Privilege Defined With Unsafe Actions
Weakness ID: 267 (Weakness Base) | Status: Incomplete
Description Summary
A particular privilege, role, capability, or right can be used to perform unsafe actions that were not intended, even when it is assigned to the correct entity.
Observed Examples
Reference | Description
---|---
CVE-2002-1981 | Roles have access to dangerous procedures (Accessible entities).
CVE-2002-1671 | Untrusted object/method gets access to clipboard (Accessible entities).
CVE-2004-2204 | Gain privileges using functions/tags that should be restricted (Accessible entities).
CVE-2000-0315 | Traceroute program allows unprivileged users to modify source address of packet (Accessible entities).
CVE-2004-0380 | Bypass domain restrictions using a particular file that references unsafe URI schemes (Accessible entities).
CVE-2002-1154 | Script does not restrict access to an update command, leading to resultant disk consumption and filled error logs (Accessible entities).
CVE-2002-1145 | "public" database user can use stored procedure to modify data controlled by the database owner (Unsafe privileged actions).
CVE-2000-0506 | User with capability can prevent setuid program from dropping privileges (Unsafe privileged actions).
CVE-2002-2042 | Allows attachment to and modification of privileged processes (Unsafe privileged actions).
CVE-2000-1212 | User with privilege can edit raw underlying object using unprotected method (Unsafe privileged actions).
CVE-2005-1742 | Inappropriate actions allowed by a particular role (Unsafe privileged actions).
CVE-2001-1480 | Untrusted entity allowed to access the system clipboard (Unsafe privileged actions).
CVE-2001-1551 | Extra Linux capability allows bypass of system-specified restriction (Unsafe privileged actions).
CVE-2001-1166 | User with debugging rights can read entire process (Unsafe privileged actions).
CVE-2005-1816 | Non-root admins can add themselves or others to the root admin group (Unsafe privileged actions).
CVE-2005-2173 | Users can change certain properties of objects to perform otherwise unauthorized actions (Unsafe privileged actions).
CVE-2005-2027 | Certain debugging commands not restricted to just the administrator, allowing registry modification and infoleak (Unsafe privileged actions).
Potential Mitigations
Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Follow the principle of least privilege when assigning access rights to entities in a software system. Review not only who holds each privilege but what the privilege actually allows: a privilege granted to the right entity is still a weakness if the actions it unlocks reach beyond what that entity needs.
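The distinction the description draws, a privilege that is held by the correct entity but is defined to permit an unsafe action, and the least-privilege check that catches it, as an added example in Python. It is constructed for this page and is not code from the CWE entry or from any product in the observed examples; the directory layout, the group names (root_admins, group_admins, staff), the users, and the add_member action are assumptions. The unsafe form has the same shape as the CVE-2005-1816 description above (non-root admins able to add themselves to the root admin group); the scoped form restricts the action's target, and reachable_groups audits the resulting policy for escalation paths.

```python
"""Constructed illustration of CWE-267 (not the CWE entry's own code):
a legitimately assigned 'group admin' role whose add_member action is
defined without a target restriction, beside a least-privilege version
and a static check for escalation paths. All names and data are made up."""

from __future__ import annotations

from dataclasses import dataclass

ROOT = "root_admins"  # assumed name of the most privileged group


class Denied(Exception):
    """Raised when the policy refuses an action."""


@dataclass
class Directory:
    # group name -> members (constructed sample data)
    groups: dict[str, set[str]]
    # group name -> groups whose members may administer it
    managed_by: dict[str, set[str]]

    def member_of(self, user: str) -> set[str]:
        return {g for g, members in self.groups.items() if user in members}


def sample_directory() -> Directory:
    """Constructed directory: alice is root, bob is a group admin, carol is staff."""
    return Directory(
        groups={ROOT: {"alice"}, "group_admins": {"bob"}, "staff": {"bob", "carol"}},
        managed_by={ROOT: {ROOT}, "group_admins": {ROOT}, "staff": {ROOT, "group_admins"}},
    )


def add_member_unsafe(d: Directory, actor: str, group: str, new_member: str) -> None:
    """The weakness. The role check is correct (only admins get past it), but the
    action it unlocks carries no target restriction, so a group admin can add
    themselves to the root group."""
    if not d.member_of(actor) & {ROOT, "group_admins"}:
        raise Denied(f"{actor} holds no admin role")
    d.groups.setdefault(group, set()).add(new_member)


def add_member_scoped(d: Directory, actor: str, group: str, new_member: str) -> None:
    """Least privilege: the action is valid only over groups that one of the
    actor's own groups is declared to manage. Unknown groups are refused,
    never created as a side effect."""
    managers = d.managed_by.get(group)
    if managers is None:
        raise Denied(f"unknown group {group}")
    if not d.member_of(actor) & managers:
        raise Denied(f"{actor} does not manage {group}")
    d.groups.setdefault(group, set()).add(new_member)


def reachable_groups(d: Directory) -> dict[str, set[str]]:
    """Audit the scoped policy as a graph: members of g can join every group
    that lists g as a manager, and from there everything that group can join."""
    reach: dict[str, set[str]] = {}
    for start in d.groups:
        seen = {start}
        frontier = [start]
        while frontier:
            g = frontier.pop()
            for target, managers in d.managed_by.items():
                if g in managers and target not in seen:
                    seen.add(target)
                    frontier.append(target)
        reach[start] = seen - {start}
    return reach


def escalating_groups(d: Directory) -> set[str]:
    """Groups whose members can reach ROOT through the policy without holding it."""
    return {g for g, r in reachable_groups(d).items() if ROOT in r}


def is_denied(action, *args) -> bool:
    """True if the action raises Denied; lets callers assert on outcomes."""
    try:
        action(*args)
    except Denied:
        return True
    return False


if __name__ == "__main__":
    d = sample_directory()
    add_member_unsafe(d, "bob", ROOT, "bob")
    print("unsafe:", ROOT, "=", sorted(d.groups[ROOT]))          # bob is now root
    d = sample_directory()
    print("scoped denied:", is_denied(add_member_scoped, d, "bob", ROOT, "bob"))
    print("escalation paths:", escalating_groups(d))             # none for the sample
    d.managed_by[ROOT].add("group_admins")                       # a misconfiguration
    print("escalation paths:", escalating_groups(d))             # {'group_admins'}
```

The point of reachable_groups is that it audits the privilege definition rather than the assignment: run over the policy as deployed, it reports any group that can reach root without holding it, which is exactly the condition the scoped version is meant to rule out and which a single misconfigured manager entry reintroduces.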
Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to
---|---|---|---|---
ChildOf | Category | 265 | Privilege / Sandbox Issues | Development Concepts (primary) 699
ChildOf | Weakness Base | 269 | Improper Privilege Management | Research Concepts (primary) 1000
ParentOf | Weakness Variant | 623 | Unsafe ActiveX Control Marked Safe For Scripting | Development Concepts (primary) 699; Research Concepts (primary) 1000
Related Attack Patterns
CAPEC-ID | Attack Pattern Name (CAPEC Version: 1.4)
---|---
58 | Restful Privilege Elevation
Relationship Notes
This overlaps authorization and access control problems.
Maintenance Notes
Note: there are 2 separate sub-categories here:
- privilege incorrectly allows entities to perform certain actions
- object is incorrectly accessible to entities with a given privilege
Content History
Submissions
Submission Date | Submitter | Organization | Source
---|---|---|---
 | PLOVER | | Externally Mined
Modifications
Modification Date | Modifier | Organization | Source | Comment
---|---|---|---|---
2008-07-01 | Eric Dalci | Cigital | External | updated Time of Introduction
2008-09-08 | CWE Content Team | MITRE | Internal | updated Description, Maintenance Notes, Relationships, Taxonomy Mappings
2008-11-24 | CWE Content Team | MITRE | Internal | updated Relationships
2009-12-28 | CWE Content Team | MITRE | Internal | updated Potential Mitigations
Previous Entry Names
Change Date | Previous Entry Name
---|---
2008-04-11 | Unsafe Privilege