Détail du CWE-708

CWE-708

Incorrect Ownership Assignment
Incomplete
2008-09-09
00h00 +00:00
2023-06-29
00h00 +00:00
CWE Mitre.org
Notifications pour un CWE
Restez informé de toutes modifications pour un CWE spécifique.
Gestion des notifications

Nom: Incorrect Ownership Assignment

The product assigns an owner to a resource, but the owner is outside of the intended control sphere.

Description du CWE

This may allow the resource to be manipulated by actors outside of the intended control sphere.

Informations générales

Modes d'introduction

Architecture and Design
Implementation : REALIZATION: This weakness is caused during implementation of an architectural security tactic.
Operation

Plateformes applicables

Langue

Class: Not Language-Specific (Undetermined)

Conséquences courantes

Portée Impact Probabilité
Confidentiality
Integrity		Read Application Data, Modify Application Data

Note: An attacker could read and modify data for which they do not have permissions to access directly.

Exemples observés

Références Description

CVE-2007-5101

File system sets wrong ownership and group when creating a new file.

CVE-2007-4238

OS installs program with bin owner/group, allowing modification.

CVE-2007-1716

Manager does not properly restore ownership of a reusable resource when a user logs out, allowing privilege escalation.

CVE-2005-3148

Backup software restores symbolic links with incorrect uid/gid.

CVE-2005-1064

Product changes the ownership of files that a symlink points to, instead of the symlink itself.

CVE-2011-1551

Component assigns ownership of sensitive directory tree to a user account, which can be leveraged to perform privileged operations.

Mesures d’atténuation potentielles

Phases : Policy
Periodically review the privileges and their owners.
Phases : Testing
Use automated tools to check for privilege settings.

Notes de cartographie des vulnérabilités

Justification : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Commentaire : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

NotesNotes

This overlaps verification errors, permissions, and privileges.

A closely related weakness is the incorrect assignment of groups to a resource. It is not clear whether it would fall under this entry or require a different entry.


Soumission

Nom Organisation Date Date de publication Version
CWE Content Team MITRE 2008-09-09 +00:00 2008-09-09 +00:00 1.0

Modifications

Nom Organisation Date Commentaire
Eric Dalci Cigital 2008-07-01 +00:00 updated Potential_Mitigations, Time_of_Introduction
CWE Content Team MITRE 2009-03-10 +00:00 updated Relationships
CWE Content Team MITRE 2009-05-27 +00:00 updated Description
CWE Content Team MITRE 2011-06-01 +00:00 updated Common_Consequences, Maintenance_Notes, Other_Notes
CWE Content Team MITRE 2012-05-11 +00:00 updated Common_Consequences, Relationships
CWE Content Team MITRE 2012-10-30 +00:00 updated Observed_Examples, Potential_Mitigations
CWE Content Team MITRE 2014-07-30 +00:00 updated Relationships
CWE Content Team MITRE 2017-11-08 +00:00 updated Applicable_Platforms, Modes_of_Introduction, Relationships
CWE Content Team MITRE 2020-02-24 +00:00 updated Relationships
CWE Content Team MITRE 2023-01-31 +00:00 updated Description
CWE Content Team MITRE 2023-04-27 +00:00 updated Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes