Common Weakness Enumeration

CWE-276

Allowed

Incorrect Default Permissions

Abstraction: Base · Status: Draft

During installation, installed file permissions are set to allow anyone to modify those files.

2035 vulnerabilities reference this CWE, most recent first.

GHSA-564P-H37M-W2XH

Vulnerability from github – Published: 2024-10-23 00:31 – Updated: 2024-10-23 00:31
VLAI
Details

Incorrect Default Permissions vulnerability in GenBroker32, which is included in the installers for ICONICS GENESIS64 version 10.97.3 and prior, Mitsubishi Electric GENESIS64 version 10.97.3 and prior and Mitsubishi Electric MC Works64 all versions allows a local authenticated attacker to disclose or tamper with confidential information and data contained in the products, or cause a denial of service (DoS) condition on the products, by accessing a folder with incorrect permissions, when GenBroker32 is installed on the same PC as GENESIS64 or MC Works64.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-7587"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-22T23:15:02Z",
    "severity": "HIGH"
  },
  "details": "Incorrect Default Permissions vulnerability in GenBroker32, which is included in the installers for ICONICS GENESIS64 version 10.97.3 and prior, Mitsubishi Electric GENESIS64 version 10.97.3 and prior and Mitsubishi Electric MC Works64 all versions allows a local authenticated attacker to disclose or tamper with confidential information and data contained in the products, or cause a denial of service (DoS) condition on the products, by accessing a folder with incorrect permissions, when GenBroker32 is installed on the same PC as GENESIS64 or MC Works64.",
  "id": "GHSA-564p-h37m-w2xh",
  "modified": "2024-10-23T00:31:46Z",
  "published": "2024-10-23T00:31:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7587"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/vu/JVNVU95548104"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-296-01"
    },
    {
      "type": "WEB",
      "url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2024-008_en.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5662-CV6M-63WH

Vulnerability from github – Published: 2025-07-18 20:13 – Updated: 2025-07-18 20:13
VLAI
Summary
melange's world-writable permissions expose SBOM files to potential image tampering
Details

It was discovered that the SBOM files generated by melange in apks had file system permissions mode 666:

$ apkrane ls https://packages.wolfi.dev/os/x86_64/APKINDEX.tar.gz -P hello-wolfi --full --latest  | xargs wget -q -O  - | tar tzv 2>/dev/null var/lib/db/sbom
drwxr-xr-x root/root         0 2025-06-23 14:17 var/lib/db/sbom
-rw-rw-rw- root/root      3383 2025-06-23 14:17 var/lib/db/sbom/hello-wolfi-2.12.2-r1.spdx.json

This issue was introduced in commit 1b272db ("Persist workspace filesystem throughout package builds (#1836)") (v0.23.0).

Impact

This potentially allows an unprivileged user to tamper with apk SBOMs on a running image, potentially confusing security scanners. An attacker could also perform a DoS under special circumstances.

Patches

This issue was addressed in melange in e29494b ("fix: tighten up permissions for written SBOM files and signature tarballs (#2086)") (v0.29.5).

Acknowledgements

Thanks to Cody Harris H2O.ai and Markus Boehme for independently reporting this issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "chainguard.dev/melange"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.23.0"
            },
            {
              "fixed": "0.29.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-54059"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-18T20:13:21Z",
    "nvd_published_at": "2025-07-18T16:15:30Z",
    "severity": "MODERATE"
  },
  "details": "It was discovered that the SBOM files generated by melange in apks had file system permissions mode 666:\n```\n$ apkrane ls https://packages.wolfi.dev/os/x86_64/APKINDEX.tar.gz -P hello-wolfi --full --latest  | xargs wget -q -O  - | tar tzv 2\u003e/dev/null var/lib/db/sbom\ndrwxr-xr-x root/root         0 2025-06-23 14:17 var/lib/db/sbom\n-rw-rw-rw- root/root      3383 2025-06-23 14:17 var/lib/db/sbom/hello-wolfi-2.12.2-r1.spdx.json\n```\n\nThis issue was introduced in commit 1b272db (\"Persist workspace filesystem throughout package builds (#1836)\") ([v0.23.0](https://github.com/chainguard-dev/melange/releases/tag/v0.23.0)).\n\n### Impact\nThis potentially allows an unprivileged user to tamper with apk SBOMs on a running image, potentially confusing security scanners. An attacker could also perform a DoS under special circumstances.\n\n### Patches\nThis issue was addressed in melange in e29494b (\"fix: tighten up permissions for written SBOM files and signature tarballs (#2086)\") ([v0.29.5](https://github.com/chainguard-dev/melange/releases/tag/v0.29.5)).\n\n## Acknowledgements\n\nThanks to Cody Harris [H2O.ai](https://h2o.ai/) and Markus Boehme for independently reporting this issue.",
  "id": "GHSA-5662-cv6m-63wh",
  "modified": "2025-07-18T20:13:21Z",
  "published": "2025-07-18T20:13:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/chainguard-dev/melange/security/advisories/GHSA-5662-cv6m-63wh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54059"
    },
    {
      "type": "WEB",
      "url": "https://github.com/chainguard-dev/melange/pull/1836"
    },
    {
      "type": "WEB",
      "url": "https://github.com/chainguard-dev/melange/pull/2086"
    },
    {
      "type": "WEB",
      "url": "https://github.com/chainguard-dev/melange/commit/1b272db2a0bb3441553284cc56d87236b4b64c04"
    },
    {
      "type": "WEB",
      "url": "https://github.com/chainguard-dev/melange/commit/e29494b4a40a91619ec1c87a09003c6d5164cea1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/chainguard-dev/melange"
    },
    {
      "type": "WEB",
      "url": "https://github.com/chainguard-dev/melange/releases/tag/v0.29.5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "melange\u0027s world-writable permissions expose SBOM files to potential image tampering"
}

