Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > CWE List > CWE- Individual Dictionary Definition (2.11)  

CWE-274: Improper Handling of Insufficient Privileges

Weakness ID: 274
Abstraction: Base
Status: Draft
Presentation Filter:
+ Description

Description Summary

The software does not handle or incorrectly handles when it has insufficient privileges to perform an operation, leading to resultant weaknesses.
+ Time of Introduction
  • Architecture and Design
  • Implementation
  • Operation
+ Applicable Platforms



+ Common Consequences

Technical Impact: Other; Alter execution logic

+ Observed Examples
System limits are not properly enforced after privileges are dropped.
Firewall crashes when it can't read a critical memory block that was protected by a malicious process.
Does not give admin sufficient privileges to overcome otherwise legitimate user actions.
+ Weakness Ordinalities
(where the weakness exists independent of other weaknesses)
+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfCategoryCategory265Privilege / Sandbox Issues
Development Concepts (primary)699
ChildOfWeakness BaseWeakness Base269Improper Privilege Management
Research Concepts1000
ChildOfWeakness ClassWeakness Class703Improper Check or Handling of Exceptional Conditions
Research Concepts (primary)1000
ChildOfCategoryCategory901SFP Primary Cluster: Privilege
Software Fault Pattern (SFP) Clusters (primary)888
PeerOfWeakness ClassWeakness Class271Privilege Dropping / Lowering Errors
Research Concepts1000
CanAlsoBeWeakness BaseWeakness Base280Improper Handling of Insufficient Permissions or Privileges
Research Concepts1000
+ Relationship Notes

Overlaps dropped privileges, insufficient permissions.

This has a layering relationship with Unchecked Error Condition and Unchecked Return Value.

+ Theoretical Notes

Within the context of vulnerability theory, privileges and permissions are two sides of the same coin. Privileges are associated with actors, and permissions are associated with resources. To perform access control, at some point the software makes a decision about whether the actor (and the privileges that have been assigned to that actor) is allowed to access the resource (based on the permissions that have been specified for that resource).

+ Causal Nature


+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERInsufficient privileges
+ Maintenance Notes

CWE-280 and CWE-274 are too similar. It is likely that CWE-274 will be deprecated in the future.

+ Content History
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time_of_Introduction
2008-09-08CWE Content TeamMITREInternal
updated Description, Maintenance_Notes, Relationships, Relationship_Notes, Taxonomy_Mappings, Weakness_Ordinalities
2009-03-10CWE Content TeamMITREInternal
updated Maintenance_Notes, Theoretical_Notes
2009-05-27CWE Content TeamMITREInternal
updated Description, Name
2011-06-01CWE Content TeamMITREInternal
updated Common_Consequences
2012-05-11CWE Content TeamMITREInternal
updated Relationships
Previous Entry Names
Change DatePrevious Entry Name
2008-04-11Insufficient Privileges
2009-05-27Failure to Handle Insufficient Privileges

More information is available — Please select a different filter.
Page Last Updated: May 05, 2017