Category-265: Privilege / Sandbox Issues

admin, 2021-12-04 16:23:57, 73 views


ID: 265
Status: Incomplete

Summary

Weaknesses in this category occur with improper enforcement of sandbox environments, or the improper handling, assignment, or management of privileges.

Membership

ID        NAME
CWE-243   Creation of chroot Jail Without Changing Working Directory
CWE-250   Execution with Unnecessary Privileges
CWE-266   Incorrect Privilege Assignment
CWE-267   Privilege Defined With Unsafe Actions
CWE-268   Privilege Chaining
CWE-269   Improper Privilege Management
CWE-271   Privilege Dropping / Lowering Errors
CWE-274   Improper Handling of Insufficient Privileges
CWE-501   Trust Boundary Violation
CWE-580   clone() Method Without super.clone()
CWE-610   Externally Controlled Reference to a Resource in Another Sphere
CWE-648   Incorrect Use of Privileged APIs
CWE-766   Critical Data Element Declared Public
CWE-767   Access to Critical Private Variable via Public Method

Taxonomy Mappings

Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
PLOVER               |         |     | Privilege / sandbox errors

Notes

Relationship

This can strongly overlap authorization errors.

Theoretical

A sandbox could be regarded as an explicitly defined sphere of control, in that the sandbox only defines a limited set of behaviors, which can only access a limited set of resources.

Theoretical

It could be argued that any privilege problem occurs within the context of a sandbox.

Research Gap

Many of the following concepts require deeper study. Most privilege problems are not classified at such a low level of detail, and terminology is very sparse. Certain classes of software, such as web browsers and software bug trackers, provide a rich set of examples for further research. Operating systems have matured to the point that these kinds of weaknesses are rare, but finer-grained models for privileges, capabilities, or roles might introduce subtler issues.

Source: scap中文网 (republished from the Internet)
