Common Weakness Enumeration

CWE-276

Allowed

Incorrect Default Permissions

Abstraction: Base · Status: Draft

During installation, installed file permissions are set to allow anyone to modify those files.

2035 vulnerabilities reference this CWE, most recent first.

GHSA-7853-GQQM-VCWX

Vulnerability from github – Published: 2026-04-08 00:16 – Updated: 2026-04-08 00:16
VLAI
Summary
openclaw-claude-bridge: sandbox is not effective - `--allowed-tools ""` does not restrict available tools
Details

Affected

openclaw-claude-bridge v1.1.0

Issue

v1.1.0 spawns the Claude Code CLI subprocess with --allowed-tools "" and the release notes + README claim this "disables all CLI tools" for sandboxing. This claim is incorrect.

Per the Claude Code CLI documentation, --allowed-tools (alias --allowedTools) is an auto-approve allowlist of tools that execute without permission prompts — NOT a restriction on which tools are available. The correct flag to restrict the available tool set is --tools:

--tools <tools...> Specify the list of available tools from the built-in set. Use "" to disable all tools, "default" to use all tools, or specify tool names (e.g. "Bash,Edit,Read").

Impact

  • All CLI tools (Read/Write/Bash/WebFetch/...) remain nominally available to the spawned subprocess.
  • Actual execution behavior in --print non-interactive mode depends on undocumented CLI defaults (may auto-deny, may error out, may hang).
  • Users who deploy the bridge behind any interface that forwards untrusted prompts (e.g., publicly exposed OpenClaw gateway, automated pipelines with web-fetched context, agents that consume tool results from other systems) may be relying on a sandbox that does not exist.

The README explicitly makes a security claim the code does not uphold, creating a false sense of safety for downstream operators. If the underlying CLI behavior changes in a future version to auto-allow tools in --print mode, prompt-injection attacks could trigger arbitrary Read/Write/Bash operations in the gateway's process context.

Patches

Fixed in v1.1.1 (commit 8a296f5) by switching to --tools "". The environment variable was also renamed from CLAUDE_ALLOWED_TOOLS to CLAUDE_TOOLS to match the flag.

Workarounds

Setting CLAUDE_ALLOWED_TOOLS on v1.1.0 has no mitigating effect. Upgrade to v1.1.1 or manually edit dist/cli-bridge.js to replace --allowed-tools with --tools.

References

  • Fix: https://github.com/SeaL773/openclaw-claude-bridge/commit/8a296f5
  • v1.1.1 notes: https://github.com/SeaL773/openclaw-claude-bridge/releases/tag/v1.1.1
  • Claude Code CLI reference: https://docs.claude.com/en/docs/claude-code/cli-reference

Credit

Found during a second-round code review.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.1.1"
      },
      "package": {
        "ecosystem": "npm",
        "name": "openclaw-claude-bridge"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-39398"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188",
      "CWE-276"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-08T00:16:09Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Affected\n\nopenclaw-claude-bridge v1.1.0\n\n## Issue\n\nv1.1.0 spawns the Claude Code CLI subprocess with `--allowed-tools \"\"` and the release notes + README claim this **\"disables all CLI tools\"** for sandboxing. This claim is incorrect.\n\nPer the Claude Code CLI documentation, `--allowed-tools` (alias `--allowedTools`) is an **auto-approve allowlist** of tools that execute without permission prompts \u2014 NOT a restriction on which tools are available. The correct flag to restrict the available tool set is `--tools`:\n\n\u003e `--tools \u003ctools...\u003e`  Specify the list of available tools from the built-in set. **Use `\"\"` to disable all tools**, `\"default\"` to use all tools, or specify tool names (e.g. `\"Bash,Edit,Read\"`).\n\n## Impact\n\n- All CLI tools (Read/Write/Bash/WebFetch/...) remain nominally available to the spawned subprocess.\n- Actual execution behavior in `--print` non-interactive mode depends on undocumented CLI defaults (may auto-deny, may error out, may hang).\n- Users who deploy the bridge behind any interface that forwards untrusted prompts (e.g., publicly exposed OpenClaw gateway, automated pipelines with web-fetched context, agents that consume tool results from other systems) may be relying on a sandbox that does not exist.\n\nThe README explicitly makes a security claim the code does not uphold, creating a false sense of safety for downstream operators. If the underlying CLI behavior changes in a future version to auto-allow tools in `--print` mode, prompt-injection attacks could trigger arbitrary Read/Write/Bash operations in the gateway\u0027s process context.\n\n## Patches\n\nFixed in [v1.1.1](https://github.com/SeaL773/openclaw-claude-bridge/releases/tag/v1.1.1) (commit 8a296f5) by switching to `--tools \"\"`. The environment variable was also renamed from `CLAUDE_ALLOWED_TOOLS` to `CLAUDE_TOOLS` to match the flag.\n\n## Workarounds\n\nSetting `CLAUDE_ALLOWED_TOOLS` on v1.1.0 has no mitigating effect. Upgrade to v1.1.1 or manually edit `dist/cli-bridge.js` to replace `--allowed-tools` with `--tools`.\n\n## References\n\n- Fix: https://github.com/SeaL773/openclaw-claude-bridge/commit/8a296f5\n- v1.1.1 notes: https://github.com/SeaL773/openclaw-claude-bridge/releases/tag/v1.1.1\n- Claude Code CLI reference: https://docs.claude.com/en/docs/claude-code/cli-reference\n\n## Credit\n\nFound during a second-round code review.",
  "id": "GHSA-7853-gqqm-vcwx",
  "modified": "2026-04-08T00:16:09Z",
  "published": "2026-04-08T00:16:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/SeaL773/openclaw-claude-bridge/security/advisories/GHSA-7853-gqqm-vcwx"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SeaL773/openclaw-claude-bridge/commit/8a296f5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/SeaL773/openclaw-claude-bridge"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SeaL773/openclaw-claude-bridge/releases/tag/v1.1.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "openclaw-claude-bridge: sandbox is not effective - `--allowed-tools \"\"` does not restrict available tools"
}

GHSA-787C-98FQ-89H9

Vulnerability from github – Published: 2025-08-12 18:31 – Updated: 2025-08-12 18:31
VLAI
Details

Incorrect default permissions for some AI Playground software before version v2.3.0 alpha may allow an authenticated user to potentially enable escalation of privilege via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-27559"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-12T17:15:37Z",
    "severity": "MODERATE"
  },
  "details": "Incorrect default permissions for some AI Playground software before version v2.3.0 alpha may allow an authenticated user to potentially enable escalation of privilege via local access.",
  "id": "GHSA-787c-98fq-89h9",
  "modified": "2025-08-12T18:31:29Z",
  "published": "2025-08-12T18:31:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27559"
    },
    {
      "type": "WEB",
      "url": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01352.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-788G-F8CX-72JV

Vulnerability from github – Published: 2026-02-07 00:30 – Updated: 2026-02-07 00:30
VLAI
Details

SprintWork 2.3.1 contains multiple local privilege escalation vulnerabilities through insecure file, service, and folder permissions on Windows systems. Local unprivileged users can exploit missing executable files and weak service configurations to create a new administrative user and gain complete system access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-37160"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-07T00:15:56Z",
    "severity": "HIGH"
  },
  "details": "SprintWork 2.3.1 contains multiple local privilege escalation vulnerabilities through insecure file, service, and folder permissions on Windows systems. Local unprivileged users can exploit missing executable files and weak service configurations to create a new administrative user and gain complete system access.",
  "id": "GHSA-788g-f8cx-72jv",
  "modified": "2026-02-07T00:30:28Z",
  "published": "2026-02-07T00:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-37160"
    },
    {
      "type": "WEB",
      "url": "https://veridium.net"
    },
    {
      "type": "WEB",
      "url": "https://veridium.net/sprintwork"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/48070"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/sprintwork-local-privilege-escalation"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-78HQ-926C-2XMR

Vulnerability from github – Published: 2026-05-19 18:32 – Updated: 2026-05-19 18:32
VLAI
Details

