Weaknesses in this category occur with improper handling, assignment, or management of privileges. A privilege is a property of an agent, such as a user. It lets the agent do things that are not ordinarily allowed. For example, there are privileges which allow an agent to perform maintenance functions such as restarting a computer.

| ID | Name | Description |
|---|---|---|
| CWE-243 | Creation of chroot Jail Without Changing Working Directory | This vulnerability occurs when a program creates a chroot jail but fails to change its current working directory afterward. Because the process's working directory remains outside the jail, attackers can use relative paths to access files and directories that should be restricted. |
| CWE-250 | Execution with Unnecessary Privileges | This vulnerability occurs when software runs with higher permissions than it actually needs to perform its tasks. This excessive privilege creates security risks by opening doors to new attacks or making existing weaknesses more dangerous. |
| CWE-266 | Incorrect Privilege Assignment | This vulnerability occurs when a system mistakenly grants a user, process, or entity a specific permission or privilege they should not have. This error creates an unintended level of access, allowing the actor to perform actions beyond their intended authority. |
| CWE-267 | Privilege Defined With Unsafe Actions | This vulnerability occurs when a system grants a user, role, or process a specific permission that can be misused to perform dangerous, unintended actions. The permission itself is correctly assigned, but its scope is too broad or allows for unsafe operations. |
| CWE-268 | Privilege Chaining | Privilege chaining occurs when an attacker combines two separate permissions or capabilities, neither of which is dangerous on its own, to perform a harmful action that neither permission should individually allow. |
| CWE-270 | Privilege Context Switching Error | This vulnerability occurs when an application fails to properly manage user permissions while moving between different security contexts, potentially allowing unauthorized actions. |
| CWE-272 | Least Privilege Violation | This vulnerability occurs when software fails to reduce its elevated system privileges after completing a sensitive operation, leaving it with unnecessary and dangerous access rights. |
| CWE-273 | Improper Check for Dropped Privileges | This vulnerability occurs when an application tries to lower its system privileges but fails to verify that the operation was successful. |
| CWE-274 | Improper Handling of Insufficient Privileges | This vulnerability occurs when an application fails to properly manage situations where it lacks the necessary permissions to execute an action. This flawed handling can lead to crashes, data corruption, or unintended security bypasses. |
| CWE-280 | Improper Handling of Insufficient Permissions or Privileges | This vulnerability occurs when a system fails to properly manage situations where it lacks the necessary permissions to perform an action or access a resource. This flawed handling can force the application into unintended states or error paths, potentially leading to crashes, data corruption, or security bypasses. |
| CWE-501 | Trust Boundary Violation | This vulnerability occurs when an application incorrectly stores or processes trusted and untrusted data together within the same structure, such as an object, array, or message. |
| CWE-580 | clone() Method Without super.clone() | This vulnerability occurs when a class's clone() method creates a new object directly instead of calling super.clone(). |
| CWE-648 | Incorrect Use of Privileged APIs | This vulnerability occurs when software incorrectly uses functions that require special permissions. Attackers can exploit these mistakes to gain unauthorized access, elevate their privileges, or steal sensitive data. |
| CWE-699 | Software Development | This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping. |