QwikSec

Security Database

CVE

CWE

Training

CWE Database
/

CWE-269

Back to CWE list

CWE-269

Improper Privilege Management

Class
Draft

Description

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Parent Weaknesses (ChildOf)

CWE-284: Improper Access Control...

Common Consequences

Scope

Access Control

Impact

Gain Privileges or Assume Identity

Potential Mitigations

Architecture and Design
Operation

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

Architecture and Design

Follow the principle of least privilege when assigning access rights to entities in a software system.

Architecture and Design

Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.

CVE-2001-1555

Terminal privileges are not reset when a user logs out.

CVE-2001-1514

Does not properly pass security context to child processes in certain cases, allows privilege escalation.

CVE-2001-0128

Does not properly compute roles.

CVE-1999-1193

untrusted user placed in unix "wheel" group

CVE-2005-2741

Product allows users to grant themselves certain rights that can be used to escalate privileges.

CVE-2005-2496

Product uses group ID of a user instead of the group, causing it to run with different privileges. This is resultant from some other unknown issue.

CVE-2004-0274

Product mistakenly assigns a particular status to an entity, leading to increased privileges.

CVE-2007-4217

FTP client program on a certain OS runs with setuid privileges and has a buffer overflow. Most clients do not need extra privileges, so an overflow is not a vulnerability for those clients.

CVE-2007-5159

OS incorrectly installs a program with setuid privileges, allowing users to gain privileges.

CVE-2008-4638

Composite: application running with high privileges (CWE-250) allows user to specify a restricted file to process, which generates a parsing error that leaks the contents of the file (CWE-209).

+5 more examples

Applicable Platforms

Not Language-Specific

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now