Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CWE-732: Insecure Directory Permissions #4222

Closed
omordyk opened this issue Jan 9, 2025 · 0 comments · Fixed by #4223
Closed

CWE-732: Insecure Directory Permissions #4222

omordyk opened this issue Jan 9, 2025 · 0 comments · Fixed by #4223
Assignees
@omordyk
Labels
security

Comments

@omordyk
Copy link
Contributor

omordyk commented Jan 9, 2025
edited
Loading

Description:
CWE-732: Insecure Directory Permissions
A sensitive sink functions were discovered. It causes a High severity Insecure Directory Permissions vulnerability.

The permission mode is passed as an integer to the os.MkdirAll function, which can lead to unintended permissions. The issue stems from how the permissions are specified in Go. The resulting permissions may be interpreted incorrectly.
To prevent unintended permissions, you should specify the mode in octal format.

List of problem places:

cluster_install_files.go:154
css.go:340
certificate.go:44
dependency.go:241
policy_file.go:916
resource_manager.go:97
utils.go:402
cluster_install_files.go:444
utils.go:421

https://cwe.mitre.org/data/definitions/732.html
@omordyk omordyk self-assigned this Jan 9, 2025
omordyk added a commit that referenced this issue Jan 9, 2025
@omordyk
#4222 - CWE-732: Insecure Directory Permissions vulnerabilities
1a19086 
Signed-off-by: Oleksandr Mordyk <[email protected]>
@omordyk omordyk mentioned this issue Jan 9, 2025
Merged
12 tasks
@omordyk omordyk linked a pull request Jan 9, 2025 that will close this issue
CWE-732: Insecure Directory Permissions #4223
Merged
12 tasks
omordyk added a commit that referenced this issue Jan 9, 2025
@omordyk
#4222 - CWE-732: Insecure Directory Permissions vulnerabilities
4b108aa 
Signed-off-by: Oleksandr Mordyk <[email protected]>
LiilyZhang pushed a commit to LiilyZhang/anax that referenced this issue Jan 30, 2025
@omordyk @LiilyZhang
open-horizon#4222 - CWE-732: Insecure Directory Permissions vulnerabi…
a4d8b56 
…lities

Signed-off-by: Oleksandr Mordyk <[email protected]>
LiilyZhang added a commit that referenced this issue Jan 31, 2025
@LiilyZhang
Merge pull request #4231 from LiilyZhang/zhangl/cp4222
c1817fc 
#4222 - CWE-732: Insecure Directory Permissions vulnerabi…
LiilyZhang pushed a commit to LiilyZhang/anax that referenced this issue Mar 3, 2025
@omordyk @LiilyZhang
open-horizon#4222 - CWE-732: Insecure Directory Permissions vulnerabi…
74bcb97 
…lities

Signed-off-by: Oleksandr Mordyk <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@omordyk omordyk

Labels
security
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

CWE-732: Insecure Directory Permissions open-horizon/anax
1 participant
@omordyk