CWE-842: Placement of User into Incorrect Group
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
The product or the administrator places a user into an incorrect group.
扩展描述
If the incorrect group has more access or privileges than the intended group, the user might be able to bypass intended security policy to access unexpected resources or perform unexpected actions. The access-control system might not be able to detect malicious usage of this group membership.
常见后果
影响范围: Access Control
技术影响: Gain Privileges or Assume Identity
观察示例
参考: CVE-1999-1193
Operating system assigns user to privileged wheel group, allowing the user to gain root privileges.
参考: CVE-2010-3716
Chain: drafted web request allows the creation of users with arbitrary group membership.
参考: CVE-2008-5397
Chain: improper processing of configuration options causes users to contain unintended group memberships.
参考: CVE-2007-6644
CMS does not prevent remote administrators from promoting other users to the administrator group, in violation of the intended security model.
参考: CVE-2007-3260
Product assigns members to the root group, allowing escalation of privileges.
参考: CVE-2002-0080
Chain: daemon does not properly clear groups before dropping privileges.
引入模式
| 阶段 | 说明 |
|---|---|
| Implementation | - |
| Operation | - |