CWE-274 不充分特权处理不恰当

Improper Handling of Insufficient Privileges

结构: Simple

Abstraction: Base

状态: Draft

被利用可能性: unkown

基本描述

The software does not handle or incorrectly handles when it has insufficient privileges to perform an operation, leading to resultant weaknesses.

相关缺陷

• cwe_Nature: ChildOf cwe_CWE_ID: 703 cwe_View_ID: 1000 cwe_Ordinal: Primary

• cwe_Nature: ChildOf cwe_CWE_ID: 269 cwe_View_ID: 1000

• cwe_Nature: PeerOf cwe_CWE_ID: 271 cwe_View_ID: 1000

• cwe_Nature: CanAlsoBe cwe_CWE_ID: 280 cwe_View_ID: 1000

适用平台

Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}

常见的影响

范围	影响	注释
Other	['Other', 'Alter Execution Logic']

分析过的案例

标识	说明	链接
CVE-2001-1564	System limits are not properly enforced after privileges are dropped.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1564
CVE-2005-3286	Firewall crashes when it can't read a critical memory block that was protected by a malicious process.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3286
CVE-2005-1641	Does not give admin sufficient privileges to overcome otherwise legitimate user actions.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1641

Notes

Relationship
Overlaps dropped privileges, insufficient permissions.
Relationship
This has a layering relationship with Unchecked Error Condition and Unchecked Return Value.
Maintenance
CWE-280 and CWE-274 are too similar. It is likely that CWE-274 will be deprecated in the future.
Theoretical
Within the context of vulnerability theory, privileges and permissions are two sides of the same coin. Privileges are associated with actors, and permissions are associated with resources. To perform access control, at some point the software makes a decision about whether the actor (and the privileges that have been assigned to that actor) is allowed to access the resource (based on the permissions that have been specified for that resource).

分类映射

映射的分类名	ImNode ID	Fit	Mapped Node Name
PLOVER			Insufficient privileges

文章来源于互联网:scap中文网