GHSA-569F-2GGR-6V5W

Vulnerability from github – Published: 2023-01-04 12:30 – Updated: 2023-01-10 18:30
VLAI
Details

In network service, there is a missing permission check. This could lead to local escalation of privilege with System execution privileges needed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-39087"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276",
      "CWE-77",
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-04T10:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In network service, there is a missing permission check. This could lead to local escalation of privilege with System execution privileges needed.",
  "id": "GHSA-569f-2ggr-6v5w",
  "modified": "2023-01-10T18:30:26Z",
  "published": "2023-01-04T12:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39087"
    },
    {
      "type": "WEB",
      "url": "https://www.unisoc.com/en_us/secy/announcementDetail/1610118225591336001"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-56GQ-M2M7-QC85

Vulnerability from github – Published: 2025-07-25 15:30 – Updated: 2025-07-25 21:33
VLAI
Details

Unitree Go1 <= Go1_2022_05_11 is vulnerable to Insecure Permissions as the firmware update functionality (via Wi-Fi/Ethernet) implements an insecure verification mechanism that solely relies on MD5 checksums for firmware integrity validation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-45467"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-25T15:15:29Z",
    "severity": "HIGH"
  },
  "details": "Unitree Go1 \u003c= Go1_2022_05_11 is vulnerable to Insecure Permissions as the firmware update functionality (via Wi-Fi/Ethernet) implements an insecure verification mechanism that solely relies on MD5 checksums for firmware integrity validation.",
  "id": "GHSA-56gq-m2m7-qc85",
  "modified": "2025-07-25T21:33:49Z",
  "published": "2025-07-25T15:30:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-45467"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zgsnj123/CVE-2025-45467/tree/main"
    },
    {
      "type": "WEB",
      "url": "https://www.unitree.com/cn/go1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-56H4-RRGP-R6PX

Vulnerability from github – Published: 2024-11-28 18:38 – Updated: 2024-11-28 18:38
VLAI
Details

The NetCloud Exchange client for Windows, version 1.110.50, contains an insecure file and folder permissions vulnerability. A normal (non-admin) user could exploit the weakness in file and folder permissions to escalate privileges, execute arbitrary code and maintain persistence on the compromised machine. It has been identified that full control permissions exist on the ‘Everyone’ group (i.e. any user who has local access to the operating system regardless of their privileges).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-11969"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-28T16:15:07Z",
    "severity": "HIGH"
  },
  "details": "The NetCloud Exchange client for Windows, version 1.110.50, contains an insecure file and folder permissions vulnerability. A normal (non-admin) user could exploit the weakness in file and folder permissions to escalate privileges, execute arbitrary code and maintain persistence on the compromised machine. It has been identified that full control permissions exist on the \u2018Everyone\u2019 group (i.e. any user who has local access to the operating system regardless of their privileges).",
  "id": "GHSA-56h4-rrgp-r6px",
  "modified": "2024-11-28T18:38:38Z",
  "published": "2024-11-28T18:38:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11969"
    },
    {
      "type": "WEB",
      "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/incorrect-default-permissions-cradlepoint-netcloud-exchange"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-56X3-C3F3-5345

Vulnerability from github – Published: 2025-04-01 00:30 – Updated: 2025-11-03 21:33
VLAI
Details

