1. Home
  2. CWE Database
  3. CWE-279
Variant · Low-Medium

CWE-279: Incorrect Execution-Assigned Permissions

While it is executing, the product sets the permissions of an object in a way that violates the intended permissions that have been specified by the user.

CWE-279 · Variant Level ·3 CVEs ·2 Mitigations

Description

While it is executing, the product sets the permissions of an object in a way that violates the intended permissions that have been specified by the user.

Potential Impact

Confidentiality, Integrity

Read Application Data, Modify Application Data

Mitigations & Prevention

Architecture and DesignOperation

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

Architecture and Design

Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least

Detection Methods

  • Automated Static Analysis — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Real-World CVE Examples

CVE IDDescription
CVE-2002-0265Log files opened read/write.
CVE-2003-0876Log files opened read/write.
CVE-2002-1694Log files opened read/write.

CWE-732: Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modi...

Taxonomy Mappings

  • PLOVER: — Insecure execution-assigned permissions
  • CERT C Secure Coding: FIO06-C — Create files with appropriate access permissions
  • The CERT Oracle Secure Coding Standard for Java (2011): FIO01-J — Create files with appropriate access permission

Frequently Asked Questions

What is CWE-279?

CWE-279 (Incorrect Execution-Assigned Permissions) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. While it is executing, the product sets the permissions of an object in a way that violates the intended permissions that have been specified by the user.

How can CWE-279 be exploited?

Attackers can exploit CWE-279 (Incorrect Execution-Assigned Permissions) to read application data, modify application data. This weakness is typically introduced during the Implementation, Architecture and Design, Operation phase of software development.

How do I prevent CWE-279?

Key mitigations include: Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

What is the severity of CWE-279?

CWE-279 is classified as a Variant-level weakness (Low-Medium abstraction). It has been observed in 3 real-world CVEs.