{"@ID": "269", "@Name": "Improper Privilege Management", "@Abstraction": "Class", "@Structure": "Simple", "@Status": "Draft", "@Diagram": "/data/images/CWE-269-Diagram.png", "Description": "The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.", "Related_Weaknesses": {"Related_Weakness": {"@Nature": "ChildOf", "@CWE_ID": "284", "@View_ID": "1000", "@Ordinal": "Primary"}}, "Weakness_Ordinalities": {"Weakness_Ordinality": {"Ordinality": "Primary"}}, "Applicable_Platforms": {"Language": {"@Class": "Not Language-Specific", "@Prevalence": "Undetermined"}}, "Modes_Of_Introduction": {"Introduction": [{"Phase": "Architecture and Design"}, {"Phase": "Implementation", "Note": "REALIZATION: This weakness is caused during implementation of an architectural security tactic."}, {"Phase": "Operation"}]}, "Likelihood_Of_Exploit": "Medium", "Common_Consequences": {"Consequence": {"Scope": "Access Control", "Impact": "Gain Privileges or Assume Identity"}}, "Detection_Methods": {"Detection_Method": {"@Detection_Method_ID": "DM-14", "Method": "Automated Static Analysis", "Description": "Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect \"sources\" (origins of input) with \"sinks\" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)", "Effectiveness": "High"}}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": "MIT-1", "Phase": ["Architecture and Design", "Operation"], "Description": "Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software."}, {"@Mitigation_ID": "MIT-48", "Phase": "Architecture and Design", "Strategy": "Separation of Privilege", "Description": "Follow the principle of least privilege when assigning access rights to entities in a software system."}, {"@Mitigation_ID": "MIT-49", "Phase": "Architecture and Design", "Strategy": "Separation of Privilege", "Description": "Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource."}]}, "Demonstrative_Examples": {"Demonstrative_Example": [{"@Demonstrative_Example_ID": "DX-126", "Intro_Text": "This code temporarily raises the program's privileges to allow creation of a new user folder.", "Example_Code": {"@Nature": "Bad", "@Language": "Python", "xhtml:div": {"xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": {"xhtml:div": [{"@style": "margin-left:1em;", "xhtml:div": {"xhtml:br": [null, null, null], "xhtml:i": "#avoid CWE-22 and CWE-78", "#text": "print('Usernames cannot contain invalid characters')return False"}}, {"@style": "margin-left:1em;", "xhtml:br": [null, null], "#text": "raisePrivileges()os.mkdir('/home/' + username)lowerPrivileges()"}, {"@style": "margin-left:1em;", "xhtml:br": null, "#text": "print('Unable to create new user directory for user:' + username)return False"}], "xhtml:br": [null, null, null], "#text": "if invalidUsername(username):\n                           try:\n                           except OSError:\n                           return True"}}, "#text": "def makeNewUserDir(username):"}}, "Body_Text": "While the program only raises its privilege level to create the folder and immediately lowers it again, if the call to os.mkdir() throws an exception, the call to lowerPrivileges() will not occur. As a result, the program is indefinitely operating in a raised privilege state, possibly allowing further exploitation to occur."}, {"@Demonstrative_Example_ID": "DX-97", "Intro_Text": "The following example demonstrates the weakness.", "Example_Code": {"@Nature": "Bad", "@Language": "C", "xhtml:div": {"xhtml:br": [null, null, null], "xhtml:i": "/* do some stuff */", "#text": "seteuid(0);\n                     \n                     \n                     seteuid(getuid());"}}}, {"@Demonstrative_Example_ID": "DX-142", "Intro_Text": "The following example demonstrates the weakness.", "Example_Code": {"@Nature": "Bad", "@Language": "Java", "xhtml:div": {"xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": {"xhtml:div": {"@style": "margin-left:1em;", "xhtml:i": ["// privileged code goes here, for example:", "// nothing to return"], "xhtml:br": [null, null, null, null], "#text": "System.loadLibrary(\"awt\");return null;"}, "#text": "public Object run() {}"}}, "#text": "AccessController.doPrivileged(new PrivilegedAction() {"}}}, {"@Demonstrative_Example_ID": "DX-127", "Intro_Text": "This code intends to allow only Administrators to print debug information about a system.", "Example_Code": {"@Nature": "Bad", "@Language": "Java", "xhtml:div": {"xhtml:div": [{"@style": "margin-left:1em;", "#text": "ADMIN,USER,GUEST"}, {"@style": "margin-left:1em;", "xhtml:div": {"xhtml:div": [{"@style": "margin-left:1em;", "xhtml:div": {"xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": {"xhtml:div": [{"@style": "margin-left:1em;", "xhtml:br": null, "#text": "System.out.println(\"You are not authorized to perform this