CWE-276: Incorrect Default Permissions
1,613 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.
CVEs classified under CWE-276 (page 15 of 33)
- CVE-2022-20299 | MEDIUM | CVSS 5.5 | EG 5.5 | 2022-08-12
  In ContentService, there is a possible way to check if the given account exists on the device due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interaction is not…
- CVE-2022-20300 | MEDIUM | CVSS 5.5 | EG 5.5 | 2022-08-12
  In Content, there is a possible way to check if the given account exists on the device due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed…
- CVE-2022-20301 | MEDIUM | CVSS 5.5 | EG 5.5 | 2022-08-12
  In Content, there is a possible way to check if an account exists on the device due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for ex…
- CVE-2022-20303 | MEDIUM | CVSS 5.5 | EG 5.5 | 2022-08-12
  In ContentService, there is a possible way to determine if an account is on the device without GET_ACCOUNTS permission due to a missing permission check. This could lead to local information disclosure with User execution privileges needed…
- CVE-2022-20305 | LOW | CVSS 3.3 | EG 3.3 | 2022-08-12
  In ContentService, there is a possible disclosure of available account types due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for explo…
- CVE-2022-20310 | LOW | CVSS 3.3 | EG 3.3 | 2022-08-12
  In Telecomm, there is a possible disclosure of registered self managed phone accounts due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed …
- CVE-2022-20311 | LOW | CVSS 3.3 | EG 3.3 | 2022-08-12
  In Telecomm, there is a possible disclosure of registered self managed phone accounts due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed …
- CVE-2022-20312 | MEDIUM | CVSS 5.5 | EG 5.5 | 2022-08-12
  In WifiP2pManager, there is a possible way to obtain the WiFi P2P MAC address without user consent due to a missing permission check. This could lead to local information disclosure without additional execution privileges needed. User interaction is …
- CVE-2022-20315 | LOW | CVSS 3.3 | EG 3.3 | 2022-08-12
  In ActivityManager, there is a possible disclosure of installed packages due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for …
- CVE-2022-20322 | MEDIUM | CVSS 5.5 | EG 5.5 | 2022-08-12
  In PackageManager, there is a possible installed package disclosure due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for explo…
- CVE-2022-20327 | LOW | CVSS 2.8 | EG 2.8 | 2022-08-12
  In Wi-Fi, there is a possible way to retrieve the WiFi SSID without location permissions due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interaction is needed f…
- CVE-2022-20328 | LOW | CVSS 3.3 | EG 3.3 | 2022-08-12
  In PackageManager, there is a possible way to determine whether an app is installed due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not …
- CVE-2022-20341 | MEDIUM | CVSS 5.5 | EG 5.5 | 2022-08-12
  In ConnectivityService, there is a possible bypass of network permissions due to a missing permission check. This could lead to local information disclosure of tethering interfaces with no additional execution privileges needed. User inter…
- CVE-2022-20348 | HIGH | CVSS 7.8 | EG 7.8 | 2022-08-10
  In updateState of LocationServicesWifiScanningPreferenceController.java, there is a possible admin restriction bypass due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileg…
- CVE-2022-20349 | HIGH | CVSS 7.8 | EG 7.8 | 2022-08-10
  In WifiScanningPreferenceController and BluetoothScanningPreferenceController, there is a possible admin restriction bypass due to a missing permission check. This could lead to local escalation of privilege with no additional execution pr…
- CVE-2022-20352 | MEDIUM | CVSS 5.5 | EG 5.5 | 2022-08-10
  In addProviderRequestListener of LocationManagerService.java, there is a possible way to learn which packages request location information due to a missing permission check. This could lead to local information disclosure with no additiona…
- CVE-2022-20358 | LOW | CVSS 3.3 | EG 3.3 | 2022-08-10
  In startSync of AbstractThreadedSyncAdapter.java, there is a possible way to access protected content of content providers due to a missing permission check. This could lead to local information disclosure with User execution privileges ne…
- CVE-2022-20360 | HIGH | CVSS 7.8 | EG 7.8 | 2022-08-10
  In setChecked of SecureNfcPreferenceController.java, there is a missing permission check. This could lead to local escalation of privilege from the guest user with no additional execution privileges needed. User interaction is not needed f…
