CWE-732— Incorrect Permission Assignment for Critical Resource

viewvc 1.0.3 allows improper access control to files in a repository when using the "forbidden" configuration option.

A missing permission check was found in The CLI in JBoss Operations Network before 2.3.1 does not properly check permissions, which allows JBoss ON users to perform management tasks and configuration changes with the privileges of the admi…

drbd8 allows local users to bypass intended restrictions for certain actions via netlink packets, similar to CVE-2009-3725.

PackageKit 0.6.17 allows installation of unsigned RPM packages as though they were signed which may allow installation of non-trusted packages and execution of arbitrary code.

Apache Struts before 2.3.1.2 allows remote attackers to bypass security protections in the ParameterInterceptor class and execute arbitrary commands.

Joomla! com_mailto 1.5.x through 1.5.13 has an automated mail timeout bypass.

The install-chef-suse.sh script shipped with crowbar before 2012-10-02 is creating files containing confidential data with insecure permissions, allowing local users to read confidential data.

Moodle before 2.2.2 has a permission issue in Forum Subscriptions where unenrolled users can subscribe/unsubscribe via mod/forum/index.php

ISPConfig 3.0.4.3: the "Add new Webdav user" can chmod and chown entire server from client interface.

An issue exists AccountService 0.6.37 in the user_change_password_authorized_cb() function in user.c which could let a local users obtain encrypted passwords.

OpenStack nova base images permissions are world readable

ovirt-engine 3.2 running on Linux kernel 3.1 and newer creates certain files world-writeable due to an upstream kernel change which impacted how python's os.chmod() works when passed a mode of '-1'.

It was reported that watchman in openshift node-utils creates /var/run/watchman.pid and /var/log/watchman.ouput with world writable permission.

An issue was discovered in the DBI module before 1.632 for Perl. DBD::File drivers can open files from folders other than those specifically passed via the f_dir attribute.

An issue was discovered in the DBI module through 1.643 for Perl. DBD::File drivers can open files from folders other than those specifically passed via the f_dir attribute in the data source name (DSN). NOTE: this issue exists because of …

In Ubuntu's trust-store, if a user revokes location access from an application, the location is still available to the application because the application will honour incorrect, cached permissions. This is because the cache was not ordered…

The orbisius-child-theme-creator plugin before 1.2.8 for WordPress has incorrect access control for file modification via the wp-admin/admin-ajax.php?action=orbisius_ctc_theme_editor_ajax&sub_cmd=save_file theme_1, theme_1_file, or theme_1…

An issue was discovered in Mattermost Server before 3.5.1. E-mail address verification can be bypassed.

An issue was discovered in Mattermost Server before 3.3.0. An attacker could use the WebSocket feature to send pop-up messages to users or change a post's appearance.

An issue was discovered in Mattermost Server before 3.0.0. It has a superfluous API in which the System Admin can change the account name and e-mail address of an LDAP account.

An issue was discovered in Mattermost Server before 3.0.0. It offers superfluous APIs for a Team Administrator to view account details.

A permissions flaw was found in redis, which sets weak permissions on certain files and directories that could potentially contain sensitive information. A local, unprivileged user could possibly use this flaw to access unauthorized system…

A postinstall script in the dovecot rpm allows local users to read the contents of newly created SSL/TLS key files.

browser/extensions/api/dial/dial_registry.cc in Google Chrome before 54.0.2840.98 on macOS, before 54.0.2840.99 on Windows, and before 54.0.2840.100 on Linux neglects to copy a device ID before an erase() call, which causes the erase opera…

A local information disclosure issue was found in dracut before 045 when generating initramfs images with world-readable permissions when 'early cpio' is used, such as when including microcode updates. Local attacker can use this to obtain…

It was discovered in the Linux kernel before 4.11-rc8 that root can gain direct access to an internal keyring, such as '.dns_resolver' in RHEL-7 or '.builtin_trusted_keys' upstream, by joining it as its session keyring. This allows root to…

Ubiquiti UCRM versions 2.3.0 to 2.7.7 allow an authenticated user to read arbitrary files in the local file system. Note that by default, the local file system is isolated in a docker container. Successful exploitation requires valid crede…

Jenkins Speaks! Plugin, all current versions, allows users with Job/Configure permission to run arbitrary Groovy code inside the Jenkins JVM, effectively elevating privileges to Overall/Run Scripts.

