Common Weakness Enumeration

CWE-277

Allowed

Insecure Inherited Permissions

Abstraction: Variant · Status: Draft

A product defines a set of insecure permissions that are inherited by objects that are created by the program.

116 vulnerabilities reference this CWE, most recent first.

GHSA-J83C-HH5W-39VJ

Vulnerability from github – Published: 2024-05-16 21:32 – Updated: 2024-05-16 21:32
VLAI
Details

Insecure inherited permissions in some Intel(R) XTU software before version 7.14.0.15 may allow an authenticated user to potentially enable escalation of privilege via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-21835"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-277",
      "CWE-732"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-16T21:16:04Z",
    "severity": "MODERATE"
  },
  "details": "Insecure inherited permissions in some Intel(R) XTU software before version 7.14.0.15 may allow an authenticated user to potentially enable escalation of privilege via local access.",
  "id": "GHSA-j83c-hh5w-39vj",
  "modified": "2024-05-16T21:32:02Z",
  "published": "2024-05-16T21:32:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21835"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01066.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JHHR-8858-58W9

Vulnerability from github – Published: 2024-07-19 18:31 – Updated: 2024-08-01 15:32
VLAI
Details

Insecure Permissions vulnerability in lin-CMS v.0.2.0 and before allows a remote attacker to obtain sensitive information via the login method in the UserController.java component.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-41601"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-277",
      "CWE-378"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-19T17:15:03Z",
    "severity": "HIGH"
  },
  "details": "Insecure Permissions vulnerability in lin-CMS v.0.2.0 and before allows a remote attacker to obtain sensitive information via the login method in the UserController.java component.",
  "id": "GHSA-jhhr-8858-58w9",
  "modified": "2024-08-01T15:32:06Z",
  "published": "2024-07-19T18:31:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41601"
    },
    {
      "type": "WEB",
      "url": "https://github.com/topsky979/Security-Collections/tree/main/CVE-2024-41601"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JQF7-WH3W-W6M5

Vulnerability from github – Published: 2023-05-10 15:30 – Updated: 2024-04-04 03:59
VLAI
Details

Insecure inherited permissions in the Intel(R) NUC Software Studio Service installer before version 1.17.38.0 may allow an authenticated user to potentially enable escalation of privilege via local access

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-38103"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-277",
      "CWE-732"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-10T14:15:13Z",
    "severity": "HIGH"
  },
  "details": "Insecure inherited permissions in the Intel(R) NUC Software Studio Service installer before version 1.17.38.0 may allow an authenticated user to potentially enable escalation of privilege via local access",
  "id": "GHSA-jqf7-wh3w-w6m5",
  "modified": "2024-04-04T03:59:28Z",
  "published": "2023-05-10T15:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38103"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00854.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M4JX-M5HG-QRXX

Vulnerability from github – Published: 2025-05-31 03:30 – Updated: 2025-06-04 01:30
VLAI
Summary
django-helpdesk Allows Sensitive Data Exposure
Details

django-helpdesk before 1.0.0 allows Sensitive Data Exposure because of os.umask(0) in models.py.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "django-helpdesk"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-25111"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-277"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-04T01:30:23Z",
    "nvd_published_at": "2025-05-31T01:15:19Z",
    "severity": "MODERATE"
  },
  "details": "django-helpdesk before 1.0.0 allows Sensitive Data Exposure because of os.umask(0) in models.py.",
  "id": "GHSA-m4jx-m5hg-qrxx",
  "modified": "2025-06-04T01:30:24Z",
  "published": "2025-05-31T03:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25111"
    },
    {
      "type": "WEB",
      "url": "https://github.com/django-helpdesk/django-helpdesk/issues/591"
    },
    {
      "type": "WEB",
      "url": "https://github.com/django-helpdesk/django-helpdesk/pull/1120"
    },
    {
      "type": "WEB",
      "url": "https://github.com/django-helpdesk/django-helpdesk/commit/f872ec252769bee5a88b06d07d3634e580c67bcc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/django-helpdesk/django-helpdesk"
    },
    {
      "type": "WEB",
      "url": "https://github.com/django-helpdesk/django-helpdesk/releases/tag/v1.0.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-helpdesk/PYSEC-2025-44.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "django-helpdesk Allows Sensitive Data Exposure"
}