This issue was addressed by removing the vulnerable code. This issue is fixed in macOS Ventura 13.7.5, macOS Sequoia 15.4, macOS Sonoma 14.7.5. A malicious app may be able to gain root privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-24234"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-31T23:15:20Z",
    "severity": "HIGH"
  },
  "details": "This issue was addressed by removing the vulnerable code. This issue is fixed in macOS Ventura 13.7.5, macOS Sequoia 15.4, macOS Sonoma 14.7.5. A malicious app may be able to gain root privileges.",
  "id": "GHSA-56x3-c3f3-5345",
  "modified": "2025-11-03T21:33:19Z",
  "published": "2025-04-01T00:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24234"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122373"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122374"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122375"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/Apr/10"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/Apr/8"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/Apr/9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-56XM-5973-MJQ5

Vulnerability from github – Published: 2024-07-10 21:30 – Updated: 2024-09-05 18:30
VLAI
Details

Bypass of GACS Policy Configuration settings in Citrix Workspace app for HTML5

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-6148"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-10T21:15:10Z",
    "severity": "MODERATE"
  },
  "details": "Bypass of GACS Policy Configuration settings in Citrix Workspace app for HTML5",
  "id": "GHSA-56xm-5973-mjq5",
  "modified": "2024-09-05T18:30:49Z",
  "published": "2024-07-10T21:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6148"
    },
    {
      "type": "WEB",
      "url": "https://support.citrix.com/article/CTX678037"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-572V-35QP-6587

Vulnerability from github – Published: 2023-01-20 21:30 – Updated: 2023-02-01 15:30
VLAI
Details

An incorrect default permissions vulnerability in Lenovo Leyun cloud music application could allow denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-1109"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-20T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "An incorrect default permissions vulnerability in Lenovo Leyun cloud music application could allow denial of service.",
  "id": "GHSA-572v-35qp-6587",
  "modified": "2023-02-01T15:30:19Z",
  "published": "2023-01-20T21:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1109"
    },
    {
      "type": "WEB",
      "url": "https://iknow.lenovo.com.cn/detail/dc_204380.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-579W-6RQJ-43GC

Vulnerability from github – Published: 2025-11-12 21:31 – Updated: 2025-11-12 21:31
VLAI
Details

An improper default permission vulnerability was reported in Lenovo Dock Manager that, under certain conditions during installation, could allow an authenticated local user to redirect log files with elevated privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-8421"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-12T20:15:45Z",
    "severity": "MODERATE"
  },
  "details": "An improper default permission vulnerability was reported in Lenovo Dock Manager that, under certain conditions during installation, could allow an authenticated local user to redirect log files with elevated privileges.",
  "id": "GHSA-579w-6rqj-43gc",
  "modified": "2025-11-12T21:31:09Z",
  "published": "2025-11-12T21:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8421"
    },
    {
      "type": "WEB",
      "url": "https://support.lenovo.com/us/en/product_security/LEN-198729"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-57CG-PMV4-V925

Vulnerability from github – Published: 2024-08-12 15:30 – Updated: 2024-11-26 15:31
VLAI
Details

In ICMPv6 Neighbor Discovery (ND), the ID is always 0. When pf is configured to allow ND and block incoming Echo Requests, a crafted Echo Request packet after a Neighbor Solicitation (NS) can trigger an Echo Reply. The packet has to come from the same host as the NS and have a zero as identifier to match the state created by the Neighbor Discovery and allow replies to be generated.

ICMPv6 packets with identifier value of zero bypass firewall rules written on the assumption that the incoming packets are going to create a state in the state table.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-6640"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-12T13:38:39Z",
    "severity": "MODERATE"
  },
  "details": "In ICMPv6 Neighbor Discovery (ND), the ID is always 0.  When pf is configured to allow ND and block incoming Echo Requests, a crafted Echo Request packet after a Neighbor Solicitation (NS) can trigger an Echo Reply.  The packet has to come from the same host as the NS and have a zero as identifier to match the state created by the Neighbor Discovery and allow replies to be generated.\n\nICMPv6 packets with identifier value of zero bypass firewall rules written on the assumption that the incoming packets are going to create a state in the state table.",
  "id": "GHSA-57cg-pmv4-v925",
  "modified": "2024-11-26T15:31:00Z",
  "published": "2024-08-12T15:30:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6640"
    },
    {
      "type": "WEB",
      "url": "https://security.freebsd.org/advisories/FreeBSD-SA-24:05.pf.asc"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20240816-0008"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-1
Architecture and Design Operation

The architecture needs to access and modification attributes for files to only those users who actually require those actions.

Mitigation MIT-46
Architecture and Design

Strategy: Separation of Privilege

  • Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
  • Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs

In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.

CAPEC-127: Directory Indexing

An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.

CAPEC-81: Web Server Logs Tampering

Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.