Modes d'introduction
Implementation : REALIZATION: This weakness is caused during implementation of an architectural security tactic.
Operation
Plateformes applicables
Langue
Class: Not Language-Specific (Undetermined)
Conséquences courantes
Portée |
Impact |
Probabilité |
Other | Other, Alter Execution Logic | |
Exemples observés
Références |
Description |
| System limits are not properly enforced after privileges are dropped. |
| Firewall crashes when it can't read a critical memory block that was protected by a malicious process. |
| Does not give admin sufficient privileges to overcome otherwise legitimate user actions. |
Méthodes de détection
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Efficacité : High
Notes de cartographie des vulnérabilités
Justification : This CWE entry could be deprecated in a future version of CWE.
Commentaire : See maintenance notes.
NotesNotes
CWE-280 and CWE-274 are too similar. It is likely that CWE-274 will be deprecated in the future.
Overlaps dropped privileges, insufficient permissions.
This has a layering relationship with Unchecked Error Condition and Unchecked Return Value.
Within the context of vulnerability theory, privileges and permissions are two sides of the same coin. Privileges are associated with actors, and permissions are associated with resources. To perform access control, at some point the product makes a decision about whether the actor (and the privileges that have been assigned to that actor) is allowed to access the resource (based on the permissions that have been specified for that resource).
Soumission
Nom |
Organisation |
Date |
Date de publication |
Version |
PLOVER |
|
2006-07-19 +00:00 |
2006-07-19 +00:00 |
Draft 3 |
Modifications
Nom |
Organisation |
Date |
Commentaire |
Eric Dalci |
Cigital |
2008-07-01 +00:00 |
updated Time_of_Introduction |
CWE Content Team |
MITRE |
2008-09-08 +00:00 |
updated Description, Maintenance_Notes, Relationships, Relationship_Notes, Taxonomy_Mappings, Weakness_Ordinalities |
CWE Content Team |
MITRE |
2009-03-10 +00:00 |
updated Maintenance_Notes, Theoretical_Notes |
CWE Content Team |
MITRE |
2009-05-27 +00:00 |
updated Description, Name |
CWE Content Team |
MITRE |
2011-06-01 +00:00 |
updated Common_Consequences |
CWE Content Team |
MITRE |
2012-05-11 +00:00 |
updated Relationships |
CWE Content Team |
MITRE |
2017-11-08 +00:00 |
updated Applicable_Platforms, Causal_Nature, Modes_of_Introduction, Relationships |
CWE Content Team |
MITRE |
2021-03-15 +00:00 |
updated Relationship_Notes, Theoretical_Notes |
CWE Content Team |
MITRE |
2023-01-31 +00:00 |
updated Description, Relationships, Theoretical_Notes |
CWE Content Team |
MITRE |
2023-04-27 +00:00 |
updated Detection_Factors, Relationships, Time_of_Introduction |
CWE Content Team |
MITRE |
2023-06-29 +00:00 |
updated Mapping_Notes |
CWE Content Team |
MITRE |
2024-02-29 +00:00 |
updated Mapping_Notes |