Improper Privilege Management
ID: 269 | Created: 2012-05-14 | Modified: 2022-10-10
Type: weakness | Status: INCOMPLETE
Abstraction Type: Base
Description
The software does not properly assign, modify, track, or check
privileges for an actor, creating an unintended sphere of control for that
actor.
Likelihood of Exploit: Medium
Applicable Platforms
Language Class: All
Time Of Introduction
- Architecture and Design
- Implementation
- Operation
Related Attack Patterns
Common Consequences
Scope | Technical Impact | Notes
---|---|---
Access Control | Gain privileges / assume identity |
Detection Methods: None
Potential Mitigations
Phase | Strategy | Description | Effectiveness | Notes
---|---|---|---|---
Architecture and Design; Operation | | Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software. | |
Architecture and Design | Separation of Privilege | Follow the principle of least privilege when assigning access rights to entities in a software system. Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource. | |
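As an added demonstrative example (not part of this CWE entry), the following C program applies the "drop privileges permanently" advice from the referenced Dowd, McDonald and Schuh chapter on Linux: it assumes the setresuid/setresgid/getresuid/getresgid and setgroups calls, drops in the correct order (groups and gid before uid), and then verifies the resulting state instead of trusting the return codes alone.

```c
#define _GNU_SOURCE          /* for setresuid/setresgid/getresuid/getresgid on glibc */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 if real, effective and saved uid/gid all equal the target and
 * (for a non-root target) an attempt to become root again is refused. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;
    if (getresuid(&ru, &eu, &su) != 0 || getresgid(&rg, &eg, &sg) != 0)
        return 0;
    if (ru != uid || eu != uid || su != uid)
        return 0;
    if (rg != gid || eg != gid || sg != gid)
        return 0;
    /* The saved id is what would let the process climb back; prove it cannot. */
    if (uid != 0 && setuid(0) == 0)
        return 0;
    return 1;
}

/* Permanently drops to uid/gid. Order matters: supplementary groups and the gid
 * go first, because once the uid is dropped the process can no longer change them. */
int drop_privileges_permanently(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)  /* only root may call setgroups */
        return -1;
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    /* Never trust the return codes alone: verify the resulting state. */
    return privileges_dropped(uid, gid) ? 0 : -1;
}

int main(void)
{
    /* Target the caller's own real ids so the demo also runs unprivileged. */
    if (drop_privileges_permanently(getuid(), getgid()) != 0) {
        perror("drop_privileges_permanently");
        return 1;
    }
    printf("running as uid=%u gid=%u; root cannot be regained\n",
           (unsigned)geteuid(), (unsigned)getegid());
    return 0;
}
```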
Relationships
Related CWE | Type | View | Chain
---|---|---|---
CWE-269 ChildOf CWE-901 | Category | CWE-888 |
Demonstrative Examples: None
Observed Examples
- CVE-2001-1555 : Terminal privileges are not reset when a user logs out.
- CVE-2001-1514 : Does not properly pass security context to child processes in certain cases, allows privilege escalation.
- CVE-2001-0128 : Does not properly compute roles.
White Box Definitions None
Black Box Definitions None
Taxonomy Mappings
Taxonomy | Id | Name | Fit
---|---|---|---
PLOVER | | Privilege Management Error |
References:
- Michael Howard, David LeBlanc and John Viega. "24 Deadly Sins of Software Security". McGraw-Hill, 2010. Section: "Sin 16: Executing Code With Too Much Privilege", page 243.
- Mark Dowd, John McDonald and Justin Schuh. "The Art of Software Security Assessment", 1st Edition. Addison-Wesley, 2006. Section: Chapter 9, "Dropping Privileges Permanently", page 479.