Common Weakness Enumeration

CWE-276

Allowed

Incorrect Default Permissions

Abstraction: Base · Status: Draft

During installation, installed file permissions are set to allow anyone to modify those files.

2035 vulnerabilities reference this CWE, most recent first.

GHSA-57F6-PVX8-HWJ6

Vulnerability from github – Published: 2026-06-26 20:44 – Updated: 2026-06-26 20:44
VLAI
Summary
turso-cli persists Turso platform JWT with world-readable (0o644) file permissions
Details

Summary

turso-cli persists the user's Turso platform JWT to settings.json using Viper's default configPermissions of 0o644, leaving the credential file world-readable on standard Linux and macOS systems. Any other local UID on the host can read the file and recover the platform JWT, which grants full Turso platform access scoped to the user's organizations.

Impact

The token in settings.json grants the holder full Turso platform access — create or destroy databases, rotate credentials, exfiltrate data, change billing settings — for any organization the user belongs to.

Because the file is world-readable, the credential is reachable by:

  • Cron jobs or daemons running as a different system user on the same host
  • Sandboxed CI runners with a mounted home directory
  • Containers with a bind-mounted host home
  • Co-tenants on a shared multi-user developer or jumpbox host

The file path resolves through configdir.LocalConfig("turso"):

  • macOS: ~/Library/Application Support/turso/settings.json
  • Linux: ~/.config/turso/settings.json (or $XDG_CONFIG_HOME/turso/settings.json)

It contains the platform JWT in plaintext JSON alongside organization and username fields.

Comparable CLIs (gh, aws, docker, gcloud, plus close peers planetscale, neon, upstash) write credential files at 0o600 explicitly, so this is a deviation from the cross-vendor baseline rather than a deliberate trade-off.

Details

The OAuth callback handler stores the platform JWT via the settings layer:

// internal/cmd/auth.go:205-214
jwt, err := callbackServer.Result()
...
settings.SetToken(jwt)

SetToken writes through Viper:

// internal/settings/settings.go:124-127
func (s *Settings) SetToken(token string) {
    viper.Set("token", token)
    s.changed = true
}

Persistence runs through viper.WriteConfig:

// internal/settings/settings.go:96-101
func TryToPersistChanges() error {
    if err := viper.WriteConfig(); err != nil {
        return fmt.Errorf("failed to persist turso settings file: %w", err)
    }
    return nil
}

Viper v1.21.0 (pinned in turso-cli go.mod) initializes configPermissions to os.FileMode(0o644) at viper.go:198 and passes that mode straight to os.OpenFile at viper.go:1688. Without a call to viper.SetConfigPermissions(0o600), the resulting settings.json is created at 0o644.

A grep over the auth-config write path under internal/ returns zero hits for Chmod, 0o600, or 0600, confirming there is no follow-up tightening of the file mode anywhere on the persistence path.

Proof of concept

Minimal reproducer using the same Viper version turso-cli pins (github.com/spf13/viper v1.21.0):

package main

import (
    "fmt"
    "os"
    "path/filepath"

    "github.com/spf13/viper"
)

func main() {
    dir, _ := os.MkdirTemp("", "viperpoc-*")
    defer os.RemoveAll(dir)

    viper.SetConfigName("settings")
    viper.SetConfigType("json")
    viper.AddConfigPath(dir)

    viper.Set("token", "FAKE_TURSO_JWT_xxxxxxxxxxxxxxxxxxxx")
    viper.Set("organization", "exampleorg")
    viper.SafeWriteConfig()

    st, _ := os.Stat(filepath.Join(dir, "settings.json"))
    fmt.Printf("mode: %o\n", st.Mode()&0o777)
}

$ go run main.go mode: 644

The same SafeWriteConfig / WriteConfig calls turso-cli uses produce the same 0o644 mode in a real turso auth login flow.

