Improper Protection of Alternate Path

Status: Draft
Abstraction: Class
Structure: Simple
Description

The product does not sufficiently protect all possible paths that a user can take to access restricted functionality or resources.

Common Consequences
Scope: Access Control

Impact: Bypass Protection Mechanism; Gain Privileges or Assume Identity

Potential Mitigations
Phase: Architecture and Design
Deploy different layers of protection to implement security in depth.
Observed Examples
CVE-2022-29238: Access-control setting in web-based document collaboration tool is not properly implemented by the code, which prevents listing hidden directories but does not prevent direct requests to files in those directories.
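The observed example above is the classic shape of this weakness: the authorization decision is enforced on one route to a resource (directory listing) but not on another (a direct request for a file inside that directory). The following added example, which is not code from CWE or from the product named in the CVE, models that pattern in a small in-memory document store. The document tree, the role-to-directory policy and the "hidden" directory name are all constructed for the demonstration. It shows the weak direct-read route beside a fixed one that consults the same authorization function as the listing route, and adds an audit helper that a reviewer could run to find any route that returns a resource the policy would deny.

```python
"""Added example of an alternate-path access-control gap and its fix.

All data here is constructed: a tiny document tree and a role policy.
The point is that every route to a resource (listing, direct read, ...)
must call the same authorization check; enforcing it on only one route
leaves the other as an unprotected alternate path.
"""

# Constructed document store: path -> contents.
DOCUMENTS = {
    "public/readme.txt": "anyone may read this",
    "hidden/board/minutes.txt": "restricted board minutes",
}

# Constructed policy: which top-level directories each role may access.
ROLE_DIRECTORIES = {
    "viewer": {"public"},
    "admin": {"public", "hidden"},
}


def top_directory(path: str) -> str:
    """First path segment, e.g. 'hidden' for 'hidden/board/minutes.txt'."""
    return path.split("/", 1)[0]


def is_allowed(role: str, path: str) -> bool:
    """The single authorization decision every access route must consult."""
    return top_directory(path) in ROLE_DIRECTORIES.get(role, set())


def list_directory(role: str, directory: str) -> list:
    """Listing route: enforces the policy, so hidden directories are not listed."""
    if not is_allowed(role, directory):
        return []
    return sorted(p for p in DOCUMENTS if top_directory(p) == directory)


def read_file_weak(role: str, path: str):
    """Weak direct-read route: the policy is never checked here, so a user
    who cannot list 'hidden' can still read a file inside it by path."""
    return DOCUMENTS.get(path)


def read_file_fixed(role: str, path: str):
    """Fixed direct-read route: same check as the listing route."""
    if not is_allowed(role, path):
        return None
    return DOCUMENTS.get(path)


def audit_alternate_paths(read_fn, role: str) -> list:
    """Return every file the given read route hands to `role` even though
    the policy denies it. An empty result means this route agrees with
    the policy; a non-empty one is an unprotected alternate path."""
    return sorted(
        p for p in DOCUMENTS
        if read_fn(role, p) is not None and not is_allowed(role, p)
    )


if __name__ == "__main__":
    print("viewer lists hidden:", list_directory("viewer", "hidden"))
    print("weak route leaks:", audit_alternate_paths(read_file_weak, "viewer"))
    print("fixed route leaks:", audit_alternate_paths(read_file_fixed, "viewer"))
```

The audit helper is the practical takeaway: rather than reasoning about each endpoint separately, enumerate every resource and every route to it and confirm that each route's result matches the one policy function. Running such a check in tests is one concrete form of the layered protection the mitigation above calls for.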
Applicable Platforms
Languages:
Not Language-Specific (Prevalence: Undetermined)
Modes of Introduction
Architecture and Design
Taxonomy Mapping
  • PLOVER
  • Software Fault Patterns