Improper Handling of Insufficient Privileges |
Weakness ID: 274 (Weakness Base) | Status: Draft |
Description Summary
The software does not handle or incorrectly handles when it has insufficient privileges to perform an operation, leading to resultant weaknesses.
Reference | Description |
---|---|
CVE-2001-1564 | System limits are not properly enforced after privileges are dropped. |
CVE-2005-3286 | Firewall crashes when it can't read a critical memory block that was protected by a malicious process. |
CVE-2005-1641 | Does not give admin sufficient privileges to overcome otherwise legitimate user actions. |
Ordinality | Description |
---|---|
Primary | (where the weakness exists independent of other weaknesses) |
Nature | Type | ID | Name | View(s) this relationship pertains to![]() |
---|---|---|---|---|
ChildOf | ![]() | 265 | Privilege / Sandbox Issues | Development Concepts (primary)699 |
ChildOf | ![]() | 269 | Improper Privilege Management | Research Concepts1000 |
ChildOf | ![]() | 703 | Failure to Handle Exceptional Conditions | Research Concepts (primary)1000 |
PeerOf | ![]() | 271 | Privilege Dropping / Lowering Errors | Research Concepts1000 |
CanAlsoBe | ![]() | 280 | Improper Handling of Insufficient Permissions or Privileges | Research Concepts1000 |
Overlaps dropped privileges, insufficient permissions. |
This has a layering relationship with Unchecked Error Condition and Unchecked Return Value. |
Within the context of vulnerability theory, privileges and permissions are two sides of the same coin. Privileges are associated with actors, and permissions are associated with resources. To perform access control, at some point the software makes a decision about whether the actor (and the privileges that have been assigned to that actor) is allowed to access the resource (based on the permissions that have been specified for that resource). |
CWE-280 and CWE-274 are too similar. It is likely that CWE-274 will be deprecated in the future. |
Submissions | ||||
---|---|---|---|---|
Submission Date | Submitter | Organization | Source | |
PLOVER | Externally Mined | |||
Modifications | ||||
Modification Date | Modifier | Organization | Source | |
2008-07-01 | Eric Dalci | Cigital | External | |
updated Time of Introduction | ||||
2008-09-08 | CWE Content Team | MITRE | Internal | |
updated Description, Maintenance Notes, Relationships, Relationship Notes, Taxonomy Mappings, Weakness Ordinalities | ||||
2009-03-10 | CWE Content Team | MITRE | Internal | |
updated Maintenance Notes, Theoretical Notes | ||||
2009-05-27 | CWE Content Team | MITRE | Internal | |
updated Description, Name | ||||
Previous Entry Names | ||||
Change Date | Previous Entry Name | |||
2008-04-11 | Insufficient Privileges | |||
2009-05-27 | Failure to Handle Insufficient Privileges | |||