CWE-276 Incorrect Default Permissions
What this means
SiteShadow flagged default permissions that are too permissive (files created world-readable/world-writable, buckets or resources opened broadly by default).
Why it matters
Excessive permissions allow unintended access to sensitive data.
- Data exposure: other users/processes can read secrets or private data.
- Tampering: overly broad write permissions enable modification and persistence.
- These issues often stay hidden until production or multi-tenant environments, where other users and processes share the same host or storage.
Safer examples
1) Use least-privilege permissions on creation
Create files with owner-only permissions unless sharing is explicitly intended.
2) Separate public and private resources
If something must be public (static assets), keep it isolated from sensitive storage.
3) Review defaults in IaC and frameworks
Many exposures happen because defaults were accepted without review (see CLOUD01).
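The following is an added example illustrating points 1 and 3 above; it is not SiteShadow's own code and not from the CWE entry. It assumes a POSIX filesystem and Python 3: `create_private_file` creates a file with owner-only permissions at creation time (the mode passed to `os.open` is only ever narrowed by the process umask, never widened, and `O_EXCL` refuses to reuse a pre-existing, possibly world-readable file), and `permission_findings` is a small checker of the kind a reviewer or scanner would run to flag group/world access bits that an accepted default left behind. The file name and contents in `demo` are constructed sample values.

```python
import os
import stat
import tempfile


def create_private_file(path: str, data: bytes = b"") -> None:
    """Create `path` readable and writable only by its owner (mode 0600).

    Passing the mode to os.open sets it atomically at creation; a permissive
    umask can only clear bits from 0600, never add group/world access.
    O_EXCL makes the call fail if the file already exists, so an existing
    file with looser permissions is never silently reused.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:  # fdopen takes ownership of fd and closes it
        f.write(data)


def create_private_dir(path: str) -> None:
    """Create a directory only its owner may enter, list or modify (mode 0700)."""
    os.mkdir(path, 0o700)


def permission_findings(path: str) -> list:
    """Return human-readable findings for every access bit beyond the owner's.

    An empty list means the file is owner-only. Findings are ordered from
    most to least severe so the first entry is the one to fix first.
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    checks = [
        (stat.S_IWOTH, "world-writable"),
        (stat.S_IROTH, "world-readable"),
        (stat.S_IWGRP, "group-writable"),
        (stat.S_IRGRP, "group-readable"),
    ]
    return [label for bit, label in checks if mode & bit]


def demo():
    """Create a private file, check it, then loosen it to a typical unreviewed
    default (0644) and show the checker catching the exposure.

    Returns (findings_before, findings_after).
    """
    workdir = tempfile.mkdtemp(prefix="cwe276-")  # fresh scratch directory
    secret = os.path.join(workdir, "api_token.txt")  # constructed sample name
    create_private_file(secret, b"constructed-sample-token\n")  # constructed content
    before = permission_findings(secret)

    # The "accepted default" many frameworks apply: readable by every user on the host.
    os.chmod(secret, 0o644)
    after = permission_findings(secret)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("owner-only file:", before or "no findings")
    print("after 0644 default:", after)
```

Run the file directly to see the checker report nothing for the freshly created file and then list the group and world read bits once the file has been loosened to 0644. In a codebase, the same `permission_findings` logic can be pointed at any path a service writes (key material, session stores, upload directories) as a startup self-check.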
How SiteShadow detects it (high level)
- Flags "open permissions" patterns in configs and code where resources are created.
- Highlights defaults that grant broader access than typical secure baselines.
References
- CWE-276: https://cwe.mitre.org/data/definitions/276.html
---