|
|
|
|
CWE-270 Individual Dictionary Definition (Draft 9)
Weakness ID
| Status: Draft 270 (Weakness Base) | | Description | Summary The software does not properly manage privileges while it is switching between different
contexts that cross privilege boundaries. | | Potential Mitigations | Very carefully manage the setting, management and handling of privileges. Explicitly
manage trust zones in the software. Follow the principle of least privilege when assigning access rights to entities in a
software system. Consider following the principle of separation of privilege. Require multiple
conditions to be met before permitting access to a system resource. | | Observed Examples | | Reference | Description |
|---|
| CVE-2002-1688 | Web browser cross domain problem when user hits "back" button. | | CVE-2003-1026 | Web browser cross domain problem when user hits "back" button. | | CVE-2002-1770 | Cross-domain issue - third party product passes code to web browser, which executes
it in unsafe zone. | | CVE-2005-2263 | Run callback in different security context after it has been changed from untrusted
to trusted. * note that "context switch before actions are completed" is one type of problem
that happens frequently, espec. in browsers. |
| | Research Gaps | This concept needs more study. | | Relationships | | | Source Taxonomies | PLOVER - Privilege Context Switching Error | | Applicable Platforms | All | | Related Attack Patterns | | CAPEC-ID | Attack Pattern Name |
|---|
| 35 | Leverage Executable Code in Nonexecutable Files | | 17 | Accessing, Modifying or Executing Executable Files | | 30 | Hijacking a Privileged Thread of Execution |
|
|
- Weakness
- Base
- Variant
- Class
- Chain
- Composite
- Category
- View
- Deprecated
