Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

CVEs (1,656)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2017-1000485 1Nylas Mail Lives Project 1Nylas Mail Nov 21, 2024 Jan 3, 2018 N/A· v4 7.8 HIGH· v3 2.1 LOW· v2 Nylas Mail Lives 2.2.2 uses 0755 permissions for $HOME/.nylas-mail, which allows local users to obtain sensitive authentication information via standard filesystem operations.
CVE-2017-1000461 1Brave 1Browser Nov 21, 2024 Jan 3, 2018 N/A· v4 4.7 MEDIUM· v3 4.3 MEDIUM· v2 Brave Software's Brave Browser, version 0.19.73 (and earlier) is vulnerable to an incorrect access control issue in the "JS fingerprinting blocking" component, resulting in a malicious website being able to access the fi...Show more Brave Software's Brave Browser, version 0.19.73 (and earlier) is vulnerable to an incorrect access control issue in the "JS fingerprinting blocking" component, resulting in a malicious website being able to access the fingerprinting-associated browser functionality (that the browser intends to block).Show less
CVE-2017-5260 1Cambiumnetworks 5Cnpilot E400 Firmware Cnpilot E410 FirmwareCnpilot E600 Firmware+2 more May 13, 2026 Dec 20, 2017 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 In versions 4.3.2-R4 and prior of Cambium Networks cnPilot firmware, although the option to access the configuration file is not available in the normal web administrative console for the 'user' account, the configuratio...Show more In versions 4.3.2-R4 and prior of Cambium Networks cnPilot firmware, although the option to access the configuration file is not available in the normal web administrative console for the 'user' account, the configuration file is accessible via direct object reference (DRO) at http://<device-ip-or-hostname>/goform/down_cfg_file by this otherwise low privilege 'user' account.Show less
CVE-2017-1266 1Ibm 1Security Guardium May 13, 2026 Dec 20, 2017 N/A· v4 5.4 MEDIUM· v3 5.5 MEDIUM· v2 IBM Security Guardium 10.0 specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. IBM X-Force ID: 124741.
CVE-2017-15877 1Sistemagpweb 1Gpweb May 13, 2026 Dec 19, 2017 N/A· v4 9.8 CRITICAL· v3 5.0 MEDIUM· v2 Insecure Permissions vulnerability in db.php file in GPWeb 8.4.61 allows remote attackers to view the password and user database.
CVE-2017-1716 1Ibm 1Tivoli Workload Scheduler May 13, 2026 Dec 13, 2017 N/A· v4 3.3 LOW· v3 2.1 LOW· v2 IBM Tivoli Workload Scheduler 8.6.0, 9.1.0, and 9.2.0 could disclose sensitive information to a local attacker due to improper permission settings. IBM X-Force ID: 134638.
CVE-2017-17568 1Scubez 1Posty Readymade Classifieds May 13, 2026 Dec 13, 2017 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Scubez Posty Readymade Classifieds has Incorrect Access Control for visiting admin/user_activate_submit.php (aka the backend PHP script), which might allow remote attackers to obtain sensitive information via a direct re...Show more Scubez Posty Readymade Classifieds has Incorrect Access Control for visiting admin/user_activate_submit.php (aka the backend PHP script), which might allow remote attackers to obtain sensitive information via a direct request.Show less
CVE-2017-13168 2Canonical Google 2Android Ubuntu Linux May 13, 2026 Dec 6, 2017 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 An elevation of privilege vulnerability in the kernel scsi driver. Product: Android. Versions: Android kernel. Android ID A-65023233.