command\");break;"}, {"@style": "margin-left:1em;", "xhtml:br": null, "#text": "System.out.println(currentDebugState());break;"}], "xhtml:br": null, "#text": "case GUEST:\n                                       default:"}}, "#text": "switch(requestingUser.role){}"}}, {"@style": "margin-left:1em;", "#text": "System.out.println(\"You must be logged in to perform this command\");"}], "xhtml:br": null, "#text": "if(isAuthenticated(requestingUser)){}else{}"}}], "xhtml:br": [null, null], "#text": "public enum Roles {}\n                     public void printDebugInfo(User requestingUser){}"}}, "Body_Text": "While the intention was to only allow Administrators to print the debug information, the code as written only excludes those with the role of \"GUEST\". Someone with the role of \"ADMIN\" or \"USER\" will be allowed access, which goes against the original intent. An attacker may be able to use this debug information to craft an attack on the system."}, {"@Demonstrative_Example_ID": "DX-128", "Intro_Text": "This code allows someone with the role of \"ADMIN\" or \"OPERATOR\" to reset a user's password. The role of \"OPERATOR\" is intended to have less privileges than an \"ADMIN\", but still be able to help users with small issues such as forgotten passwords.", "Example_Code": {"@Nature": "Bad", "@Language": "Java", "xhtml:div": {"xhtml:div": [{"@style": "margin-left:1em;", "#text": "ADMIN,OPERATOR,USER,GUEST"}, {"@style": "margin-left:1em;", "xhtml:div": {"xhtml:div": [{"@style": "margin-left:1em;", "xhtml:div": {"xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": {"xhtml:div": [{"@style": "margin-left:1em;", "xhtml:br": null, "#text": "System.out.println(\"You are not authorized to perform this command\");break;"}, {"@style": "margin-left:1em;", "xhtml:br": null, "#text": "System.out.println(\"You are not authorized to perform this command\");break;"}, {"@style": "margin-left:1em;", "xhtml:br": null, "#text": "setPassword(user,password);break;"}], "xhtml:br": [null, null], "#text": "case GUEST:\n                                       case USER:\n                                       default:}"}}, "#text": "switch(requestingUser.role){}"}}, {"@style": "margin-left:1em;", "#text": "System.out.println(\"You must be logged in to perform this command\");"}], "xhtml:br": null, "#text": "if(isAuthenticated(requestingUser)){\n                           else{}"}}], "xhtml:br": [null, null], "#text": "public enum Roles {}\n                     public void resetPassword(User requestingUser, User user, String password ){}"}}, "Body_Text": "This code does not check the role of the user whose password is being reset. It is possible for an Operator to gain Admin privileges by resetting the password of an Admin account and taking control of that account."}]}, "Observed_Examples": {"Observed_Example": [{"Reference": "CVE-2001-1555", "Description": "Terminal privileges are not reset when a user logs out.", "Link": "https://www.cve.org/CVERecord?id=CVE-2001-1555"}, {"Reference": "CVE-2001-1514", "Description": "Does not properly pass security context to child processes in certain cases, allows privilege escalation.", "Link": "https://www.cve.org/CVERecord?id=CVE-2001-1514"}, {"Reference": "CVE-2001-0128", "Description": "Does not properly compute roles.", "Link": "https://www.cve.org/CVERecord?id=CVE-2001-0128"}, {"Reference": "CVE-1999-1193", "Description": "untrusted user placed in unix \"wheel\" group", "Link": "https://www.cve.org/CVERecord?id=CVE-1999-1193"}, {"Reference": "CVE-2005-2741", "Description": "Product allows users to grant themselves certain rights that can be used to escalate privileges.", "Link": "https://www.cve.org/CVERecord?id=CVE-2005-2741"}, {"Reference": "CVE-2005-2496", "Description": "Product uses group ID of a user instead of the group, causing it to run with different privileges. This is resultant from some other unknown issue.", "Link": "https://www.cve.org/CVERecord?id=CVE-2005-2496"}, {"Reference": "CVE-2004-0274", "Description": "Product mistakenly assigns a particular status to an entity, leading to increased privileges.", "Link": "https://www.cve.org/CVERecord?id=CVE-2004-0274"}, {"Reference": "CVE-2007-4217", "Description": "FTP client program on a certain OS runs with setuid privileges and has a buffer overflow. Most clients do not need extra privileges, so an overflow is not a vulnerability for those clients.", "Link": "https://www.cve.org/CVERecord?id=CVE-2007-4217"}, {"Reference": "CVE-2007-5159", "Description": "OS incorrectly installs a program with setuid privileges, allowing users to gain privileges.", "Link": "https://www.cve.org/CVERecord?id=CVE-2007-5159"}, {"Reference": "CVE-2008-4638", "Description": "Composite: application running with high privileges (CWE-250) allows user to specify a