CWE-842: Placement of User into Incorrect Group

Description

The product or the administrator places a user into an incorrect group.

Extended Description

If the incorrect group has more access or privileges than the intended group, the user might be able to bypass intended security policy to access unexpected resources or perform unexpected actions. The access-control system might not be able to detect malicious usage of this group membership.

ThreatScore

Threat Mapped score: 1.8

Industry: Finiancial

Threat priority: P4 - Informational (Low)

Observed Examples (CVEs)

CVE: CVE-1999-1193

Operating system assigns user to privileged wheel group, allowing the user to gain root privileges.
CVE: CVE-2010-3716

Chain: drafted web request allows the creation of users with arbitrary group membership.
CVE: CVE-2008-5397

Chain: improper processing of configuration options causes users to contain unintended group memberships.
CVE: CVE-2007-6644

CMS does not prevent remote administrators from promoting other users to the administrator group, in violation of the intended security model.
CVE: CVE-2007-3260

Product assigns members to the root group, allowing escalation of privileges.
CVE: CVE-2002-0080

Chain: daemon does not properly clear groups before dropping privileges.

Related Attack Patterns (CAPEC)

N/A

Attack TTPs

N/A

Modes of Introduction

Phase	Note
Implementation	N/A
Operation	N/A

Common Consequences

Impact: Gain Privileges or Assume Identity — Notes:

Potential Mitigations

None listed.

Applicable Platforms

None (Not Language-Specific, Undetermined)

Demonstrative Examples

N/A

Notes

No notes available.

← Back to CWE list