Improper Access Control
Incomplete Pillar
Structure: Simple
Description
The software fails to properly limit who can access a resource, allowing unauthorized users or systems to interact with it.
Access control is a security cornerstone built on three pillars: verifying identity (authentication), checking permissions (authorization), and logging actions (accountability). When any of these fails, attackers can steal data, escalate privileges, run commands, or hide their activity. Weaknesses typically arise in two ways: first, through faulty specification, where resources are misconfigured (like world-writable files) or users are given incorrect privileges. Second, through faulty enforcement, where errors in the code allow users to bypass the intended security rules, even if the policy was correctly defined.
Common Consequences 1
Scope: Other
Impact: Varies by Context
Potential Mitigations 2
Phase: Architecture and DesignOperation
Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Phase: Architecture and Design
Strategy: Separation of Privilege
Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Observed Examples 9
CVE-2022-24985A form hosting website only checks the session authentication status for a single form, making it possible to bypass authentication when there are multiple forms
CVE-2022-29238Access-control setting in web-based document collaboration tool is not properly implemented by the code, which prevents listing hidden directories but does not prevent direct requests to files in those directories.
CVE-2022-23607Python-based HTTP library did not scope cookies to a particular domain such that "supercookies" could be sent to any domain on redirect
CVE-2021-21972Chain: Cloud computing virtualization platform does not require authentication for upload of a tar format file (Missing Authentication for Critical Function), then uses .. path traversal sequences (Relative Path Traversal) in the file to access unexpected files, as exploited in the wild per CISA KEV.
CVE-2021-37415IT management product does not perform authentication for some REST API requests, as exploited in the wild per CISA KEV.
CVE-2021-35033Firmware for a WiFi router uses a hard-coded password for a BusyBox shell, allowing bypass of authentication through the UART port
CVE-2020-10263Bluetooth speaker does not require authentication for the debug functionality on the UART port, allowing root shell access
CVE-2020-13927Default setting in workflow management product allows all API requests without authentication, as exploited in the wild per CISA KEV.
CVE-2010-4624Bulletin board applies restrictions on number of images during post creation, but does not enforce this on editing.
References 3
Writing Secure Code
Michael Howard and David LeBlanc
Microsoft Press
04-12-2002
ID: REF-7
24 Deadly Sins of Software Security
Michael Howard, David LeBlanc, and John Viega
McGraw-Hill
2010
ID: REF-44
Supplemental Details - 2022 CWE Top 25
MITRE
28-06-2022
https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25_supplemental.html#problematicMappingDetails(2024-11-17)
ID: REF-1287
Applicable Platforms
Technologies:
Not Technology-Specific : UndeterminedICS/OT : Undetermined
Modes of Introduction
Architecture and Design
Implementation
Operation
Related Attack Patterns
- 19Data Processing Errors
- 441Unintended Proxy or Intermediary ('Confused Deputy')
- 478Missing Default Case in Multiple Condition Expression
- 479Signal Handler Use of a Non-reentrant Function
- 502Deserialization of Untrusted Data
- 503DEPRECATED: Byte/Object Code
- 536Servlet Runtime Error Message Containing Sensitive Information
- 546Suspicious Comment
- 550Server-generated Error Message Containing Sensitive Information
- 551Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
- 552Files or Directories Accessible to External Parties
- 556ASP.NET Misconfiguration: Use of Identity Impersonation
- 558Use of getlogin() in Multithreaded Application
- 562Return of Stack Variable Address
- 563Assignment to Variable without Use
- 564SQL Injection: Hibernate
- 578EJB Bad Practices: Use of Class Loader
Alternate Terms
Authorization
The terms "access control" and "authorization" are often used interchangeably, although many people have distinct definitions. The CWE usage of "access control" is intended as a general term for the various mechanisms that restrict which users can access which resources, and "authorization" is more narrowly defined. It is unlikely that there will be community consensus on the use of these terms.Affected Resources
- File or Directory
Taxonomy Mapping
- PLOVER
- WASC
- 7 Pernicious Kingdoms
Notes
Maintenance
This entry needs more work. Possible sub-categories include:
- Trusted group includes undesired entities (partially covered by Incorrect User Management)
- Group can perform undesired actions
- ACL parse error does not fail closed