Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

CVEs (1,663)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2023-31748 1Wondershare 1Mobiletrans Jan 31, 2025 May 24, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 Insecure permissions in MobileTrans v4.0.11 allows attackers to escalate privileges to local admin via replacing the executable file.
CVE-2023-31454 1Apache 1Inlong Nov 21, 2024 May 22, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 Incorrect Permission Assignment for Critical Resource Vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.2.0 through 1.6.0. The attacker can bind any cluster, even if he...Show more Incorrect Permission Assignment for Critical Resource Vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.2.0 through 1.6.0. The attacker can bind any cluster, even if he is not the cluster owner. Users are advised to upgrade to Apache InLong's 1.7.0 or cherry-pick [1] to solve it.[1] https://github.com/apache/inlong/pull/7947 https://github.com/apache/inlong/pull/7947 Show less
CVE-2023-31453 1Apache 1Inlong Nov 21, 2024 May 22, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 Incorrect Permission Assignment for Critical Resource Vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.2.0 through 1.6.0. The attacker can delete others' subscriptions, e...Show more Incorrect Permission Assignment for Critical Resource Vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.2.0 through 1.6.0. The attacker can delete others' subscriptions, even if they are not the owner of the deleted subscription. Users are advised to upgrade to Apache InLong's 1.7.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/7949 https://github.com/apache/inlong/pull/7949 Show less
CVE-2023-33251 1Lightbend 1Akka Http Jan 31, 2025 May 21, 2023 N/A· v4 5.5 MEDIUM· v3 N/A· v2 When Akka HTTP before 10.5.2 accepts file uploads via the FileUploadDirectives.fileUploadAll directive, the temporary file it creates has too weak permissions: it is readable by other users on Linux or UNIX, a similar is...Show more When Akka HTTP before 10.5.2 accepts file uploads via the FileUploadDirectives.fileUploadAll directive, the temporary file it creates has too weak permissions: it is readable by other users on Linux or UNIX, a similar issue to CVE-2022-41946.Show less
CVE-2023-1692 1Huawei 2Emui Harmonyos Jan 21, 2025 May 20, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 The window management module lacks permission verification.Successful exploitation of this vulnerability may affect confidentiality.
CVE-2023-31871 1Opentext 1Documentum Content Server Jan 22, 2025 May 18, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 OpenText Documentum Content Server before 23.2 has a flaw that allows for privilege escalation from a non-privileged Documentum user to root. The software comes prepackaged with a root owned SUID binary dm_secure_writer....Show more OpenText Documentum Content Server before 23.2 has a flaw that allows for privilege escalation from a non-privileged Documentum user to root. The software comes prepackaged with a root owned SUID binary dm_secure_writer. The binary has security controls in place preventing creation of a file in a non-owned directory, or as the root user. However, these controls can be carefully bypassed to allow for an arbitrary file write as root.Show less
CVE-2023-33004 1Jenkins 1Tag Profiler Jan 23, 2025 May 16, 2023 N/A· v4 4.3 MEDIUM· v3 N/A· v2 A missing permission check in Jenkins Tag Profiler Plugin 0.2 and earlier allows attackers with Overall/Read permission to reset profiler statistics.
