CAPEC-122

Privilege Abuse
Alto
Medio
Draft
2014-06-23
00h00 +00:00
2022-09-29
00h00 +00:00
CAPEC Mitre.org
Alerta para un CAPEC
Manténgase informado sobre cualquier cambio en un CAPEC específico.
Gestionar notificaciones

Descripciones CAPEC

An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources.

Informaciones CAPEC

Prerrequisitos

The target must have misconfigured their access control mechanisms such that sensitive information, which should only be accessible to more trusted users, remains accessible to less trusted users.
The adversary must have access to the target, albeit with an account that is less privileged than would be appropriate for the targeted resources.

Habilidades requeridas

Adversary can leverage privileged features they already have access to without additional effort or skill. Adversary is only required to have access to an account with improper priveleges.

Recursos requeridos

None: No specialized resources are required to execute this type of attack. The ability to access the target is required.

Mitigaciones

Configure account privileges such privileged/administrator functionality is not exposed to non-privileged/lower accounts.

Debilidades relacionadas

CWE-ID Nombre de la debilidad

CWE-269

 Improper Privilege Management
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

CWE-732

 Incorrect Permission Assignment for Critical Resource
The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

CWE-1317

 Improper Access Control in Fabric Bridge
The product uses a fabric bridge for transactions between two Intellectual Property (IP) blocks, but the bridge does not properly perform the expected privilege, identity, or other access control checks between those IP blocks.

Envío

Nombre Organización Fecha Fecha de lanzamiento
CAPEC Content Team The MITRE Corporation 2014-06-23 +00:00

Modificaciones

Nombre Organización Fecha Comentario
CAPEC Content Team The MITRE Corporation 2015-12-07 +00:00 Updated Related_Attack_Patterns
CAPEC Content Team The MITRE Corporation 2017-08-04 +00:00 Updated Resources_Required
CAPEC Content Team The MITRE Corporation 2019-04-04 +00:00 Updated Related_Weaknesses
CAPEC Content Team The MITRE Corporation 2020-07-30 +00:00 Updated Consequences, Example_Instances, Likelihood_Of_Attack, Mitigations, Skills_Required
CAPEC Content Team The MITRE Corporation 2020-12-17 +00:00 Updated Related_Weaknesses
CAPEC Content Team The MITRE Corporation 2021-06-24 +00:00 Updated Related_Attack_Patterns
CAPEC Content Team The MITRE Corporation 2022-02-22 +00:00 Updated Description, Extended_Description, Skills_Required
CAPEC Content Team The MITRE Corporation 2022-09-29 +00:00 Updated Taxonomy_Mappings
La información presentada en CVE Find proviene de varias fuentes de referencia cuidadosamente seleccionadas. Los datos CVE son proporcionados por MITRE Corporation y la Base de Datos Nacional de Vulnerabilidades (NVD). El catálogo de Vulnerabilidades Explotadas Conocidas (KEV) proviene de la Agencia de Seguridad de Infraestructura y Ciberseguridad (CISA), mientras que las puntuaciones EPSS provienen de FIRST.org. Además, los datos sobre debilidades de software (CWE) y patrones de ataque comunes (CAPEC) son mantenidos por MITRE Corporation, y la información sobre configuraciones de hardware y software (CPE) es proporcionada por la NVD.