Remediation

One-line fix at the existing Viper configuration site in internal/settings/settings.go (around lines 48-50):

viper.SetConfigName("settings")
viper.SetConfigType("json")
viper.AddConfigPath(configPath)
viper.SetConfigPermissions(0o600) // restrict settings.json to owner only

Defense in depth:

  • Add os.Chmod(configFile, 0o600) after TryToPersistChanges, or on read (as PlanetScale does in internal/config/config.go — they Stat the token file and self-heal if Mode() &^ 0o600 is nonzero). viper.SetConfigPermissions applies only on file creation, so an existing wider-mode file is not tightened otherwise.
  • Add os.Chmod(configPath, 0o700) after configdir.MakePath(configPath) (line 43) to close the equivalent gap on the enclosing directory, which is otherwise created under the default umask.

Patch: https://github.com/tursodatabase/turso-cli/commit/ffb914849216ef5a86353b3fa6cee66f33af3b66

Workarounds

Until upgraded, users can tighten the existing files manually:

# Linux
chmod 600 ~/.config/turso/settings.json
chmod 700 ~/.config/turso

# macOS
chmod 600 "$HOME/Library/Application Support/turso/settings.json"
chmod 700 "$HOME/Library/Application Support/turso"

This must be repeated after any operation that recreates the file (e.g. turso auth login) until the patched version is installed.

