CWE-708 Detail

CWE-708

Name

Incorrect Ownership Assignment

Status

Incomplete

Published

2008-09-09
00h00 +00:00

Modified

2023-06-29
00h00 +00:00

Official links

CWE Mitre.org

Notifications for a CWE

Stay informed of any changes for a specific CWE.

Notifications manage

List of Notifications

Notifications for a CWE

Stay informed of any changes for a specific CWE.

Parameters

You can specify a title that will be retrieved in the alerts that will be sent out.

Specify the CWE ID you wish to monitor.

Planning

Month

Next run calculation

Day

Weekday

Hour

Minute

Creation date

Last execution

Next execution

Functionality requiring a connection

This feature, which allows you to receive alerts, is only active when you are logged into your account.

Name: Incorrect Ownership Assignment

The product assigns an owner to a resource, but the owner is outside of the intended control sphere.

CWE Description

This may allow the resource to be manipulated by actors outside of the intended control sphere.

General Informations

Modes Of Introduction

Architecture and Design
Implementation : REALIZATION: This weakness is caused during implementation of an architectural security tactic.
Operation

Applicable Platforms

Language

Class: Not Language-Specific (Undetermined)

Common Consequences

Scope	Impact	Likelihood
Confidentiality Integrity	Read Application Data, Modify Application Data Note: An attacker could read and modify data for which they do not have permissions to access directly.

Observed Examples

References	Description
CVE-2007-5101	File system sets wrong ownership and group when creating a new file.
CVE-2007-4238	OS installs program with bin owner/group, allowing modification.
CVE-2007-1716	Manager does not properly restore ownership of a reusable resource when a user logs out, allowing privilege escalation.
CVE-2005-3148	Backup software restores symbolic links with incorrect uid/gid.
CVE-2005-1064	Product changes the ownership of files that a symlink points to, instead of the symlink itself.
CVE-2011-1551	Component assigns ownership of sensitive directory tree to a user account, which can be leveraged to perform privileged operations.

Potential Mitigations

Phases : Policy
Periodically review the privileges and their owners.
Phases : Testing
Use automated tools to check for privilege settings.

Vulnerability Mapping Notes

Justification : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comment : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

NotesNotes

This overlaps verification errors, permissions, and privileges.

A closely related weakness is the incorrect assignment of groups to a resource. It is not clear whether it would fall under this entry or require a different entry.

Submission

Name	Organization	Date	Date release	Version
CWE Content Team	MITRE	2008-09-09 +00:00	2008-09-09 +00:00	1.0

Modifications

Name	Organization	Date	Comment
Eric Dalci	Cigital	2008-07-01 +00:00	updated Potential_Mitigations, Time_of_Introduction
CWE Content Team	MITRE	2009-03-10 +00:00	updated Relationships
CWE Content Team	MITRE	2009-05-27 +00:00	updated Description
CWE Content Team	MITRE	2011-06-01 +00:00	updated Common_Consequences, Maintenance_Notes, Other_Notes
CWE Content Team	MITRE	2012-05-11 +00:00	updated Common_Consequences, Relationships
CWE Content Team	MITRE	2012-10-30 +00:00	updated Observed_Examples, Potential_Mitigations
CWE Content Team	MITRE	2014-07-30 +00:00	updated Relationships
CWE Content Team	MITRE	2017-11-08 +00:00	updated Applicable_Platforms, Modes_of_Introduction, Relationships
CWE Content Team	MITRE	2020-02-24 +00:00	updated Relationships
CWE Content Team	MITRE	2023-01-31 +00:00	updated Description
CWE Content Team	MITRE	2023-04-27 +00:00	updated Relationships
CWE Content Team	MITRE	2023-06-29 +00:00	updated Mapping_Notes