GHSA-MF7C-35MQ-75PJ

Vulnerability from github – Published: 2022-05-14 03:24 – Updated: 2022-07-06 19:45
VLAI
Summary
Insecure Inherited Permissions in Apache Hadoop
Details

In Apache Hadoop 2.x before 2.7.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.7.3"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.hadoop:hadoop-common"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0-alpha"
            },
            {
              "fixed": "2.7.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2016-6811"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-277"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-06T19:45:49Z",
    "nvd_published_at": "2017-04-11T14:59:00Z",
    "severity": "HIGH"
  },
  "details": "In Apache Hadoop 2.x before 2.7.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.",
  "id": "GHSA-mf7c-35mq-75pj",
  "modified": "2022-07-06T19:45:49Z",
  "published": "2022-05-14T03:24:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6811"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/9ba3c12bbdfd5b2cae60909e48f92608e00c8d99196390b8cfeca307@%3Cgeneral.hadoop.apache.org%3E"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Insecure Inherited Permissions in  Apache Hadoop"
}

GHSA-MX8P-8F7V-R77C

Vulnerability from github – Published: 2024-05-16 21:32 – Updated: 2024-05-16 21:32
VLAI
Details

Insecure inherited permissions in Intel(R) Power Gadget software for Windows all versions may allow an authenticated user to potentially enable escalation of privilege via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-45736"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-277"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-16T21:15:58Z",
    "severity": "MODERATE"
  },
  "details": "Insecure inherited permissions in Intel(R) Power Gadget software for Windows all versions may allow an authenticated user to potentially enable escalation of privilege via local access.",
  "id": "GHSA-mx8p-8f7v-r77c",
  "modified": "2024-05-16T21:32:00Z",
  "published": "2024-05-16T21:32:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45736"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01037.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P59G-QJMC-6RF4

Vulnerability from github – Published: 2023-08-31 18:30 – Updated: 2024-04-04 07:20
VLAI
Details

Insecure Inherited Permissions vulnerability in Schweitzer Engineering Laboratories SEL-5033 AcSELerator RTAC Software on Windows allows Leveraging/Manipulating Configuration File Search Paths.

See Instruction Manual Appendix A [Cybersecurity] tag dated 20230522 for more details.

This issue affects SEL-5033 AcSELerator RTAC Software: before 1.35.151.21000.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-34391"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-277",
      "CWE-732"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-31T16:15:10Z",
    "severity": "MODERATE"
  },
  "details": "Insecure Inherited Permissions vulnerability in Schweitzer Engineering Laboratories SEL-5033 AcSELerator RTAC Software on Windows allows Leveraging/Manipulating Configuration File Search Paths.\n\nSee Instruction Manual Appendix A [Cybersecurity] tag dated 20230522 for more details.\n \nThis issue affects SEL-5033 AcSELerator RTAC Software: before 1.35.151.21000.\n\n",
  "id": "GHSA-p59g-qjmc-6rf4",
  "modified": "2024-04-04T07:20:52Z",
  "published": "2023-08-31T18:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34391"
    },
    {
      "type": "WEB",
      "url": "https://dragos.com"
    },
    {
      "type": "WEB",
      "url": "https://selinc.com/support/security-notifications/external-reports"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PR3W-9H6R-G7J3

Vulnerability from github – Published: 2023-11-14 21:31 – Updated: 2023-11-14 21:31
VLAI
Details

