1. Home
  2. Weaknesses
  3. CWE-732

CWE-732: Incorrect Permission Assignment for Critical Resource

ID CWE-732
Abstraction Class
Structure Simple
Status Draft
Number of CVEs 1272
Detail CAPEC Dashboard Vulnerabilities Web & Social
The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

When a resource is given a permission setting that provides access to a wider range of actors than required, it could lead to the exposure of sensitive information, or the modification of that resource by unintended parties. This is especially dangerous when the resource is related to program configuration, execution, or sensitive user data. For example, consider a misconfigured storage account for the cloud that can be read or written by a public or anonymous user.

Modes of Introduction

Phase Note
Architecture and Design
Implementation REALIZATION: This weakness is caused during implementation of an architectural security tactic. The developer might make certain assumptions about the environment in which the product operates - e.g., that the software is running on a single-user system, or the software is only accessible to trusted administrators. When the software is running in a different environment, the permissions become a problem.
Installation The developer may set loose permissions in order to minimize problems when the user first runs the program, then create documentation stating that permissions should be tightened. Since system administrators and users do not always read the documentation, this can result in insecure permissions being left unchanged.
Operation

Applicable Platforms

Type Class Name Prevalence
Language Not Language-Specific
Technology Not Technology-Specific
Technology Cloud Computing

Relationships

View Weakness
# ID View Status # ID Name Abstraction Structure Status
CWE-1000 Research Concepts Draft CWE-285 Improper Authorization Class Simple Draft
CWE-1000 Research Concepts Draft CWE-668 Exposure of Resource to Wrong Sphere Class Simple Draft

Common Attack Pattern Enumeration and Classification (CAPEC)

The Common Attack Pattern Enumeration and Classification (CAPECâ„¢) effort provides a publicly available catalog of common attack patterns that helps users understand how adversaries exploit weaknesses in applications and other cyber-enabled capabilities.

CAPEC at Mitre.org
# ID Name Weaknesses
CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs CWE-732
CAPEC-17 Using Malicious Files CWE-732
CAPEC-60 Reusing Session IDs (aka Session Replay) CWE-732
CAPEC-61 Session Fixation CWE-732
CAPEC-62 Cross Site Request Forgery CWE-732
CAPEC-122 Privilege Abuse CWE-732
CAPEC-127 Directory Indexing CWE-732
CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels CWE-732
CAPEC-206 Signing Malicious Code CWE-732
CAPEC-234 Hijacking a privileged process CWE-732
CAPEC-642 Replace Binaries CWE-732

CVEs Published

Based on CVE published date

CVSS Severity

CVSS Severity - By Year

CVSS Base Score

# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date