CWE-556 - ASP.NET Misconfiguration: Use of Identity Impersonation
- Abstraction:Variant
- Structure:Simple
- Status:Incomplete
- Release Date:2006-07-19
- Latest Modification Date:2023-06-29
Weakness Name
ASP.NET Misconfiguration: Use of Identity Impersonation
Description
Configuring an ASP.NET application to run with impersonated credentials may give the application unnecessary privileges.
The use of impersonated credentials allows an ASP.NET application to run with either the privileges of the client on whose behalf it is executing or with arbitrary privileges granted in its configuration.
Common Consequences
Scope: Access Control
Impact: Gain Privileges or Assume Identity
Related Weaknesses
Genetic data site openSNP to close and delete data over privacy concerns
Verizon Call Filter API flaw exposed customers' incoming call history
GitHub expands security tools after 39 million secrets leaked in 2024
Royal Mail investigates data leak claims, no impact on operations
Police shuts down KidFlix child sexual exploitation platform
The Reality Behind Security Control Failures—And How to Prevent Them
Counterfeit Android devices found preloaded With Triada malware
Google Fixed Cloud Run Vulnerability Allowing Unauthorized Image Access via IAM Misuse
CVE-2025-22224 VMware ESXi and Workstation TOCTOU Race Condition Vulnerability
CVE-2020-29574 CyberoamOS (CROS) SQL Injection Vulnerability
CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability
CVE-2022-43939 Hitachi Vantara Pentaho BA Server Authorization Bypass Vulnerability
CVE-2024-49035 Microsoft Partner Center Improper Access Control Vulnerability
CVE-2022-43769 Hitachi Vantara Pentaho BA Server Special Element Injection Vulnerability
CVE-2024-40890 Zyxel DSL CPE OS Command Injection Vulnerability
CVE-2025-24983 Microsoft Windows Win32k Use-After-Free Vulnerability
CVE-2017-0148 Microsoft SMBv1 Server Remote Code Execution Vulnerability
CVE-2024-20953 Oracle Agile Product Lifecycle Management (PLM) Deserialization Vulnerability
CWE-1265 Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls
CWE-574 EJB Bad Practices: Use of Synchronization Primitives
CWE-1285 Improper Validation of Specified Index, Position, or Offset in Input
CWE-703 Improper Check or Handling of Exceptional Conditions
MediumCWE-301 Reflection Attack in an Authentication Protocol
CWE-792 Incomplete Filtering of One or More Instances of Special Elements
CWE-1293 Missing Source Correlation of Multiple Independent Data
CWE-781 Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code