Windmill prior to 1.703.2 contains an incorrect default permissions vulnerability in nsjail sandbox configuration files where /etc is bind-mounted without read-write restrictions, allowing authenticated users to write arbitrary entries to /etc/hosts, /etc/resolv.conf, and /etc/ssl/certs/ca-certificates.crt from within script execution sandboxes. Attackers can exploit persistent poisoned entries across all subsequent script executions on the same worker pod to redirect hostnames, intercept DNS queries, perform transparent HTTPS man-in-the-middle attacks, and intercept WM_TOKEN JWTs to gain workspace-admin access to victim workspaces across tenants.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-47107"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-19T18:16:22Z",
    "severity": "CRITICAL"
  },
  "details": "Windmill prior to 1.703.2 contains an incorrect default permissions vulnerability in nsjail sandbox configuration files where /etc is bind-mounted without read-write restrictions, allowing authenticated users to write arbitrary entries to /etc/hosts, /etc/resolv.conf, and /etc/ssl/certs/ca-certificates.crt from within script execution sandboxes. Attackers can exploit persistent poisoned entries across all subsequent script executions on the same worker pod to redirect hostnames, intercept DNS queries, perform transparent HTTPS man-in-the-middle attacks, and intercept WM_TOKEN JWTs to gain workspace-admin access to victim workspaces across tenants.",
  "id": "GHSA-78hq-926c-2xmr",
  "modified": "2026-05-19T18:32:14Z",
  "published": "2026-05-19T18:32:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47107"
    },
    {
      "type": "WEB",
      "url": "https://github.com/windmill-labs/windmill/pull/9194"
    },
    {
      "type": "WEB",
      "url": "https://github.com/windmill-labs/windmill/commit/f8467f38c8a053117ce62f96684cfb15ef792f08"
    },
    {
      "type": "WEB",
      "url": "https://github.com/windmill-labs/windmill/releases/tag/v1.703.2"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/windmill-incorrect-default-permissions-in-nsjail-configuration"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-78PR-2FH5-229X

Vulnerability from github – Published: 2025-02-20 12:31 – Updated: 2025-02-20 12:31
VLAI
Details

Dell Recover Point for Virtual Machines 6.0.X contains a Weak file system permission vulnerability. A low privileged Local attacker could potentially exploit this vulnerability, leading to impacting only non-sensitive resources in the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-21106"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-20T12:15:11Z",
    "severity": "MODERATE"
  },
  "details": "Dell Recover Point for Virtual Machines 6.0.X contains a Weak file system permission vulnerability. A low privileged Local attacker could potentially exploit this vulnerability, leading to impacting only non-sensitive resources in the system.",
  "id": "GHSA-78pr-2fh5-229x",
  "modified": "2025-02-20T12:31:16Z",
  "published": "2025-02-20T12:31:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21106"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000287503/dsa-2025-101-security-update-for-dell-recoverpoint-for-virtual-machines-multiple-component-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-79G5-39QJ-GGVG

Vulnerability from github – Published: 2023-12-05 00:31 – Updated: 2023-12-08 18:30
VLAI
Details

In createPendingIntent of CredentialManagerUi.java, there is a possible way to access credentials from other users due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-40076"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-04T23:15:23Z",
    "severity": "MODERATE"
  },
  "details": "In createPendingIntent of CredentialManagerUi.java, there is a possible way to access credentials from other users due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.",
  "id": "GHSA-79g5-39qj-ggvg",
  "modified": "2023-12-08T18:30:39Z",
  "published": "2023-12-05T00:31:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40076"
    },
    {
      "type": "WEB",
      "url": "https://android.googlesource.com/platform/frameworks/base/+/9b68987df85b681f9362a3cadca6496796d23bbc"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2023-12-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-79MR-QV5F-CQ65

Vulnerability from github – Published: 2026-03-03 21:31 – Updated: 2026-03-09 18:31
VLAI
Details

