CWE-732 1684 個 CVE MITRE 定義 ↗

CWE-732:Incorrect Permission Assignment for Critical Resource

概覽

CWE-732(Incorrect Permission Assignment for Critical Resource)描述一種在漏洞資料庫與安全評估中使用的弱點類型;定義、背景與對應 CVE 見下方各節。

安全影響
安全影響:因產品與情境而異;請結合 CVE 紀錄、嚴重度評分與 MITRE 說明進行優先級判斷。

描述

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

適用平台

類型 名稱 普遍性 OS / CPE
language Not Language-Specific Undetermined
technology Not Technology-Specific Undetermined
technology Cloud Computing Often

本庫相關 CVE

下列 CVE 在本庫中對應到該弱點,並保留以便追溯與檢索。

CVE 公開時間 摘要
CVE-2026-49445 2026-07-15 Cilium is a networking, observability, and security solution. Prior to 1.17.14, 1.18.8, and 1.19.2, when Cilium L7 functionality is enabled, the embedded or standalone Envoy instance creates a world-a…
CVE-2026-15779 2026-07-15 A flaw was found in samba's pam_winbind. When mkhomedir is enabled, pam_winbind chowns the target account's home directory without validating the path is not a critical system directory such as /. On …
CVE-2026-53486 2026-07-14 The decompress package for Node.js extracts archives. Prior to 10.2.1 and 11.1.3, archive extraction can create files and links outside the target directory. When extracting an archive to a directory,…
CVE-2026-62195 2026-07-13 OpenClaw versions 2026.5.20 before 2026.6.6 contain an authorization bypass vulnerability in the MCP loopback feature that allows lower-trust callers to execute owner-only tools. Attackers can bypass …
CVE-2026-62194 2026-07-13 OpenClaw versions 2026.5.20 before 2026.6.9 contain a privilege escalation vulnerability in plugin install commands that allows lower-trust callers to execute or persist actions beyond their intended …
CVE-2026-59148 2026-07-09 Mockoon provides way to design and run mock APIs. Prior to 9.7.0, Mockoon's admin API in commons-server/src/libs/server/admin-api.ts is mounted on the same Express listener as user-defined mock routes…
CVE-2026-59946 2026-07-08 Composer is a dependency Manager for the PHP language. Prior to 2.2.29 and 2.10.2, a Composer package bin entry containing .. path segments can resolve outside the package install directory and cause …
CVE-2026-9085 2026-07-05 Incorrect Permission Assignment for Critical Resource, Improper Access Control vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus-Parental-Control allows DNS Spoofing. Th…
CVE-2026-58424 2026-07-03 Permanent Fork PR Workflow Approval Gate Bypass
CVE-2026-44268 2026-07-03 Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 throu…
CVE-2026-13079 2026-07-02 A local privilege escalation vulnerability in the WatchGuard Mobile VPN with SSL client for Windows allows a local attacker to escalate their privileges to NT AUTHORITY\SYSTEM on the machine where the…
CVE-2026-13769 2026-07-01 Overly permissive file permissions in AWS CLI before 1.44.78 (v1) and 2.34.29 (v2) on Unix-like systems where the umask has not been configured to restrict file permissions (the default on most system…
CVE-2026-58174 2026-06-30 Hermes WebUI before 0.51.521 validates the workspace of an imported session under the active named profile but constructs the Session object without setting its profile in the /api/session/import hand…
CVE-2026-43721 2026-06-29 This issue was addressed through improved state management. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. A malicious website may be able to silently hijack c…
CVE-2026-55441 2026-06-26 mise manages dev tools like node, python, cmake, and terraform. Prior to 2026.6.4, mise's trust feature gates config files (mise.toml, .tool-versions) through trust_check, but task-include files are l…
CVE-2026-9651 2026-06-25 CWE-732 Incorrect Permission Assignment for Critical Resource vulnerability that could cause unauthorized disclosure of password hashes and potential account compromise when an attacker with privilege…
CVE-2026-32315 2026-06-24 motionEye (mEye) is an online interface for motion software, a video surveillance program with motion detection. Versions prior to 0.44.0 create the configuration file /etc/motioneye/motion.conf with …
CVE-2026-54327 2026-06-23 Pi is a minimal terminal coding harness. From 0.74.0 until 0.78.1, Pi stored API keys and OAuth credentials in auth.json. A race condition in the file write path could briefly create or rewrite this f…
CVE-2026-12957 2026-06-23 Improper trust boundary enforcement in Language Servers for AWS before version 1.65.0 on all supported platforms may allow a for arbitrary code execution. If a local user opens a maliciously crafted w…
CVE-2026-49340 2026-06-19 gonic is a music streaming server / free-software subsonic server API implementation. Prior to version 0.21.0, a logic error in `ServeCreateOrUpdatePlaylist` allows any authenticated Subsonic user (in…

曾用名

  • Insecure Permission Assignment for Resource (2009-01-12)
  • Insecure Permission Assignment for Critical Resource (2009-05-27)

內容提交

名稱
CWE Content Team
組織
MITRE
日期
2008-09-08
版本
1.0
評論
new weakness-focused entry for Research view.

內容修訂

日期 名稱 版本 重要性 評論
2009-01-12 CWE Content Team 1.2 updated Description, Likelihood_of_Exploit, Name, Potential_Mitigations, Relationships
2009-03-10 CWE Content Team 1.3 updated Potential_Mitigations, Related_Attack_Patterns
2009-05-27 CWE Content Team 1.4 updated Name
2009-12-28 CWE Content Team 1.7 updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Detection_Factors, Modes_of_Introduction, Observed_Examples, Potential_Mitigations, References
2010-02-16 CWE Content Team 1.8 updated Relationships
2010-04-05 CWE Content Team 1.8.1 updated Potential_Mitigations, Related_Attack_Patterns
2010-06-21 CWE Content Team 1.9 updated Common_Consequences, Detection_Factors, Potential_Mitigations, References, Relationships
2010-09-27 CWE Content Team 1.10 updated Potential_Mitigations, Relationships
2010-12-13 CWE Content Team 1.11 updated Potential_Mitigations
2011-03-29 CWE Content Team 1.12 updated Demonstrative_Examples, Description, Relationships
2011-06-01 CWE Content Team 1.13 updated Common_Consequences, Relationships, Taxonomy_Mappings
2011-06-27 CWE Content Team 2.0 updated Relationships
2011-09-13 CWE Content Team 2.1 updated Potential_Mitigations, References, Relationships, Taxonomy_Mappings
2012-05-11 CWE Content Team 2.2 updated References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings
2012-10-30 CWE Content Team 2.3 updated Potential_Mitigations
2013-07-17 CWE Content Team 2.5 updated References
2014-07-30 CWE Content Team 2.8 updated Detection_Factors, Relationships
2017-01-19 CWE Content Team 2.10 updated Related_Attack_Patterns, Relationships
2017-11-08 CWE Content Team 3.0 updated Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings
2019-01-03 CWE Content Team 3.2 updated Related_Attack_Patterns, Relationships, Taxonomy_Mappings
2019-06-20 CWE Content Team 3.3 updated Relationships
2019-09-19 CWE Content Team 3.4 updated Maintenance_Notes, Relationships
2020-02-24 CWE Content Team 4.0 updated Applicable_Platforms, Description, Detection_Factors, Modes_of_Introduction, Relationships
2020-08-20 CWE Content Team 4.2 updated Relationships
2020-12-10 CWE Content Team 4.3 updated Relationships
2021-07-20 CWE Content Team 4.5 updated Observed_Examples, Relationships
2022-10-13 CWE Content Team 4.9 updated Demonstrative_Examples, Observed_Examples, References
2023-01-31 CWE Content Team 4.10 updated Applicable_Platforms, Description, References
2023-04-27 CWE Content Team 4.11 updated Demonstrative_Examples, Description, Potential_Mitigations, References, Relationships
2023-06-29 CWE Content Team 4.12 updated Mapping_Notes, Relationships
2025-09-09 CWE Content Team 4.18 updated Detection_Factors, References
2025-12-11 CWE Content Team 4.19 updated Relationships, Weakness_Ordinalities
cvelogic Threat Intelligence