CWE-610
Externally Controlled Reference to a Resource in Another Sphere
Draft
2007-05-07
00h00 +00:00
00h00 +00:00
2024-02-29
00h00 +00:00
00h00 +00:00
Notifications pour un CWE
Restez informé de toutes modifications pour un CWE spécifique.
Nom: Externally Controlled Reference to a Resource in Another Sphere
The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.
Informations générales
Modes d'introduction
Architecture and Design : COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic.Conséquences courantes
| Portée | Impact | Probabilité |
|---|---|---|
| Confidentiality Integrity | Read Application Data, Modify Application Data |
Exemples observés
| Références | Description |
|---|---|
CVE-2022-3032 | An email client does not block loading of remote objects in a nested document. |
CVE-2022-45918 | Chain: a learning management tool debugger uses external input to locate previous session logs (CWE-73) and does not properly validate the given path (CWE-20), allowing for filesystem path traversal using "../" sequences (CWE-24) |
CVE-2018-1000613 | Cryptography API uses unsafe reflection when deserializing a private key |
CVE-2020-11053 | Chain: Go-based Oauth2 reverse proxy can send the authenticated user to another site at the end of the authentication flow. A redirect URL with HTML-encoded whitespace characters can bypass the validation (CWE-1289) to redirect to a malicious site (CWE-601) |
CVE-2022-42745 | Recruiter software allows reading arbitrary files using XXE |
CVE-2004-2331 | Database system allows attackers to bypass sandbox restrictions by using the Reflection API. |
Notes de cartographie des vulnérabilités
Justification : This CWE entry is a level-1 Class (i.e., a child of a Pillar). It might have lower-level children that would be more appropriateCommentaire : Examine children of this entry to see if there is a better fit
Modèles d'attaque associés
| CAPEC-ID | Nom du modèle d'attaque |
|---|---|
| CAPEC-219 | XML Routing Detour Attacks An attacker subverts an intermediate system used to process XML content and forces the intermediate to modify and/or re-route the processing of the content. XML Routing Detour Attacks are Adversary in the Middle type attacks (CAPEC-94). The attacker compromises or inserts an intermediate system in the processing of the XML message. For example, WS-Routing can be used to specify a series of nodes or intermediaries through which content is passed. If any of the intermediate nodes in this route are compromised by an attacker they could be used for a routing detour attack. From the compromised system the attacker is able to route the XML process to other nodes of their choice and modify the responses so that the normal chain of processing is unaware of the interception. This system can forward the message to an outside entity and hide the forwarding and processing from the legitimate processing systems by altering the header information. |
NotesNotes
This is a general class of weakness, but most research is focused on more specialized cases, such as path traversal (CWE-22) and symlink following (CWE-61). A symbolic link has a name; in general, it appears like any other file in the file system. However, the link includes a reference to another file, often in another directory - perhaps in another sphere of control. Many common library functions that accept filenames will "follow" a symbolic link and use the link's target instead.The relationship between CWE-99 and CWE-610 needs further investigation and clarification. They might be duplicates. CWE-99 "Resource Injection," as originally defined in Seven Pernicious Kingdoms taxonomy, emphasizes the "identifier used to access a system resource" such as a file name or port number, yet it explicitly states that the "resource injection" term does not apply to "path manipulation," which effectively identifies the path at which a resource can be found and could be considered to be one aspect of a resource identifier. Also, CWE-610 effectively covers any type of resource, whether that resource is at the system layer, the application layer, or the code layer.
Soumission
| Nom | Organisation | Date | Date de publication | Version |
|---|---|---|---|---|
| Anonymous Tool Vendor (under NDA) | Draft 6 |
Modifications
| Nom | Organisation | Date | Commentaire |
|---|---|---|---|
| CWE Content Team | MITRE | updated Relationships, Other_Notes, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Other_Notes, Relationship_Notes | |
| CWE Content Team | MITRE | updated Related_Attack_Patterns | |
| CWE Content Team | MITRE | updated Common_Consequences | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Maintenance_Notes | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Modes_of_Introduction, Relationships, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Mapping_Notes | |
| CWE Content Team | MITRE | updated Observed_Examples | |
| CWE Content Team | MITRE | updated Demonstrative_Examples, Mapping_Notes |
2025©
tesweb SA
