Incorrect Privilege Assignment
Weakness ID: 266 (Weakness Base) | Status: Draft
Description Summary
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Example 1
Evidence of privilege change:
(Bad Code)
Example Language: C
```c
#include <unistd.h>
/* Raise the effective uid to root, do work, then lower it again.
 * The saved set-user-ID still holds root, so the drop is temporary. */
seteuid(0);
/* do some stuff */
seteuid(getuid());
```
(Bad Code)
Example Language: Java
```java
import java.security.AccessController;
import java.security.PrivilegedAction;

AccessController.doPrivileged(new PrivilegedAction() {
    public Object run() {
        // privileged code goes here, for example:
        System.loadLibrary("awt");
        return null; // nothing to return
    }
});
```
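For contrast with the seteuid(0) ... seteuid(getuid()) pattern above, and as an illustration of the least-privilege mitigation this entry recommends, here is an added C example (not code from the CWE entry) that drops root permanently in the required order and then verifies that root cannot be regained. The names drop_privileges and privileges_dropped are this example's own.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE /* glibc: declare setgroups(), seteuid() etc. */
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Give up root for good. Order matters: supplementary groups, then the
 * primary gid, then the uid. After setuid() the process can no longer
 * change its groups, and setuid() as root also clears the saved uid. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Only root may clear supplementary groups; unprivileged callers skip it. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    return 0;
}

/* Returns 1 only if the drop is irreversible. A process whose saved uid
 * still holds root (the pattern in the bad code above) would succeed in
 * regaining euid 0 here and therefore fail this check. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    if (uid != 0 && seteuid(0) == 0)
        return 0;   /* regained root: privileges were never really dropped */
    if (gid != 0 && setegid(0) == 0)
        return 0;
    return getuid() == uid && geteuid() == uid &&
           getgid() == gid && getegid() == gid;
}

int main(void)
{
    /* Constructed target: the caller's own ids. A real setuid program
     * would pass the uid/gid of a dedicated unprivileged account. */
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (drop_privileges(uid, gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("privileges dropped: %s\n", privileges_dropped(uid, gid) ? "yes" : "NO");
    return 0;
}
```

Run as root with a real unprivileged uid/gid, the verification step is what catches a drop that only changed the effective id.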
Observed Examples
Reference | Description |
---|---|
CVE-1999-1193 | Untrusted user placed in Unix "wheel" group. |
CVE-2005-2741 | Product allows users to grant themselves certain rights that can be used to escalate privileges. |
CVE-2005-2496 | Product uses group ID of a user instead of the group, causing it to run with different privileges. This is resultant from some other unknown issue. |
CVE-2004-0274 | Product mistakenly assigns a particular status to an entity, leading to increased privileges. |
Potential Mitigations
Very carefully manage the setting, management and handling of privileges. Explicitly manage trust zones in the software.
Follow the principle of least privilege when assigning access rights to entities in a software system.
Weakness Ordinalities
Ordinality | Description |
---|---|
Resultant | (where the weakness is typically related to the presence of some other weaknesses) |
Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to |
---|---|---|---|---|
ChildOf | Category | 265 | Privilege / Sandbox Issues | Development Concepts (primary) 699 |
ChildOf | Weakness Base | 269 | Improper Privilege Management | Research Concepts (primary) 1000 |
ChildOf | Category | 634 | Weaknesses that Affect System Processes | Resource-specific Weaknesses (primary) 631 |
ChildOf | Category | 723 | OWASP Top Ten 2004 Category A2 - Broken Access Control | Weaknesses in OWASP Top Ten (2004) (primary) 711 |
CanAlsoBe | Weakness Class | 286 | Incorrect User Management | Research Concepts 1000 |
ParentOf | Weakness Variant | 9 | J2EE Misconfiguration: Weak Access Permissions for EJB Methods | Research Concepts (primary) 1000 |
ParentOf | Weakness Variant | 520 | .NET Misconfiguration: Use of Impersonation | Research Concepts (primary) 1000 |
ParentOf | Weakness Variant | 556 | ASP.NET Misconfiguration: Use of Identity Impersonation | Research Concepts (primary) 1000 |
Content History
Submissions
Submission Date | Submitter | Organization | Source |
---|---|---|---|
 | PLOVER | | Externally Mined |
Modifications
Modification Date | Modifier | Organization | Source | Notes |
---|---|---|---|---|
2008-07-01 | Eric Dalci | Cigital | External | updated Time of Introduction |
2008-09-08 | CWE Content Team | MITRE | Internal | updated Description, Relationships, Taxonomy Mappings, Weakness Ordinalities |
2009-03-10 | CWE Content Team | MITRE | Internal | updated Relationships |
2009-12-28 | CWE Content Team | MITRE | Internal | updated Potential Mitigations |