Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

CVEs (1,508)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2020-10279 4Aliasrobotics Enabled RoboticsMobile Industrial Robotics+1 more 10Er Flex Firmware Er Lite FirmwareEr One Firmware+7 more Nov 21, 2024 Jun 24, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 MiR robot controllers (central computation unit) makes use of Ubuntu 16.04.2 an operating system, Thought for desktop uses, this operating system presents insecure defaults for robots. These insecurities include a way fo...Show more MiR robot controllers (central computation unit) makes use of Ubuntu 16.04.2 an operating system, Thought for desktop uses, this operating system presents insecure defaults for robots. These insecurities include a way for users to escalate their access beyond what they were granted via file creation, access race conditions, insecure home directory configurations and defaults that facilitate Denial of Service (DoS) attacks.Show less
CVE-2020-8933 2Google Opensuse 2Guest Oslogin Leap Nov 21, 2024 Jun 22, 2020 9.3 CRITICAL· v4 7.8 HIGH· v3 6.9 MEDIUM· v2 A vulnerability in Google Cloud Platform's guest-oslogin versions between 20190304 and 20200507 allows a user that is only granted the role "roles/compute.osLogin" to escalate privileges to root. Using the membership to...Show more A vulnerability in Google Cloud Platform's guest-oslogin versions between 20190304 and 20200507 allows a user that is only granted the role "roles/compute.osLogin" to escalate privileges to root. Using the membership to the "lxd" group, an attacker can attach host devices and filesystems. Within an lxc container, it is possible to attach the host OS filesystem and modify /etc/sudoers to then gain administrative privileges. All images created after 2020-May-07 (20200507) are fixed, and if you cannot update, we recommend you edit /etc/group/security.conf and remove the "lxd" user from the OS Login entry.Show less
CVE-2020-8907 2Google Opensuse 2Guest Oslogin Leap Nov 21, 2024 Jun 22, 2020 9.3 CRITICAL· v4 7.8 HIGH· v3 6.9 MEDIUM· v2 A vulnerability in Google Cloud Platform's guest-oslogin versions between 20190304 and 20200507 allows a user that is only granted the role "roles/compute.osLogin" to escalate privileges to root. Using their membership t...Show more A vulnerability in Google Cloud Platform's guest-oslogin versions between 20190304 and 20200507 allows a user that is only granted the role "roles/compute.osLogin" to escalate privileges to root. Using their membership to the "docker" group, an attacker with this role is able to run docker and mount the host OS. Within docker, it is possible to modify the host OS filesystem and modify /etc/groups to gain administrative privileges. All images created after 2020-May-07 (20200507) are fixed, and if you cannot update, we recommend you edit /etc/group/security.conf and remove the "docker" user from the OS Login entry.Show less
CVE-2020-8903 2Google Opensuse 2Guest Oslogin Leap Nov 21, 2024 Jun 22, 2020 7.3 HIGH· v4 7.8 HIGH· v3 6.9 MEDIUM· v2 A vulnerability in Google Cloud Platform's guest-oslogin versions between 20190304 and 20200507 allows a user that is only granted the role "roles/compute.osLogin" to escalate privileges to root. Using their membership t...Show more A vulnerability in Google Cloud Platform's guest-oslogin versions between 20190304 and 20200507 allows a user that is only granted the role "roles/compute.osLogin" to escalate privileges to root. Using their membership to the "adm" group, users with this role are able to read the DHCP XID from the systemd journal. Using the DHCP XID, it is then possible to set the IP address and hostname of the instance to any value, which is then stored in /etc/hosts. An attacker can then point metadata.google.internal to an arbitrary IP address and impersonate the GCE metadata server which make it is possible to instruct the OS Login PAM module to grant administrative privileges. All images created after 2020-May-07 (20200507) are fixed, and if you cannot update, we recommend you edit /etc/group/security.conf and remove the "adm" user from the OS Login entry.Show less
CVE-2020-3626 1Qualcomm 36Apq8053 Firmware Apq8096au FirmwareApq8098 Firmware+33 more Nov 21, 2024 Jun 22, 2020 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Any application can bind to it and exercise the APIs due to no protection for AIDL uimlpaservice in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon W...Show more Any application can bind to it and exercise the APIs due to no protection for AIDL uimlpaservice in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables in APQ8053, APQ8096AU, APQ8098, MSM8905, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCA6574AU, QCS605, QM215, Rennell, Saipan, SDA660, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130Show less
CVE-2017-18915 1Mattermost 1Mattermost Server Nov 21, 2024 Jun 19, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. After a restart of a server, an attacker might suddenly gain API Endpoint access.
CVE-2019-20889 1Mattermost 1Mattermost Server Nov 21, 2024 Jun 19, 2020 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 An issue was discovered in Mattermost Server before 5.7, 5.6.3, 5.5.2, and 4.10.5. It mishandles permissions for user-access token creation.
