CWE-1220: Insufficient Granularity of Access Control
CWE version: 4.18
Last updated: 2025-09-09
Weakness Description
The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.
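The description above is abstract, so here is an added, constructed illustration (not code from MITRE or any product) of what "insufficient granularity" looks like in a policy: a default-deny allow-list where one rule for the untrusted agent class is written with a wildcard that also reaches a security-sensitive asset, beside the corrected rule that names only the intended subtree. The `audit_granularity` function is a hypothetical policy lint that reports every untrusted-agent rule whose scope touches a sensitive asset, which is the check a reviewer would run before deploying such a policy. Asset names, agent classes and the glob syntax are assumptions for the example.

```python
"""Coarse vs fine-grained access-control policy, with an audit that flags
rules whose scope is broader than the assets an untrusted agent should reach.
Constructed example: assets, agents and rules are hypothetical."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import FrozenSet, List, Sequence, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    sensitive: bool  # True for security-sensitive assets (e.g. a credential store)


@dataclass(frozen=True)
class Rule:
    agent: str            # agent class the rule applies to
    asset_pattern: str    # exact name, or a glob such as "public/*" or "*"
    ops: FrozenSet[str]   # subset of {"read", "write"}


class Policy:
    """Default-deny allow-list: an access is permitted only if some rule matches."""

    def __init__(self, rules: Sequence[Rule]) -> None:
        self.rules = list(rules)

    def allows(self, agent: str, asset: str, op: str) -> bool:
        return any(
            r.agent == agent and op in r.ops and fnmatchcase(asset, r.asset_pattern)
            for r in self.rules
        )


def audit_granularity(
    policy: Policy,
    assets: Sequence[Asset],
    untrusted_agents: Tuple[str, ...] = ("untrusted",),
) -> List[Tuple[Rule, str, str]]:
    """Return (rule, asset_name, op) triples where a rule for an untrusted agent
    reaches a sensitive asset. Each finding means the rule is broader than intended."""
    findings: List[Tuple[Rule, str, str]] = []
    for rule in policy.rules:
        if rule.agent not in untrusted_agents:
            continue
        for asset in assets:
            if asset.sensitive and fnmatchcase(asset.name, rule.asset_pattern):
                for op in sorted(rule.ops):
                    findings.append((rule, asset.name, op))
    return findings


# Constructed asset inventory: two public assets and one sensitive one.
ASSETS = [
    Asset("public/docs", sensitive=False),
    Asset("public/forms", sensitive=False),
    Asset("system/password_db", sensitive=True),
]

ADMIN_RULE = Rule("admin", "*", frozenset({"read", "write"}))

# Too coarse: a single wildcard rule grants untrusted reads to every asset,
# including the sensitive one. This is the CWE-1220 condition.
COARSE = Policy([Rule("untrusted", "*", frozenset({"read"})), ADMIN_RULE])

# Fine-grained: the untrusted grant names only the public subtree.
FINE = Policy([Rule("untrusted", "public/*", frozenset({"read"})), ADMIN_RULE])


if __name__ == "__main__":
    for label, policy in (("coarse", COARSE), ("fine", FINE)):
        reach = policy.allows("untrusted", "system/password_db", "read")
        print(f"{label}: untrusted can read system/password_db = {reach}")
        for rule, asset_name, op in audit_granularity(policy, ASSETS):
            print(f"  over-broad rule: {rule.agent} {op} {rule.asset_pattern!r} "
                  f"reaches sensitive asset {asset_name}")
```

Running the module prints the over-broad finding for the coarse policy only; the fine policy still serves the public assets but yields no findings, which is the property to assert in a policy test suite.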
Common Consequences
Scope: Confidentiality, Integrity, Availability, Access Control
Technical Impact: Modify Memory; Read Memory; Execute Unauthorized Code or Commands; Gain Privileges or Assume Identity; Bypass Protection Mechanism; Other
Potential Mitigations
Phase: Architecture and Design; Implementation; Testing
Effectiveness: High
Observed Examples
Reference: CVE-2022-24985
A form hosting website only checks the session authentication status for a single form, making it possible to bypass authentication when there are multiple forms.
Reference: CVE-2021-36934
An operating system has an overly permissive Access Control List on some system files, including those related to user passwords.
Modes of Introduction
| Phase | Note |
|---|---|
| Architecture and Design | Such issues could be introduced during hardware architecture and design and identified later during Testing or System Configuration phases. |
| Implementation | Such issues could be introduced during hardware implementation and identified later during Testing or System Configuration phases. |