restricted file to process, which generates a parsing error that leaks the contents of the file (CWE-209).", "Link": "https://www.cve.org/CVERecord?id=CVE-2008-4638"}, {"Reference": "CVE-2007-3931", "Description": "Installation script installs some programs as setuid when they shouldn't be.", "Link": "https://www.cve.org/CVERecord?id=CVE-2007-3931"}, {"Reference": "CVE-2002-1981", "Description": "Roles have access to dangerous procedures (Accessible entities).", "Link": "https://www.cve.org/CVERecord?id=CVE-2002-1981"}, {"Reference": "CVE-2002-1671", "Description": "Untrusted object/method gets access to clipboard (Accessible entities).", "Link": "https://www.cve.org/CVERecord?id=CVE-2002-1671"}, {"Reference": "CVE-2000-0315", "Description": "Traceroute program allows unprivileged users to modify source address of packet (Accessible entities).", "Link": "https://www.cve.org/CVERecord?id=CVE-2000-0315"}, {"Reference": "CVE-2000-0506", "Description": "User with capability can prevent setuid program from dropping privileges (Unsafe privileged actions).", "Link": "https://www.cve.org/CVERecord?id=CVE-2000-0506"}]}, "Taxonomy_Mappings": {"Taxonomy_Mapping": [{"@Taxonomy_Name": "PLOVER", "Entry_Name": "Privilege Management Error"}, {"@Taxonomy_Name": "ISA/IEC 62443", "Entry_ID": "Part 2-4", "Entry_Name": "Req SP.03.08 BR"}, {"@Taxonomy_Name": "ISA/IEC 62443", "Entry_ID": "Part 3-2", "Entry_Name": "Req CR 3.1"}, {"@Taxonomy_Name": "ISA/IEC 62443", "Entry_ID": "Part 3-3", "Entry_Name": "Req SR 1.2"}, {"@Taxonomy_Name": "ISA/IEC 62443", "Entry_ID": "Part 3-3", "Entry_Name": "Req SR 2.1"}, {"@Taxonomy_Name": "ISA/IEC 62443", "Entry_ID": "Part 4-1", "Entry_Name": "Req SD-3"}, {"@Taxonomy_Name": "ISA/IEC 62443", "Entry_ID": "Part 4-1", "Entry_Name": "Req SD-4"}, {"@Taxonomy_Name": "ISA/IEC 62443", "Entry_ID": "Part 4-1", "Entry_Name": "Req SI-1"}, {"@Taxonomy_Name": "ISA/IEC 62443", "Entry_ID": "Part 4-2", "Entry_Name": "Req CR 1.1"}, {"@Taxonomy_Name": "ISA/IEC 62443", "Entry_ID": "Part 4-2", "Entry_Name": "Req CR 2.1"}]}, "Related_Attack_Patterns": {"Related_Attack_Pattern": [{"@CAPEC_ID": "122"}, {"@CAPEC_ID": "233"}, {"@CAPEC_ID": "58"}]}, "References": {"Reference": [{"@External_Reference_ID": "REF-44", "@Section": "\"Sin 16: Executing Code With Too Much Privilege.\" Page 243"}, {"@External_Reference_ID": "REF-62", "@Section": "Chapter 9, \"Dropping Privileges Permanently\", Page 479"}, {"@External_Reference_ID": "REF-1287", "@Section": "Details of Problematic Mappings"}]}, "Mapping_Notes": {"Usage": "Discouraged", "Rationale": "CWE-269 is commonly misused. It can be conflated with \"privilege escalation,\" which is a technical impact that is listed in many low-information vulnerability reports [REF-1287]. It is not useful for trend analysis.", "Comments": "If an error or mistake allows privilege escalation, then use the CWE ID for that mistake. Avoid using CWE-269 when only phrases such as \"privilege escalation\" or \"gain privileges\" are available, as these indicate technical impact of the vulnerability - not the root cause weakness. If the root cause seems to be directly related to privileges, then examine the children of CWE-269 for additional hints.", "Reasons": {"Reason": [{"@Type": "Frequent Misuse"}, {"@Type": "Frequent Misinterpretation"}, {"@Type": "Abstraction"}]}, "Suggestions": {"Suggestion": [{"@CWE_ID": "250", "@Comment": "Execution with Unnecessary Privileges"}, {"@CWE_ID": "266", "@Comment": "assigning incorrect privilege"}, {"@CWE_ID": "267", "@Comment": "Privilege Defined With Unsafe Actions"}, {"@CWE_ID": "271", "@Comment": "dropping/lowering privileges incorrectly"}]}}, "Notes": {"Note": {"@Type": "Maintenance", "#text": "The relationships between privileges, permissions, and actors (e.g. users and groups) need further refinement within the Research view. One complication is that these concepts apply to two different pillars, related to control of resources (CWE-664) and protection mechanism failures (CWE-693)."}}, "Content_History": {"Submission": {"Submission_Name": "PLOVER", "Submission_Date": "2006-07-19", "Submission_Version": "Draft 3", "Submission_ReleaseDate": "2006-07-19"}, "Modification": [{"Modification_Name": "Eric Dalci", "Modification_Organization": "Cigital", "Modification_Date": "2008-07-01", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Time_of_Introduction"}, {"Modification_Organization": "CWE Team", "Modification_Date": "2008-09-08", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "Moved this entry higher up in the Research view."