CWE-271 - Privilege Dropping / Lowering Errors

CWE-271 High

  • Abstraction: Class
  • Structure: Simple
  • Status: Incomplete
Weakness Name

Privilege Dropping / Lowering Errors

Description

The product does not drop privileges before passing control of a resource to an actor that does not have those privileges.

In some contexts, a system executing with elevated permissions hands off a process, file, or other resource to another process or user. If the privileges of the handing-off entity are not reduced first, elevated privileges spread through the system and possibly to an attacker.
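As an added illustration (not part of the CWE entry), the Unix privilege-drop idiom shows both halves of this weakness: the broken version changes only the effective uid, leaving the saved set-user-ID at 0 so that any later code in the process can call seteuid(0) and get root back, and it never touches the supplementary groups; the correct version clears groups and sets real, effective and saved ids together, in the order the kernel requires, and then verifies that root cannot be regained. The uid/gid 65534 (nobody) and the check that it exists on the host are assumptions; the code targets Linux (setresuid/setresgid).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Explicit prototypes in case _GNU_SOURCE was not in effect when <unistd.h>
 * was first included (e.g. another header came before this file). */
int setresuid(uid_t, uid_t, uid_t);
int setresgid(gid_t, gid_t, gid_t);
int getresuid(uid_t *, uid_t *, uid_t *);
int getresgid(gid_t *, gid_t *, gid_t *);

/* Broken drop (the CWE-271 pattern): only the effective uid changes. The saved
 * set-user-ID stays 0, so anything that runs later in this process, including
 * a library it loads, can call seteuid(0) and become root again. The gid and
 * supplementary groups are never dropped at all. */
int drop_privileges_broken(uid_t uid)
{
    return seteuid(uid);
}

/* Correct drop. Order matters: supplementary groups and the gid must be
 * dropped while we are still root, because once the uid is no longer 0 the
 * kernel refuses setgroups()/setresgid(). setresuid/setresgid set real,
 * effective and saved ids together so nothing is left to switch back to. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Clear supplementary groups if we hold any and are still able to. */
    if (geteuid() == 0 && getgroups(0, NULL) > 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    return 0;
}

/* Verify the drop: all three uids and gids must equal the target and, unless
 * the target itself is root, an attempt to regain uid 0 must fail with EPERM.
 * Returns 1 when the drop is complete, 0 otherwise. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;

    if (getresuid(&ru, &eu, &su) != 0 || getresgid(&rg, &eg, &sg) != 0)
        return 0;
    if (ru != uid || eu != uid || su != uid)
        return 0;
    if (rg != gid || eg != gid || sg != gid)
        return 0;
    if (uid != 0) {
        errno = 0;
        if (seteuid(0) == 0 || errno != EPERM)
            return 0;   /* root came back: privileges were never really dropped */
    }
    return 1;
}

/* Exercise the correct drop. As root we drop to nobody (65534, assumed to
 * exist); otherwise we "drop" to our own ids, which walks the same code path
 * and still proves that uid 0 cannot be obtained afterwards. */
int demo_drop(void)
{
    uid_t uid = geteuid() == 0 ? (uid_t)65534 : getuid();
    gid_t gid = geteuid() == 0 ? (gid_t)65534 : getgid();

    if (drop_privileges(uid, gid) != 0)
        return 0;
    return privileges_dropped(uid, gid);
}

int main(void)
{
    if (geteuid() != 0) {
        printf("run as root to see the seteuid-only drop leave a saved uid of 0\n");
        return demo_drop() ? 0 : 1;
    }
    if (drop_privileges_broken(65534) != 0)
        return 1;
    printf("after seteuid-only drop: privileges_dropped = %d (saved uid still 0)\n",
           privileges_dropped(65534, 65534));
    if (seteuid(0) == 0)          /* the "attacker" simply asks for root back */
        printf("regained euid %d\n", (int)geteuid());
    printf("after full drop: privileges_dropped = %d\n",
           drop_privileges(65534, 65534) == 0 ? privileges_dropped(65534, 65534) : 0);
    return 0;
}
```

Run as root the program prints 0 after the broken drop and shows the euid returning to 0 on request, then 1 after the full drop. The verification step is the part practitioners most often skip: checking getresuid()/getresgid() and attempting seteuid(0) is cheap and catches both the wrong call and the wrong order.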

Common Consequences

Scope: Access Control

Impact: Gain Privileges or Assume Identity

Notes: If privileges are not dropped, neither are the access rights of the user, and an attacker can often keep those rights from being dropped.

Scope: Access Control, Non-Repudiation

Impact: Gain Privileges or Assume Identity, Hide Activities

Notes: If privileges are not dropped, in some cases the system may record actions as the impersonated user rather than the impersonator.

Related Weaknesses
  • Release Date: 2006-07-19
  • Latest Modification Date: 2023-06-29
