CWE

Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > CWE List > CWE- Individual Dictionary Definition (2.11)  
ID

CWE-842: Placement of User into Incorrect Group

Weakness ID: 842
Abstraction: Base
Status: Incomplete
Presentation Filter:
+ Description

Description Summary

The software or the administrator places a user into an incorrect group.

Extended Description

If the incorrect group has more access or privileges than the intended group, the user might be able to bypass intended security policy to access unexpected resources or perform unexpected actions. The access-control system might not be able to detect malicious usage of this group membership.

+ Time of Introduction
  • Implementation
  • Operation
+ Applicable Platforms

Languages

Language-independent

+ Common Consequences
ScopeEffect
Access Control

Technical Impact: Gain privileges / assume identity

+ Observed Examples
ReferenceDescription
Operating system assigns user to privileged wheel group, allowing the user to gain root privileges.
Chain: drafted web request allows the creation of users with arbitrary group membership.
Chain: improper processing of configuration options causes users to contain unintended group memberships.
CMS does not prevent remote administrators from promoting other users to the administrator group, in violation of the intended security model.
Product assigns members to the root group, allowing escalation of privileges.
Chain: daemon does not properly clear groups before dropping privileges.
+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class286Incorrect User Management
Development Concepts (primary)699
Research Concepts (primary)1000
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
2011-03-24MITREInternal CWE Team
Modifications
Modification DateModifierOrganizationSource
2011-06-01CWE Content TeamMITREInternal
updated Common_Consequences

More information is available — Please select a different filter.
Page Last Updated: May 05, 2017