CVE-2017-16895 1Arqbackup 1Arq May 13, 2026 Dec 1, 2017 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 The (1) arq_updater, (2) arqcommitter, (3) standardrestorer, (4) arqglacierrestorer, and (5) arqs3glacierrestorer helper apps in Arq 5.x before 5.10 for Mac allow local users to gain root privileges via a crafted data pa...Show more The (1) arq_updater, (2) arqcommitter, (3) standardrestorer, (4) arqglacierrestorer, and (5) arqs3glacierrestorer helper apps in Arq 5.x before 5.10 for Mac allow local users to gain root privileges via a crafted data packet.Show less
CVE-2017-16933 1Icinga 1Icinga May 13, 2026 Nov 24, 2017 N/A· v4 7.0 HIGH· v3 6.9 MEDIUM· v2 etc/initsystem/prepare-dirs in Icinga 2.x through 2.8.1 has a chown call for a filename in a user-writable directory, which allows local users to gain privileges by leveraging access to the $ICINGA2_USER account for crea...Show more etc/initsystem/prepare-dirs in Icinga 2.x through 2.8.1 has a chown call for a filename in a user-writable directory, which allows local users to gain privileges by leveraging access to the $ICINGA2_USER account for creation of a link.Show less
CVE-2017-8158 1Huawei 1Fusioncompute May 13, 2026 Nov 22, 2017 N/A· v4 6.5 MEDIUM· v3 4.9 MEDIUM· v2 FusionCompute V100R005C00 and V100R005C10 have an improper authorization vulnerability due to improper permission settings for a certain file on the host machine. An authenticated attacker could create a large number of...Show more FusionCompute V100R005C00 and V100R005C10 have an improper authorization vulnerability due to improper permission settings for a certain file on the host machine. An authenticated attacker could create a large number of virtual machine (VM) processes to exhaust system resources. Successful exploit could make new VMs unavailable.Show less
CVE-2017-16882 1Icinga 1Icinga May 13, 2026 Nov 18, 2017 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Icinga Core through 1.14.0 initially executes bin/icinga as root but supports configuration options in which this file is owned by a non-root account (and similarly can have etc/icinga.cfg owned by a non-root account), w...Show more Icinga Core through 1.14.0 initially executes bin/icinga as root but supports configuration options in which this file is owned by a non-root account (and similarly can have etc/icinga.cfg owned by a non-root account), which allows local users to gain privileges by leveraging access to this non-root account, a related issue to CVE-2017-14312. This also affects bin/icingastats, bin/ido2db, and bin/log2ido.Show less
CVE-2017-1000221 1Apereo 1Opencast May 13, 2026 Nov 17, 2017 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 In Opencast 2.2.3 and older if user names overlap, the Opencast search service used for publication to the media modules and players will handle the access control incorrectly so that users only need to match part of the...Show more In Opencast 2.2.3 and older if user names overlap, the Opencast search service used for publication to the media modules and players will handle the access control incorrectly so that users only need to match part of the user name used for the access restriction. For example, a user with the role ROLE_USER will have access to recordings published only for ROLE_USER_X.Show less
CVE-2017-1000125 1Codiad 1Codiad May 13, 2026 Nov 17, 2017 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Codiad(full version) is vulnerable to write anything to configure file in the installation resulting upload a webshell.
CVE-2017-0845 1Google 1Android May 13, 2026 Nov 16, 2017 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 A denial of service vulnerability in the Android framework (syncstorageengine). Product: Android. Versions: 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-35028827.
CVE-2017-0831 1Google 1Android May 13, 2026 Nov 16, 2017 N/A· v4 7.8 HIGH· v3 9.3 HIGH· v2 An elevation of privilege vulnerability in the Android framework (window manager). Product: Android. Versions: 8.0. Android ID: A-37442941.
CVE-2017-0830 1Google 1Android May 13, 2026 Nov 16, 2017 N/A· v4 7.8 HIGH· v3 9.3 HIGH· v2 An elevation of privilege vulnerability in the Android framework (device policy client). Product: Android. Versions: 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0. Android ID: A-62623498.
CVE-2017-16834 1Pnp4nagios 1Pnp4nagios May 13, 2026 Nov 16, 2017 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 PNP4Nagios through 0.6.26 has /usr/bin/npcd and npcd.cfg owned by an unprivileged account but root code execution depends on these files, which allows local users to gain privileges by leveraging access to this unprivile...Show more PNP4Nagios through 0.6.26 has /usr/bin/npcd and npcd.cfg owned by an unprivileged account but root code execution depends on these files, which allows local users to gain privileges by leveraging access to this unprivileged account.Show less
CVE-2017-15288 1Scala Lang 1Scala May 13, 2026 Nov 15, 2017 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 The compilation daemon in Scala before 2.10.7, 2.11.x before 2.11.12, and 2.12.x before 2.12.4 uses weak permissions for private files in /tmp/scala-devel/${USER:shared}/scalac-compile-server-port, which allows local use...Show more The compilation daemon in Scala before 2.10.7, 2.11.x before 2.11.12, and 2.12.x before 2.12.4 uses weak permissions for private files in /tmp/scala-devel/${USER:shared}/scalac-compile-server-port, which allows local users to write to arbitrary class files and consequently gain privileges.Show less
CVE-2017-3166 1Apache 1Hadoop May 13, 2026 Nov 13, 2017 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 In Apache Hadoop versions 2.6.1 to 2.6.5, 2.7.0 to 2.7.3, and 3.0.0-alpha1, if a file in an encryption zone with access permissions that make it world readable is localized via YARN's localization mechanism, that file wi...Show more In Apache Hadoop versions 2.6.1 to 2.6.5, 2.7.0 to 2.7.3, and 3.0.0-alpha1, if a file in an encryption zone with access permissions that make it world readable is localized via YARN's localization mechanism, that file will be stored in a world-readable location and can be shared freely with any application that requests to localize that file.Show less

Previous 1...777879...83 Next