CWE-620 Detail

CWE-620

Unverified Password Change
Draft
2007-05-07
00h00 +00:00
2023-06-29
00h00 +00:00
CWE Mitre.org
Notifications for a CWE
Stay informed of any changes for a specific CWE.
Notifications manage

Name: Unverified Password Change

When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.

CWE Description

This could be used by an attacker to change passwords for another user, thus gaining the privileges associated with that user.

General Informations

Modes Of Introduction

Architecture and Design
Implementation : REALIZATION: This weakness is caused during implementation of an architectural security tactic.

Applicable Platforms

Language

Class: Not Language-Specific (Undetermined)

Common Consequences

Scope Impact Likelihood
Access ControlBypass Protection Mechanism, Gain Privileges or Assume Identity

Observed Examples

References Description

CVE-2007-0681

Web app allows remote attackers to change the passwords of arbitrary users without providing the original password, and possibly perform other unauthorized actions.

CVE-2000-0944

Web application password change utility doesn't check the original password.

Potential Mitigations

Phases : Architecture and Design
When prompting for a password change, force the user to provide the original password in addition to the new password.
Phases : Architecture and Design
Do not use "forgotten password" functionality. But if you must, ensure that you are only providing information to the actual user, e.g. by using an email address or challenge question that the legitimate user already provided in the past; do not allow the current user to change this identity information until the correct password has been provided.

Vulnerability Mapping Notes

Justification : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comment : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

References

REF-44

24 Deadly Sins of Software Security
Michael Howard, David LeBlanc, John Viega.

Submission

Name Organization Date Date release Version
CWE Content Team MITRE 2007-05-07 +00:00 2007-05-07 +00:00 Draft 6

Modifications

Name Organization Date Comment
Eric Dalci Cigital 2008-07-01 +00:00 updated Time_of_Introduction
Veracode 2008-08-15 +00:00 Suggested OWASP Top Ten 2004 mapping
CWE Content Team MITRE 2008-09-08 +00:00 updated Description, Relationships, Observed_Example, Other_Notes, Taxonomy_Mappings
CWE Content Team MITRE 2008-11-24 +00:00 updated Observed_Examples
CWE Content Team MITRE 2009-05-27 +00:00 updated Demonstrative_Examples
CWE Content Team MITRE 2009-12-28 +00:00 updated Other_Notes, Weakness_Ordinalities
CWE Content Team MITRE 2011-06-01 +00:00 updated Common_Consequences
CWE Content Team MITRE 2012-05-11 +00:00 updated Demonstrative_Examples, Observed_Examples, References, Relationships
CWE Content Team MITRE 2012-10-30 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2014-06-23 +00:00 updated Relationships
CWE Content Team MITRE 2014-07-30 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2017-11-08 +00:00 updated Applicable_Platforms, Modes_of_Introduction, Relationships
CWE Content Team MITRE 2018-03-27 +00:00 updated Relationships
CWE Content Team MITRE 2020-02-24 +00:00 updated Relationships, Type
CWE Content Team MITRE 2021-10-28 +00:00 updated Relationships
CWE Content Team MITRE 2022-10-13 +00:00 updated Relationships
CWE Content Team MITRE 2023-04-27 +00:00 updated Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes