CWE-556: ASP.NET Misconfiguration: Use of Identity Impersonation
Configuring an ASP.NET application to run with impersonated credentials may give the application unnecessary privileges.
Last updated
Overview
The use of impersonated credentials allows an ASP.NET application to run with either the privileges of the client on whose behalf it is executing or with arbitrary privileges granted in its configuration.
Real-world CVEs
1 recorded CVEs are caused by CWE-556 (ASP.NET Misconfiguration: Use of Identity Impersonation). The highest-severity and most recent are shown first.
Common consequences
What can happen when CWE-556 is exploited.
Gain Privileges or Assume Identity
Affects: Access Control
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Languages
How to prevent it
Practical mitigations for CWE-556, grouped by where in the lifecycle they apply.
Use the least privilege principle.
Frequently asked questions
Common questions about CWE-556.
- What is CWE-556?
- Configuring an ASP.NET application to run with impersonated credentials may give the application unnecessary privileges.
- What CVEs are caused by CWE-556?
- 1 recorded CVEs are attributed to CWE-556, including CVE-2024-37081.
- How do you prevent CWE-556?
- Use the least privilege principle.
- What are the consequences of CWE-556?
- Exploiting CWE-556 can lead to: Gain Privileges or Assume Identity.
- Is CWE-556 actively exploited?
- 1 recorded CVEs are caused by CWE-556; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-556) (opens in a new tab)
- CWE-556 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-556
Get alerted the moment a new CWE-556 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.