Resources

  • Patch commit: https://github.com/tursodatabase/turso-cli/commit/ffb914849216ef5a86353b3fa6cee66f33af3b66
  • Viper configPermissions default: https://github.com/spf13/viper/blob/v1.21.0/viper.go#L198
  • Viper write path: https://github.com/spf13/viper/blob/v1.21.0/viper.go#L1688
  • CWE-276: https://cwe.mitre.org/data/definitions/276.html
  • CWE-732: https://cwe.mitre.org/data/definitions/732.html
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.0.25"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/tursodatabase/turso-cli"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.26"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-48790"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276",
      "CWE-732"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-26T20:44:39Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\n`turso-cli` persists the user\u0027s Turso platform JWT to `settings.json` using Viper\u0027s default `configPermissions` of `0o644`, leaving the credential file world-readable on standard Linux and macOS systems. Any other local UID on the host can read the file and recover the platform JWT, which grants full Turso platform access scoped to the user\u0027s organizations.\n\n### Impact\n\nThe token in `settings.json` grants the holder full Turso platform access \u2014 create or destroy databases, rotate credentials, exfiltrate data, change billing settings \u2014 for any organization the user belongs to.\n\nBecause the file is world-readable, the credential is reachable by:\n\n- Cron jobs or daemons running as a different system user on the same host\n- Sandboxed CI runners with a mounted home directory\n- Containers with a bind-mounted host home\n- Co-tenants on a shared multi-user developer or jumpbox host\n\nThe file path resolves through `configdir.LocalConfig(\"turso\")`:\n\n- macOS: `~/Library/Application Support/turso/settings.json`\n- Linux: `~/.config/turso/settings.json` (or `$XDG_CONFIG_HOME/turso/settings.json`)\n\nIt contains the platform JWT in plaintext JSON alongside `organization` and `username` fields.\n\nComparable CLIs (`gh`, `aws`, `docker`, `gcloud`, plus close peers `planetscale`, `neon`, `upstash`) write credential files at `0o600` explicitly, so this is a deviation from the cross-vendor baseline rather than a deliberate trade-off.\n\n### Details\n\nThe OAuth callback handler stores the platform JWT via the settings layer:\n\n```go\n// internal/cmd/auth.go:205-214\njwt, err := callbackServer.Result()\n...\nsettings.SetToken(jwt)\n```\n\n`SetToken` writes through Viper:\n\n```go\n// internal/settings/settings.go:124-127\nfunc (s *Settings) SetToken(token string) {\n    viper.Set(\"token\", token)\n    s.changed = true\n}\n```\n\nPersistence runs through `viper.WriteConfig`:\n\n```go\n// internal/settings/settings.go:96-101\nfunc TryToPersistChanges() error {\n    if err := viper.WriteConfig(); err != nil {\n        return fmt.Errorf(\"failed to persist turso settings file: %w\", err)\n    }\n    return nil\n}\n```\n\nViper v1.21.0 (pinned in `turso-cli` `go.mod`) initializes `configPermissions` to `os.FileMode(0o644)` at `viper.go:198` and passes that mode straight to `os.OpenFile` at `viper.go:1688`. Without a call to `viper.SetConfigPermissions(0o600)`, the resulting `settings.json` is created at `0o644`.\n\nA `grep` over the auth-config write path under `internal/` returns zero hits for `Chmod`, `0o600`, or `0600`, confirming there is no follow-up tightening of the file mode anywhere on the persistence path.\n\n### Proof of concept\n\nMinimal reproducer using the same Viper version `turso-cli` pins (`github.com/spf13/viper v1.21.0`):\n\n```go\npackage main\n\nimport (\n    \"fmt\"\n    \"os\"\n    \"path/filepath\"\n\n    \"github.com/spf13/viper\"\n)\n\nfunc main() {\n    dir, _ := os.MkdirTemp(\"\", \"viperpoc-*\")\n    defer os.RemoveAll(dir)\n\n    viper.SetConfigName(\"settings\")\n    viper.SetConfigType(\"json\")\n    viper.AddConfigPath(dir)\n\n    viper.Set(\"token\", \"FAKE_TURSO_JWT_xxxxxxxxxxxxxxxxxxxx\")\n    viper.Set(\"organization\", \"exampleorg\")\n    viper.SafeWriteConfig()\n\n    st, _ := os.Stat(filepath.Join(dir, \"settings.json\"))\n    fmt.Printf(\"mode: %o\\n\", st.Mode()\u00260o777)\n}\n```\n$ go run main.go mode: 644\n\nThe same `SafeWriteConfig` / `WriteConfig` calls `turso-cli` uses produce the same `0o644` mode in a real `turso auth login` flow.\n\n### Remediation\n\nOne-line fix at the existing Viper configuration site in `internal/settings/settings.go` (around lines 48-50):\n\n```go\nviper.SetConfigName(\"settings\")\nviper.SetConfigType(\"json\")\nviper.AddConfigPath(configPath)\nviper.SetConfigPermissions(0o600) // restrict settings.json to owner only\n```\n\nDefense in depth:\n\n- Add `os.Chmod(configFile, 0o600)` after `TryToPersistChanges`, or on read (as PlanetScale does in `internal/config/config.go` \u2014 they `Stat` the token file and self-heal if `Mode() \u0026^ 0o600` is nonzero).  `viper.SetConfigPermissions` applies only on file creation, so an existing wider-mode file is not tightened otherwise.\n- Add `os.Chmod(configPath, 0o700)` after `configdir.MakePath(configPath)` (line 43) to close the equivalent gap on the enclosing directory, which is otherwise created under the default umask.\n\nPatch: https://github.com/tursodatabase/turso-cli/commit/ffb914849216ef5a86353b3fa6cee66f33af3b66\n\n### Workarounds\n\nUntil upgraded, users can tighten the existing files manually:\n\n```sh\n# Linux\nchmod 600 ~/.config/turso/settings.json\nchmod 700 ~/.config/turso\n\n# macOS\nchmod 600 \"$HOME/Library/Application Support/turso/settings.json\"\nchmod 700 \"$HOME/Library/Application Support/turso\"\n```\n\nThis must be repeated after any operation that recreates the file (e.g.\n`turso auth login`) until the patched version is installed.\n\n### Resources\n\n- Patch commit: https://github.com/tursodatabase/turso-cli/commit/ffb914849216ef5a86353b3fa6cee66f33af3b66\n- Viper `configPermissions` default: https://github.com/spf13/viper/blob/v1.21.0/viper.go#L198\n- Viper write path: https://github.com/spf13/viper/blob/v1.21.0/viper.go#L1688\n- CWE-276: https://cwe.mitre.org/data/definitions/276.html\n- CWE-732: https://cwe.mitre.org/data/definitions/732.html",
  "id": "GHSA-57f6-pvx8-hwj6",
  "modified": "2026-06-26T20:44:39Z",
  "published": "2026-06-26T20:44:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tursodatabase/turso-cli/security/advisories/GHSA-57f6-pvx8-hwj6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tursodatabase/turso-cli"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "turso-cli persists Turso platform JWT with world-readable (0o644) file permissions"
}

