jenkins, potentially resulting in arbitrary code execution.\n\nThis vulnerability only affects operating systems using a shared temporary directory for all users (typically Linux). Additionally, the default permissions for newly created files generally only allow attackers to read the temporary file, but not write to it.\n\nThis issue complements SECURITY-2823, which affected plugins uploaded from an administrator\u2019s computer.\nJenkins 2.424, LTS 2.414.2 creates the temporary file in a subdirectory with more restrictive permissions.\n\nAs a workaround, you can change your default temporary-file directory using the Java system property java.io.tmpdir, if you\u2019re concerned about this issue but unable to immediately update Jenkins.",
"id": "GHSA-55wp-3pq4-w8p9",
"modified": "2025-05-02T18:54:30Z",
"published": "2023-09-20T18:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43496"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/jenkins/commit/df7c4ccda8976c06bf31b8fb9938f26fc38501ca"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3072"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2023/09/20/5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Jenkins temporary plugin file created with insecure permissions "
}
GHSA-5622-5MVM-7268
Vulnerability from github – Published: 2022-05-24 17:12 – Updated: 2022-05-25 00:00Adobe Genuine Integrity Service versions Version 6.4 and earlier have an insecure file permissions vulnerability. Successful exploitation could lead to privilege escalation.
{
"affected": [],
"aliases": [
"CVE-2020-3766"
],
"database_specific": {
"cwe_ids": [
"CWE-276"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-03-25T18:15:00Z",
"severity": "HIGH"
},
"details": "Adobe Genuine Integrity Service versions Version 6.4 and earlier have an insecure file permissions vulnerability. Successful exploitation could lead to privilege escalation.",
"id": "GHSA-5622-5mvm-7268",
"modified": "2022-05-25T00:00:19Z",
"published": "2022-05-24T17:12:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-3766"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/integrity_service/apsb20-12.html"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-20-372"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-564H-HX6X-WG47
Vulnerability from github – Published: 2026-04-21 21:31 – Updated: 2026-04-21 21:31HKUDS OpenHarness prior to PR #147 remediation contains an insecure default configuration vulnerability where remote channels inherit allow_from = ["*"] permitting arbitrary remote senders to pass admission checks. Attackers who can reach the configured channel can bypass access controls and reach host-backed agent runtimes, potentially leading to unauthorized file disclosure and read access through default-enabled read-only tools.
{
"affected": [],
"aliases": [
"CVE-2026-6823"
],
"database_specific": {
"cwe_ids": [
"CWE-276"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-21T21:16:48Z",
"severity": "HIGH"
},
"details": "HKUDS OpenHarness prior to PR #147 remediation contains an insecure default configuration vulnerability where remote channels inherit allow_from = [\"*\"] permitting arbitrary remote senders to pass admission checks. Attackers who can reach the configured channel can bypass access controls and reach host-backed agent runtimes, potentially leading to unauthorized file disclosure and read access through default-enabled read-only tools.",
"id": "GHSA-564h-hx6x-wg47",
"modified": "2026-04-21T21:31:28Z",
"published": "2026-04-21T21:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6823"
},
{
"type": "WEB",
"url": "https://github.com/HKUDS/OpenHarness/pull/147"
},
{
"type": "WEB",
"url": "https://github.com/HKUDS/OpenHarness/commit/fab40c6eabfb15f2bdf23cddd3cfe66a64ea203d"
},
{
"type": "WEB",
"url": "https://github.com/HKUDS/OpenHarness/releases/tag/v0.1.7"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/hkuds-openharness-insecure-default-remote-channel-allowlist"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-564M-562Q-F5W6
Vulnerability from github – Published: 2023-06-15 21:30 – Updated: 2024-04-04 04:52In onResume of AppManagementFragment.java, there is a possible way to prevent users from forgetting a previously connected VPN due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12Android ID: A-205460459
{
"affected": [],
"aliases": [
"CVE-2023-21121"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-276"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-15T19:15:09Z",
"severity": "HIGH"
},
"details": "In onResume of AppManagementFragment.java, there is a possible way to prevent users from forgetting a previously connected VPN due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12Android ID: A-205460459",
"id": "GHSA-564m-562q-f5w6",
"modified": "2024-04-04T04:52:22Z",
"published": "2023-06-15T21:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21121"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2023-06-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-1
The architecture needs to access and modification attributes for files to only those users who actually require those actions.
Mitigation MIT-46
Strategy: Separation of Privilege
- Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
- Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.
CAPEC-127: Directory Indexing
An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.
CAPEC-81: Web Server Logs Tampering
Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.