Category: Privilege Issues
Incomplete
Summary
Weaknesses in this category occur with improper handling, assignment, or management of privileges. A privilege is a property of an agent, such as a user. It lets the agent do things that are not ordinarily allowed. For example, there are privileges which allow an agent to perform maintenance functions such as restart a computer.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-243 | Creation of chroot Jail Without Changing Working Directory | The product uses the chroot() system call to create a jail, but does not change the working directory afterward. This does not prevent access to files outside of the jail. |
| CWE-250 | Execution with Unnecessary Privileges | The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses. |
| CWE-266 | Incorrect Privilege Assignment | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
| CWE-267 | Privilege Defined With Unsafe Actions | A particular privilege, role, capability, or right can be used to perform unsafe actions that were not intended, even when it is assigned to the correct entity. |
| CWE-268 | Privilege Chaining | Two distinct privileges, roles, capabilities, or rights can be combined in a way that allows an entity to perform unsafe actions that would not be allowed without that combination. |
| CWE-270 | Privilege Context Switching Error | The product does not properly manage privileges while it is switching between different contexts that have different privileges or spheres of control. |
| CWE-272 | Least Privilege Violation | The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed. |
| CWE-273 | Improper Check for Dropped Privileges | The product attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded. |
| CWE-274 | Improper Handling of Insufficient Privileges | The product does not handle or incorrectly handles when it has insufficient privileges to perform an operation, leading to resultant weaknesses. |
| CWE-280 | Improper Handling of Insufficient Permissions or Privileges | The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state. |
| CWE-501 | Trust Boundary Violation | The product mixes trusted and untrusted data in the same data structure or structured message. |
| CWE-580 | clone() Method Without super.clone() | The product contains a clone() method that does not call super.clone() to obtain the new object. |
| CWE-648 | Incorrect Use of Privileged APIs | The product does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly. |
| CWE-699 | Software Development | This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping. |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.