CWE-284: Improper Access Control

Description

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Submission Date: 2006-07-19

Modification Date: 2023-10-26

Organization: MITRE

Extended Description

Access control involves the use of several protection mechanisms such as:

  • Authentication (proving the identity of an actor)
  • Authorization (ensuring that a given actor can access a resource), and
  • Accountability (tracking of activities that were performed)

When any mechanism is not applied or otherwise fails, attackers can compromise the security of the product by gaining privileges, reading sensitive information, executing commands, evading detection, etc.

There are two distinct behaviors that can introduce access control weaknesses:

  • Specification: incorrect privileges, permissions, ownership, etc. are explicitly specified for either the user or the resource (for example, setting a password file to be world-writable, or giving administrator capabilities to a guest user). This action could be performed by the program or the administrator.
  • Enforcement: the mechanism contains errors that prevent it from properly enforcing the specified access control requirements (e.g., allowing the user to specify their own privileges, or allowing a syntactically incorrect ACL to produce insecure settings). This problem occurs within the program itself, in that it does not actually enforce the intended security policy that the administrator specifies.
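As an added illustration that is not part of the CWE entry, the following Python sketches each failure mode described above beside a corrected form: a specification check for a world-readable or world-writable file mode, an enforcement check that trusts a client-supplied role versus one that consults a server-side store, and a hypothetical ACL format in which a lenient parser silently drops a malformed deny rule (failing open) while a strict parser fails closed. All names, the ACL syntax and the ROLE_DB store are constructed for this example.

```python
import stat

# Specification error: the policy itself is wrong. 'mode' is an st_mode value
# (as os.stat would return); it is passed in so the check runs offline.
def audit_file_mode(mode: int) -> list:
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    return findings

# Enforcement error 1: letting the actor specify their own privileges.
ROLE_DB = {"alice": "admin", "bob": "user"}  # constructed server-side store

def is_admin_insecure(request: dict) -> bool:
    return request.get("role") == "admin"  # vulnerable: client-supplied role

def is_admin_secure(request: dict) -> bool:
    # corrected: privileges derive from the authenticated identity, server-side
    return ROLE_DB.get(request.get("user")) == "admin"

# Enforcement error 2: a syntactically incorrect ACL must fail closed.
# Hypothetical format, one rule per line: 'allow|deny <user|*> <perm>'.
def parse_acl(text: str, strict: bool) -> list:
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 3 or parts[0] not in ("allow", "deny"):
            if strict:
                raise ValueError(f"malformed ACL rule on line {lineno}: {line!r}")
            continue  # lenient: drop the rule silently (the insecure behaviour)
        rules.append(tuple(parts))
    return rules

def is_allowed(acl_text: str, user: str, perm: str, strict: bool = True) -> bool:
    # deny rules win; an unparsable ACL denies everything
    try:
        rules = parse_acl(acl_text, strict)
    except ValueError:
        return False
    granted = False
    for action, subject, p in rules:
        if p == perm and subject in (user, "*"):
            if action == "deny":
                return False
            granted = True
    return granted
```

With the constructed ACL `allow * read` followed by a malformed `deny bob` line, the lenient parser grants bob read access because the deny rule vanishes, while the strict parser rejects the whole ACL and the check denies.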

Related Weaknesses

This table shows the weaknesses and high-level categories that are related to this weakness. These relationships are defined to give an overview of the different insights into similar items that may exist at higher and lower levels of abstraction.

  • CWE-269: Improper Privilege Management
  • CWE-282: Improper Ownership Management
  • CWE-285: Improper Authorization
  • CWE-286: Incorrect User Management
  • CWE-287: Improper Authentication
  • CWE-288: Authentication Bypass Using an Alternate Path or Channel
  • CWE-346: Origin Validation Error
  • CWE-639: Authorization Bypass Through User-Controlled Key
  • CWE-749: Exposed Dangerous Method or Function
  • CWE-862: Missing Authorization
  • CWE-863: Incorrect Authorization
  • CWE-923: Improper Restriction of Communication Channel to Intended Endpoints
  • CWE-1191: On-Chip Debug and Test Interface With Improper Access Control
  • CWE-1220: Insufficient Granularity of Access Control
  • CWE-1224: Improper Restriction of Write-Once Bit Fields
  • CWE-1231: Improper Prevention of Lock Bit Modification
  • CWE-1233: Security-Sensitive Hardware Controls with Missing Lock Bit Protection
  • CWE-1242: Inclusion of Undocumented Features or Chicken Bits
  • CWE-1252: CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations
  • CWE-1257: Improper Access Control Applied to Mirrored or Aliased Memory Regions
  • CWE-1259: Improper Restriction of Security Token Assignment
  • CWE-1260: Improper Handling of Overlap Between Protected Memory Ranges
  • CWE-1262: Improper Access Control for Register Interface
  • CWE-1263: Improper Physical Access Control
  • CWE-1267: Policy Uses Obsolete Encoding
  • CWE-1268: Policy Privileges are not Assigned Consistently Between Control and Data Agents
  • CWE-1270: Generation of Incorrect Security Tokens
  • CWE-1274: Improper Access Control for Volatile Memory Containing Boot Code
  • CWE-1276: Hardware Child Block Incorrectly Connected to Parent System
  • CWE-1280: Access Control Check Implemented After Asset is Accessed
  • CWE-1283: Mutable Attestation or Measurement Reporting Data
  • CWE-1290: Incorrect Decoding of Security Identifiers
  • CWE-1292: Incorrect Conversion of Security Identifiers
  • CWE-1294: Insecure Security Identifier Mechanism
  • CWE-1296: Incorrect Chaining or Granularity of Debug Components
  • CWE-1304: Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation
  • CWE-1311: Improper Translation of Security Attributes by Fabric Bridge
  • CWE-1312: Missing Protection for Mirrored Regions in On-Chip Fabric Firewall
  • CWE-1313: Hardware Allows Activation of Test or Debug Logic at Runtime
  • CWE-1315: Improper Setting of Bus Controlling Capability in Fabric End-point
  • CWE-1316: Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges
  • CWE-1317: Improper Access Control in Fabric Bridge
  • CWE-1320: Improper Protection for Outbound Error Messages and Alert Signals
  • CWE-1323: Improper Management of Sensitive Trace Data
  • CWE-1334: Unauthorized Error Injection Can Degrade Hardware Redundancy

Visit http://cwe.mitre.org/ for more details.