Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

CVEs (1,658)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2018-11792 1Apache 1Impala Nov 21, 2024 Oct 24, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 In Apache Impala before 3.0.1, ALTER TABLE/VIEW RENAME required ALTER on the old table. This may pose a potential security risk, such as having ALTER on a table and ALL on a particular database allows a user to move the...Show more In Apache Impala before 3.0.1, ALTER TABLE/VIEW RENAME required ALTER on the old table. This may pose a potential security risk, such as having ALTER on a table and ALL on a particular database allows a user to move the table to a database with ALL, which will automatically grant that user with ALL privilege on that table due to the privilege inherited from the database.Show less
CVE-2018-17873 1Wifiranger 1Wifiranger Firmware Nov 21, 2024 Oct 23, 2018 N/A· v4 8.8 HIGH· v3 3.3 LOW· v2 An incorrect access control vulnerability in the FTP configuration of WiFiRanger devices with firmware version 7.0.8rc3 and earlier allows an attacker with adjacent network access to read the SSH Private Key and log in t...Show more An incorrect access control vulnerability in the FTP configuration of WiFiRanger devices with firmware version 7.0.8rc3 and earlier allows an attacker with adjacent network access to read the SSH Private Key and log in to the root account.Show less
CVE-2017-18348 1Splunk 1Splunk Nov 21, 2024 Oct 19, 2018 N/A· v4 7.0 HIGH· v3 6.9 MEDIUM· v2 Splunk Enterprise 6.6.x, when configured to run as root but drop privileges to a specific non-root account, allows local users to gain privileges by leveraging access to that non-root account to modify $SPLUNK_HOME/etc/s...Show more Splunk Enterprise 6.6.x, when configured to run as root but drop privileges to a specific non-root account, allows local users to gain privileges by leveraging access to that non-root account to modify $SPLUNK_HOME/etc/splunk-launch.conf and insert Trojan horse programs into $SPLUNK_HOME/bin, because the non-root setup instructions state that chown should be run across all of $SPLUNK_HOME to give non-root access.Show less
CVE-2018-11080 1Emc 1Secure Remote Services Nov 21, 2024 Oct 18, 2018 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Dell EMC Secure Remote Services, versions prior to 3.32.00.08, contains Improper File Permission Vulnerabilities. The application contains multiple configuration files with world-readable permissions that could allow an...Show more Dell EMC Secure Remote Services, versions prior to 3.32.00.08, contains Improper File Permission Vulnerabilities. The application contains multiple configuration files with world-readable permissions that could allow an authenticated malicious user to utilize the file contents to potentially elevate their privileges.Show less
CVE-2018-7924 1Huawei 1Anne Al00 Firmware Nov 21, 2024 Oct 17, 2018 N/A· v4 2.4 LOW· v3 2.1 LOW· v2 Anne-AL00 Huawei phones with versions earlier than 8.0.0.151(C00) have an information leak vulnerability. Due to improper permission settings for specific commands, attackers who can connect to a mobile phone via the USB...Show more Anne-AL00 Huawei phones with versions earlier than 8.0.0.151(C00) have an information leak vulnerability. Due to improper permission settings for specific commands, attackers who can connect to a mobile phone via the USB interface may exploit this vulnerability to obtain specific device information of the mobile phone.Show less
CVE-2018-13399 1Atlassian 2Crucible Fisheye Nov 21, 2024 Oct 16, 2018 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-17892 1Nuuo 1Nuuo Cms Nov 21, 2024 Oct 12, 2018 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 NUUO CMS all versions 3.1 and prior, The application implements a method of user account control that causes standard account security features to not be utilized as intended, which could allow user account compromise an...Show more NUUO CMS all versions 3.1 and prior, The application implements a method of user account control that causes standard account security features to not be utilized as intended, which could allow user account compromise and may allow for remote code execution.Show less
CVE-2018-1724 1Ibm 1Spectrum Lsf Nov 21, 2024 Oct 11, 2018 N/A· v4 5.3 MEDIUM· v3 4.6 MEDIUM· v2 IBM Spectrum LSF 9.1.1 9.1.2, 9.1.3, and 10.1 could allow a local user to change their job user at job submission time due to improper file permission settings. IBM X-Force ID: 147439.
CVE-2018-12173 1Intel 14Compute Module Hns2600bp Firmware Compute Module Hns2600bpr FirmwareServer Board S2600bp Firmware+11 more Nov 21, 2024 Oct 10, 2018 N/A· v4 7.6 HIGH· v3 7.2 HIGH· v2 Insufficient access protection in firmware in Intel Server Board, Intel Server System and Intel Compute Module before firmware version 00.01.0014 may allow an unauthenticated attacker to potentially execute arbitrary cod...Show more Insufficient access protection in firmware in Intel Server Board, Intel Server System and Intel Compute Module before firmware version 00.01.0014 may allow an unauthenticated attacker to potentially execute arbitrary code resulting in information disclosure, escalation of privilege and/or denial of service via local access.Show less
CVE-2018-12131 1Intel 3Client Nvme Datacenter NvmeRapid Storage Technology Nov 21, 2024 Oct 10, 2018 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Permissions in the driver pack installers for Intel NVMe before version 4.0.0.1007 and Intel RSTe before version 4.7.0.2083 may allow an authenticated user to potentially escalate privilege via local access.
CVE-2018-8411 1Microsoft 7Windows 10 Windows 7Windows 8.1+4 more Nov 21, 2024 Oct 10, 2018 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 An elevation of privilege vulnerability exists when NTFS improperly checks access, aka "NTFS Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Win...Show more An elevation of privilege vulnerability exists when NTFS improperly checks access, aka "NTFS Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.Show less
CVE-2018-17775 1Seqrite 1End Point Security Nov 21, 2024 Oct 8, 2018 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 Seqrite End Point Security v7.4 has "Everyone: (F)" permission for %PROGRAMFILES%\Seqrite\Seqrite, which allows local users to gain privileges by replacing an executable file with a Trojan horse.
CVE-2018-1750 1Ibm 1Security Key Lifecycle Manager Nov 21, 2024 Oct 8, 2018 N/A· v4 8.1 HIGH· v3 5.5 MEDIUM· v2 IBM Security Key Lifecycle Manager 3.0 specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. IBM X-Force ID: 148511.
CVE-2018-11064 1Dell 2Emc Unity Operating Environment Emc Unityvsa Operating Environment Nov 21, 2024 Oct 5, 2018 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Dell EMC Unity OE versions 4.3.0.x and 4.3.1.x and UnityVSA OE versions 4.3.0.x and 4.3.1.x contains an Incorrect File Permissions vulnerability. A locally authenticated malicious user could potentially exploit this vuln...Show more Dell EMC Unity OE versions 4.3.0.x and 4.3.1.x and UnityVSA OE versions 4.3.0.x and 4.3.1.x contains an Incorrect File Permissions vulnerability. A locally authenticated malicious user could potentially exploit this vulnerability to alter multiple library files in service tools that might result in arbitrary code execution with elevated privileges. No user file systems are directly affected by this vulnerability.Show less
CVE-2018-15379 1Cisco 1Prime Infrastructure Nov 21, 2024 Oct 5, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A vulnerability in which the HTTP web server for Cisco Prime Infrastructure (PI) has unrestricted directory permissions could allow an unauthenticated, remote attacker to upload an arbitrary file. This file could allow t...Show more A vulnerability in which the HTTP web server for Cisco Prime Infrastructure (PI) has unrestricted directory permissions could allow an unauthenticated, remote attacker to upload an arbitrary file. This file could allow the attacker to execute commands at the privilege level of the user prime. This user does not have administrative or root privileges. The vulnerability is due to an incorrect permission setting for important system directories. An attacker could exploit this vulnerability by uploading a malicious file by using TFTP, which can be accessed via the web-interface GUI. A successful exploit could allow the attacker to run commands on the targeted application without authentication.Show less
CVE-2018-0422 1Cisco 5Webex Business Suite 31 Webex Business Suite 32Webex Business Suite 33+2 more Nov 21, 2024 Oct 5, 2018 N/A· v4 7.3 HIGH· v3 6.9 MEDIUM· v2 A vulnerability in the folder permissions of Cisco Webex Meetings client for Windows could allow an authenticated, local attacker to modify locally stored files and execute code on a targeted device with the privilege le...Show more A vulnerability in the folder permissions of Cisco Webex Meetings client for Windows could allow an authenticated, local attacker to modify locally stored files and execute code on a targeted device with the privilege level of the user. The vulnerability is due to folder permissions that grant a user the permission to read, write, and execute files in the Webex folders. An attacker could exploit this vulnerability to write malicious files to the Webex client directory, affecting all other users of the targeted device. A successful exploit could allow a user to execute commands with elevated privileges. Attacks on single-user systems are less likely to occur, as the attack must be carried out by the user on the user's own system. Multiuser systems have a higher risk of exploitation because folder permissions have an impact on all users of the device. For an attacker to exploit this vulnerability successfully, a second user must execute the locally installed malicious file to allow remote code execution to occur.Show less
CVE-2018-17872 1Verint 2Collaboration Compliance Quality Management Platform Nov 21, 2024 Oct 4, 2018 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Verba Collaboration Compliance and Quality Management Platform before 9.2.1.5545 has Insecure Permissions.
CVE-2018-6261 1Nvidia 1Geforce Experience Nov 21, 2024 Oct 2, 2018 N/A· v4 7.0 HIGH· v3 4.4 MEDIUM· v2 NVIDIA GeForce Experience prior to 3.15 contains a vulnerability when GameStream is enabled which sets incorrect permissions on a file, which may to code execution, denial of service, or escalation of privileges by users...Show more NVIDIA GeForce Experience prior to 3.15 contains a vulnerability when GameStream is enabled which sets incorrect permissions on a file, which may to code execution, denial of service, or escalation of privileges by users with system access.Show less
CVE-2018-1420 1Ibm 1Websphere Portal Nov 21, 2024 Oct 1, 2018 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 IBM WebSphere Portal 7.0, 8.0, 8.5, and 9.0 resets access control settings to the out of the box configuration during Combined Cumulative Fix (CF) installation. This can lead to security miss-configuration of the install...Show more IBM WebSphere Portal 7.0, 8.0, 8.5, and 9.0 resets access control settings to the out of the box configuration during Combined Cumulative Fix (CF) installation. This can lead to security miss-configuration of the installation. IBM X-Force ID: 138950.Show less
CVE-2018-17776 1Pcprotect 1Antivirus Nov 21, 2024 Sep 28, 2018 N/A· v4 7.8 HIGH· v3 6.8 MEDIUM· v2 PCProtect Anti-Virus v4.8.35 has "Everyone: (F)" permission for %PROGRAMFILES(X86)%\PCProtect, which allows local users to gain privileges by replacing an executable file with a Trojan horse.

Previous 1...686970...83 Next