CWE-842
Placement of User into Incorrect Group
Incomplete
2011-03-30
00h00 +00:00
00h00 +00:00
2023-06-29
00h00 +00:00
00h00 +00:00
Notifications pour un CWE
Restez informé de toutes modifications pour un CWE spécifique.
Nom: Placement of User into Incorrect Group
The product or the administrator places a user into an incorrect group.
Description du CWE
If the incorrect group has more access or privileges than the intended group, the user might be able to bypass intended security policy to access unexpected resources or perform unexpected actions. The access-control system might not be able to detect malicious usage of this group membership.
Informations générales
Modes d'introduction
ImplementationOperation
Plateformes applicables
Langue
Class: Not Language-Specific (Undetermined)Conséquences courantes
| Portée | Impact | Probabilité |
|---|---|---|
| Access Control | Gain Privileges or Assume Identity |
Exemples observés
| Références | Description |
|---|---|
CVE-1999-1193 | Operating system assigns user to privileged wheel group, allowing the user to gain root privileges. |
CVE-2010-3716 | Chain: drafted web request allows the creation of users with arbitrary group membership. |
CVE-2008-5397 | Chain: improper processing of configuration options causes users to contain unintended group memberships. |
CVE-2007-6644 | CMS does not prevent remote administrators from promoting other users to the administrator group, in violation of the intended security model. |
CVE-2007-3260 | Product assigns members to the root group, allowing escalation of privileges. |
CVE-2002-0080 | Chain: daemon does not properly clear groups before dropping privileges. |
Notes de cartographie des vulnérabilités
Justification : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.Commentaire : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
Soumission
| Nom | Organisation | Date | Date de publication | Version |
|---|---|---|---|---|
| CWE Content Team | MITRE | 1.12 |
Modifications
| Nom | Organisation | Date | Commentaire |
|---|---|---|---|
| CWE Content Team | MITRE | updated Common_Consequences | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Description | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Mapping_Notes |
Les informations affichées sur CVE Find proviennent de plusieurs sources de référence rigoureusement sélectionnées. Les données CVE sont fournies par MITRE Corporation et la National Vulnerability Database (NVD). Le catalogue des vulnérabilités activement exploitées (KEV) provient de la Cybersecurity and Infrastructure Security Agency (CISA), tandis que les scores EPSS sont issus de FIRST.org. Enfin, les données relatives aux faiblesses logicielles (CWE) et aux schémas d'attaque courants (CAPEC)
sont maintenues par MITRE Corporation, et les informations sur les configurations
logicielles et matérielles (CPE) proviennent du NVD.