
CWE-284: Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CWE-284 · Pillar Level · 10 CVEs · 2 Mitigations

Description

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Access control involves the use of several protection mechanisms such as:

When any mechanism is not applied or otherwise fails, attackers can compromise the security of the product by gaining privileges, reading sensitive information, executing commands, evading detection, etc.

There are two distinct behaviors that can introduce access control weaknesses:

Potential Impact

  • Scope: Other; Impact: Varies by Context

Demonstrative Examples

This code temporarily raises the program's privileges to allow creation of a new user folder.
Bad
    import os

    # invalidUsername(), raisePrivileges() and lowerPrivileges() are helpers
    # the CWE example assumes but does not define.
    def makeNewUserDir(username):
        if invalidUsername(username):
            # avoid CWE-22 and CWE-78
            print('Usernames cannot contain invalid characters')
            return False

        try:
            raisePrivileges()
            os.mkdir('/home/' + username)
            # never reached if os.mkdir() raises: privileges stay elevated
            lowerPrivileges()
        except OSError:
            print('Unable to create new user directory for user:' + username)
            return False
        return True
While the program only raises its privilege level to create the folder and immediately lowers it again, if the call to os.mkdir() throws an exception, the call to lowerPrivileges() will not occur. As a result, the program is indefinitely operating in a raised privilege state, possibly allowing further exploitation to occur.
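The failure mode described above, reproduced and then corrected, as an added example that is not part of the CWE entry. The privilege state, the username check and the sample directory names are constructed stand-ins for the helpers the original code leaves undefined; the fix is the standard try/finally pattern, which drops privileges on every exit path.

```python
import os
import tempfile

class PrivilegeState:
    # Constructed stand-in for the undefined raisePrivileges()/lowerPrivileges()
    # helpers of the CWE example (assumption, not a real privilege API).
    def __init__(self):
        self.raised = False
    def raise_privileges(self):
        self.raised = True
    def lower_privileges(self):
        self.raised = False

def invalid_username(username):
    # Reject empty names, dot entries and path separators (the CWE-22/CWE-78 guard).
    return username in ("", ".", "..") or any(c in username for c in "/\\\0")

def make_user_dir_bad(privs, base, username):
    # Same control flow as the CWE example: when mkdir raises, lower_privileges() is skipped.
    if invalid_username(username):
        return False
    try:
        privs.raise_privileges()
        os.mkdir(os.path.join(base, username))
        privs.lower_privileges()
    except OSError:
        return False
    return True

def make_user_dir_fixed(privs, base, username):
    # Hardened form: the finally clause drops privileges on every exit path.
    if invalid_username(username):
        return False
    privs.raise_privileges()
    try:
        os.mkdir(os.path.join(base, username))
    except OSError:
        return False
    finally:
        privs.lower_privileges()
    return True

def demo(make_fn, preexisting):
    # Run make_fn in a scratch directory; with preexisting=True the target already
    # exists so os.mkdir raises OSError. Returns (result, privileges_still_raised).
    privs = PrivilegeState()
    with tempfile.TemporaryDirectory() as base:
        if preexisting:
            os.mkdir(os.path.join(base, "alice"))
        result = make_fn(privs, base, "alice")
    return result, privs.raised
```

On the error path the bad version reports failure yet leaves the process privileged, which is the condition a detection rule or a post-incident review should look for: privilege raised with no matching drop.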
This function runs an arbitrary SQL query on a given database, returning the result of the query.
Bad
    function runEmployeeQuery($dbName, $name) {
        // $globalDbHandle is defined outside the function in the CWE example
        global $globalDbHandle;
        mysql_select_db($dbName, $globalDbHandle) or die("Could not open Database" . $dbName);
        // Use a prepared statement to avoid CWE-89
        $preparedStatement = $globalDbHandle->prepare('SELECT * FROM employees WHERE name = :name');
        $preparedStatement->execute(array(':name' => $name));
        // Note: no check that the caller is allowed to read this employee's record
        return $preparedStatement->fetchAll();
    }

    /* ... */

    $employeeRecord = runEmployeeQuery('EmployeeDB', $_GET['EmployeeName']);
While this code is careful to avoid SQL Injection, the function does not confirm the user sending the query is authorized to do so. An attacker may be able to obtain sensitive employee information from the database.
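The missing authorization step, shown in Python against an in-memory SQLite database, as an added example that is not part of the CWE entry. The employee rows and the "self or direct manager" policy are constructed for this example; what matters is that the check runs before the (already parameterised) query and that the requester identity comes from the authenticated session rather than from a request parameter.

```python
import sqlite3

class NotAuthorized(Exception):
    pass

def open_db():
    # Constructed in-memory sample data; the table name and column follow the CWE
    # example's "SELECT * FROM employees WHERE name = :name".
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE employees (name TEXT, salary INTEGER, manager TEXT)")
    db.executemany("INSERT INTO employees VALUES (?, ?, ?)", [
        ("alice", 120000, "carol"),
        ("bob", 95000, "carol"),
        ("carol", 150000, None),
    ])
    return db

def run_employee_query(db, name):
    # Same shape as the CWE example: the query is parameterised (no CWE-89),
    # but nothing checks whether the caller may see this record (CWE-284).
    return db.execute("SELECT * FROM employees WHERE name = :name", {"name": name}).fetchall()

def is_authorized(db, requester, target):
    # Policy assumed for this example: a user may read their own record, and a
    # manager may read the records of their direct reports.
    if requester == target:
        return True
    row = db.execute("SELECT manager FROM employees WHERE name = :name", {"name": target}).fetchone()
    return row is not None and row[0] == requester

def run_employee_query_checked(db, requester, name):
    # requester must come from the authenticated session, never from a request
    # parameter such as the EmployeeName the CWE example reads from $_GET.
    if not is_authorized(db, requester, name):
        raise NotAuthorized(f"{requester} may not read the record of {name}")
    return run_employee_query(db, name)
```

A denied request should be logged with requester and target, since repeated NotAuthorized events from one session are a useful signal of enumeration attempts.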
In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications.
Multiple vendors did not use any authentication or used client-side authentication for critical functionality in their OT products.

Mitigations & Prevention

Architecture and Design; Operation

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

Architecture and Design

Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least

Real-World CVE Examples

CVE ID         | Description
CVE-2023-26463 | Chain: IPSec VPN product uses the same variable for multiple purposes in the same function (CWE-1109), leading to incorrect access control (CWE-284) and expired pointer dereference (CWE-825)
CVE-2022-24985 | A form hosting website only checks the session authentication status for a single form, making it possible to bypass authentication when there are multiple forms
CVE-2022-29238 | Access-control setting in web-based document collaboration tool is not properly implemented by the code, which prevents listing hidden directories but does not prevent direct requests to files in thos
CVE-2022-23607 | Python-based HTTP library did not scope cookies to a particular domain such that "supercookies" could be sent to any domain on redirect
CVE-2021-21972 | Chain: Cloud computing virtualization platform does not require authentication for upload of a tar format file (CWE-306), then uses .. path traversal sequences (CWE-23) in the file to access unexpecte
CVE-2021-37415 | IT management product does not perform authentication for some REST API requests, as exploited in the wild per CISA KEV.
CVE-2021-35033 | Firmware for a WiFi router uses a hard-coded password for a BusyBox shell, allowing bypass of authentication through the UART port
CVE-2020-10263 | Bluetooth speaker does not require authentication for the debug functionality on the UART port, allowing root shell access
CVE-2020-13927 | Default setting in workflow management product allows all API requests without authentication, as exploited in the wild per CISA KEV.
CVE-2010-4624  | Bulletin board applies restrictions on number of images during post creation, but does not enforce this on editing.

Taxonomy Mappings

  • PLOVER: Access Control List (ACL) errors
  • WASC: 2 — Insufficient Authorization
  • 7 Pernicious Kingdoms: Missing Access Control

Frequently Asked Questions

What is CWE-284?

CWE-284 (Improper Access Control) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Pillar-level weakness. The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

How can CWE-284 be exploited?

The consequences of exploiting CWE-284 (Improper Access Control) vary by context. This weakness is typically introduced during the Architecture and Design, Implementation, and Operation phases of software development.

How do I prevent CWE-284?

Key mitigations include: Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

What is the severity of CWE-284?

CWE-284 is classified as a Pillar-level weakness (Foundational abstraction). It has been observed in 10 real-world CVEs.