Common Weakness Enumeration

CWE-277

Allowed

Insecure Inherited Permissions

Abstraction: Variant · Status: Draft

A product defines a set of insecure permissions that are inherited by objects that are created by the program.

116 vulnerabilities reference this CWE, most recent first.

GHSA-838X-PRQR-QG3C

Vulnerability from github – Published: 2025-05-13 21:30 – Updated: 2025-05-13 21:30
VLAI
Details

Insecure inherited permissions in the NVM Update Utility for some Intel(R) Ethernet Network Adapter E810 Series before version 4.60 may allow an authenticated user to potentially enable escalation of privilege via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-20629"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-277"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-13T21:16:08Z",
    "severity": "MODERATE"
  },
  "details": "Insecure inherited permissions in the NVM Update Utility for some Intel(R) Ethernet Network Adapter E810 Series before version 4.60 may allow an authenticated user to potentially enable escalation of privilege via local access.",
  "id": "GHSA-838x-prqr-qg3c",
  "modified": "2025-05-13T21:30:56Z",
  "published": "2025-05-13T21:30:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20629"
    },
    {
      "type": "WEB",
      "url": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01295.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-89C4-JR3C-XMFX

Vulnerability from github – Published: 2023-05-10 15:30 – Updated: 2024-04-04 03:59
VLAI
Details

Insecure inherited permissions in the HotKey Services for some Intel(R) NUC P14E Laptop Element software for Windows 10 before version 1.1.44 may allow an authenticated user to potentially enable escalation of privilege via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-41687"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276",
      "CWE-277"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-10T14:15:18Z",
    "severity": "HIGH"
  },
  "details": "Insecure inherited permissions in the HotKey Services for some Intel(R) NUC P14E Laptop Element software for Windows 10 before version 1.1.44 may allow an authenticated user to potentially enable escalation of privilege via local access.",
  "id": "GHSA-89c4-jr3c-xmfx",
  "modified": "2024-04-04T03:59:42Z",
  "published": "2023-05-10T15:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41687"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00802.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9FRM-76C2-FQ2W

Vulnerability from github – Published: 2024-05-14 15:32 – Updated: 2026-04-02 21:31
VLAI
Details

A logic issue was addressed with improved restrictions. This issue is fixed in macOS Sonoma 14.5. An app may be able to gain root privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-27822"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-277"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-14T15:13:05Z",
    "severity": "HIGH"
  },
  "details": "A logic issue was addressed with improved restrictions. This issue is fixed in macOS Sonoma 14.5. An app may be able to gain root privileges.",
  "id": "GHSA-9frm-76c2-fq2w",
  "modified": "2026-04-02T21:31:40Z",
  "published": "2024-05-14T15:32:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27822"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120903"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT214106"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214106"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/May/12"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9M5J-4XX9-44J9

Vulnerability from github – Published: 2024-08-07 18:30 – Updated: 2026-03-20 21:18
VLAI
Summary
Pulp incorrectly assigns RBAC permissions in tasks that create objects
Details

A flaw was found in the Pulp package. When a role-based access control (RBAC) object in Pulp is set to assign permissions on its creation, it uses the AutoAddObjPermsMixin (typically the add_roles_for_object_creator method). This method finds the object creator by checking the current authenticated user. For objects that are created within a task, this current user is set by the first user with any permissions on the task object. This means the oldest user with model/domain-level task permissions will always be set as the current user of a task, even if they didn't dispatch the task. Therefore, all objects created in tasks will have their permissions assigned to this oldest user, and the creating user will receive nothing.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pulpcore"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "3.56.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-7143"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-277"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-07T19:45:30Z",
    "nvd_published_at": "2024-08-07T17:15:52Z",
    "severity": "HIGH"
  },
  "details": "A flaw was found in the Pulp package. When a role-based access control (RBAC) object in Pulp is set to assign permissions on its creation, it uses the `AutoAddObjPermsMixin` (typically the add_roles_for_object_creator method). This method finds the object creator by checking the current authenticated user. For objects that are created within a task, this current user is set by the first user with any permissions on the task object. This means the oldest user with model/domain-level task permissions will always be set as the current user of a task, even if they didn\u0027t dispatch the task. Therefore, all objects created in tasks will have their permissions assigned to this oldest user, and the creating user will receive nothing.",
  "id": "GHSA-9m5j-4xx9-44j9",
  "modified": "2026-03-20T21:18:09Z",
  "published": "2024-08-07T18:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7143"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:6765"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2024-7143"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2300125"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pulp/pulpcore"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pulp/pulpcore/blob/93f241f34c503da0fbac94bdba739feda2636e12/pulpcore/tasking/_util.py#L108"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pulp/pulpcore/blob/main/CHANGES.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Pulp incorrectly assigns RBAC permissions in tasks that create objects"
}

GHSA-9M7R-G8HG-X3VR

Vulnerability from github – Published: 2025-11-21 18:06 – Updated: 2026-05-14 20:54
VLAI
Summary
SpiceDB: LookupResources with Multiple Entrypoints across Different Definitions Can Return Incomplete Results
Details

Impact

If your schema includes the following characteristics:

  1. You have a permission defined in terms of a union (+)
  2. That union references the same relation on both sides, but one side arrows to a different permission

Then you might have missing LookupResources results when checking the permission. This only affects LookupResources; other APIs calculate permissionship correctly.

