|
|
|
|
CWE-266: Incorrect Privilege Assignment | |
| | Incorrect Privilege Assignment |
|
| Weakness ID: 266 (Weakness Base) | | Status: Draft |
Description
Description Summary A product incorrectly assigns a privilege to a particular
actor, creating an unintended sphere of control for that
actor.
Time of Introduction
- Architecture and Design
- Implementation
Demonstrative Examples Example 1 Evidence of privilege change: (Bad Code) C seteuid(0); /* do some stuff */ seteuid(getuid()); (Bad Code) Java AccessController.doPrivileged(new PrivilegedAction() {
public Object run() {
// privileged code goes here, for example:
System.loadLibrary("awt");
return null;
// nothing to return
}
Observed Examples | Reference | Description |
| CVE-1999-1193 | untrusted user placed in unix "wheel"
group |
| CVE-2005-2741 | Product allows users to grant themselves certain
rights that can be used to escalate
privileges. |
| CVE-2005-2496 | Product uses group ID of a user instead of the
group, causing it to run with different privileges. This is resultant from
some other unknown issue. |
| CVE-2004-0274 | Product mistakenly assigns a particular status to
an entity, leading to increased privileges. |
Potential Mitigations | ID | Phase | Description |
| 1 | | Very carefully manage the setting, management and handling of
privileges. Explicitly manage trust zones in the software. |
| | Follow the principle of least privilege when assigning access rights
to entities in a software system. |
Weakness Ordinalities | Ordinality | Description |
Resultant | (where the
weakness is typically related to the presence of some other
weaknesses) |
Relationships Affected Resources Causal Nature Taxonomy Mappings | Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
| PLOVER | | | Incorrect Privilege Assignment |
Content History | Submissions |
|---|
| Submission Date | Submitter | Organization | Source |
|---|
| PLOVER | | Externally Mined | | | Modifications |
|---|
| Modification Date | Modifier | Organization | Source |
|---|
| 2008-07-01 | Eric Dalci | Cigital | External | | updated Time of Introduction | | 2008-09-08 | CWE Content Team | MITRE | Internal | | updated Description, Relationships, Taxonomy Mappings,
Weakness Ordinalities | | 2009-03-10 | CWE Content Team | MITRE | Internal | | updated Relationships |
|