GHSA-57P4-2X7W-PHR2

Vulnerability from github – Published: 2022-09-02 00:01 – Updated: 2025-08-22 12:30
VLAI
Details

Samba does not validate the Validated-DNS-Host-Name right for the dNSHostName attribute which could permit unprivileged users to write it.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-32743"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-01T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "Samba does not validate the Validated-DNS-Host-Name right for the dNSHostName attribute which could permit unprivileged users to write it.",
  "id": "GHSA-57p4-2x7w-phr2",
  "modified": "2025-08-22T12:30:30Z",
  "published": "2022-09-02T00:01:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32743"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.samba.org/show_bug.cgi?id=14833"
    },
    {
      "type": "WEB",
      "url": "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/5c578b15-d619-408d-ba17-380714b89fd1"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZTTOLTHUHOV4SHCHCB5TAA4FQVJAWN4P"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTTOLTHUHOV4SHCHCB5TAA4FQVJAWN4P"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202309-06"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-57RX-38PP-C45G

Vulnerability from github – Published: 2024-06-27 21:32 – Updated: 2025-11-04 00:30
VLAI
Details

IBM Security Access Manager Docker 10.0.0.0 through 10.0.7.1 could disclose sensitive information to a local user to do improper permission controls. IBM X-Force ID: 261195.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-38368"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-27T19:15:11Z",
    "severity": "MODERATE"
  },
  "details": "IBM Security Access Manager Docker 10.0.0.0 through 10.0.7.1 could disclose sensitive information to a local user to do improper permission controls.  IBM X-Force ID:  261195.",
  "id": "GHSA-57rx-38pp-c45g",
  "modified": "2025-11-04T00:30:50Z",
  "published": "2024-06-27T21:32:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38368"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/261195"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7158790"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Nov/0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-57VH-RHQR-CFFH

Vulnerability from github – Published: 2023-12-09 09:30 – Updated: 2023-12-13 00:30
VLAI
Details

Insecure File Permissions in Support Assistant in NCP Secure Enterprise Client before 12.22 allow attackers to write to configuration files from low-privileged user accounts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-28870"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-09T07:15:07Z",
    "severity": "MODERATE"
  },
  "details": "Insecure File Permissions in Support Assistant in NCP Secure Enterprise Client before 12.22 allow attackers to write to configuration files from low-privileged user accounts.",
  "id": "GHSA-57vh-rhqr-cffh",
  "modified": "2023-12-13T00:30:37Z",
  "published": "2023-12-09T09:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28870"
    },
    {
      "type": "WEB",
      "url": "https://herolab.usd.de/en/security-advisories/usd-2022-0004"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5828-HC43-9J7X

Vulnerability from github – Published: 2024-10-25 18:30 – Updated: 2024-10-25 21:31
VLAI
Details

OvalEdge 5.2.8.0 and earlier is affected by an Account Takeover vulnerability via a POST request to /profile/updateProfile via the userId and email parameters. Authentication is required.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-30355"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-25T16:15:08Z",
    "severity": "CRITICAL"
  },
  "details": "OvalEdge 5.2.8.0 and earlier is affected by an Account Takeover vulnerability via a POST request to /profile/updateProfile via the userId and email parameters. Authentication is required.",
  "id": "GHSA-5828-hc43-9j7x",
  "modified": "2024-10-25T21:31:27Z",
  "published": "2024-10-25T18:30:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30355"
    },
    {
      "type": "WEB",
      "url": "https://cve.offsecguy.com/ovaledge/vulnerabilities/account-takeover#cve-2022-30355"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-583V-34RX-WGXX

