Placement of User into Incorrect Group| ID: 842 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: INCOMPLETE |
| Abstraction Type: Base |
Description
The software or the administrator places a user into an
incorrect group.
Extended DescriptionIf the incorrect group has more access or privileges than the intended
group, the user might be able to bypass intended security policy to access
unexpected resources or perform unexpected actions. The access-control
system might not be able to detect malicious usage of this group
membership.
Applicable PlatformsLanguage Class: Language-independent
Time Of Introduction
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| Access_Control | Gain privileges / assume
identity | |
Detection MethodsNone
Potential MitigationsNone
Relationships
| Related CWE | Type | View | Chain |
|---|
| CWE-842 ChildOf CWE-286 | Weakness | CWE-1000CWE-699 | |
Demonstrative ExamplesNone
Observed Examples
- CVE-1999-1193 : Operating system assigns user to privileged wheel group, allowing the user to gain root privileges.
- CVE-2010-3716 : Chain: drafted web request allows the creation of users with arbitrary group membership.
- CVE-2008-5397 : Chain: improper processing of configuration options causes users to contain unintended group memberships.
- CVE-2007-6644 : CMS does not prevent remote administrators from promoting other users to the administrator group, in violation of the intended security model.
- CVE-2007-3260 : Product assigns members to the root group, allowing escalation of privileges.
- CVE-2002-0080 : Chain: daemon does not properly clear groups before dropping privileges.
For more examples, refer to CVE relations in the bottom box.
White Box Definitions None
Black Box Definitions None
Taxynomy MappingsNone
References:None
