CWE-276 Individual Dictionary Definition (Draft 9)

| Field | Value |
|---|---|
| Weakness ID | 276 (Weakness Variant) |
| Status | Draft |
| Description | Summary: A program, upon installation, sets insecure permissions for an object. |
| Likelihood of Exploit | Medium |
| Weakness Ordinality | Primary (Weakness exists independent of other weaknesses) |
| Causal Nature | Implicit (This is an implicit weakness) |
| Potential Mitigations | Very carefully manage the setting, management and handling of permissions. Explicitly manage trust zones in the software. Design: Ensure that appropriate compartmentalization is built into the system design and that the compartmentalization serves to allow for and further reinforce privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide when it is appropriate to use and to drop system privileges. |

Observed Examples

| Reference | Description |
|---|---|
| CVE-2005-1941 | Executables installed world-writable. |
| CVE-2002-1713 | Home directories installed world-readable. |
| CVE-2001-1550 | World-writable log files allow information loss; world-readable file has cleartext passwords. |
| CVE-2002-1711 | World-readable directory. |
| CVE-2002-1844 | Windows product uses insecure permissions when installing on Solaris (genesis: port error). |
| CVE-2001-0497 | Insecure permissions for a shared secret key file. Overlaps cryptographic problem. |
| CVE-1999-0426 | Default permissions of a device allow IP spoofing. |

| Field | Value |
|---|---|
| Relationships | |
| Source Taxonomies | PLOVER - Insecure Default Permissions |
| Applicable Platforms | All |

Related Attack Patterns

| CAPEC-ID | Attack Pattern Name |
|---|---|
| 81 | Web Logs Tampering |
| 1 | Accessing Functionality Not Properly Constrained by ACLs |
| 19 | Embedding Scripts within Scripts |