Description
The product does not handle or incorrectly handles when it has insufficient privileges to perform an operation, leading to resultant weaknesses.
Potential Impact
- Scope: Other; Technical Impact: Other, Alter Execution Logic
Detection Methods
- Automated Static Analysis (effectiveness: High) — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea
Real-World CVE Examples
| CVE ID | Description |
|---|---|
| CVE-2001-1564 | System limits are not properly enforced after privileges are dropped. |
| CVE-2005-3286 | Firewall crashes when it can't read a critical memory block that was protected by a malicious process. |
| CVE-2005-1641 | Does not give admin sufficient privileges to overcome otherwise legitimate user actions. |
Related Weaknesses
Taxonomy Mappings
- PLOVER: Insufficient privileges
Frequently Asked Questions
What is CWE-274?
CWE-274 (Improper Handling of Insufficient Privileges) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product does not handle or incorrectly handles when it has insufficient privileges to perform an operation, leading to resultant weaknesses.
How can CWE-274 be exploited?
Attackers can exploit CWE-274 (Improper Handling of Insufficient Privileges) to alter execution logic, with other impacts possible depending on the resultant weakness. This weakness is typically introduced during the Implementation and Operation phases of software development.
How do I prevent CWE-274?
Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.
What is the severity of CWE-274?
CWE-274 is classified as a Base-level weakness (Medium abstraction). It has been observed in 3 real-world CVEs.