Python’s trust boundaries rely on explicit process isolation, rather than in-process access control within a single interpreter.
Unlike Java, where in-process mechanisms such as Oracle Access Management can enforce access boundaries inside the same runtime, standard Python provides no built-in in-process access manager. In Python, separate trust zones are implemented by starting separate Python runtimes under individual POSIX/machine users, and each user's access rights must be set according to the level of trust of its zone.
The example shows how new users sign up for a bank account. STRIDE illustrates trust boundaries with dotted red lines [OWASP, Conklin, Drake, 2023]. In the noncompliant example, all Python scripts run under the same POSIX user.

Breaking the outer perimeter lets the attacker run commands with the same privileges as the rest of the system.
The compliant solution has multiple layers of trust zones, creating defense in depth. Each zone runs its runtime environment under a different user. Crossing the red-dotted borders requires authentication and authorization.

Layering security in this way protects the more sensitive parts of the system.
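As an added example (not code from the original page), this is what the sign-up zone's boundary gate can look like on Linux: the sign-up runtime is spawned under its own POSIX user, and before it parses any request it checks the caller's uid from the kernel-supplied SO_PEERCRED of the Unix socket, so authorization rests on the operating-system identity rather than on anything inside the interpreter. The zone user name, the JSON request fields and the account-creation stub are assumptions; `spawn_zone` needs root (or CAP_SETUID/CAP_SETGID) and a group named like the zone user.

```python
import json
import os
import socket
import struct
import subprocess


def spawn_zone(argv, zone_user):
    """Start the runtime of one trust zone as its own POSIX user.
    Needs CAP_SETUID/CAP_SETGID in the parent (typically root); the child
    switches uid, primary gid and supplementary groups before exec."""
    return subprocess.Popen(argv, user=zone_user, group=zone_user,
                            extra_groups=[], close_fds=True)


def peer_uid(conn):
    """uid of the process at the other end of a Unix socket (Linux only).
    The kernel fills in SO_PEERCRED, so the peer cannot forge it."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", raw)
    return uid


def handle_signup(conn, allowed_uids):
    """Boundary gate of the sign-up zone: authorize the caller's POSIX
    identity before reading a single byte of its untrusted request."""
    uid = peer_uid(conn)
    if uid not in allowed_uids:
        reply = {"status": "denied", "uid": uid}
        conn.sendall(json.dumps(reply).encode())
        return reply
    try:
        request = json.loads(conn.recv(4096))
        name, email = request["name"], request["email"]
    except (ValueError, KeyError, TypeError):
        reply = {"status": "rejected", "uid": uid}
    else:
        # Real code would create the account here; we only echo it back.
        reply = {"status": "accepted", "uid": uid, "name": name, "email": email}
    conn.sendall(json.dumps(reply).encode())
    return reply


if __name__ == "__main__":
    # Demo in one process: a socketpair stands in for the Unix socket between
    # the web front-end zone and the sign-up zone (constructed input).
    web, signup = socket.socketpair(socket.AF_UNIX)
    web.sendall(b'{"name": "Alice", "email": "alice@example.com"}')
    print(handle_signup(signup, {os.getuid()}))      # accepted: same uid
```

In production each zone's user would be resolved with `pwd.getpwnam` and the socket would be a listening `AF_UNIX` socket whose filesystem permissions already restrict who may connect; the uid check is the second, kernel-backed layer.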
| Product | CVE | Description | CVSS Rating | Comment |
|---|---|---|---|---|
| Zoom clients <= 5.13.5 | CVE-2023-28597 | A Python format string issue leading to information disclosure and potentially remote code execution. | v3.1: 8.3 | |
| Reference | Source |
|---|---|
| [Python 2023] | Python Software Foundation. (2023). Classes - Private Variables. Available from: Python Documentation [accessed 13 September 2023] |
| [OWASP, Conklin, Drake, 2023] | CWE - CWE-134: Use of Externally-Controlled Format String (4.13) (mitre.org) |
| [Oracle Docs] | Administering Oracle Access Management [accessed 29 October 2025] |