CWE-273: Improper Check for Dropped Privileges

BaseIncompleteExploit Likelihood: Medium

The product attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded.

View on MITRE
Back to CWE Lookup

Extended Description

If the drop fails, the product will continue to run with the raised privileges, which might provide additional access to unprivileged users.

Technical Details

Structure
Simple

Applicable To

Languages
Not Language-Specific
Platforms

Frequently Asked Questions

What is CWE-273: Improper Check for Dropped Privileges?+

CWE-273: Improper Check for Dropped Privileges is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded. If the drop fails, the product will continue to run with the raised privileges, which might provide additional access to unprivileged users.

What are the security consequences of Improper Check for Dropped Privileges?+

If exploited, CWE-273 (Improper Check for Dropped Privileges) it can compromise Access Control and Non-Repudiation, leading to outcomes such as Gain Privileges or Assume Identity and Hide Activities.

How do you prevent or mitigate Improper Check for Dropped Privileges?+

Recommended mitigations for CWE-273 include: In Windows, make sure that the process token has the SeImpersonatePrivilege(Microsoft Server 2003). Code that relies on impersonation for security must ensure that the impersonation succeeded, i.e., that a proper privilege demotion happened.

Which programming languages are affected by Improper Check for Dropped Privileges?+

CWE-273 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What are real-world examples of Improper Check for Dropped Privileges?+

MITRE documents real CVEs mapped to CWE-273, including CVE-2006-4447 and CVE-2006-2916. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-273 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More