Vulnerability from github – Published: 2025-10-23 03:32 – Updated: 2025-10-23 18:31
VLAI
Details

Incorrect Default Permissions vulnerability in MongoDB Atlas SQL ODBC driver on Windows allows Privilege Escalation.This issue affects MongoDB Atlas SQL ODBC driver: from 1.0.0 through 2.0.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-11575"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-23T01:15:37Z",
    "severity": "HIGH"
  },
  "details": "Incorrect Default Permissions vulnerability in MongoDB Atlas SQL ODBC driver on Windows allows Privilege Escalation.This issue affects MongoDB Atlas SQL ODBC driver: from 1.0.0 through 2.0.0.",
  "id": "GHSA-583v-34rx-wgxx",
  "modified": "2025-10-23T18:31:14Z",
  "published": "2025-10-23T03:32:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11575"
    },
    {
      "type": "WEB",
      "url": "https://www.mongodb.com/docs/atlas/release-notes/sql"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-589Q-75R3-MFQ4

Vulnerability from github – Published: 2022-05-24 17:23 – Updated: 2023-07-20 11:13
VLAI
Summary
Silverstripe has Incorrect Default Permissions
Details

SilverStripe 4.5.0 allows attackers to read certain records that should not have been placed into a result set. This affects silverstripe/recipe-cms. The automatic permission-checking mechanism in the silverstripe/graphql module does not provide complete protection against lists that are limited (e.g., through pagination), resulting in records that should have failed a permission check being added to the final result set. GraphQL endpoints are configured by default (e.g., for assets), but the admin/graphql endpoint is access protected by default. This limits the vulnerability to all authenticated users, including those with limited permissions (e.g., where viewing records exposed through admin/graphql requires administrator permissions). However, if custom GraphQL endpoints have been configured for a specific implementation (usually under /graphql), this vulnerability could also be exploited through unauthenticated requests. This vulnerability only applies to reading records; it does not allow unauthorised changing of records.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "silverstripe/recipe-cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.5.0"
            },
            {
              "fixed": "4.5.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "silverstripe/graphql"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.2.0"
            },
            {
              "fixed": "3.2.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-6165"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-20T11:13:08Z",
    "nvd_published_at": "2020-07-15T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "SilverStripe 4.5.0 allows attackers to read certain records that should not have been placed into a result set. This affects silverstripe/recipe-cms. The automatic permission-checking mechanism in the silverstripe/graphql module does not provide complete protection against lists that are limited (e.g., through pagination), resulting in records that should have failed a permission check being added to the final result set. GraphQL endpoints are configured by default (e.g., for assets), but the admin/graphql endpoint is access protected by default. This limits the vulnerability to all authenticated users, including those with limited permissions (e.g., where viewing records exposed through admin/graphql requires administrator permissions). However, if custom GraphQL endpoints have been configured for a specific implementation (usually under /graphql), this vulnerability could also be exploited through unauthenticated requests. This vulnerability only applies to reading records; it does not allow unauthorised changing of records.",
  "id": "GHSA-589q-75r3-mfq4",
  "modified": "2023-07-20T11:13:08Z",
  "published": "2022-05-24T17:23:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6165"
    },
    {
      "type": "WEB",
      "url": "https://docs.silverstripe.org/en/4/changelogs/4.5.3/?_ga=2.170693920.105499209.1689776417-708940272.1689776417"
    },
    {
      "type": "WEB",
      "url": "https://docs.silverstripe.org/en/4/changelogs/4.6.0/?_ga=2.170693920.105499209.1689776417-708940272.1689776417"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/graphql/CVE-2020-6165.yaml"
    },
    {
      "type": "WEB",
      "url": "https://www.silverstripe.org/download/security-releases/CVE-2020-6165"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Silverstripe has Incorrect Default Permissions "
}

GHSA-58J4-VM73-HGVH

Vulnerability from github – Published: 2026-06-22 15:30 – Updated: 2026-06-22 15:30
VLAI
Details

