CWE-272 involves the failure to properly manage and enforce restrictions on access to resources, potentially leading to unauthorized data exposure and exploitation.

CWE-254: Authentication & Access Control Focus

CWE-748: Concerns Addressed by POSIX (POS) in CERT C Secure Coding Standard

CWE-859: Platform Security Weaknesses

CWE-901: Software Fault Pattern (SFP) Cluster: Privilege

CWE-1149: Vulnerabilities in SEI CERT Oracle Coding Standard for Java Platform Security

CWE-1396: Improper Access Control

Learn about CWE-272, the risks of inadequate access control, and best practices for secure system design and privilege management to prevent unauthorized access.

CWE-272: Inadequate Access Control - Prevention & Best Practices

Not dropping system privileges when it is reasonable to do so does not pose a vulnerability on its own. The principle of least privilege suggests that access should only be granted when absolutely necessary for the proper functioning of a system, and only for the minimum required duration. Granting additional privileges extends the time window in which an attacker can exploit the system with the same privileges. Whenever possible, limit the allocation of system privilege to small, concise segments of code that can be executed atomically.
When a program invokes a privileged function, such as chroot(), it must first obtain root privilege. Once the privileged operation is complete, the program should relinquish root privilege and revert to the privilege level of the user who invoked it.

CWE-272: Inadequate Access Control

Is your System Free of Underlying Vulnerabilities? Find Out Now

Is your System Free of Underlying Vulnerabilities?
Find Out Now