CAPEC-122 Detail

CAPEC-122

Name

Privilege Abuse

Likihood attacks

High

Typical Severity

Medium

Status

Draft

Published

2014-06-23
00h00 +00:00

Modified

2022-09-29
00h00 +00:00

Official links

CAPEC Mitre.org

Alerte pour un CAPEC

Stay informed of any changes for a specific CAPEC.

Notifications manage

List of Notifications

Alerte pour un CAPEC

Stay informed of any changes for a specific CAPEC.

Parameters

You can specify a title that will be retrieved in the alerts that will be sent out.

Specify the CAPEC ID you wish to monitor.

Planning

Month

Next run calculation

Day

Weekday

Hour

Minute

Creation date

Last execution

Next execution

Functionality requiring a connection

This feature, which allows you to receive alerts, is only active when you are logged into your account.

Descriptions CAPEC

An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources.

Informations CAPEC

Prerequisites

The target must have misconfigured their access control mechanisms such that sensitive information, which should only be accessible to more trusted users, remains accessible to less trusted users.
The adversary must have access to the target, albeit with an account that is less privileged than would be appropriate for the targeted resources.

Skills Required

Adversary can leverage privileged features they already have access to without additional effort or skill. Adversary is only required to have access to an account with improper priveleges.

Resources Required

None: No specialized resources are required to execute this type of attack. The ability to access the target is required.

Mitigations

Configure account privileges such privileged/administrator functionality is not exposed to non-privileged/lower accounts.

Related Weaknesses

CWE-ID	Weakness Name
CWE-269	Improper Privilege Management The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
CWE-732	Incorrect Permission Assignment for Critical Resource The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
CWE-1317	Improper Access Control in Fabric Bridge The product uses a fabric bridge for transactions between two Intellectual Property (IP) blocks, but the bridge does not properly perform the expected privilege, identity, or other access control checks between those IP blocks.

Submission

Name	Organization	Date	Date release
CAPEC Content Team	The MITRE Corporation	2014-06-23 +00:00

Modifications

Name	Organization	Date	Comment
CAPEC Content Team	The MITRE Corporation	2015-12-07 +00:00	Updated Related_Attack_Patterns
CAPEC Content Team	The MITRE Corporation	2017-08-04 +00:00	Updated Resources_Required
CAPEC Content Team	The MITRE Corporation	2019-04-04 +00:00	Updated Related_Weaknesses
CAPEC Content Team	The MITRE Corporation	2020-07-30 +00:00	Updated Consequences, Example_Instances, Likelihood_Of_Attack, Mitigations, Skills_Required
CAPEC Content Team	The MITRE Corporation	2020-12-17 +00:00	Updated Related_Weaknesses
CAPEC Content Team	The MITRE Corporation	2021-06-24 +00:00	Updated Related_Attack_Patterns
CAPEC Content Team	The MITRE Corporation	2022-02-22 +00:00	Updated Description, Extended_Description, Skills_Required
CAPEC Content Team	The MITRE Corporation	2022-09-29 +00:00	Updated Taxonomy_Mappings