Détail du CWE-274

CWE-274

Improper Handling of Insufficient Privileges
Draft
2006-07-19
00h00 +00:00
2024-02-29
00h00 +00:00
CWE Mitre.org
Notifications pour un CWE
Restez informé de toutes modifications pour un CWE spécifique.
Gestion des notifications

Nom: Improper Handling of Insufficient Privileges

The product does not handle or incorrectly handles when it has insufficient privileges to perform an operation, leading to resultant weaknesses.

Informations générales

Modes d'introduction

Implementation : REALIZATION: This weakness is caused during implementation of an architectural security tactic.
Operation

Plateformes applicables

Langue

Class: Not Language-Specific (Undetermined)

Conséquences courantes

Portée Impact Probabilité
OtherOther, Alter Execution Logic

Exemples observés

Références Description

CVE-2001-1564

System limits are not properly enforced after privileges are dropped.

CVE-2005-3286

Firewall crashes when it can't read a critical memory block that was protected by a malicious process.

CVE-2005-1641

Does not give admin sufficient privileges to overcome otherwise legitimate user actions.

Méthodes de détection

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Efficacité : High

Notes de cartographie des vulnérabilités

Justification : This CWE entry could be deprecated in a future version of CWE.
Commentaire : See maintenance notes.

NotesNotes

CWE-280 and CWE-274 are too similar. It is likely that CWE-274 will be deprecated in the future.
Overlaps dropped privileges, insufficient permissions.
This has a layering relationship with Unchecked Error Condition and Unchecked Return Value.
Within the context of vulnerability theory, privileges and permissions are two sides of the same coin. Privileges are associated with actors, and permissions are associated with resources. To perform access control, at some point the product makes a decision about whether the actor (and the privileges that have been assigned to that actor) is allowed to access the resource (based on the permissions that have been specified for that resource).

Soumission

Nom Organisation Date Date de publication Version
PLOVER 2006-07-19 +00:00 2006-07-19 +00:00 Draft 3

Modifications

Nom Organisation Date Commentaire
Eric Dalci Cigital 2008-07-01 +00:00 updated Time_of_Introduction
CWE Content Team MITRE 2008-09-08 +00:00 updated Description, Maintenance_Notes, Relationships, Relationship_Notes, Taxonomy_Mappings, Weakness_Ordinalities
CWE Content Team MITRE 2009-03-10 +00:00 updated Maintenance_Notes, Theoretical_Notes
CWE Content Team MITRE 2009-05-27 +00:00 updated Description, Name
CWE Content Team MITRE 2011-06-01 +00:00 updated Common_Consequences
CWE Content Team MITRE 2012-05-11 +00:00 updated Relationships
CWE Content Team MITRE 2017-11-08 +00:00 updated Applicable_Platforms, Causal_Nature, Modes_of_Introduction, Relationships
CWE Content Team MITRE 2021-03-15 +00:00 updated Relationship_Notes, Theoretical_Notes
CWE Content Team MITRE 2023-01-31 +00:00 updated Description, Relationships, Theoretical_Notes
CWE Content Team MITRE 2023-04-27 +00:00 updated Detection_Factors, Relationships, Time_of_Introduction
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2024-02-29 +00:00 updated Mapping_Notes