CWE-276: Incorrect Default Permissions
CWE Version: 4.18
Updated: 2025-09-09
Weakness Description
During installation, installed file permissions are set to allow anyone to modify those files.
Common Consequences
Scope: Confidentiality; Integrity
Technical Impact: Read Application Data; Modify Application Data
Potential Mitigations
Phase: Architecture and Design; Operation
Description: The architecture needs to restrict the access and modification attributes of files to only those users who actually require those actions.
Phase: Architecture and Design
Strategy: Separation of Privilege
Detection Methods
Method: Automated Static Analysis - Binary or Bytecode
Effectiveness: SOAR Partial
Method: Manual Static Analysis - Binary or Bytecode
Effectiveness: SOAR Partial
Method: Dynamic Analysis with Automated Results Interpretation
Effectiveness: SOAR Partial
Method: Dynamic Analysis with Manual Results Interpretation
Effectiveness: High
Method: Manual Static Analysis - Source Code
Effectiveness: High
Method: Automated Static Analysis - Source Code
Effectiveness: SOAR Partial
Method: Automated Static Analysis
Effectiveness: SOAR Partial
Method: Architecture or Design Review
Effectiveness: High
Observed Examples
Reference: CVE-2005-1941
Executables installed world-writable.
Reference: CVE-2002-1713
Home directories installed world-readable.
Reference: CVE-2001-1550
World-writable log files allow information loss; world-readable file has cleartext passwords.
Reference: CVE-2002-1711
World-readable directory.
Reference: CVE-2002-1844
Windows product uses insecure permissions when installing on Solaris (genesis: port error).
Reference: CVE-2001-0497
Insecure permissions for a shared secret key file. Overlaps cryptographic problem.
Reference: CVE-1999-0426
Default permissions of a device allow IP spoofing.
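As an added example that is not part of the CWE entry, the following Python script puts the mitigation and the observed pattern side by side: it audits an install tree for world-writable entries (the defect behind CVE-2005-1941), installs files with an explicit mode as CERT FIO06-C / FIO01-J require, and strips the other-write bit from anything flagged. The install tree it builds is constructed in a temporary directory; it assumes a POSIX filesystem.

```python
import os
import stat
import tempfile

def world_writable_files(root):
    """Relative paths under root that any local user may modify (the CWE-276
    condition). Sticky directories are tolerated; symlinks are skipped."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode) or not mode & stat.S_IWOTH:
                continue
            if stat.S_ISDIR(mode) and mode & stat.S_ISVTX:
                continue
            found.append(os.path.relpath(path, root))
    return sorted(found)

def install_file(path, data, mode):
    """Create a file with an explicit mode (the CERT FIO06-C / FIO01-J rule).
    O_EXCL refuses a pre-existing file or link; fchmod overrides the umask."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    with os.fdopen(fd, "wb") as f:
        os.fchmod(fd, mode)
        f.write(data)

def strip_world_write(root):
    """Remediation: clear the other-write bit on everything the audit flags."""
    for rel in world_writable_files(root):
        path = os.path.join(root, rel)
        os.chmod(path, stat.S_IMODE(os.stat(path).st_mode) & ~stat.S_IWOTH)

def demo():
    """Constructed install tree in a temp dir: install, audit, remediate."""
    root = tempfile.mkdtemp(prefix="cwe276-")
    old_umask = os.umask(0o077)  # install_file's explicit mode must still win
    try:
        os.mkdir(os.path.join(root, "bin"))
        install_file(os.path.join(root, "bin", "tool"), b"#!/bin/sh\n", 0o755)
        install_file(os.path.join(root, "etc.conf"), b"[main]\n", 0o644)
        os.chmod(os.path.join(root, "bin", "tool"), 0o777)  # the installer defect
    finally:
        os.umask(old_umask)
    before = world_writable_files(root)
    strip_world_write(root)
    conf_mode = stat.S_IMODE(os.stat(os.path.join(root, "etc.conf")).st_mode)
    return {"before": before, "after": world_writable_files(root), "conf_mode": conf_mode}
```

Running `demo()` reports `bin/tool` before remediation and nothing after it, while `etc.conf` keeps the declared 0644 despite the restrictive umask in force during installation.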
Modes of Introduction
| Phase | Note |
|---|---|
| Architecture and Design | - |
| Implementation | - |
| Installation | - |
| Operation | - |
Applicable Platforms
Languages
Technologies
Taxonomy Mappings
| Taxonomy Name | Node ID | Node Name | Mapping Fit |
|---|---|---|---|
| PLOVER | - | Insecure Default Permissions | - |
| CERT C Secure Coding | FIO06-C | Create files with appropriate access permissions | - |
| The CERT Oracle Secure Coding Standard for Java (2011) | FIO01-J | Create files with appropriate access permission | - |
| ISA/IEC 62443 | Part 2-4 | Req SP.03.08 | - |
| ISA/IEC 62443 | Part 4-2 | Req CR 2.1 | - |
Key Information
CWE ID: CWE-276
Abstraction: Base
Structure: Simple
Status: Draft
Likelihood of Exploit: Medium