CWE-921 Detail

CWE-921

Name

Storage of Sensitive Data in a Mechanism without Access Control

Status

Incomplete

Published

2013-07-17
00h00 +00:00

Modified

2023-06-29
00h00 +00:00

Official links

CWE Mitre.org

Notifications for a CWE

Stay informed of any changes for a specific CWE.

Notifications manage

List of Notifications

Notifications for a CWE

Stay informed of any changes for a specific CWE.

Parameters

You can specify a title that will be retrieved in the alerts that will be sent out.

Specify the CWE ID you wish to monitor.

Planning

Month

Next run calculation

Day

Weekday

Hour

Minute

Creation date

Last execution

Next execution

Functionality requiring a connection

This feature, which allows you to receive alerts, is only active when you are logged into your account.

Name: Storage of Sensitive Data in a Mechanism without Access Control

The product stores sensitive information in a file system or device that does not have built-in access control.

CWE Description

While many modern file systems or devices utilize some form of access control in order to restrict access to data, not all storage mechanisms have this capability. For example, memory cards, floppy disks, CDs, and USB devices are typically made accessible to any user within the system. This can become a problem when sensitive data is stored in these mechanisms in a multi-user environment, because anybody on the system can read or write this data.

On Android devices, external storage is typically globally readable and writable by other applications on the device. External storage may also be easily accessible through the mobile device's USB connection or physically accessible through the device's memory card port.

General Informations

Modes Of Introduction

Architecture and Design : OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase.

Applicable Platforms

Language

Class: Not Language-Specific (Undetermined)

Technologies

Class: Mobile (Undetermined)

Common Consequences

Scope	Impact	Likelihood
Confidentiality	Read Application Data, Read Files or Directories Note: Attackers can read sensitive information by accessing the unrestricted storage mechanism.
Integrity	Modify Application Data, Modify Files or Directories Note: Attackers can modify or delete sensitive information by accessing the unrestricted storage mechanism.

Vulnerability Mapping Notes

Justification : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comment : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

References

REF-921

Security Tips
Android Open Source Project.
https://developer.android.com/training/articles/security-tips.html#StoringData

Submission

Name	Organization	Date	Date release	Version
CWE Content Team	MITRE	2013-06-22 +00:00	2013-07-17 +00:00	2.5

Modifications

Name	Organization	Date	Comment
CWE Content Team	MITRE	2017-11-08 +00:00	updated Modes_of_Introduction, References, Relationships
CWE Content Team	MITRE	2020-02-24 +00:00	updated Applicable_Platforms, Relationships
CWE Content Team	MITRE	2023-01-31 +00:00	updated Description
CWE Content Team	MITRE	2023-04-27 +00:00	updated References, Relationships
CWE Content Team	MITRE	2023-06-29 +00:00	updated Mapping_Notes