CWE-732: Incorrect Permission Assignment for Critical Resource
ID: CWE-732
Abstraction: Class
Structure: Simple
Status: Draft
Number of CVEs: 1277
The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
When a resource is given a permission setting that grants access to a wider range of actors than required, it can lead to the exposure of sensitive information or to the modification of that resource by unintended parties. This is especially dangerous when the resource is related to program configuration, execution, or sensitive user data. For example, consider a misconfigured cloud storage account that can be read or written by a public or anonymous user.
Modes of Introduction
Phase | Note |
---|---|
Architecture and Design | |
Implementation | REALIZATION: This weakness is caused during implementation of an architectural security tactic. The developer might make certain assumptions about the environment in which the product operates, e.g., that the software is running on a single-user system, or that the software is only accessible to trusted administrators. When the software is running in a different environment, the permissions become a problem. |
Installation | The developer may set loose permissions in order to minimize problems when the user first runs the program, then create documentation stating that permissions should be tightened. Since system administrators and users do not always read the documentation, this can result in insecure permissions being left unchanged. |
Operation | |
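The description above and the Implementation and Installation notes both come down to the same defect: a security-critical file is created with whatever mode the environment happens to give it, instead of the mode the resource actually needs. The following is an added example, not code from the CWE entry or from any project it lists. It assumes a POSIX filesystem (the mode bits reported by `os.stat` are only meaningful there) and a constructed secret file; it places the loose pattern (rely on the process umask, which with the common `022` yields a world-readable `0644` file) beside the hardened one (request the owner-only mode at creation time with `O_EXCL`), and adds a small audit routine that reports which unintended actors can read or modify a given path.

```python
import os
import stat
import tempfile

# Constructed sample content standing in for a credentials or config file.
SECRET_CONTENT = b"api_token=EXAMPLE-TOKEN-PLACEHOLDER\n"


def write_secret_loosely(path: str, data: bytes) -> int:
    """Weak pattern (CWE-732): the file mode is left to the process umask.
    open() requests 0o666; under umask 022 the file lands on disk as 0o644,
    readable by every local user. Returns the resulting permission bits."""
    with open(path, "wb") as fh:
        fh.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)


def write_secret_restricted(path: str, data: bytes) -> int:
    """Hardened form: ask for owner-only access (0o600) at creation time.
    The umask can only clear bits, never add them, so the file is never
    observable with wider permissions. O_EXCL refuses to reuse an existing
    path, so a pre-placed file or symlink cannot be written through."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)


def audit_permissions(path: str, allow_group_read: bool = False) -> list:
    """Return the list of unintended-actor findings for `path`.
    An empty list means only the owner can read or modify the resource."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if mode & stat.S_IRGRP and not allow_group_read:
        findings.append("group-readable")
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    return findings


def demo() -> dict:
    """Constructed scenario: create both variants under umask 022 in a
    throwaway directory and return the mode and audit findings of each."""
    old_umask = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            loose = os.path.join(tmp, "loose.conf")
            tight = os.path.join(tmp, "tight.conf")
            loose_mode = write_secret_loosely(loose, SECRET_CONTENT)
            tight_mode = write_secret_restricted(tight, SECRET_CONTENT)
            return {
                "loose_mode": loose_mode,
                "loose_findings": audit_permissions(loose),
                "tight_mode": tight_mode,
                "tight_findings": audit_permissions(tight),
            }
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, oct(value) if isinstance(value, int) else value)
```

The audit function is the part worth reusing at Installation time: running it over the files an installer drops (configuration, key material, state directories) catches the "loose now, tighten later per the docs" situation described above before the documentation is ever needed.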
Applicable Platforms
Type | Class | Name | Prevalence |
---|---|---|---|
Language | Not Language-Specific | | |
Technology | Not Technology-Specific | | |
Technology | Cloud Computing | | |
Common Attack Pattern Enumeration and Classification (CAPEC)
The Common Attack Pattern Enumeration and Classification (CAPEC™) effort provides a publicly available catalog of common attack patterns that helps users understand how adversaries exploit weaknesses in applications and other cyber-enabled capabilities.
CAPEC at Mitre.org
# ID | Name | Weaknesses |
---|---|---|
CAPEC-1 | Accessing Functionality Not Properly Constrained by ACLs | CWE-732 |
CAPEC-17 | Using Malicious Files | CWE-732 |
CAPEC-60 | Reusing Session IDs (aka Session Replay) | CWE-732 |
CAPEC-61 | Session Fixation | CWE-732 |
CAPEC-62 | Cross Site Request Forgery | CWE-732 |
CAPEC-122 | Privilege Abuse | CWE-732 |
CAPEC-127 | Directory Indexing | CWE-732 |
CAPEC-180 | Exploiting Incorrectly Configured Access Control Security Levels | CWE-732 |
CAPEC-206 | Signing Malicious Code | CWE-732 |
CAPEC-234 | Hijacking a privileged process | CWE-732 |
CAPEC-642 | Replace Binaries | CWE-732 |
CVEs Published
CVSS Severity
CVSS Severity - By Year
CVSS Base Score
(chart panels; the plotted data is not part of this text extract)
# CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Publication Date | Modification Date |
---|---|---|---|---|---|---|---|---|---|---|---|