CWE-638 Détail de la faiblesse

CWE-638

Nom

Not Using Complete Mediation

Statut

Draft

Publié

2008-01-30
00h00 +00:00

Modifié

2023-10-26
00h00 +00:00

Liens officiels

CWE Mitre.org

Notifications pour un CWE

Restez informé de toutes modifications pour un CWE spécifique.

Gestion des notifications

Liste des Notifications

Notifications pour un CWE

Restez informé de toutes modifications pour un CWE spécifique.

Paramètres

Vous pouvez spécifier un titre qui sera récupéré dans les alertes qui seront envoyées.

Spécifiez le CWE ID que vous désirez surveiller.

Planifications

Mois

Prochaine exécution calculée

Jour

Jour de la semaine

Heure

Minute

Date de création

Dernière exécution

Prochaine exécution

Fonctionnalité nécessitant une connexion

Cette fonctionnalité qui vous permet de recevoir des alertes, n'est active que lorsque vous êtes connecté à votre compte.

Nom: Not Using Complete Mediation

The product does not perform access checks on a resource every time the resource is accessed by an entity, which can create resultant weaknesses if that entity's rights or privileges change over time.

Informations générales

Modes d'introduction

Implementation
Operation

Plateformes applicables

Langue

Class: Not Language-Specific (Undetermined)

Conséquences courantes

Portée	Impact	Probabilité
Integrity Confidentiality Availability Access Control Other	Gain Privileges or Assume Identity, Execute Unauthorized Code or Commands, Bypass Protection Mechanism, Read Application Data, Other Note: A user might retain access to a critical resource even after privileges have been revoked, possibly allowing access to privileged functionality or sensitive information, depending on the role of the resource.

Exemples observés

Références	Description
CVE-2007-0408	Server does not properly validate client certificates when reusing cached connections.

Mesures d’atténuation potentielles

Phases : Architecture and Design
Invalidate cached privileges, file handles or descriptors, or other access credentials whenever identities, processes, policies, roles, capabilities or permissions change. Perform complete authentication checks before accepting, caching and reusing data, dynamic content and code (scripts). Avoid caching access control decisions as much as possible.
Phases : Architecture and Design
Identify all possible code paths that might access sensitive resources. If possible, create and use a single interface that performs the access checks, and develop code standards that require use of this interface.

Notes de cartographie des vulnérabilités

Justification : This CWE entry is a Class and might have Base-level children that would be more appropriate
Commentaire : Examine children of this entry to see if there is a better fit

Modèles d'attaque associés

CAPEC-ID	Nom du modèle d'attaque
CAPEC-104	Cross Zone Scripting An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security.

Références

REF-196

The Protection of Information in Computer Systems
Jerome H. Saltzer, Michael D. Schroeder.
http://web.mit.edu/Saltzer/www/publications/protection/

REF-526

Complete Mediation
Sean Barnum, Michael Gegick.
https://web.archive.org/web/20221006191503/https://www.cisa.gov/uscert/bsi/articles/knowledge/principles/complete-mediation

Soumission

Nom	Organisation	Date	Date de publication	Version
Pascal Meunier	Purdue University	2008-01-18 +00:00	2008-01-30 +00:00	Draft 8

Modifications

Nom	Organisation	Date	Commentaire
Eric Dalci	Cigital	2008-07-01 +00:00	updated Time_of_Introduction
CWE Content Team	MITRE	2008-09-08 +00:00	updated Common_Consequences, Relationships, Observed_Example, Weakness_Ordinalities
CWE Content Team	MITRE	2009-01-12 +00:00	updated Description, Name
CWE Content Team	MITRE	2009-05-27 +00:00	updated Related_Attack_Patterns
CWE Content Team	MITRE	2010-12-13 +00:00	updated Name
CWE Content Team	MITRE	2011-06-01 +00:00	updated Common_Consequences, Relationships
CWE Content Team	MITRE	2012-05-11 +00:00	updated Relationships
CWE Content Team	MITRE	2012-10-30 +00:00	updated Potential_Mitigations
CWE Content Team	MITRE	2014-07-30 +00:00	updated Relationships, Taxonomy_Mappings
CWE Content Team	MITRE	2017-11-08 +00:00	updated Applicable_Platforms, Causal_Nature
CWE Content Team	MITRE	2020-02-24 +00:00	updated Relationships
CWE Content Team	MITRE	2022-10-13 +00:00	updated References
CWE Content Team	MITRE	2023-01-31 +00:00	updated Description, Relationships
CWE Content Team	MITRE	2023-04-27 +00:00	updated References, Relationships, Time_of_Introduction
CWE Content Team	MITRE	2023-06-29 +00:00	updated Mapping_Notes
CWE Content Team	MITRE	2023-10-26 +00:00	updated Demonstrative_Examples

Détail du CWE-638