A small concrete example:

relation doer_of_things: user | group#member
permission do_the_thing = doer_of_things + doer_of_things->admin

A CheckPermission on do_the_thing will return the correct permissionship, but a LookupResources on do_the_thing may miss resources.

A Comprehensive Example

If you have a schema with a structure like this:

definition special_user {}

definition user {
  relation special_user_mapping: special_user
  permission special_user = special_user_mapping
}
definition group {
   relation member: user
   permission membership = member + member->special_user
}

definition system {
  relation viewer: user | group#membership
  // This is the problematic permission
  permission view = viewer + viewer->special_user
}

And these relationships:

system:somesystem#viewer@group:somegroup#membership
group:somegroup#member@user:someuser1
user:someuser1#special_user_mapping@special_user:specialuser

And you call LookupResources with:

subject_type: user
subject_id: someuser1
permission: view
resource_type: system

You would expect to receive system:somesystem in the results, but you do not.

Note that this only applies to LookupResources; if you CheckPermission for that resource specifically, it will return HasPermission.

Patches

The issue is fixed in v1.47.1. Upgrading to this version will remediate this issue.

Workarounds

N/A

References

N/A

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/authzed/spicedb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.47.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-65111"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-277"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-21T18:06:00Z",
    "nvd_published_at": "2025-11-21T22:16:33Z",
    "severity": "LOW"
  },
  "details": "### Impact\n\nIf your schema includes the following characteristics:\n\n1. You have a permission defined in terms of a union (`+`)\n1. That union references the same relation on both sides, but one side arrows to a different permission\n\nThen you might have missing `LookupResources` results when checking the permission. This only affects `LookupResources`; other APIs calculate permissionship correctly.\n\nA small concrete example:\n\n```\nrelation doer_of_things: user | group#member\npermission do_the_thing = doer_of_things + doer_of_things-\u003eadmin\n```\n\nA CheckPermission on `do_the_thing` will return the correct permissionship, but a LookupResources on `do_the_thing` may miss resources.\n\n#### A Comprehensive Example\n\nIf you have a schema with a structure like this:\n\n```\ndefinition special_user {}\n\ndefinition user {\n  relation special_user_mapping: special_user\n  permission special_user = special_user_mapping\n}\ndefinition group {\n   relation member: user\n   permission membership = member + member-\u003especial_user\n}\n\ndefinition system {\n  relation viewer: user | group#membership\n  // This is the problematic permission\n  permission view = viewer + viewer-\u003especial_user\n}\n```\n\nAnd these relationships:\n```\nsystem:somesystem#viewer@group:somegroup#membership\ngroup:somegroup#member@user:someuser1\nuser:someuser1#special_user_mapping@special_user:specialuser\n```\n\nAnd you call LookupResources with:\n```\nsubject_type: user\nsubject_id: someuser1\npermission: view\nresource_type: system\n```\n\nYou would expect to receive `system:somesystem` in the results, but you do not.\n\nNote that this only applies to `LookupResources`; if you `CheckPermission` for that resource specifically, it will return `HasPermission`.\n\n### Patches\n\nThe issue is fixed in v1.47.1. Upgrading to this version will remediate this issue.\n\n### Workarounds\nN/A\n\n### References\nN/A",
  "id": "GHSA-9m7r-g8hg-x3vr",
  "modified": "2026-05-14T20:54:49Z",
  "published": "2025-11-21T18:06:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/authzed/spicedb/security/advisories/GHSA-9m7r-g8hg-x3vr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65111"
    },
    {
      "type": "WEB",
      "url": "https://github.com/authzed/spicedb/commit/8c2edbe1e7bd3851fa2138f4cc344bfde986dcf2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/authzed/spicedb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "SpiceDB: LookupResources with Multiple Entrypoints across Different Definitions Can Return Incomplete Results"
}

GHSA-9R4W-694R-FM3F

Vulnerability from github – Published: 2022-11-11 19:00 – Updated: 2022-11-16 19:00
VLAI
Details

Incorrect default permissions in the installer software for some Intel(r) NUC Kit Wireless Adapter drivers for Windows 10 before version 22.40 may allow an authenticated user to potentially enable escalation of privilege via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-36377"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276",
      "CWE-277"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-11T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "Incorrect default permissions in the installer software for some Intel(r) NUC Kit Wireless Adapter drivers for Windows 10 before version 22.40 may allow an authenticated user to potentially enable escalation of privilege via local access.",
  "id": "GHSA-9r4w-694r-fm3f",
  "modified": "2022-11-16T19:00:29Z",
  "published": "2022-11-11T19:00:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36377"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00747.html"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00908.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CPFP-M5QW-C4R3

