CWE-732

1,663 CVEs • Abstraction: Class • Likelihood of Exploit: High

Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

CVEs (1,663)

Each entry below lists vendor, product(s), the record's last-updated and published dates, the CVSS scores (v4, v3, v2) and the description. CVE identifiers were not captured in this listing.

Vendor: Gitlab
Product: Gitlab
Updated: Jan 29, 2025 / Published: May 8, 2023
CVSS: v4 N/A; v3 6.5 MEDIUM; v2 N/A
Description: An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.9.7, all versions starting from 15.10 before 15.10.6, all versions starting from 15.11 before 15.11.2. Under certain conditions, a malicious unauthorized GitLab user may use a GraphQL endpoint to attach a malicious runner to any project.

Vendor: Apache
Product: Ranger
Updated: Nov 21, 2024 / Published: May 5, 2023
CVSS: v4 N/A; v3 8.1 HIGH; v2 N/A
Description: An Incorrect Permission Assignment for Critical Resource vulnerability was found in the Apache Ranger Hive Plugin. Any user with SELECT privilege on a database can alter the ownership of the table in Hive when Apache Ranger Hive Plugin is enabled. This issue affects Apache Ranger Hive Plugin: from 2.0.0 through 2.3.0. Users are recommended to upgrade to version 2.4.0 or later.

Vendor: Dell
Product: Command | Monitor
Updated: Nov 21, 2024 / Published: May 5, 2023
CVSS: v4 N/A; v3 7.8 HIGH; v2 N/A
Description: Dell Command Monitor, versions 10.9 and prior, contains an improper folder permission vulnerability. A local authenticated malicious user can potentially exploit this vulnerability leading to privilege escalation by writing to a protected directory when Dell Command Monitor is installed to a non-default path.

Vendor: Garo
Products (3): Wallbox Glb Firmware, Wallbox Gtb Firmware, Wallbox Gtc Firmware
Updated: Jan 29, 2025 / Published: May 4, 2023
CVSS: v4 N/A; v3 8.1 HIGH; v2 N/A
Description: Insecure permissions in the settings page of GARO Wallbox GLB/GTB/GTC before v189 allows attackers to redirect users to a crafted update package link via a man-in-the-middle attack.

Vendor: Genomedics
Product: Millegpg
Updated: Jan 29, 2025 / Published: May 4, 2023
CVSS: v4 N/A; v3 7.8 HIGH; v2 N/A
Description: An issue was discovered in Genomedics MilleGP5 5.9.2, allows remote attackers to execute arbitrary code and gain escalated privileges via modifying specific files.

Vendor: Hypr
Product: Workforce Access
Updated: Nov 21, 2024 / Published: Apr 28, 2023
CVSS: v4 N/A; v3 9.8 CRITICAL; v2 N/A
Description: Incorrect Permission Assignment for Critical Resource vulnerability in HYPR Workforce Access on MacOS allows Privilege Escalation. This issue affects Workforce Access: from 6.12 before 8.1.

Vendor: Nvidia
Product: Sbios
Updated: Nov 21, 2024 / Published: Apr 22, 2023
CVSS: v4 N/A; v3 4.4 MEDIUM; v2 N/A
Description: NVIDIA DGX-2 SBIOS contains a vulnerability where an attacker may modify the ServerSetup NVRAM variable at runtime by executing privileged code. A successful exploit of this vulnerability may lead to denial of service.

Vendor: Ui
Product: Desktop
Updated: Feb 5, 2025 / Published: Apr 19, 2023
CVSS: v4 N/A; v3 5.5 MEDIUM; v2 N/A
Description: A permission misconfiguration in UI Desktop for Windows (Version 0.59.1.71 and earlier) could allow a user to hijack VPN credentials while UID VPN is starting. This vulnerability is fixed in Version 0.62.3 and later.

Vendor: Discourse
Product: Discourse
Updated: Nov 21, 2024 / Published: Apr 18, 2023
CVSS: v4 N/A; v3 4.9 MEDIUM; v2 N/A
Description: Discourse is an open source platform for community discussion. In affected versions a user logged in as an administrator can call arbitrary methods on the `SiteSetting` class, notably `#clear_cache!` and `#notify_changed!`, which when done on a multisite instance, can affect the entire cluster resulting in a denial of service. Users not running in multisite environments are not affected. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Vendor: Tribe29
Product: Checkmk
Updated: Nov 21, 2024 / Published: Apr 18, 2023
CVSS: v4 N/A; v3 8.8 HIGH; v2 N/A
Description: Privilege escalation in Tribe29 Checkmk Appliance before 1.6.4 allows authenticated site users to escalate privileges via incorrectly set permissions.

