Privilege Defined With Unsafe Actions
Weakness ID: 267 (Weakness Base)Status: Incomplete
+ Description

Description Summary

A particular privilege, role, capability, or right can be used to perform unsafe actions that were not intended, even when it is assigned to the correct entity.
+ Time of Introduction
  • Architecture and Design
  • Implementation
  • Operation
+ Applicable Platforms



+ Observed Examples
CVE-2002-1981Roles have access to dangerous procedures (Accessible entities).
CVE-2002-1671Untrusted object/method gets access to clipboard (Accessible entities).
CVE-2004-2204Gain privileges using functions/tags that should be restricted (Accessible entities).
CVE-2000-0315Traceroute program allows unprivileged users to modify source address of packet (Accessible entities).
CVE-2004-0380Bypass domain restrictions using a particular file that references unsafe URI schemes (Accessible entities).
CVE-2002-1154Script does not restrict access to an update command, leading to resultant disk consumption and filled error logs (Accessible entities).
CVE-2002-1145"public" database user can use stored procedure to modify data controlled by the database owner (Unsafe privileged actions).
CVE-2000-0506User with capability can prevent setuid program from dropping privileges (Unsafe privileged actions).
CVE-2002-2042Allows attachment to and modification of privileged processes (Unsafe privileged actions).
CVE-2000-1212User with privilege can edit raw underlying object using unprotected method (Unsafe privileged actions).
CVE-2005-1742Inappropriate actions allowed by a particular role(Unsafe privileged actions).
CVE-2001-1480Untrusted entity allowed to access the system clipboard (Unsafe privileged actions).
CVE-2001-1551Extra Linux capability allows bypass of system-specified restriction (Unsafe privileged actions).
CVE-2001-1166User with debugging rights can read entire process (Unsafe privileged actions).
CVE-2005-1816Non-root admins can add themselves or others to the root admin group (Unsafe privileged actions).
CVE-2005-2173Users can change certain properties of objects to perform otherwise unauthorized actions (Unsafe privileged actions).
CVE-2005-2027Certain debugging commands not restricted to just the administrator, allowing registry modification and infoleak (Unsafe privileged actions).
+ Potential Mitigations

Very carefully manage the setting, management and handling of privileges. Explicitly manage trust zones in the software.

Follow the principle of least privilege when assigning access rights to entities in a software system.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfCategoryCategory265Privilege / Sandbox Issues
Development Concepts (primary)699
ChildOfWeakness BaseWeakness Base269Improper Privilege Management
Research Concepts (primary)1000
ParentOfWeakness VariantWeakness Variant623Unsafe ActiveX Control Marked Safe For Scripting
Development Concepts (primary)699
Research Concepts (primary)1000
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERUnsafe Privilege
+ Related Attack Patterns
CAPEC-IDAttack Pattern Name
(CAPEC Version: 1.4)
58Restful Privilege Elevation
+ Maintenance Notes

This overlaps authorization and access control problems.

Note: there are 2 separate sub-categories here:

- privilege incorrectly allows entities to perform certain actions

- object is incorrectly accessible to entities with a given privilege

+ Content History
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time of Introduction
2008-09-08CWE Content TeamMITREInternal
updated Description, Maintenance Notes, Relationships, Taxonomy Mappings
2008-11-24CWE Content TeamMITREInternal
updated Relationships
2009-12-28CWE Content TeamMITREInternal
updated Potential Mitigations
Previous Entry Names
Change DatePrevious Entry Name
2008-04-11Unsafe Privilege