Incorrect default permissions in ArubaSign, affecting versions prior to v4.6.6. The vulnerability is caused by the assignment of inappropriate permissions during the software’s default installation, whereby the main executable and other programme files located in C:\Program Files have excessive permissions for the ‘Everyone’ group. This could allow an unprivileged user to replace the main executable and/or its components with a malicious file, thereby enabling the execution of arbitrary code. In the worst-case scenario, if the malicious code is executed with elevated privileges (such as those of Administrator or SYSTEM), the attacker could escalate privileges and gain full control of the system, compromising both security and data integrity.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-12602"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-22T14:16:27Z",
    "severity": "HIGH"
  },
  "details": "Incorrect default permissions in ArubaSign, affecting versions prior to v4.6.6. The vulnerability is caused by the assignment of inappropriate permissions during the software\u2019s default installation, whereby the main executable and other programme files located in C:\\Program Files have excessive permissions for the \u2018Everyone\u2019 group. This could allow an unprivileged user to replace the main executable and/or its components with a malicious file, thereby enabling the execution of arbitrary code. In the worst-case scenario, if the malicious code is executed with elevated privileges (such as those of Administrator or SYSTEM), the attacker could escalate privileges and gain full control of the system, compromising both security and data integrity.",
  "id": "GHSA-58j4-vm73-hgvh",
  "modified": "2026-06-22T15:30:43Z",
  "published": "2026-06-22T15:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12602"
    },
    {
      "type": "WEB",
      "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/incorrect-permissions-arubasign-aruba"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-58JH-XRF3-5PP9

Vulnerability from github – Published: 2023-05-04 21:30 – Updated: 2024-04-04 03:48
VLAI
Details

An issue was discovered in GeoVision GV-Edge Recording Manager 2.2.3.0 for windows, which contains improper permissions within the default installation and allows attackers to execute arbitrary code and gain escalated privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-23059"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-04T20:15:09Z",
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered in GeoVision GV-Edge Recording Manager 2.2.3.0 for windows, which contains improper permissions within the default installation and allows attackers to execute arbitrary code and gain escalated privileges.",
  "id": "GHSA-58jh-xrf3-5pp9",
  "modified": "2024-04-04T03:48:08Z",
  "published": "2023-05-04T21:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23059"
    },
    {
      "type": "WEB",
      "url": "https://packetstormsecurity.com/files/172141/GV-Edge-Recording-Manager-2.2.3.0-Privilege-Escalation.html"
    },
    {
      "type": "WEB",
      "url": "http://geovision.com"
    },
    {
      "type": "WEB",
      "url": "http://gv-edge.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-58JP-6F6M-4V4F

Vulnerability from github – Published: 2026-05-20 18:31 – Updated: 2026-05-20 18:31
VLAI
Details

Incorrect default permissions vulnerability in Progress Software MOVEit Automation allows Retrieve Embedded Sensitive Data.

This issue affects MOVEit Automation: before 2025.0.11, from 2025.1.0 before 2025.1.7.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-8487"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-20T16:16:27Z",
    "severity": "MODERATE"
  },
  "details": "Incorrect default permissions vulnerability in Progress Software MOVEit Automation allows Retrieve Embedded Sensitive Data.\n\nThis issue affects MOVEit Automation: before 2025.0.11, from 2025.1.0 before 2025.1.7.",
  "id": "GHSA-58jp-6f6m-4v4f",
  "modified": "2026-05-20T18:31:35Z",
  "published": "2026-05-20T18:31:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8487"
    },
    {
      "type": "WEB",
      "url": "https://docs.progress.com/bundle/moveit-automation-release-notes-2026/page/Fixed-Issues-2026.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-1
Architecture and Design Operation

The architecture needs to access and modification attributes for files to only those users who actually require those actions.

Mitigation MIT-46
Architecture and Design

Strategy: Separation of Privilege

  • Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
  • Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs

In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.

CAPEC-127: Directory Indexing

An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.

CAPEC-81: Web Server Logs Tampering

Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.