CWE-842 将用户置入不正确的用户组

  • A+
所属分类:CWE(弱点枚举)

CWE-842 将用户置入不正确的用户组

Placement of User into Incorrect Group

结构: Simple

Abstraction: Base

状态: Incomplete

被利用可能性: unkown

基本描述

The software or the administrator places a user into an incorrect group.

扩展描述

If the incorrect group has more access or privileges than the intended group, the user might be able to bypass intended security policy to access unexpected resources or perform unexpected actions. The access-control system might not be able to detect malicious usage of this group membership.

相关缺陷

  • cwe_Nature: ChildOf cwe_CWE_ID: 286 cwe_View_ID: 1000 cwe_Ordinal: Primary

  • cwe_Nature: ChildOf cwe_CWE_ID: 286 cwe_View_ID: 699 cwe_Ordinal: Primary

适用平台

Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}

常见的影响

范围 影响 注释
Access Control Gain Privileges or Assume Identity

分析过的案例

标识 说明 链接
CVE-1999-1193 Operating system assigns user to privileged wheel group, allowing the user to gain root privileges. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1193
CVE-2010-3716 Chain: drafted web request allows the creation of users with arbitrary group membership. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3716
CVE-2008-5397 Chain: improper processing of configuration options causes users to contain unintended group memberships. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5397
CVE-2007-6644 CMS does not prevent remote administrators from promoting other users to the administrator group, in violation of the intended security model. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6644
CVE-2007-3260 Product assigns members to the root group, allowing escalation of privileges. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3260
CVE-2002-0080 Chain: daemon does not properly clear groups before dropping privileges. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0080

文章来源于互联网:scap中文网

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: