CWE-664 Detail

CWE-664

Name

Improper Control of a Resource Through its Lifetime

Status

Draft

Published

2008-04-11
00h00 +00:00

Modified

2023-10-26
00h00 +00:00

Official links

CWE Mitre.org

Notifications for a CWE

Stay informed of any changes for a specific CWE.

Notifications manage

List of Notifications

Notifications for a CWE

Stay informed of any changes for a specific CWE.

Parameters

You can specify a title that will be retrieved in the alerts that will be sent out.

Specify the CWE ID you wish to monitor.

Planning

Month

Next run calculation

Day

Weekday

Hour

Minute

Creation date

Last execution

Next execution

Functionality requiring a connection

This feature, which allows you to receive alerts, is only active when you are logged into your account.

Name: Improper Control of a Resource Through its Lifetime

The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.

CWE Description

Resources often have explicit instructions on how to be created, used and destroyed. When code does not follow these instructions, it can lead to unexpected behaviors and potentially exploitable states.

Even without explicit instructions, various principles are expected to be adhered to, such as "Do not use an object until after its creation is complete," or "do not use an object after it has been slated for destruction."

General Informations

Modes Of Introduction

Implementation

Applicable Platforms

Language

Class: Not Language-Specific (Undetermined)

Technologies

Class: Not Technology-Specific (Undetermined)

Common Consequences

Scope	Impact	Likelihood
Other	Other

Observed Examples

References	Description
CVE-2018-1000613	Cryptography API uses unsafe reflection when deserializing a private key
CVE-2022-21668	Chain: Python library does not limit the resources used to process images that specify a very large number of bands (CWE-1284), leading to excessive memory consumption (CWE-789) or an integer overflow (CWE-190).

Potential Mitigations

Phases : Testing
Use Static analysis tools to check for unreleased resources.

Vulnerability Mapping Notes

Justification : This CWE entry is high-level when lower-level children are available.
Comment : Consider children or descendants of this entry instead.

Related Attack Patterns

CAPEC-ID	Attack Pattern Name
CAPEC-196	Session Credential Falsification through Forging An attacker creates a false but functional session credential in order to gain or usurp access to a service. Session credentials allow users to identify themselves to a service after an initial authentication without needing to resend the authentication information (usually a username and password) with every message. If an attacker is able to forge valid session credentials they may be able to bypass authentication or piggy-back off some other authenticated user's session. This attack differs from Reuse of Session IDs and Session Sidejacking attacks in that in the latter attacks an attacker uses a previous or existing credential without modification while, in a forging attack, the attacker must create their own credential, although it may be based on previously observed credentials.
CAPEC-21	Exploitation of Trusted Identifiers An adversary guesses, obtains, or "rides" a trusted identifier (e.g. session ID, resource ID, cookie, etc.) to perform authorized actions under the guise of an authenticated user or service.
CAPEC-60	Reusing Session IDs (aka Session Replay) This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.
CAPEC-61	Session Fixation The attacker induces a client to establish a session with the target software using a session identifier provided by the attacker. Once the user successfully authenticates to the target software, the attacker uses the (now privileged) session identifier in their own transactions. This attack leverages the fact that the target software either relies on client-generated session identifiers or maintains the same session identifiers after privilege elevation.
CAPEC-62	Cross Site Request Forgery An attacker crafts malicious web links and distributes them (via web pages, email, etc.), typically in a targeted manner, hoping to induce users to click on the link and execute the malicious action against some third-party application. If successful, the action embedded in the malicious link will be processed and accepted by the targeted application with the users' privilege level. This type of attack leverages the persistence and implicit trust placed in user session cookies by many web applications today. In such an architecture, once the user authenticates to an application and a session cookie is created on the user's system, all following transactions for that session are authenticated using that cookie including potential actions initiated by an attacker and simply "riding" the existing session cookie.

NotesNotes

More work is needed on this entry and its children. There are perspective/layering issues; for example, one breakdown is based on lifecycle phase (CWE-404, CWE-665), while other children are independent of lifecycle, such as CWE-400. Others do not specify as many bases or variants, such as CWE-704, which primarily covers numbers at this stage.

Submission

Name	Organization	Date	Date release	Version
CWE Content Team	MITRE	2008-04-11 +00:00	2008-04-11 +00:00	Draft 9

Modifications

Name	Organization	Date	Comment
Eric Dalci	Cigital	2008-07-01 +00:00	updated Potential_Mitigations, Time_of_Introduction
CWE Content Team	MITRE	2008-09-08 +00:00	updated Description, Maintenance_Notes, Relationships, Type
CWE Content Team	MITRE	2009-03-10 +00:00	updated Related_Attack_Patterns
CWE Content Team	MITRE	2009-05-27 +00:00	updated Description, Name, Relationships
CWE Content Team	MITRE	2009-07-27 +00:00	updated Relationships
CWE Content Team	MITRE	2010-02-16 +00:00	updated Relationships
CWE Content Team	MITRE	2010-12-13 +00:00	updated Description, Relationships
CWE Content Team	MITRE	2011-03-29 +00:00	updated Relationships
CWE Content Team	MITRE	2011-06-01 +00:00	updated Common_Consequences, Relationships
CWE Content Team	MITRE	2012-05-11 +00:00	updated Related_Attack_Patterns, Relationships
CWE Content Team	MITRE	2012-10-30 +00:00	updated Potential_Mitigations
CWE Content Team	MITRE	2013-02-21 +00:00	updated Relationships
CWE Content Team	MITRE	2013-07-17 +00:00	updated Relationships
CWE Content Team	MITRE	2014-07-30 +00:00	updated Relationships
CWE Content Team	MITRE	2015-12-07 +00:00	updated Relationships
CWE Content Team	MITRE	2017-01-19 +00:00	updated Relationships
CWE Content Team	MITRE	2017-11-08 +00:00	updated Relationships, Taxonomy_Mappings
CWE Content Team	MITRE	2018-03-27 +00:00	updated Relationships
CWE Content Team	MITRE	2019-01-03 +00:00	updated Relationships
CWE Content Team	MITRE	2019-06-20 +00:00	updated Relationships
CWE Content Team	MITRE	2020-02-24 +00:00	updated Applicable_Platforms, Relationships, Type
CWE Content Team	MITRE	2020-06-25 +00:00	updated Relationships
CWE Content Team	MITRE	2020-08-20 +00:00	updated Relationships
CWE Content Team	MITRE	2020-12-10 +00:00	updated Relationships
CWE Content Team	MITRE	2021-03-15 +00:00	updated Maintenance_Notes, Relationships
CWE Content Team	MITRE	2022-10-13 +00:00	updated Relationships
CWE Content Team	MITRE	2023-01-31 +00:00	updated Description, Relationships
CWE Content Team	MITRE	2023-04-27 +00:00	updated Relationships
CWE Content Team	MITRE	2023-06-29 +00:00	updated Mapping_Notes, Relationships
CWE Content Team	MITRE	2023-10-26 +00:00	updated Observed_Examples