Category: Permission Issues
Draft
Summary
Weaknesses in this category are related to improper assignment or handling of permissions.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-276 | Incorrect Default Permissions | This vulnerability occurs when software installation scripts set overly permissive file or directory access rights by default. Instead of restricting write access to authorized users or processes, the installation allows unintended actors to modify, delete, or corrupt critical application files. |
| CWE-277 | Insecure Inherited Permissions | This vulnerability occurs when an application sets default file or directory permissions that are too permissive, and these insecure settings are automatically passed down to new files or objects the program creates. |
| CWE-278 | Insecure Preserved Inherited Permissions | This vulnerability occurs when a software product copies or extracts files while unintentionally preserving insecure permissions from their original source, such as an archive, without the user's knowledge or consent. |
| CWE-279 | Incorrect Execution-Assigned Permissions | This vulnerability occurs when a running application incorrectly changes an object's access permissions, overriding the security settings that a user or administrator intentionally configured. |
| CWE-280 | Improper Handling of Insufficient Permissions or Privileges | This vulnerability occurs when a system fails to properly manage situations where it lacks the necessary permissions to perform an action or access a resource. This flawed handling can force the application into unintended states or error paths, potentially leading to crashes, data corruption, or security bypasses. |
| CWE-281 | Improper Preservation of Permissions | This vulnerability occurs when a system fails to correctly maintain file or object permissions during operations like copying, sharing, or restoring data. As a result, these resources can end up with weaker, more permissive security settings than the original owner intended. |
| CWE-618 | Exposed Unsafe ActiveX Method | This vulnerability occurs when an ActiveX control, designed for web browsers, exposes methods that bypass the browser's built-in security restrictions. These unsafe methods can perform actions outside the browser's intended security boundaries, such as those defined by zones or domains. |
| CWE-766 | Critical Data Element Declared Public | This vulnerability occurs when a critical piece of data—like a variable, field, or class member—is mistakenly declared as public when it should be kept private according to the application's security design. |
| CWE-767 | Access to Critical Private Variable via Public Method | This vulnerability occurs when a class exposes a public method that directly accesses or alters a private variable. |
| CWE-699 | Software Development | This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping. |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
Consider mapping to weaknesses that are members of this Category.