The software or the administrator places a user into an incorrect group. If the incorrect group has more access or privileges than the intended group, the user might be able to bypass intended security policy to access unexpected resources or perform unexpected actions. The access-control system might not be able to detect malicious usage of this group membership. 1000 699 Weakness ChildOf 286 Implementation Operation Access_Control Gain privileges / assume identity CVE-1999-1193 Operating system assigns user to privileged wheel group, allowing the user to gain root privileges. CVE-2010-3716 Chain: drafted web request allows the creation of users with arbitrary group membership. CVE-2008-5397 Chain: improper processing of configuration options causes users to contain unintended group memberships. CVE-2007-6644 CMS does not prevent remote administrators from promoting other users to the administrator group, in violation of the intended security model. CVE-2007-3260 Product assigns members to the root group, allowing escalation of privileges. CVE-2002-0080 Chain: daemon does not properly clear groups before dropping privileges. MITRE 2011-03-24 CWE Content Team MITRE 2011-06-01 updated Common_Consequences