Incorrect Default Permissions
Weakness ID: 276 (Weakness Variant) | Status: Draft
Description Summary
The software, upon installation, sets incorrect permissions for an object that exposes it to an unintended actor.
Reference | Description |
---|---|
CVE-2005-1941 | Executables installed world-writable. |
CVE-2002-1713 | Home directories installed world-readable. |
CVE-2001-1550 | World-writable log files allow information loss; world-readable file has cleartext passwords. |
CVE-2002-1711 | World-readable directory. |
CVE-2002-1844 | Windows product uses insecure permissions when installing on Solaris (genesis: port error). |
CVE-2001-0497 | Insecure permissions for a shared secret key file. Overlaps cryptographic problem. |
CVE-1999-0426 | Default permissions of a device allow IP spoofing. |
Very carefully manage the setting, management and handling of permissions. Explicitly manage trust zones in the software.
Phase: Architecture and Design
Ensure that appropriate compartmentalization is built into the system design and that the compartmentalization serves to allow for and further reinforce privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide when it is appropriate to use and to drop system privileges.
Ordinality | Description |
---|---|
Primary | (where the weakness exists independent of other weaknesses) |
Nature | Type | ID | Name | View(s) this relationship pertains to |
---|---|---|---|---|
ChildOf | | 275 | Permission Issues | Development Concepts (primary) 699 |
ChildOf | | 732 | Incorrect Permission Assignment for Critical Resource | Research Concepts (primary) 1000 |
ChildOf | | 743 | CERT C Secure Coding Section 09 - Input Output (FIO) | Weaknesses Addressed by the CERT C Secure Coding Standard (primary) 734 |
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
---|---|---|---|
PLOVER | | | Insecure Default Permissions |
CERT C Secure Coding | FIO06-C | | Create files with appropriate access permissions |
Submissions
Submission Date | Submitter | Organization | Source |
---|---|---|---|
 | PLOVER | | Externally Mined |
Modifications
Modification Date | Modifier | Organization | Source | Change |
---|---|---|---|---|
2008-07-01 | Eric Dalci | Cigital | External | updated Time of Introduction |
2008-09-08 | CWE Content Team | MITRE | Internal | updated Relationships, Taxonomy Mappings, Weakness Ordinalities |
2008-11-24 | CWE Content Team | MITRE | Internal | updated Relationships, Taxonomy Mappings |
2009-05-27 | CWE Content Team | MITRE | Internal | updated Description, Name |
Previous Entry Names
Change Date | Previous Entry Name |
---|---|
2009-05-27 | Insecure Default Permissions |