Vulnerabilities > Incorrect Permission Assignment for Critical Resource
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2017-11-16 | CVE-2017-16834 | Incorrect Permission Assignment for Critical Resource vulnerability in Pnp4Nagios PNP4Nagios through 0.6.26 has /usr/bin/npcd and npcd.cfg owned by an unprivileged account but root code execution depends on these files, which allows local users to gain privileges by leveraging access to this unprivileged account. | 7.8 |
| 2017-11-15 | CVE-2017-15288 | Incorrect Permission Assignment for Critical Resource vulnerability in Scala-Lang Scala The compilation daemon in Scala before 2.10.7, 2.11.x before 2.11.12, and 2.12.x before 2.12.4 uses weak permissions for private files in /tmp/scala-devel/${USER:shared}/scalac-compile-server-port, which allows local users to write to arbitrary class files and consequently gain privileges. | 7.8 |
| 2017-11-13 | CVE-2017-3166 | Incorrect Permission Assignment for Critical Resource vulnerability in Apache Hadoop In Apache Hadoop versions 2.6.1 to 2.6.5, 2.7.0 to 2.7.3, and 3.0.0-alpha1, if a file in an encryption zone with access permissions that make it world readable is localized via YARN's localization mechanism, that file will be stored in a world-readable location and can be shared freely with any application that requests to localize that file. | 7.8 |
| 2017-11-10 | CVE-2017-16754 | Incorrect Permission Assignment for Critical Resource vulnerability in Boltcms Bolt Bolt before 3.3.6 does not properly restrict access to _profiler routes, related to EventListener/ProfilerListener.php and Provider/EventListenerServiceProvider.php. | 5.3 |
| 2017-11-09 | CVE-2017-16757 | Incorrect Permission Assignment for Critical Resource vulnerability in Hola VPN 1.34 Hola VPN 1.34 has weak permissions (Everyone:F) under %PROGRAMFILES%, which allows local users to gain privileges via a Trojan horse 7za.exe or hola.exe file. | 7.8 |
| 2017-11-08 | CVE-2017-16659 | Incorrect Permission Assignment for Critical Resource vulnerability in Anti-Spam Smtp Proxy Project Anti-Spam Smtp Proxy 1.9.8.13030 The Gentoo mail-filter/assp package 1.9.8.13030 and earlier allows local users to gain privileges by leveraging access to the assp user account to install a Trojan horse /usr/share/assp/assp.pl script. | 7.8 |
| 2017-11-06 | CVE-2017-16638 | Incorrect Permission Assignment for Critical Resource vulnerability in VDE Project VDE The Gentoo net-misc/vde package before version 2.3.2-r4 may allow members of the "qemu" group to gain root privileges by creating a hard link in a directory on which "chown" is called recursively by the OpenRC service script. | 9.8 |
| 2017-11-03 | CVE-2017-1000153 | Incorrect Permission Assignment for Critical Resource vulnerability in Mahara Mahara 15.04 before 15.04.10 and 15.10 before 15.10.6 and 16.04 before 16.04.4 are vulnerable to incorrect access control after the password reset link is sent via email and then user changes default email, Mahara fails to invalidate old link.Consequently the link in email can be used to gain access to the user's account. | 9.8 |
| 2017-11-03 | CVE-2017-1000134 | Incorrect Permission Assignment for Critical Resource vulnerability in Mahara Mahara 1.8 before 1.8.6 and 1.9 before 1.9.4 and 1.10 before 1.10.1 and 15.04 before 15.04.0 are vulnerable because group members can lose access to the group files they uploaded if another group member changes the access permissions on them. | 8.1 |
| 2017-10-27 | CVE-2017-15945 | Incorrect Permission Assignment for Critical Resource vulnerability in multiple products The installation scripts in the Gentoo dev-db/mysql, dev-db/mariadb, dev-db/percona-server, dev-db/mysql-cluster, and dev-db/mariadb-galera packages before 2017-09-29 have chown calls for user-writable directory trees, which allows local users to gain privileges by leveraging access to the mysql account for creation of a link. | 7.8 |