Improper Privilege Management
Weakness ID: 269 (Weakness Base)
Status: Incomplete
+ Description

Description Summary

The software does not properly assign, modify, or track privileges for an actor, creating an unintended sphere of control for that actor.
+ Time of Introduction
  • Architecture and Design
  • Implementation
  • Operation
+ Applicable Platforms

Languages

All

+ Likelihood of Exploit

Medium

+ Observed Examples
Reference       Description
CVE-2001-1555   Terminal privileges are not reset when a user logs out.
CVE-2001-1514   Does not properly pass security context to child processes in certain cases, allows privilege escalation.
CVE-2001-0128   Does not properly compute roles.
+ Potential Mitigations

Very carefully manage the setting, management and handling of privileges. Explicitly manage trust zones in the software.

Follow the principle of least privilege when assigning access rights to entities in a software system.

Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.

+ Weakness Ordinalities
Ordinality   Description
Primary      (where the weakness exists independent of other weaknesses)
+ Relationships
Nature     Type            ID    Name                                           View(s) this relationship pertains to
ChildOf    Category        265   Privilege / Sandbox Issues                     Development Concepts (primary) 699
ChildOf    Weakness Class  668   Exposure of Resource to Wrong Sphere           Research Concepts 1000
ChildOf    Weakness Class  693   Protection Mechanism Failure                   Research Concepts (primary) 1000
ParentOf   Weakness Class  250   Execution with Unnecessary Privileges          Research Concepts 1000
ParentOf   Weakness Base   266   Incorrect Privilege Assignment                 Research Concepts (primary) 1000
ParentOf   Weakness Base   267   Privilege Defined With Unsafe Actions          Research Concepts (primary) 1000
ParentOf   Weakness Base   268   Privilege Chaining                             Research Concepts (primary) 1000
ParentOf   Weakness Base   270   Privilege Context Switching Error              Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf   Weakness Class  271   Privilege Dropping / Lowering Errors           Research Concepts (primary) 1000
ParentOf   Weakness Base   274   Improper Handling of Insufficient Privileges   Research Concepts 1000
ParentOf   Weakness Base   648   Incorrect Use of Privileged APIs               Research Concepts (primary) 1000
+ Causal Nature

Explicit

+ Taxonomy Mappings
Mapped Taxonomy Name   Node ID   Fit   Mapped Node Name
PLOVER                                 Privilege Management Error
+ Related Attack Patterns
(CAPEC Version: 1.4)

CAPEC-ID   Attack Pattern Name
58         Restful Privilege Elevation
+ Maintenance Notes

The relationships between privileges, permissions, and actors (e.g. users and groups) need further refinement within the Research view. One complication is that these concepts apply to two different pillars, related to control of resources (CWE-664) and protection mechanism failures (CWE-396).

+ Content History
Submissions

Submission Date   Submitter   Organization   Source
                  PLOVER                     Externally Mined

Modifications

Modification Date   Modifier            Organization   Source     Change
2008-07-01          Eric Dalci          Cigital        External   updated Time of Introduction
2008-09-08          CWE Team                           Internal   Moved this entry higher up in the Research view.
2008-09-08          CWE Content Team    MITRE          Internal   updated Description, Maintenance Notes, Name, Relationships, Taxonomy Mappings, Weakness Ordinalities
2009-05-27          CWE Content Team    MITRE          Internal   updated Name
2009-12-28          CWE Content Team    MITRE          Internal   updated Potential Mitigations

Previous Entry Names

Change Date   Previous Entry Name
2008-09-09    Privilege Management Error
2009-05-27    Insecure Privilege Management