CWE-271 - Privilege Dropping / Lowering Errors
- Abstraction:Class
- Structure:Simple
- Status:Incomplete
- Release Date:2006-07-19
- Latest Modification Date:2023-06-29
Weakness Name
Privilege Dropping / Lowering Errors
Description
The product does not drop privileges before passing control of a resource to an actor that does not have those privileges.
In some contexts, a system executing with elevated permissions hands off a process, file, or other resource to another process or user. If the privileges of the receiving entity are not reduced first, the elevated privileges spread through the system and possibly to an attacker. Typical instances are a setuid-root program that lowers its uid but not its gid or supplementary groups, that lowers privileges in the wrong order, or that ignores the return value of the call that was supposed to drop them.
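The following is an added example, not code from the CWE entry itself, showing the privilege-drop sequence a Linux daemon or setuid program should use before handing work to an unprivileged identity, next to the broken pattern this weakness describes. It assumes Linux/glibc (setresuid/setresgid) and, when started as root, a target identity of uid/gid 65534 ("nobody" on most distributions); both are assumptions for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Correct order for a root process handing work to an unprivileged identity
 * (Linux/glibc assumed):
 *   1. setgroups()  - clear supplementary groups while we still have CAP_SETGID
 *   2. setresgid()  - real, effective and saved gid, before the uid is lowered
 *   3. setresuid()  - real, effective and saved uid, so no saved root uid remains
 * Every call is checked: an unchecked failure is exactly the CWE-271 error.
 * Returns 0 on success, -1 with errno set on failure (the caller must abort).
 */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* setgroups() needs CAP_SETGID; when the caller is already unprivileged
     * the list cannot be changed and does not need to be. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    return 0;
}

/*
 * The buggy pattern this weakness describes: uid lowered first, return values
 * ignored. Once the uid is unprivileged the process has lost CAP_SETGID, so
 * setgid() fails with EPERM and the process silently keeps gid 0 plus root's
 * supplementary groups. Shown for contrast only; never use it.
 */
void drop_privileges_broken(uid_t uid, gid_t gid)
{
    (void)setuid(uid);   /* drops root, and with it the right to change gids */
    (void)setgid(gid);   /* now fails with EPERM; the error is discarded */
}

/*
 * Post-drop check: a process that really dropped root cannot get it back.
 * Returns 1 when the drop is verified, 0 when any path back to root remains.
 */
int privileges_are_dropped(void)
{
    if (getuid() == 0 || geteuid() == 0)
        return 0;
    if (setuid(0) == 0)   /* saved uid was still 0: the drop was incomplete */
        return 0;
    return errno == EPERM;
}

int main(void)
{
    /* Assumption: uid/gid 65534 ("nobody") when started as root; otherwise
     * drop to our own ids, which exercises the same code path as a no-op. */
    uid_t uid = geteuid() == 0 ? (uid_t)65534 : getuid();
    gid_t gid = geteuid() == 0 ? (gid_t)65534 : getgid();

    if (drop_privileges(uid, gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    int ok = privileges_are_dropped();
    printf("uid=%u gid=%u dropped=%s\n",
           (unsigned)getuid(), (unsigned)getgid(), ok ? "yes" : "NO");
    return ok ? 0 : 1;
}
```

Run it as root to see the real drop; run it as an ordinary user and it drops to the caller's own ids and still passes the post-drop check. The setresuid()/setresgid() calls set the saved ids as well, which is what makes privileges_are_dropped() meaningful: with plain seteuid() the saved uid would remain 0 and setuid(0) would succeed again.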
Common Consequences
Scope: Access Control
Impact: Gain Privileges or Assume Identity
Notes: If the elevated privileges are not dropped, the access rights that come with them are retained as well. Often an attacker can also interfere with the dropping step itself, for example by causing the drop to fail when its return value is never checked.
Scope: Access Control, Non-Repudiation
Impact: Gain Privileges or Assume Identity, Hide Activities
Notes: If privileges are not dropped, in some cases the system records actions as the impersonated user rather than as the impersonator, so the audit trail points at the wrong principal.
Related Weaknesses