Vulnerabilities > Incorrect Permission Assignment for Critical Resource
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2017-10-27 | CVE-2017-5118 | Incorrect Permission Assignment for Critical Resource vulnerability in multiple products. Blink in Google Chrome prior to 61.0.3163.79 for Mac, Windows, and Linux, and 61.0.3163.81 for Android, failed to correctly propagate CSP restrictions to javascript scheme pages, which allowed a remote attacker to bypass content security policy via a crafted HTML page. | 4.3 |
2017-10-26 | CVE-2017-15906 | Incorrect Permission Assignment for Critical Resource vulnerability in multiple products. The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files. | 5.3 |
2017-10-23 | CVE-2017-7146 | Incorrect Permission Assignment for Critical Resource vulnerability in Apple iPhone OS. An issue was discovered in certain Apple products. | 5.3 |
2017-10-19 | CVE-2017-15611 | Incorrect Permission Assignment for Critical Resource vulnerability in Octopus Deploy. In Octopus before 3.17.7, an authenticated user who was explicitly granted the permission to invite new users (aka UserInvite) can invite users to teams with escalated privileges. | 6.5 |
2017-10-12 | CVE-2017-9514 | Incorrect Permission Assignment for Critical Resource vulnerability in Atlassian Bamboo. Bamboo before 6.0.5, 6.1.x before 6.1.4, and 6.2.x before 6.2.1 had a REST endpoint that parsed a YAML file and did not sufficiently restrict which classes could be loaded. | 8.8 |
2017-10-05 | CVE-2017-1000096 | Incorrect Permission Assignment for Critical Resource vulnerability in Jenkins Pipeline: Groovy. Arbitrary code execution due to incomplete sandbox protection: Constructors, instance variable initializers, and instance initializers in Pipeline scripts were not subject to sandbox protection, and could therefore execute arbitrary code. | 8.8 |
2017-10-05 | CVE-2017-1000095 | Incorrect Permission Assignment for Critical Resource vulnerability in Jenkins Script Security 1.34. The default whitelist included the following unsafe entries: DefaultGroovyMethods.putAt(Object, String, Object); DefaultGroovyMethods.getAt(Object, String). | 6.5 |
2017-10-04 | CVE-2017-9792 | Incorrect Permission Assignment for Critical Resource vulnerability in Apache Impala 2.8.0/2.9.0. In Apache Impala (incubating) before 2.10.0, a malicious user with "ALTER" permissions on an Impala table can access any other Kudu table data by altering the table properties to make it "external" and then changing the underlying table mapping to point to other Kudu tables. | 6.5 |
2017-09-26 | CVE-2017-9958 | Incorrect Permission Assignment for Critical Resource vulnerability in Schneider-Electric U.Motion Builder 1.2.1. An improper access control vulnerability exists in Schneider Electric's U.motion Builder software versions 1.2.1 and prior in which an improper handling of the system configuration can allow an attacker to execute arbitrary code under the context of root. | 7.8 |
2017-09-25 | CVE-2017-14730 | Incorrect Permission Assignment for Critical Resource vulnerability in Elasticsearch Logstash. The init script in the Gentoo app-admin/logstash-bin package before 5.5.3 and 5.6.x before 5.6.1 has "chown -R" calls for user-writable directory trees, which allows local users to gain privileges by leveraging access to a $LS_USER account for creation of a hard link. | 7.8 |