HP System Event Utility might allow denial of service with elevated arbitrary file writes. This potential vulnerability was remediated with HP System Event Utility version 3.2.16.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-2915"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-03T20:16:49Z",
    "severity": "MODERATE"
  },
  "details": "HP System Event Utility might allow denial of service with elevated arbitrary file writes. This potential vulnerability was\n               remediated with HP System Event Utility version 3.2.16.",
  "id": "GHSA-79mr-qv5f-cq65",
  "modified": "2026-03-09T18:31:36Z",
  "published": "2026-03-03T21:31:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2915"
    },
    {
      "type": "WEB",
      "url": "https://support.hp.com/us-en/document/ish_14271963-14271996-16/hpsbgn04097"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-79P4-HP34-C4RW

Vulnerability from github – Published: 2022-12-26 21:30 – Updated: 2023-01-05 21:30
VLAI
Details

An issue was discovered in Illumos in Nexenta NexentaStor 4.0.5 and 5.1.2, and other products. The SMB server allows an attacker to have unintended access, e.g., an attacker with WRITE_XATTR can change permissions. This occurs because of a combination of three factors: ZFS extended attributes are used to implement NT named streams, the SMB protocol requires implementations to have open handle semantics similar to those of NTFS, and the SMB server passes along certain attribute requests to the underlying object (i.e., they are not considered to be requests that pertain to the named stream).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-9579"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-26T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Illumos in Nexenta NexentaStor 4.0.5 and 5.1.2, and other products. The SMB server allows an attacker to have unintended access, e.g., an attacker with WRITE_XATTR can change permissions. This occurs because of a combination of three factors: ZFS extended attributes are used to implement NT named streams, the SMB protocol requires implementations to have open handle semantics similar to those of NTFS, and the SMB server passes along certain attribute requests to the underlying object (i.e., they are not considered to be requests that pertain to the named stream).",
  "id": "GHSA-79p4-hp34-c4rw",
  "modified": "2023-01-05T21:30:16Z",
  "published": "2022-12-26T21:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9579"
    },
    {
      "type": "WEB",
      "url": "https://www.illumos.org/issues/10506"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7C2R-J947-3P6P

Vulnerability from github – Published: 2026-04-13 06:30 – Updated: 2026-04-16 18:31
VLAI
Details

Incorrect default permission in Galaxy Wearable prior to version 2.2.68.26 allows local attackers to access sensitive information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-21013"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-13T06:16:06Z",
    "severity": "MODERATE"
  },
  "details": "Incorrect default permission in Galaxy Wearable prior to version 2.2.68.26 allows local attackers to access sensitive information.",
  "id": "GHSA-7c2r-j947-3p6p",
  "modified": "2026-04-16T18:31:21Z",
  "published": "2026-04-13T06:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21013"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2026\u0026month=04"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-7C44-QGGM-PV6G

Vulnerability from github – Published: 2022-05-24 19:03 – Updated: 2022-05-24 19:03
VLAI
Details

Incorrect File Permissions in Nagios XI 5.7.5 and earlier and Nagios Fusion 4.1.8 and earlier allows for Privilege Escalation to root. Low-privileged users are able to modify files that are included (aka sourced) by scripts executed by root.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-28906"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-24T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "Incorrect File Permissions in Nagios XI 5.7.5 and earlier and Nagios Fusion 4.1.8 and earlier allows for Privilege Escalation to root. Low-privileged users are able to modify files that are included (aka sourced) by scripts executed by root.",
  "id": "GHSA-7c44-qggm-pv6g",
  "modified": "2022-05-24T19:03:04Z",
  "published": "2022-05-24T19:03:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28906"
    },
    {
      "type": "WEB",
      "url": "https://skylightcyber.com/2021/05/20/13-nagios-vulnerabilities-7-will-shock-you"
    },
    {
      "type": "WEB",
      "url": "https://www.nagios.com/downloads/nagios-xi/change-log"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/162783/Nagios-XI-Fusion-Privilege-Escalation-Cross-Site-Scripting-Code-Execution.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation MIT-1
Architecture and Design Operation

The architecture needs to access and modification attributes for files to only those users who actually require those actions.

Mitigation MIT-46
Architecture and Design

Strategy: Separation of Privilege

  • Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
  • Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs

In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.

CAPEC-127: Directory Indexing

An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.

CAPEC-81: Web Server Logs Tampering

Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.