CWE-284: Improper Access Control
ID
CWE-284
Abstraction
Pillar
Structure
Simple
Status
Incomplete
Number of CVEs
2574
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Access control involves the use of several protection mechanisms such as:
- Authentication (proving the identity of an actor)
- Authorization (ensuring that a given actor can access a resource), and
- Accountability (tracking of activities that were performed)
When any mechanism is not applied or otherwise fails, attackers can compromise the security of the product by gaining privileges, reading sensitive information, executing commands, evading detection, etc.
There are two distinct behaviors that can introduce access control weaknesses:
- Specification: incorrect privileges, permissions, ownership, etc. are explicitly specified for either the user or the resource (for example, setting a password file to be world-writable, or giving administrator capabilities to a guest user). This action could be performed by the program or the administrator.
- Enforcement: the mechanism contains errors that prevent it from properly enforcing the specified access control requirements (e.g., allowing the user to specify their own privileges, or allowing a syntactically-incorrect ACL to produce insecure settings). This problem occurs within the program itself, in that it does not actually enforce the intended security policy that the administrator specifies.
Modes of Introduction
| Phase | Note |
|---|---|
| Architecture and Design | |
| Implementation | REALIZATION: This weakness is caused during implementation of an architectural security tactic. |
| Operation |
Applicable Platforms
| Type | Class | Name | Prevalence |
|---|---|---|---|
| Technology | Not Technology-Specific | ||
| Technology | ICS/OT |
Common Attack Pattern Enumeration and Classification (CAPEC)
The Common Attack Pattern Enumeration and Classification (CAPECâ„¢) effort provides a publicly available catalog of common attack patterns that helps users understand how adversaries exploit weaknesses in applications and other cyber-enabled capabilities.
CAPEC at Mitre.org| # ID | Name | Weaknesses |
|---|---|---|
| CAPEC-19 | Embedding Scripts within Scripts | CWE-284 |
| CAPEC-441 | Malicious Logic Insertion | CWE-284 |
| CAPEC-478 | Modification of Windows Service Configuration | CWE-284 |
| CAPEC-479 | Malicious Root Certificate | CWE-284 |
| CAPEC-502 | Intent Spoof | CWE-284 |
| CAPEC-503 | WebView Exposure | CWE-284 |
| CAPEC-536 | Data Injected During Configuration | CWE-284 |
| CAPEC-546 | Incomplete Data Deletion in a Multi-Tenant Environment | CWE-284 |
| CAPEC-550 | Install New Service | CWE-284 |
| CAPEC-551 | Modify Existing Service | CWE-284 |
| CAPEC-552 | Install Rootkit | CWE-284 |
| CAPEC-556 | Replace File Extension Handlers | CWE-284 |
| CAPEC-558 | Replace Trusted Executable | CWE-284 |
| CAPEC-562 | Modify Shared File | CWE-284 |
| CAPEC-563 | Add Malicious File to Shared Webroot | CWE-284 |
| CAPEC-564 | Run Software at Logon | CWE-284 |
| CAPEC-578 | Disable Security Software | CWE-284 |
CVEs Published
CVSS Severity
CVSS Severity - By Year
CVSS Base Score
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
|---|---|---|---|---|---|---|---|---|---|---|---|
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |
Loading...