CVE-2019-20882 1Mattermost 1Mattermost Server Nov 21, 2024 Jun 19, 2020 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 An issue was discovered in Mattermost Server before 5.8.0. It does not honor the domain requirement when processing a join request for an open team.
CVE-2020-14019 1Rtslib Fb Project 1Rtslib Fb Nov 21, 2024 Jun 19, 2020 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Open-iSCSI rtslib-fb through 2.1.72 has weak permissions for /etc/target/saveconfig.json because shutil.copyfile (instead of shutil.copy) is used, and thus permissions are not preserved.
CVE-2020-10782 1Redhat 1Ansible Tower Nov 21, 2024 Jun 18, 2020 N/A· v4 6.5 MEDIUM· v3 2.1 LOW· v2 An exposure of sensitive information flaw was found in Ansible version 3.7.0. Sensitive information, such tokens and other secrets could be readable and exposed from the rsyslog configuration file, which has set the wron...Show more An exposure of sensitive information flaw was found in Ansible version 3.7.0. Sensitive information, such tokens and other secrets could be readable and exposed from the rsyslog configuration file, which has set the wrong world-readable permissions. The highest threat from this vulnerability is to confidentiality. This is fixed in Ansible version 3.7.1.Show less
CVE-2019-9943 1Openmicroscopy 1Omero.server Nov 21, 2024 Jun 17, 2020 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 In ome.services.graphs.GraphTraversal.findObjectDetails in Open Microscopy Environment OMERO.server 5.1.0 through 5.6.0, permissions on OMERO model objects may be circumvented during certain operations such as move and d...Show more In ome.services.graphs.GraphTraversal.findObjectDetails in Open Microscopy Environment OMERO.server 5.1.0 through 5.6.0, permissions on OMERO model objects may be circumvented during certain operations such as move and delete, because group permissions are mishandled.Show less
CVE-2020-14156 1Openbmc Project 1Openbmc Nov 21, 2024 Jun 15, 2020 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 user_channel/passwd_mgr.cpp in OpenBMC phosphor-host-ipmid before 2020-04-03 does not ensure that /etc/ipmi-pass has strong file permissions.
CVE-2020-0215 1Google 1Android Nov 21, 2024 Jun 11, 2020 N/A· v4 7.8 HIGH· v3 4.4 MEDIUM· v2 In onCreate of ConfirmConnectActivity.java, there is a possible leak of Bluetooth information due to a permissions bypass. This could lead to local escalation of privilege that exposes a pairing Bluetooth MAC address wit...Show more In onCreate of ConfirmConnectActivity.java, there is a possible leak of Bluetooth information due to a permissions bypass. This could lead to local escalation of privilege that exposes a pairing Bluetooth MAC address with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android Versions: Android-9 Android-10 Android-11 Android-8.0 Android-8.1 Android ID: A-140417248Show less
CVE-2020-0209 1Google 1Android Nov 21, 2024 Jun 11, 2020 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 In multiple functions of AccountManager.java, there is a possible permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for ex...Show more In multiple functions of AccountManager.java, there is a possible permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-145206842Show less
CVE-2020-0208 1Google 1Android Nov 21, 2024 Jun 11, 2020 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 In multiple functions of AccountManager.java, there is a possible permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for ex...Show more In multiple functions of AccountManager.java, there is a possible permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-145207098Show less
CVE-2020-0133 1Google 1Android Nov 21, 2024 Jun 11, 2020 N/A· v4 7.3 HIGH· v3 4.4 MEDIUM· v2 In MockLocationAppPreferenceController.java, it is possible to mock the GPS location of the device due to a permissions bypass. This could lead to local escalation of privilege with User execution privileges needed. User...Show more In MockLocationAppPreferenceController.java, it is possible to mock the GPS location of the device due to a permissions bypass. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-145136060Show less
CVE-2020-9817 1Apple 1Mac Os X Nov 21, 2024 Jun 9, 2020 N/A· v4 7.8 HIGH· v3 9.3 HIGH· v2 A permissions issue existed. This issue was addressed with improved permission validation. This issue is fixed in macOS Catalina 10.15.5. A malicious application may be able to gain root privileges.
CVE-2020-13885 1Citrix 1Workspace App Nov 21, 2024 Jun 8, 2020 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 Citrix Workspace App before 1912 on Windows has Insecure Permissions which allows local users to gain privileges during the uninstallation of the application.
CVE-2020-13884 1Citrix 1Workspace App Nov 21, 2024 Jun 8, 2020 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 Citrix Workspace App before 1912 on Windows has Insecure Permissions and an Unquoted Path vulnerability which allows local users to gain privileges during the uninstallation of the application.
CVE-2020-8954 1Openbrowser Project 1Openbrowser Nov 21, 2024 Jun 8, 2020 N/A· v4 5.4 MEDIUM· v3 5.8 MEDIUM· v2 OpenSearch Web browser 1.0.4.9 allows Intent Scheme Hijacking.[a link that opens another app in the browser can be manipulated]

Previous 1...616263...76 Next