Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

CVEs (1,508)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2022-31072 1Octokit Project 1Octokit Nov 21, 2024 Jun 15, 2022 N/A· v4 3.3 LOW· v3 2.1 LOW· v2 Octokit is a Ruby toolkit for the GitHub API. Versions 4.23.0 and 4.24.0 of the octokit gem were published containing world-writeable files. Specifically, the gem was packed with files having their permissions set to `-r...Show more Octokit is a Ruby toolkit for the GitHub API. Versions 4.23.0 and 4.24.0 of the octokit gem were published containing world-writeable files. Specifically, the gem was packed with files having their permissions set to `-rw-rw-rw-` (i.e. 0666) instead of `rw-r--r--` (i.e. 0644). This means everyone who is not the owner (Group and Public) with access to the instance where this release had been installed could modify the world-writable files from this gem. This issue is patched in Octokit 4.25.0. Two workarounds are available. Users can use the previous version of the gem, v4.22.0. Alternatively, users can modify the file permissions manually until they are able to upgrade to the latest version.Show less
CVE-2022-31071 1Octopoller Project 1Octopoller Nov 21, 2024 Jun 15, 2022 N/A· v4 3.3 LOW· v3 2.1 LOW· v2 Octopoller is a micro gem for polling and retrying. Version 0.2.0 of the octopoller gem was published containing world-writeable files. Specifically, the gem was packed with files having their permissions set to `-rw-rw-...Show more Octopoller is a micro gem for polling and retrying. Version 0.2.0 of the octopoller gem was published containing world-writeable files. Specifically, the gem was packed with files having their permissions set to `-rw-rw-rw-` (i.e. 0666) instead of `rw-r--r--` (i.e. 0644). This means everyone who is not the owner (Group and Public) with access to the instance where this release had been installed could modify the world-writable files from this gem. This issue is patched in Octopoller 0.3.0. Two workarounds are available. Users can use the previous version of the gem, v0.1.0. Alternatively, users can modify the file permissions manually until they are able to upgrade to the latest version.Show less
CVE-2022-32562 1Couchbase 1Couchbase Server Nov 21, 2024 Jun 13, 2022 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 An issue was discovered in Couchbase Server before 7.0.4. Operations may succeed on a collection using stale RBAC permission.
CVE-2021-46811 1Huawei 3Emui HarmonyosMagic Ui Nov 21, 2024 Jun 13, 2022 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 HwSEServiceAPP has a vulnerability in permission management. Successful exploitation of this vulnerability may cause disclosure of the Card Production Life Cycle (CPLC) information.
CVE-2022-25804 1Igel 1Universal Management Suite Nov 21, 2024 Jun 9, 2022 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 An issue was discovered in the IGEL Universal Management Suite (UMS) 6.07.100. Insecure permissions for the serverconfig registry key (under JavaSoft\Prefs\de\igel\rm\config in HKEY_LOCAL_MACHINE\SOFTWARE) allow an unpri...Show more An issue was discovered in the IGEL Universal Management Suite (UMS) 6.07.100. Insecure permissions for the serverconfig registry key (under JavaSoft\Prefs\de\igel\rm\config in HKEY_LOCAL_MACHINE\SOFTWARE) allow an unprivileged local attacker to read the encrypted dbuser and dbpassword values for the UMS superuser.Show less
CVE-2022-30747 1Samsung 1Smartthings Nov 21, 2024 Jun 7, 2022 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 PendingIntent hijacking vulnerability in Smart Things prior to 1.7.85.25 allows local attackers to access files without permission via implicit Intent.
CVE-2022-31500 1Knime 1Knime Analytics Platform Nov 21, 2024 Jun 2, 2022 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 In KNIME Analytics Platform below 4.6.0, the Windows installer sets improper filesystem permissions.
CVE-2022-29483 1Abb 1E Design Nov 21, 2024 Jun 2, 2022 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 Incorrect Default Permissions vulnerability in ABB e-Design allows attacker to install malicious software executing with SYSTEM permissions violating confidentiality, integrity, and availability of the target machine.
CVE-2022-28702 1Abb 1E Design Nov 21, 2024 Jun 2, 2022 N/A· v4 5.5 MEDIUM· v3 4.9 MEDIUM· v2 Incorrect Default Permissions vulnerability in ABB e-Design allows attacker to install malicious software executing with SYSTEM permissions violating confidentiality, integrity, and availability of the target machine.
CVE-2022-29376 1Apachefriends 1Xampp Aug 15, 2025 May 23, 2022 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Xampp for Windows v8.1.4 and below was discovered to contain insecure permissions for its install directory, allowing attackers to execute arbitrary code via overwriting binaries located in the directory.
CVE-2022-28999 1Bloodshed 1Dev C++ Nov 21, 2024 May 23, 2022 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Insecure permissions in the install directories and binaries of Dev-CPP v4.9.9.2 allows attackers to execute arbitrary code via overwriting the binary devcpp.exe.
CVE-2022-28932 1Dlink 1Dsl G2452dg Firmware Nov 21, 2024 May 23, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 D-Link DSL-G2452DG HW:T1\\tFW:ME_2.00 was discovered to contain insecure permissions.
CVE-2022-29178 1Cilium 1Cilium Nov 21, 2024 May 20, 2022 N/A· v4 8.2 HIGH· v3 4.6 MEDIUM· v2 Cilium is open source software for providing and securing network connectivity and loadbalancing between application workloads. Cilium prior to versions 1.9.16, 1.10.11, and 1.11.15 contains an incorrect default permissi...Show more Cilium is open source software for providing and securing network connectivity and loadbalancing between application workloads. Cilium prior to versions 1.9.16, 1.10.11, and 1.11.15 contains an incorrect default permissions vulnerability. Operating Systems with users belonging to the group ID 1000 can access the API of Cilium via Unix domain socket available on the host where Cilium is running. This could allow malicious users to compromise integrity as well as system availability on that host. The problem has been fixed and the patch is available in versions 1.9.16, 1.10.11, and 1.11.5. A potential workaround is to modify Cilium's DaemonSet to run with a certain command, which can be found in the GitHub Security Advisory for this vulnerability.Show less
CVE-2022-29162 2Fedoraproject Linuxfoundation 2Fedora Runc Nov 21, 2024 May 17, 2022 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. A bug was found in runc prior to version 1.1.2 where `runc exec --cap` created processes with non-empty inheritable Linu...Show more runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. A bug was found in runc prior to version 1.1.2 where `runc exec --cap` created processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during execve(2). This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in runc 1.1.2. This fix changes `runc exec --cap` behavior such that the additional capabilities granted to the process being executed (as specified via `--cap` arguments) do not include inheritable capabilities. In addition, `runc spec` is changed to not set any inheritable capabilities in the created example OCI spec (`config.json`) file.Show less
CVE-2022-0997 1Fidelissecurity 2Deception Network Nov 21, 2024 May 17, 2022 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 Improper file permissions in the CommandPost, Collector, and Sensor components of Fidelis Network and Deception enables an attacker with local, administrative access to the CLI to modify affected script files, which coul...Show more Improper file permissions in the CommandPost, Collector, and Sensor components of Fidelis Network and Deception enables an attacker with local, administrative access to the CLI to modify affected script files, which could result in arbitrary commands being run as root upon subsequent logon by a root user. The vulnerability is present in Fidelis Network and Deception versions prior to 9.4.5. Patches and updates are available to address this vulnerability.Show less
CVE-2022-0486 1Fidelissecurity 2Deception Network Nov 21, 2024 May 17, 2022 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 Improper file permissions in the CommandPost, Collector, Sensor, and Sandbox components of Fidelis Network and Deception enables an attacker with local, administrative access to the CLI to modify affected files and enabl...Show more Improper file permissions in the CommandPost, Collector, Sensor, and Sandbox components of Fidelis Network and Deception enables an attacker with local, administrative access to the CLI to modify affected files and enable escalation of privileges equivalent to the root user. The vulnerability is present in Fidelis Network and Deception versions prior to 9.4.5. Patches and updates are available to address this vulnerability.Show less
CVE-2022-24890 1Nextcloud 1Talk Nov 21, 2024 May 17, 2022 N/A· v4 4.3 MEDIUM· v3 3.5 LOW· v2 Nextcloud Talk is a video and audio conferencing app for Nextcloud. In versions prior to 13.0.5 and 14.0.0, a call moderator can indirectly enable user webcams by granting permissions, if they were enabled before removin...Show more Nextcloud Talk is a video and audio conferencing app for Nextcloud. In versions prior to 13.0.5 and 14.0.0, a call moderator can indirectly enable user webcams by granting permissions, if they were enabled before removing the permissions. A patch is available in versions 13.0.5 and 14.0.0. There are currently no known workarounds.Show less
CVE-2022-30375 1Simple Social Networking Site Project 1Simple Social Networking Site Nov 21, 2024 May 13, 2022 N/A· v4 6.5 MEDIUM· v3 5.5 MEDIUM· v2 Sourcecodester Simple Social Networking Site v1.0 is vulnerable to file deletion via /sns/classes/Master.php?f=delete_img.
CVE-2022-30367 1Air Cargo Management System Project 1Air Cargo Management System Nov 21, 2024 May 13, 2022 N/A· v4 6.5 MEDIUM· v3 5.5 MEDIUM· v2 Air Cargo Management System v1.0 is vulnerable to file deletion via /acms/classes/Master.php?f=delete_img.
CVE-2022-23802 1Ijoomla 1Guru Nov 21, 2024 May 6, 2022 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Joomla Guru extension 5.2.5 is affected by: Insecure Permissions. The impact is: obtain sensitive information (remote). The component is: Access to private information and components, possibility to view other users' inf...Show more Joomla Guru extension 5.2.5 is affected by: Insecure Permissions. The impact is: obtain sensitive information (remote). The component is: Access to private information and components, possibility to view other users' information. Information disclosure Access to private information and components, possibility to view other users' information.Show less

Previous 1...444546...76 Next