CVE-2023-32992 1Jenkins 1Saml Single Sign On Jan 23, 2025 May 16, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Missing permission checks in Jenkins SAML Single Sign On(SSO) Plugin 2.0.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML, or p...Show more Missing permission checks in Jenkins SAML Single Sign On(SSO) Plugin 2.0.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML, or parse a local file on the Jenkins controller as XML.Show less
CVE-2023-32990 1Jenkins 1Azure Vm Agents Jan 23, 2025 May 16, 2023 N/A· v4 6.5 MEDIUM· v3 N/A· v2 A missing permission check in Jenkins Azure VM Agents Plugin 852.v8d35f0960a_43 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified Azure Cloud server using attacker-specified cr...Show more A missing permission check in Jenkins Azure VM Agents Plugin 852.v8d35f0960a_43 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified Azure Cloud server using attacker-specified credentials IDs obtained through another method.Show less
CVE-2023-32986 1Jenkins 1File Parameters Jan 23, 2025 May 16, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Jenkins File Parameter Plugin 285.v757c5b_67a_c25 and earlier does not restrict the name (and resulting uploaded file name) of Stashed File Parameters, allowing attackers with Item/Configure permission to create or repla...Show more Jenkins File Parameter Plugin 285.v757c5b_67a_c25 and earlier does not restrict the name (and resulting uploaded file name) of Stashed File Parameters, allowing attackers with Item/Configure permission to create or replace arbitrary files on the Jenkins controller file system with attacker-specified content.Show less
CVE-2023-32979 1Jenkins 1Email Extension Jan 23, 2025 May 16, 2023 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Jenkins Email Extension Plugin does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of files in the email-templates/ dir...Show more Jenkins Email Extension Plugin does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of files in the email-templates/ directory in the Jenkins home directory on the controller file system.Show less
CVE-2023-32303 1Planet 1Planet Nov 21, 2024 May 12, 2023 N/A· v4 5.5 MEDIUM· v3 N/A· v2 Planet is software that provides satellite data. The secret file stores the user's Planet API authentication information. It should only be accessible by the user, but before version 2.0.1, its permissions allowed the us...Show more Planet is software that provides satellite data. The secret file stores the user's Planet API authentication information. It should only be accessible by the user, but before version 2.0.1, its permissions allowed the user's group and non-group to read the file as well. This issue was patched in version 2.0.1. As a workaround, set the secret file permissions to only user read/write by hand. Show less
CVE-2023-28522 1Ibm 1Api Connect Nov 21, 2024 May 12, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 IBM API Connect V10 could allow an authenticated user to perform actions that they should not have access to. IBM X-Force ID: 250585.
CVE-2023-31445 1Cassianetworks 1Access Controller Nov 21, 2024 May 11, 2023 N/A· v4 5.3 MEDIUM· v3 N/A· v2 Cassia Access controller before 2.1.1.2203171453, was discovered to have a unprivileged -information disclosure vulnerability that allows read-only users have the ability to enumerate all other users and discover e-mail...Show more Cassia Access controller before 2.1.1.2203171453, was discovered to have a unprivileged -information disclosure vulnerability that allows read-only users have the ability to enumerate all other users and discover e-mail addresses, phone numbers, and privileges of all other users.Show less
CVE-2022-46656 1Intel 1Nuc Pro Software Suite Nov 21, 2024 May 10, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 Insecure inherited permissions for the Intel(R) NUC Pro Software Suite before version 2.0.0.3 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2022-41771 1Intel 1Quickassist Technology Nov 21, 2024 May 10, 2023 N/A· v4 5.5 MEDIUM· v3 N/A· v2 Incorrect permission assignment for critical resource in some Intel(R) QAT drivers for Windows before version 1.9.0 may allow an authenticated user to potentially enable information disclosure via local access.
CVE-2022-41699 1Intel 1Quickassist Technology Nov 21, 2024 May 10, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 Incorrect permission assignment for critical resource in some Intel(R) QAT drivers for Windows before version 1.9.0 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2022-41658 1Intel 1Vtune Profiler Nov 21, 2024 May 10, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 Insecure inherited permissions in the Intel(R) VTune(TM) Profiler software before version 2023.0 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2022-38103 1Intel 1Nuc Software Studio Service Nov 21, 2024 May 10, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 Insecure inherited permissions in the Intel(R) NUC Software Studio Service installer before version 1.17.38.0 may allow an authenticated user to potentially enable escalation of privilege via local access
CVE-2023-29092 1Samsung 4Exynos 1080 Firmware Exynos 5123 FirmwareExynos 5300 Firmware+1 more Jan 28, 2025 May 9, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 An issue was discovered in Exynos Mobile Processor and Modem for Exynos Modem 5123, Exynos Modem 5300, Exynos 980, and Exynos 1080. Binding of a wrong resource can occur due to improper handling of parameters while bindi...Show more An issue was discovered in Exynos Mobile Processor and Modem for Exynos Modem 5123, Exynos Modem 5300, Exynos 980, and Exynos 1080. Binding of a wrong resource can occur due to improper handling of parameters while binding a network interface.Show less

Previous 1...282930...84 Next