- CVE-2022-20435 | HIGH | CVSS 7.8 | EG 7.8 | 2022-10-11
  There is an unauthorized service in the system service that may cause the system to reboot. Since the component has no permission check and no permission protection, this results in an EoP problem. Product: Android. Versions: Android SoC. Android ID: A-2…
- CVE-2022-20436 | HIGH | CVSS 7.8 | EG 7.8 | 2022-10-11
  There is an unauthorized service in the system service. Since the component has no permission check, this results in local elevation of privilege. Product: Android. Versions: Android SoC. Android ID: A-242248369
- CVE-2022-20441 | HIGH | CVSS 7.8 | EG 7.8 | 2022-11-08
  In navigateUpTo of Task.java, there is a possible way to launch an unexported intent handler due to a logic error in the code. This could lead to local escalation of privilege if the targeted app has an intent trampoline, with no additiona…
- CVE-2022-20448 | MEDIUM | CVSS 5.5 | EG 5.5 | 2022-11-08
  In buzzBeepBlinkLocked of NotificationManagerService.java, there is a possible way to share data across users due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. Use…
- CVE-2022-20452 | HIGH | CVSS 7.8 | EG 7.8 | 2022-11-08
  In initializeFromParcelLocked of BaseBundle.java, there is a possible method arbitrary code execution due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interacti…
- CVE-2022-20456 | HIGH | CVSS 7.8 | EG 7.8 | 2023-01-26
  In AutomaticZenRule of AutomaticZenRule.java, there is a possible failure to persist permissions settings due to resource exhaustion. This could lead to local escalation of privilege with no additional execution privileges needed. User int…
- CVE-2022-20465 | MEDIUM | CVSS 4.6 | EG 4.6 | 2022-11-08
  In dismiss and related functions of KeyguardHostViewController.java and related files, there is a possible lockscreen bypass due to a logic error in the code. This could lead to local escalation of privilege with no additional execution pr…
- CVE-2022-20474 | HIGH | CVSS 7.8 | EG 7.8 | 2022-12-13
  In readLazyValue of Parcel.java, there is a possible loading of arbitrary code into the System Settings app due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User int…
- CVE-2022-20475 | HIGH | CVSS 7.8 | EG 7.8 | 2022-12-13
  In test of ResetTargetTaskHelper.java, there is a possible hijacking of any app which sets allowTaskReparenting="true" due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges neede…
- CVE-2022-20495 | HIGH | CVSS 7.8 | EG 7.8 | 2022-12-13
  In getEnabledAccessibilityServiceList of AccessibilityManager.java, there is a possible way to hide an accessibility service due to a logic error in the code. This could lead to local escalation of privilege with no additional execution pr…
- CVE-2022-20511 | MEDIUM | CVSS 5.5 | EG 5.5 | 2022-12-16
  In getNearbyAppStreamingPolicy of DevicePolicyManagerService.java, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for expl…
- CVE-2022-20611 | HIGH | CVSS 7.8 | EG 7.8 | 2022-12-13
  In deletePackageVersionedInternal of DeletePackageHelper.java, there is a possible way to bypass carrier restrictions due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges nee…
- CVE-2022-20732 | HIGH | CVSS 7.8 | EG 7.8 | 2022-04-21
  A vulnerability in the configuration file protections of Cisco Virtualized Infrastructure Manager (VIM) could allow an authenticated, local attacker to access confidential information and elevate privileges on an affected device. This vuln…
- CVE-2022-21204 | HIGH | CVSS 7.8 | EG 7.8 | 2022-02-09
  Improper permissions for Intel(R) Quartus(R) Prime Pro Edition before version 21.3 may allow an authenticated user to potentially enable escalation of privilege via local access.
- CVE-2022-21704 | MEDIUM | CVSS 5.5 | EG 5.5 | 2022-01-19
  log4js-node is a port of log4js to node.js. In affected versions, the default file permissions for log files created by the file, fileSync and dateFile appenders are world-readable (on Unix). This could cause problems if log files contain sensi…
- CVE-2022-22296 | MEDIUM | CVSS 5.3 | EG 5.3 | 2022-01-24
  Sourcecodester Hospital's Patient Records Management System 1.0 is vulnerable to Insecure Permissions via the id parameter in the manage_user endpoint. Simply changing the value causes other users' data to be displayed.
- CVE-2022-22424 | MEDIUM | CVSS 5.5 | EG 5.5 | 2022-07-20
  IBM QRadar SIEM 7.3, 7.4, and 7.5 could allow a local user to obtain sensitive information from the TLS key file due to incorrect file permissions. IBM X-Force ID: 223597.