Vulnerability from github – Published: 2024-08-15 18:31 – Updated: 2025-05-22 20:00
VLAI
Summary
Improper Preservation of Permissions in xxl-job
Details

Insecure Permissions vulnerability in xxl-job v.2.4.1 allows a remote attacker to execute arbitrary code via the Sub-Task ID component.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.4.1"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "com.xuxueli:xxl-job-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-42681"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276",
      "CWE-277",
      "CWE-281"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-15T22:19:00Z",
    "nvd_published_at": "2024-08-15T17:15:18Z",
    "severity": "HIGH"
  },
  "details": "Insecure Permissions vulnerability in xxl-job v.2.4.1 allows a remote attacker to execute arbitrary code via the Sub-Task ID component.",
  "id": "GHSA-cpfp-m5qw-c4r3",
  "modified": "2025-05-22T20:00:48Z",
  "published": "2024-08-15T18:31:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42681"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xuxueli/xxl-job/issues/3516"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xuxueli/xxl-job/commit/a2dc9011310628f3e18c3a5095e7e6a946d017bd"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xuxueli/xxl-job"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Improper Preservation of Permissions in xxl-job"
}

GHSA-CPFV-MR66-74V6

Vulnerability from github – Published: 2024-07-09 15:30 – Updated: 2024-08-01 15:31
VLAI
Details

Firefox Android allowed immediate interaction with permission prompts. This could be used for tapjacking. This vulnerability affects Firefox < 128.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-6605"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-277"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-09T15:15:12Z",
    "severity": "HIGH"
  },
  "details": "Firefox Android allowed immediate interaction with permission prompts. This could be used for tapjacking. This vulnerability affects Firefox \u003c 128.",
  "id": "GHSA-cpfv-mr66-74v6",
  "modified": "2024-08-01T15:31:53Z",
  "published": "2024-07-09T15:30:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6605"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1836786"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-29"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F636-M6GC-99CH

Vulnerability from github – Published: 2024-04-03 18:30 – Updated: 2024-08-27 15:32
VLAI
Details

Macro Expert through 4.9.4 allows BUILTIN\Users:(OI)(CI)(M) access to the "%PROGRAMFILES(X86)%\GrassSoft\Macro Expert" folder and thus an unprivileged user can escalate to SYSTEM by replacing the MacroService.exe binary.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-27674"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276",
      "CWE-277"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-03T17:15:55Z",
    "severity": "HIGH"
  },
  "details": "Macro Expert through 4.9.4 allows BUILTIN\\Users:(OI)(CI)(M) access to the \"%PROGRAMFILES(X86)%\\GrassSoft\\Macro Expert\" folder and thus an unprivileged user can escalate to SYSTEM by replacing the MacroService.exe binary.",
  "id": "GHSA-f636-m6gc-99ch",
  "modified": "2024-08-27T15:32:42Z",
  "published": "2024-04-03T18:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27674"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Alaatk/CVE-2024-27674/tree/main"
    },
    {
      "type": "WEB",
      "url": "https://www.macro-expert.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FJ2M-7R3Q-J27X

Vulnerability from github – Published: 2023-07-11 03:30 – Updated: 2024-09-29 00:30
VLAI
Details

SAP SQL Anywhere - version 17.0, allows an attacker to prevent legitimate users from accessing the service by crashing the service. An attacker with low privileged account and access to the local system can write into the shared memory objects. This can be leveraged by an attacker to perform a Denial of Service. Further, an attacker might be able to modify sensitive data in shared memory objects.This issue only affects SAP SQL Anywhere on Windows. Other platforms are not impacted.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-33990"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-277",
      "CWE-732"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-11T03:15:09Z",
    "severity": "HIGH"
  },
  "details": "SAP SQL Anywhere\u00a0- version 17.0, allows an attacker to prevent legitimate users from accessing the service by crashing the service. An attacker with low privileged account and access to the local system can write into the shared memory objects. This can be leveraged by an attacker to perform a Denial of Service. Further, an attacker might be able to modify sensitive data in shared memory objects.This issue only affects SAP SQL Anywhere on Windows. Other platforms are not impacted.\n\n",
  "id": "GHSA-fj2m-7r3q-j27x",
  "modified": "2024-09-29T00:30:55Z",
  "published": "2023-07-11T03:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33990"
    },
    {
      "type": "WEB",
      "url": "https://me.sap.com/notes/3331029"
    },
    {
      "type": "WEB",
      "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-1
Architecture and Design Operation

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

Mitigation MIT-46
Architecture and Design

Strategy: Separation of Privilege

  • Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
  • Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

No CAPEC attack patterns related to this CWE.