Incorrect User Management
Incomplete Class
Structure: Simple
Description
The product does not properly manage a user within its environment.
Users can be assigned to the wrong group (class) of permissions resulting in unintended access rights to sensitive objects.
Common Consequences 1
Scope: Other
Impact: Varies by Context
Observed Examples 2
CVE-2022-36109Containerization product does not record a user's supplementary group ID, allowing bypass of group restrictions.
CVE-1999-1193Operating system assigns user to privileged wheel group, allowing the user to gain root privileges.
Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Modes of Introduction
Architecture and Design
Implementation
Operation
Related Weaknesses
ChildOf:
Improper Access Control (CWE-284)
Taxonomy Mapping
- PLOVER
Notes
MaintenanceThe relationships between privileges, permissions, and actors (e.g. users and groups) need further refinement within the Research view. One complication is that these concepts apply to two different pillars, related to control of resources (Improper Control of a Resource Through its Lifetime) and protection mechanism failures (Protection Mechanism Failure).
MaintenanceThis item needs more work. Possible sub-categories include: user in wrong group, and user with insecure profile or "configuration". It also might be better expressed as a category than a weakness.