CAPEC-122
Alerte pour un CAPEC
Restez informé de toutes modifications pour un CAPEC spécifique.
Descriptions du CAPEC
An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources.
Informations du CAPEC
Conditions préalables
The target must have misconfigured their access control mechanisms such that sensitive information, which should only be accessible to more trusted users, remains accessible to less trusted users.The adversary must have access to the target, albeit with an account that is less privileged than would be appropriate for the targeted resources.
Compétences requises
Adversary can leverage privileged features they already have access to without additional effort or skill. Adversary is only required to have access to an account with improper priveleges.Ressources nécessaires
None: No specialized resources are required to execute this type of attack. The ability to access the target is required.Atténuations
Configure account privileges such privileged/administrator functionality is not exposed to non-privileged/lower accounts.Faiblesses connexes
| Nom de la faiblesse | |
|---|---|
CWE-269 |
Improper Privilege Management The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
CWE-732 |
Incorrect Permission Assignment for Critical Resource The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. |
CWE-1317 |
Improper Access Control in Fabric Bridge The product uses a fabric bridge for transactions between two Intellectual Property (IP) blocks, but the bridge does not properly perform the expected privilege, identity, or other access control checks between those IP blocks. |
Soumission
| Nom | Organisation | Date | Date de publication |
|---|---|---|---|
| CAPEC Content Team | The MITRE Corporation |
Modifications
| Nom | Organisation | Date | Commentaire |
|---|---|---|---|
| CAPEC Content Team | The MITRE Corporation | Updated Related_Attack_Patterns | |
| CAPEC Content Team | The MITRE Corporation | Updated Resources_Required | |
| CAPEC Content Team | The MITRE Corporation | Updated Related_Weaknesses | |
| CAPEC Content Team | The MITRE Corporation | Updated Consequences, Example_Instances, Likelihood_Of_Attack, Mitigations, Skills_Required | |
| CAPEC Content Team | The MITRE Corporation | Updated Related_Weaknesses | |
| CAPEC Content Team | The MITRE Corporation | Updated Related_Attack_Patterns | |
| CAPEC Content Team | The MITRE Corporation | Updated Description, Extended_Description, Skills_Required | |
| CAPEC Content Team | The MITRE Corporation | Updated Taxonomy_Mappings |
Les informations affichées sur CVE Find proviennent de plusieurs sources de référence rigoureusement sélectionnées. Les données CVE sont fournies par MITRE Corporation et la National Vulnerability Database (NVD). Le catalogue des vulnérabilités activement exploitées (KEV) provient de la Cybersecurity and Infrastructure Security Agency (CISA), tandis que les scores EPSS sont issus de FIRST.org. Enfin, les données relatives aux faiblesses logicielles (CWE) et aux schémas d'attaque courants (CAPEC)
sont maintenues par MITRE Corporation, et les informations sur les configurations
logicielles et matérielles (CPE) proviennent du NVD.