Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE Individual Dictionary Definition (3.0)

CWE CATEGORY: Authorize Actors

Category ID: 1011
Status: Draft
Summary
Weaknesses in this category are related to the design and architecture of a system's authorization components. Frequently these deal with enforcing that agents hold the required permissions before performing certain operations, such as modifying data. The weaknesses in this category can degrade the quality of the authorization capability if they are not addressed when designing or implementing a secure architecture.
Membership
Nature     Type       ID    Name
MemberOf   View       1008  Architectural Concepts
HasMember  Base       15    External Control of System or Configuration Setting
HasMember  Base       114   Process Control
HasMember  Variant    219   Sensitive Data Under Web Root
HasMember  Variant    220   Sensitive Data Under FTP Root
HasMember  Base       266   Incorrect Privilege Assignment
HasMember  Base       267   Privilege Defined With Unsafe Actions
HasMember  Base       268   Privilege Chaining
HasMember  Class      269   Improper Privilege Management
HasMember  Base       270   Privilege Context Switching Error
HasMember  Class      271   Privilege Dropping / Lowering Errors
HasMember  Base       272   Least Privilege Violation
HasMember  Base       273   Improper Check for Dropped Privileges
HasMember  Base       274   Improper Handling of Insufficient Privileges
HasMember  Variant    276   Incorrect Default Permissions
HasMember  Variant    277   Insecure Inherited Permissions
HasMember  Variant    279   Incorrect Execution-Assigned Permissions
HasMember  Base       280   Improper Handling of Insufficient Permissions or Privileges
HasMember  Base       281   Improper Preservation of Permissions
HasMember  Class      282   Improper Ownership Management
HasMember  Base       283   Unverified Ownership
HasMember  Class      284   Improper Access Control
HasMember  Class      285   Improper Authorization
HasMember  Class      286   Incorrect User Management
HasMember  Class      300   Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
HasMember  Base       341   Predictable from Observable State
HasMember  Class      359   Exposure of Private Information ('Privacy Violation')
HasMember  Base       403   Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')
HasMember  Base       419   Unprotected Primary Channel
HasMember  Base       420   Unprotected Alternate Channel
HasMember  Base       425   Direct Request ('Forced Browsing')
HasMember  Composite  426   Untrusted Search Path
HasMember  Base       434   Unrestricted Upload of File with Dangerous Type
HasMember  Variant    527   Exposure of CVS Repository to an Unauthorized Control Sphere
HasMember  Variant    528   Exposure of Core Dump File to an Unauthorized Control Sphere
HasMember  Variant    529   Exposure of Access Control List Files to an Unauthorized Control Sphere
HasMember  Variant    530   Exposure of Backup File to an Unauthorized Control Sphere
HasMember  Base       538   File and Directory Information Exposure
HasMember  Base       551   Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
HasMember  Base       552   Files or Directories Accessible to External Parties
HasMember  Variant    566   Authorization Bypass Through User-Controlled SQL Primary Key
HasMember  Base       639   Authorization Bypass Through User-Controlled Key
HasMember  Class      642   External Control of Critical State Data
HasMember  Variant    647   Use of Non-Canonical URL Paths for Authorization Decisions
HasMember  Base       653   Insufficient Compartmentalization
HasMember  Base       656   Reliance on Security Through Obscurity
HasMember  Class      668   Exposure of Resource to Wrong Sphere
HasMember  Class      669   Incorrect Resource Transfer Between Spheres
HasMember  Class      671   Lack of Administrator Control over Security
HasMember  Class      673   External Influence of Sphere Definition
HasMember  Base       708   Incorrect Ownership Assignment
HasMember  Class      732   Incorrect Permission Assignment for Critical Resource
HasMember  Base       770   Allocation of Resources Without Limits or Throttling
HasMember  Variant    782   Exposed IOCTL with Insufficient Access Control
HasMember  Base       827   Improper Control of Document Type Definition
HasMember  Class      862   Missing Authorization
HasMember  Class      863   Incorrect Authorization
HasMember  Base       921   Storage of Sensitive Data in a Mechanism without Access Control
HasMember  Class      923   Improper Restriction of Communication Channel to Intended Endpoints
HasMember  Base       939   Improper Authorization in Handler for Custom URL Scheme
HasMember  Variant    942   Overly Permissive Cross-domain Whitelist
Content History
Modification Date  Modifier          Organization
2017-07-25         CWE Content Team  MITRE
New Entry

Page Last Updated: January 18, 2018