}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-09-08", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Description, Maintenance_Notes, Name, Relationships, Taxonomy_Mappings, Weakness_Ordinalities"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-05-27", "Modification_Version": "1.4", "Modification_ReleaseDate": "2009-05-27", "Modification_Comment": "updated Name"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-12-28", "Modification_Version": "1.7", "Modification_ReleaseDate": "2009-12-28", "Modification_Comment": "updated Potential_Mitigations"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2010-06-21", "Modification_Version": "1.9", "Modification_ReleaseDate": "2010-06-21", "Modification_Comment": "updated Potential_Mitigations"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-03-29", "Modification_Version": "1.12", "Modification_ReleaseDate": "2011-03-30", "Modification_Comment": "updated Description, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-01", "Modification_Version": "1.13", "Modification_ReleaseDate": "2011-06-01", "Modification_Comment": "updated Common_Consequences"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-05-11", "Modification_Version": "2.2", "Modification_ReleaseDate": "2012-05-15", "Modification_Comment": "updated References, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-10-30", "Modification_Version": "2.3", "Modification_ReleaseDate": "2012-10-30", "Modification_Comment": "updated Potential_Mitigations"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2013-02-21", "Modification_Version": "2.4", "Modification_ReleaseDate": "2013-02-21", "Modification_Comment": "updated Potential_Mitigations"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-11-08", "Modification_Version": "3.0", "Modification_ReleaseDate": "2017-11-08", "Modification_Comment": "updated Applicable_Platforms, Causal_Nature, Modes_of_Introduction, Relationships, Type"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2019-06-20", "Modification_Version": "3.3", "Modification_ReleaseDate": "2019-06-20", "Modification_Comment": "updated Related_Attack_Patterns, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2019-09-19", "Modification_Version": "3.4", "Modification_ReleaseDate": "2019-09-19", "Modification_Comment": "updated Demonstrative_Examples, Maintenance_Notes, Observed_Examples, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-02-24", "Modification_Version": "4.0", "Modification_ReleaseDate": "2020-02-24", "Modification_Comment": "updated Observed_Examples, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-08-20", "Modification_Version": "4.2", "Modification_ReleaseDate": "2020-08-20", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2021-03-15", "Modification_Version": "4.4", "Modification_ReleaseDate": "2021-03-15", "Modification_Comment": "updated Demonstrative_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2021-10-28", "Modification_Version": "4.6", "Modification_ReleaseDate": "2021-10-28", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2022-04-28", "Modification_Version": "4.7", "Modification_ReleaseDate": "2022-04-28", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2022-10-13", "Modification_Version": "4.9", "Modification_ReleaseDate": "2022-10-13", "Modification_Comment": "updated References"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-01-31", "Modification_Version": "4.10", "Modification_ReleaseDate": "2023-01-31", "Modification_Comment": "updated Description"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated Detection_Factors, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes, Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2024-07-16", "Modification_Version": "4.15", "Modification_ReleaseDate": "2024-07-16", "Modification_Comment": "updated Diagram"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2024-11-19", "Modification_Version": "4.16", "Modification_ReleaseDate": "2024-11-19", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2026-01-21", "Modification_Version": "4.19.1", "Modification_ReleaseDate": "2026-01-21", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2026-04-30", "Modification_Version": "4.20", "Modification_ReleaseDate": "2026-04-30", "Modification_Comment": "updated Mapping_Notes"}], "Contribution": [{"@Type": "Content", "Contribution_Name": "\"Mapping CWE to 62443\" Sub-Working Group", "Contribution_Organization": "CWE-CAPEC ICS/OT SIG", "Contribution_Date": "2023-06-29", "Contribution_Version": "4.12", "Contribution_ReleaseDate": "2023-06-29", "Contribution_Comment": "Suggested mappings to ISA/IEC 62443."}, {"@Type": "Content", "Contribution_Name": "Abhi Balakrishnan", "Contribution_Date": "2024-02-29", "Contribution_Version": "4.15", "Contribution_ReleaseDate": "2024-07-16", "Contribution_Comment": "Provided diagram to improve CWE usability"}], "Previous_Entry_Name": [{"@Date": "2008-09-09", "#text": "Privilege Management Error"}, {"@Date": "2009-05-27", "#text": "Insecure Privilege Management"}]}}