- CVE-2022-22518 | MEDIUM | CVSS 6.5 | EG 6.5 | 2022-04-07
  A bug in the CmpUserMgr component can lead to only partially applied security policies. This can result in anonymous access remaining enabled to components that are part of the applied security policy.
- CVE-2022-2270 | LOW | CVSS 3.5 | EG 5.3 | 2022-07-01
  An issue has been discovered in GitLab affecting all versions starting from 12.4 before 14.10.5, all versions starting from 15.0 before 15.0.4, and all versions starting from 15.1 before 15.1.1. GitLab was leaking Conan package names due to i…
- CVE-2022-22948 | MEDIUM | CVSS 6.5 | EG 9.0 | KEV | 2022-03-29
  The vCenter Server contains an information disclosure vulnerability due to improper permissions on files. A malicious actor with non-administrative access to the vCenter Server may exploit this issue to gain access to sensitive information.
- CVE-2022-23104 | MEDIUM | CVSS 5.6 | EG 5.6 | 2022-02-24
  WIN-911 2021 R1 and R2 are vulnerable to a permissions misconfiguration that may allow an attacker to locally write files to the program Operator Workspace directory, which holds DLL files and executables. A low-privilege attacker could wr…
- CVE-2022-23453 | HIGH | CVSS 7.8 | EG 7.8 | 2023-02-01
  Potential security vulnerabilities have been identified in HP Support Assistant. These vulnerabilities include privilege escalation, compromise of integrity, allowed communication with untrusted clients, and unauthorized modification of fi…
- CVE-2022-23454 | HIGH | CVSS 7.8 | EG 7.8 | 2023-02-01
  Potential security vulnerabilities have been identified in HP Support Assistant. These vulnerabilities include privilege escalation, compromise of integrity, allowed communication with untrusted clients, and unauthorized modification of fi…
- CVE-2022-2366 | MEDIUM | CVSS 5.6 | EG 5.3 | 2022-07-12
  Incorrect default configuration for the trusted IP header in Mattermost version 6.7.0 and earlier allows an attacker to bypass some of the rate limitations in place, or to use manipulated IPs for audit logging, by manipulating the request headers.
- CVE-2022-23802 | HIGH | CVSS 7.5 | EG 7.5 | 2022-05-06
  Joomla Guru extension 5.2.5 is affected by: Insecure Permissions. The impact is: obtain sensitive information (remote). The component is: Access to private information and components, possibility to view other users' information. Informati…
- CVE-2022-23922 | MEDIUM | CVSS 5.6 | EG 5.6 | 2022-02-24
  WIN-911 2021 R1 and R2 are vulnerable to a permissions misconfiguration that may allow an attacker to locally write files to the Program Announcer directory and elevate permissions whenever the program is executed.
- CVE-2022-23995 | MEDIUM | CVSS 4.0 | EG 4.0 | 2022-02-11
  Unprotected component vulnerability in StBedtimeModeAlarmReceiver in Wear OS 3.0 prior to Firmware update Feb-2022 Release allows untrusted applications to change bedtime mode without a proper permission.
- CVE-2022-23996 | MEDIUM | CVSS 4.0 | EG 4.0 | 2022-02-11
  Unprotected component vulnerability in StTheaterModeReceiver in Wear OS 3.0 prior to Firmware update Feb-2022 Release allows untrusted applications to enable bedtime mode without a proper permission.
- CVE-2022-24113 | HIGH | CVSS 7.8 | EG 7.8 | 2022-02-04
  Local privilege escalation due to excessive permissions assigned to child processes. The following products are affected: Acronis Cyber Protect 15 (Windows) before build 28035, Acronis Agent (Windows) before build 27147, Acronis Cyber Prot…
- CVE-2022-24301 | MEDIUM | CVSS 6.5 | EG 6.5 | 2022-02-02
  In Minetest before 5.4.0, players can add or subtract items from a different player's inventory.
- CVE-2022-24337 | MEDIUM | CVSS 6.5 | EG 6.5 | 2022-02-25
  In JetBrains TeamCity before 2021.2, health items of pull requests were shown to users who lacked appropriate permissions.
- CVE-2022-24343 | MEDIUM | CVSS 4.3 | EG 4.3 | 2022-02-25
  In JetBrains YouTrack before 2021.4.31698, a custom logo could be set by a user who has read-only permissions.