Placement of User into Incorrect Group

ID: CWE-842
Created: 2012-05-14
Modified: 2012-11-08
Type: weakness
Status: INCOMPLETE
Abstraction Type: Base

Description

The software or the administrator places a user into an incorrect group.

Extended Description

If the incorrect group has more access or privileges than the intended group, the user might be able to bypass intended security policy to access unexpected resources or perform unexpected actions. The access-control system might not be able to detect malicious usage of this group membership.
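The extended description covers two ways the wrong group gets assigned: software that derives membership from untrusted input, and an administrator who simply picks the wrong group. The following added example (written for this page, not code from the CWE entry or from SecPod) shows a small provisioning model that derives group membership from a server-side role policy, refuses client-supplied group lists, gates promotion on the actor's own privilege, and audits an existing directory for users whose groups exceed what their role permits. The role names, group names, and the sample directory are all constructed for the illustration.

```python
"""Role-policy-driven group assignment and audit (added example for CWE-842)."""
from dataclasses import dataclass, field

# Constructed policy: the only groups each role may legitimately hold.
ROLE_GROUPS = {
    "viewer": {"users"},
    "editor": {"users", "editors"},
    "admin": {"users", "editors", "wheel"},
}

# Constructed: groups that confer elevated privilege and therefore require an
# explicitly authorised promotion rather than a request parameter.
PRIVILEGED_GROUPS = {"wheel"}


@dataclass
class User:
    name: str
    role: str
    groups: set = field(default_factory=set)


def groups_for_role(role: str) -> set:
    """Derive membership from the role alone; the request body is never consulted,
    so a crafted request cannot name its own groups."""
    if role not in ROLE_GROUPS:
        raise ValueError(f"unknown role {role!r}")
    return set(ROLE_GROUPS[role])


def create_user(name: str, role: str, requested_groups=None) -> User:
    """Create a user. A client-supplied group list is rejected outright rather than
    silently merged or ignored, so the attempt is visible to the caller and in logs."""
    if requested_groups:
        raise PermissionError("group membership is derived from role, not accepted from the request")
    return User(name, role, groups_for_role(role))


def promote_to_admin(actor: User, target: User) -> User:
    """Promotion to the privileged group is allowed only for an actor who already
    holds every privileged group under an admin role."""
    if actor.role != "admin" or not PRIVILEGED_GROUPS <= actor.groups:
        raise PermissionError(f"{actor.name} may not promote {target.name}")
    target.role = "admin"
    target.groups = groups_for_role("admin")
    return target


def audit(directory) -> list:
    """Return (user, unexpected_groups) for every user holding a group the policy does
    not grant to their role. This detects the 'administrator placed a user in the
    wrong group' case as well as past bugs in the provisioning code."""
    findings = []
    for u in directory:
        extra = u.groups - ROLE_GROUPS.get(u.role, set())
        if extra:
            findings.append((u.name, sorted(extra)))
    return findings


# Constructed sample directory: bob is a viewer who was put into wheel by mistake.
SAMPLE_DIRECTORY = [
    User("alice", "admin", {"users", "editors", "wheel"}),
    User("bob", "viewer", {"users", "wheel"}),
    User("carol", "editor", {"users", "editors"}),
]

if __name__ == "__main__":
    for name, extra in audit(SAMPLE_DIRECTORY):
        print(f"{name}: unexpected groups {extra}")
```

Running the audit over the constructed directory reports only `bob`, and `create_user` refuses any request that tries to carry its own group list instead of letting the role decide.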

Applicable Platforms
Language Class: Language-independent

Time Of Introduction

  • Implementation
  • Operation

Common Consequences

Scope: Access Control
Technical Impact: Gain privileges / assume identity
Notes: (none)

Detection Methods
None

Potential Mitigations
None

Relationships

Related CWE: CWE-842 ChildOf CWE-286
Type: Weakness
Views: CWE-1000, CWE-699
Chain: (none)

Demonstrative Examples
None

Observed Examples

  1. CVE-1999-1193 : Operating system assigns user to privileged wheel group, allowing the user to gain root privileges.
  2. CVE-2010-3716 : Chain: crafted web request allows the creation of users with arbitrary group membership.
  3. CVE-2008-5397 : Chain: improper processing of configuration options causes users to have unintended group memberships.
  4. CVE-2007-6644 : CMS does not prevent remote administrators from promoting other users to the administrator group, in violation of the intended security model.
  5. CVE-2007-3260 : Product assigns members to the root group, allowing escalation of privileges.
  6. CVE-2002-0080 : Chain: daemon does not properly clear groups before dropping privileges.

For more examples, refer to CVE relations in the bottom box.
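Several of the observed examples (the wheel group in CVE-1999-1193, the root group in CVE-2007-3260, and the daemon that does not clear groups before dropping privileges in CVE-2002-0080) are about a process, not a user record, ending up with a privileged group. The following added example (written for this page, not taken from the CWE entry, SecPod, or any of the affected products) shows the order in which a privilege drop must clear supplementary groups, a post-drop check that fails if a privileged group survives, and the incorrect variant beside it. The privileged-gid set and the `FakeCreds` stand-in that lets the logic run without root are constructed for the illustration; with the default `api=os` the function makes the real `os.setgroups`/`os.setgid`/`os.setuid` calls.

```python
"""Privilege drop with supplementary-group clearing (added example for CWE-842)."""
import os

# Constructed policy: gid 0 treated as privileged (root/wheel on many systems).
PRIVILEGED_GIDS = frozenset({0})


def privileged_groups(gids, privileged=PRIVILEGED_GIDS) -> list:
    """Sorted subset of gids that the policy treats as privileged; empty means clean."""
    return sorted(set(gids) & set(privileged))


def drop_privileges(uid: int, gid: int, supplementary=(), api=os) -> list:
    """Drop to uid/gid and return the privileged groups still held (expected: none).

    The order is the whole point: setgroups() needs the privilege we are about to
    give up, so it must run first; setgid() before setuid() for the same reason.
    Skipping step 1 is the pattern CVE-2002-0080 describes.
    """
    api.setgroups(list(supplementary))   # 1. clear supplementary groups while still privileged
    api.setgid(gid)                      # 2. primary group
    api.setuid(uid)                      # 3. finally the uid
    # 4. verify the drop actually took effect rather than trusting the calls succeeded
    leftover = privileged_groups(api.getgroups())
    if leftover or api.getuid() != uid or api.getgid() != gid:
        raise RuntimeError(
            f"privilege drop incomplete: uid={api.getuid()} gid={api.getgid()} "
            f"privileged groups={leftover}"
        )
    return leftover


def buggy_drop(uid: int, gid: int, api=os) -> list:
    """The incorrect pattern: uid and gid change, supplementary groups are untouched,
    so a privileged group inherited from the parent survives the drop."""
    api.setgid(gid)
    api.setuid(uid)
    return privileged_groups(api.getgroups())


class FakeCreds:
    """Constructed stand-in for the os calls: a process that starts as root and
    carries a privileged supplementary group. setgroups() is modelled as requiring
    uid 0, as the real call does, so the wrong ordering fails loudly."""

    def __init__(self, uid=0, gid=0, groups=(0, 4)):
        self.uid, self.gid, self.groups = uid, gid, list(groups)
        self.calls = []

    def setgroups(self, groups):
        if self.uid != 0:
            raise PermissionError("EPERM: setgroups requires privilege")
        self.calls.append("setgroups")
        self.groups = list(groups)

    def setgid(self, gid):
        self.calls.append("setgid")
        self.gid = gid

    def setuid(self, uid):
        self.calls.append("setuid")
        self.uid = uid

    def getgroups(self):
        return list(self.groups)

    def getuid(self):
        return self.uid

    def getgid(self):
        return self.gid


if __name__ == "__main__":
    # Unprivileged demonstration against the fake; use api=os in a real root daemon.
    print("buggy drop leaves:", buggy_drop(1000, 1000, FakeCreds()))
    print("correct drop leaves:", drop_privileges(1000, 1000, api=FakeCreds()))
```

The check in step 4 is what turns a silent misconfiguration into a startup failure: a daemon that inherits gid 0 in its supplementary list and forgets `setgroups()` would otherwise run "unprivileged" while still able to act as the root group.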

White Box Definitions
None

Black Box Definitions
None

Taxonomy Mappings
None

References:
None

© 2013 SecPod Technologies