Vendor: Juniper
Product: Junos Os Evolved
Updated: Nov 21, 2024 / Published: Apr 17, 2023
CVSS: v4 N/A; v3 8.2 HIGH; v2 N/A
Description: An Incorrect Permission Assignment for Critical Resource vulnerability in Juniper Networks Junos OS Evolved allows a local, authenticated low-privileged attacker to copy potentially malicious files into an existing Docker container on the local system. A follow-on administrator could then inadvertently start the Docker container leading to the malicious files being executed as root. This issue only affects systems with Docker configured and enabled, which is not enabled by default. Systems without Docker started are not vulnerable to this issue. This issue affects Juniper Networks Junos OS Evolved: 20.4 versions prior to 20.4R3-S5-EVO; 21.2 versions prior to 21.2R3-EVO; 21.3 versions prior to 21.3R3-EVO; 21.4 versions prior to 21.4R2-EVO. This issue does not affect Juniper Networks Junos OS Evolved versions prior to 19.2R1-EVO.

Vendor: Linuxfoundation
Product: Cubefs
Updated: Feb 7, 2025 / Published: Apr 12, 2023
CVSS: v4 N/A; v3 6.5 MEDIUM; v2 N/A
Description: CubeFS through 3.2.1 allows Kubernetes cluster-level privilege escalation. This occurs because DaemonSet has cfs-csi-cluster-role and can thus list all secrets, including the admin secret.

Vendor: Devolutions
Product: Remote Desktop Manager
Updated: Feb 10, 2025 / Published: Apr 11, 2023
CVSS: v4 N/A; v3 4.3 MEDIUM; v2 N/A
Description: No access control for the OTP key on OTP entries in Devolutions Remote Desktop Manager Windows 2022.3.33.0 and prior versions and Remote Desktop Manager Linux 2022.3.2.0 and prior versions allows non-admin users to see OTP keys via the user interface.

Vendor: Fortinet
Product: Forticlient
Updated: Nov 21, 2024 / Published: Apr 11, 2023
CVSS: v4 N/A; v3 8.1 HIGH; v2 N/A
Description: Multiple vulnerabilities including an incorrect permission assignment for critical resource [CWE-732] vulnerability and a time-of-check time-of-use (TOCTOU) race condition [CWE-367] vulnerability in Fortinet FortiClientWindows before 7.0.7 allows attackers on the same file sharing network to execute commands via writing data into a Windows pipe.

Vendor: Gnu
Product: Screen
Updated: May 9, 2025 / Published: Apr 8, 2023
CVSS: v4 N/A; v3 6.5 MEDIUM; v2 N/A
Description: socket.c in GNU Screen through 4.9.0, when installed setuid or setgid (the default on platforms such as Arch Linux and FreeBSD), allows local users to send a privileged SIGHUP signal to any PID, causing a denial of service or disruption of the target process.

Vendor: Supermicro
Products (146): H11dsi Nt Firmware, H11dsi Firmware, H11dst B Firmware, +143 more
Updated: Feb 11, 2025 / Published: Apr 7, 2023
CVSS: v4 N/A; v3 5.5 MEDIUM; v2 N/A
Description: Supermicro X11SSL-CF HW Rev 1.01, BMC firmware v1.63 was discovered to contain insecure permissions.

Vendor: Imaworldhealth
Product: Bhima
Updated: Feb 13, 2025 / Published: Apr 5, 2023
CVSS: v4 N/A; v3 4.3 MEDIUM; v2 N/A
Description: Bhima version 1.27.0 allows an authenticated attacker with regular user permissions to update arbitrary user session data such as username, email and password. This is possible because the application is vulnerable to IDOR; it does not correctly validate user permissions with respect to certain actions that can be performed by the user.

Vendor: Samba
Product: Samba
Updated: Feb 18, 2025 / Published: Apr 3, 2023
CVSS: v4 N/A; v3 4.3 MEDIUM; v2 N/A
Description: A flaw was found in Samba. An incomplete access check on dnsHostName allows authenticated but otherwise unprivileged users to delete this attribute from any object in the directory.

Vendor: Hitachi
Product: Vantara Pentaho Business Analytics Server
Updated: Nov 21, 2024 / Published: Apr 3, 2023
CVSS: v4 N/A; v3 8.8 HIGH; v2 N/A
Description: Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x, is installed with a sample HSQLDB data source configured with stored procedures enabled.

Vendor: Robodk
Product: Robodk
Updated: Nov 21, 2024 / Published: Mar 28, 2023
CVSS: v4 N/A; v3 7.8 HIGH; v2 N/A
Description: RoboDK versions 5.5.3 and prior contain an insecure permission assignment to critical directories vulnerability, which could allow a local user to escalate privileges and write files to the RoboDK process and achieve code execution.