CWE-402
Transmission of Private Resources into a New Sphere ('Resource Leak')
Draft
2006-07-19
00h00 +00:00
00h00 +00:00
2023-10-26
00h00 +00:00
00h00 +00:00
Notifications pour un CWE
Restez informé de toutes modifications pour un CWE spécifique.
Nom: Transmission of Private Resources into a New Sphere ('Resource Leak')
The product makes resources available to untrusted parties when those resources are only intended to be accessed by the product.
Informations générales
Modes d'introduction
Architecture and DesignImplementation
Conséquences courantes
| Portée | Impact | Probabilité |
|---|---|---|
| Confidentiality | Read Application Data |
Exemples observés
| Références | Description |
|---|---|
CVE-2003-0740 | Server leaks a privileged file descriptor, allowing the server to be hijacked. |
CVE-2004-1033 | File descriptor leak allows read of restricted files. |
Méthodes de détection
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)Efficacité : High
Notes de cartographie des vulnérabilités
Justification : This CWE entry is a Class and might have Base-level children that would be more appropriateCommentaire : Examine children of this entry to see if there is a better fit
Soumission
| Nom | Organisation | Date | Date de publication | Version |
|---|---|---|---|---|
| PLOVER | Draft 3 |
Modifications
| Nom | Organisation | Date | Commentaire |
|---|---|---|---|
| Eric Dalci | Cigital | updated Time_of_Introduction | |
| CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Name | |
| CWE Content Team | MITRE | updated Alternate_Terms | |
| CWE Content Team | MITRE | updated Common_Consequences | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Description | |
| CWE Content Team | MITRE | updated Detection_Factors, Relationships | |
| CWE Content Team | MITRE | updated Mapping_Notes | |
| CWE Content Team | MITRE | updated Observed_Examples |
Les informations affichées sur CVE Find proviennent de plusieurs sources de référence rigoureusement sélectionnées. Les données CVE sont fournies par MITRE Corporation et la National Vulnerability Database (NVD). Le catalogue des vulnérabilités activement exploitées (KEV) provient de la Cybersecurity and Infrastructure Security Agency (CISA), tandis que les scores EPSS sont issus de FIRST.org. Enfin, les données relatives aux faiblesses logicielles (CWE) et aux schémas d'attaque courants (CAPEC)
sont maintenues par MITRE Corporation, et les informations sur les configurations
logicielles et matérielles (CPE) proviennent du NVD.