1. Home
  2. CWE Database
  3. CWE-842
Base · Medium

CWE-842: Placement of User into Incorrect Group

The product or the administrator places a user into an incorrect group.

CWE-842 · Base Level ·6 CVEs

Description

The product or the administrator places a user into an incorrect group.

If the incorrect group has more access or privileges than the intended group, the user might be able to bypass intended security policy to access unexpected resources or perform unexpected actions. The access-control system might not be able to detect malicious usage of this group membership.

Potential Impact

Access Control

Gain Privileges or Assume Identity

Real-World CVE Examples

CVE IDDescription
CVE-1999-1193Operating system assigns user to privileged wheel group, allowing the user to gain root privileges.
CVE-2010-3716Chain: drafted web request allows the creation of users with arbitrary group membership.
CVE-2008-5397Chain: improper processing of configuration options causes users to contain unintended group memberships.
CVE-2007-6644CMS does not prevent remote administrators from promoting other users to the administrator group, in violation of the intended security model.
CVE-2007-3260Product assigns members to the root group, allowing escalation of privileges.
CVE-2002-0080Chain: daemon does not properly clear groups before dropping privileges.

CWE-286: Incorrect User Management

The product does not properly manage a user within its environment.

Frequently Asked Questions

What is CWE-842?

CWE-842 (Placement of User into Incorrect Group) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product or the administrator places a user into an incorrect group.

How can CWE-842 be exploited?

Attackers can exploit CWE-842 (Placement of User into Incorrect Group) to gain privileges or assume identity. This weakness is typically introduced during the Implementation, Operation phase of software development.

How do I prevent CWE-842?

Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.

What is the severity of CWE-842?

CWE-842 is classified as a Base-level weakness (Medium abstraction). It has been observed in 6 real-world CVEs.