Insecure inherited permissions in the installer for some Intel Server Configuration Utility software before version 16.0.9 may allow an authenticated user to potentially enable escalation of privilege via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-34997"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-277",
      "CWE-732"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-14T19:15:28Z",
    "severity": "MODERATE"
  },
  "details": "Insecure inherited permissions in the installer for some Intel Server Configuration Utility software before version 16.0.9 may allow an authenticated user to potentially enable escalation of privilege via local access.",
  "id": "GHSA-pr3w-9h6r-g7j3",
  "modified": "2023-11-14T21:31:02Z",
  "published": "2023-11-14T21:31:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34997"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00925.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PX98-39WC-6WWQ

Vulnerability from github – Published: 2023-05-10 15:30 – Updated: 2024-04-04 04:00
VLAI
Details

Insecure inherited permissions for the Intel(R) NUC Pro Software Suite before version 2.0.0.3 may allow an authenticated user to potentially enable escalation of privilege via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-46656"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-277",
      "CWE-732"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-10T14:15:26Z",
    "severity": "HIGH"
  },
  "details": "Insecure inherited permissions for the Intel(R) NUC Pro Software Suite before version 2.0.0.3 may allow an authenticated user to potentially enable escalation of privilege via local access.",
  "id": "GHSA-px98-39wc-6wwq",
  "modified": "2024-04-04T04:00:17Z",
  "published": "2023-05-10T15:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46656"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00834.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q3JJ-46PQ-826R

Vulnerability from github – Published: 2026-05-04 20:21 – Updated: 2026-05-19 15:56
VLAI
Summary
OpenClaw's ACP child sessions inherit subagent security envelope constraints
Details

Summary

ACP child sessions inherit subagent security envelope constraints.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected versions: <= 2026.4.21
  • Fixed version: 2026.4.22

Impact

A restricted subagent spawning an ACP child session could fail to carry forward subagent-only constraints such as depth, child-count limits, control scope, or target-agent restrictions.

Fix

ACP spawn now resolves and persists child subagent envelope fields, enforces maximum depth and active-child caps, and applies the inherited control scope to child ACP sessions.

Fix Commit(s)

  • 31160dc069b7cc5d833b39c53736a41ad3befda2

Verification

  • The fix commit is contained in the public v2026.4.22 tag.
  • openclaw@2026.4.22 is published on npm and the compiled package contains the fix.
  • Focused regression coverage for this path passed before publication.

OpenClaw thanks @zsxsoft, @qclawer, and @KeenSecurityLab for reporting.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2026.4.21"
      },
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.4.22"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44997"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-277"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-04T20:21:49Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\nACP child sessions inherit subagent security envelope constraints.\n\n## Affected Packages / Versions\n- Package: openclaw (npm)\n- Affected versions: \u003c= 2026.4.21\n- Fixed version: 2026.4.22\n\n## Impact\nA restricted subagent spawning an ACP child session could fail to carry forward subagent-only constraints such as depth, child-count limits, control scope, or target-agent restrictions.\n\n## Fix\nACP spawn now resolves and persists child subagent envelope fields, enforces maximum depth and active-child caps, and applies the inherited control scope to child ACP sessions.\n\n## Fix Commit(s)\n- 31160dc069b7cc5d833b39c53736a41ad3befda2\n\n## Verification\n- The fix commit is contained in the public v2026.4.22 tag.\n- openclaw@2026.4.22 is published on npm and the compiled package contains the fix.\n- Focused regression coverage for this path passed before publication.\n\nOpenClaw thanks @zsxsoft, @qclawer, and @KeenSecurityLab for reporting.",
  "id": "GHSA-q3jj-46pq-826r",
  "modified": "2026-05-19T15:56:24Z",
  "published": "2026-05-04T20:21:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-q3jj-46pq-826r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44997"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/31160dc069b7cc5d833b39c53736a41ad3befda2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-security-envelope-constraint-bypass-in-acp-child-sessions"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw\u0027s ACP child sessions inherit subagent security envelope constraints"
}

Mitigation MIT-1
Architecture and Design Operation

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

Mitigation MIT-46
Architecture and Design

Strategy: Separation of Privilege

  • Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
  • Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

No CAPEC attack patterns related to this CWE.