CWE-286: Incorrect User Management

Description

The product does not properly manage a user within its environment.

Users can be assigned to the wrong group (class) of permissions resulting in unintended access rights to sensitive objects.

Threat Mapped score: 0.0

Industry: Finiancial

Threat priority: Unclassified

CVE: CVE-2022-36109

Containerization product does not record a user's supplementary group ID, allowing bypass of group restrictions.
CVE: CVE-1999-1193

Operating system assigns user to privileged wheel group, allowing the user to gain root privileges.

N/A

N/A

Phase	Note
Architecture and Design	N/A
Implementation	REALIZATION: This weakness is caused during implementation of an architectural security tactic.
Operation	N/A

N/A

Maintenance: The relationships between privileges, permissions, and actors (e.g. users and groups) need further refinement within the Research view. One complication is that these concepts apply to two different pillars, related to control of resources (CWE-664) and protection mechanism failures (CWE-693).
Maintenance: This item needs more work. Possible sub-categories include: user in wrong group, and user with insecure profile or "configuration". It also might be better expressed as a category than a weakness.