Brave Software's Brave Browser, version 0.19.73 (and earlier) is vulnerable to an incorrect access control issue in the "JS fingerprinting blocking" component, resulting in a malicious website being able to access the fingerprinting-associ…

Nylas Mail Lives 2.2.2 uses 0755 permissions for $HOME/.nylas-mail, which allows local users to obtain sensitive authentication information via standard filesystem operations.

It was found in EAP 7 before 7.0.9 that properties based files of the management and the application realm configuration that contain user to role mapping are world readable allowing access to users and roles information to all the users l…

In the KeyStore service, there is a permissions bypass that allows access to protected resources. This could lead to local escalation of privilege with system execution privileges needed. User interaction is not needed for exploitation. Pr…

IBM Security Access Manager Appliance 8.0.0 and 9.0.0 specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. IBM X-Force ID: 128378.

Huawei OceanStor 2800 V3, V300R003C00, V300R003C20, OceanStor 5300 V3, V300R003C00, V300R003C10, V300R003C20, OceanStor 5500 V3, V300R003C00, V300R003C10, V300R003C20, OceanStor 5600 V3, V300R003C00, V300R003C10, V300R003C20, OceanStor 580…

IBM QRadar 7.3 and 7.3.1 specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. IBM X-Force ID: 133122.

In SapphireIMS 4097_1, a guest user can create a local administrator account on any system that has SapphireIMS installed, because of an Insecure Direct Object Reference (IDOR) in the local user creation function.

In SapphireIMS 4097_1, a guest user is able to change the password of an administrative user by utilizing an Insecure Direct Object Reference (IDOR) in the "Account Password Reset" functionality.

Improper Permissions Handling in the Portal on FiberHome LM53Q1 VH519R05C01S38 devices (intended for obtaining information about Internet Usage, Changing Passwords, etc.) allows remote attackers to look for the information without authenti…

The arq_updater binary in Arq 5.10 and earlier for Mac allows local users to write to arbitrary files and consequently gain root privileges via a crafted update URL, as demonstrated by file:///tmp/blah/Arq.zip.

The standardrestorer binary in Arq 5.10 and earlier for Mac allows local users to write to arbitrary files and consequently gain root privileges via a crafted restore path.

IBM MQ Managed File Transfer Agent 8.0 and 9.0 sets insecure permissions on certain files it creates. A local attacker could exploit this vulnerability to modify or delete data contained in the files with an unknown impact. IBM X-Force ID:…

BMC Remedy 9.1SP3 is affected by authenticated code execution. Authenticated users that have the right to create reports can use BIRT templates to run code.

Inteno iopsys 2.0-3.14 and 4.0 devices allow remote authenticated users to execute arbitrary OS commands by modifying the leasetrigger field in the odhcpd configuration to specify an arbitrary program, as demonstrated by a program located …

The Gentoo net-im/jabberd2 package through 2.6.1 installs jabberd, jabberd2-c2s, jabberd2-router, jabberd2-s2s, and jabberd2-sm in /usr/bin owned by the jabber account, which might allow local users to gain privileges by leveraging access …

The Gentoo net-im/jabberd2 package through 2.6.1 sets the ownership of /var/run/jabber to the jabber account, which might allow local users to kill arbitrary processes by leveraging access to this account for PID file modification before a…

The Gentoo app-backup/burp package before 2.1.32 sets the ownership of the PID file directory to the burp account, which might allow local users to kill arbitrary processes by leveraging access to this account for PID file modification bef…

The Gentoo app-backup/burp package before 2.1.32 has incorrect group ownership of the /etc/burp directory, which might allow local users to obtain read and write access to arbitrary files by leveraging access to a certain account for a bur…

Splunk Enterprise 6.6.x, when configured to run as root but drop privileges to a specific non-root account, allows local users to gain privileges by leveraging access to that non-root account to modify $SPLUNK_HOME/etc/splunk-launch.conf a…

An issue was discovered in Mattermost Server before 4.5.0, 4.4.5, and 4.3.4. It mishandled webhook access control in the EnableOnlyAdminIntegrations case.

An issue was discovered in Mattermost Server before 4.4.3 and 4.3.3. Attackers could reconfigure an OAuth app in some cases where Mattermost is an OAuth 2.0 service provider.