CWE-620
Benachrichtigungen für ein CWE
Bleiben Sie über alle Änderungen zu einem bestimmten CWE informiert.
Name: Unverified Password Change
When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.
CWE-Beschreibung
This could be used by an attacker to change passwords for another user, thus gaining the privileges associated with that user.
Allgemeine Informationen
Einführungsmodi
Architecture and DesignImplementation : REALIZATION: This weakness is caused during implementation of an architectural security tactic.
Anwendbare Plattformen
Sprache
Class: Not Language-Specific (Undetermined)Technologien
Class: Not Technology-Specific (Undetermined)Häufige Konsequenzen
| Bereich | Auswirkung | Wahrscheinlichkeit |
|---|---|---|
| Access Control | Bypass Protection Mechanism, Gain Privileges or Assume Identity |
Beobachtete Beispiele
| Referenzen | Beschreibung |
|---|---|
CVE-2007-0681 | Web app allows remote attackers to change the passwords of arbitrary users without providing the original password, and possibly perform other unauthorized actions. |
CVE-2000-0944 | Web application password change utility doesn't check the original password. |
Mögliche Gegenmaßnahmen
Phases : Architecture and DesignWhen prompting for a password change, force the user to provide the original password in addition to the new password.
Phases : Architecture and Design
Do not use "forgotten password" functionality. But if you must, ensure that you are only providing information to the actual user, e.g. by using an email address or challenge question that the legitimate user already provided in the past; do not allow the current user to change this identity information until the correct password has been provided.
Hinweise zur Schwachstellen-Zuordnung
Begründung : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.Kommentar : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
Referenzen
REF-44
24 Deadly Sins of Software SecurityMichael Howard, David LeBlanc, John Viega.
Einreichung
| Name | Organisation | Datum | Veröffentlichungsdatum | Version |
|---|---|---|---|---|
| CWE Content Team | MITRE | Draft 6 |
Änderungen
| Name | Organisation | Datum | Kommentar |
|---|---|---|---|
| Eric Dalci | Cigital | updated Time_of_Introduction | |
| Veracode | Suggested OWASP Top Ten 2004 mapping | ||
| CWE Content Team | MITRE | updated Description, Relationships, Observed_Example, Other_Notes, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Observed_Examples | |
| CWE Content Team | MITRE | updated Demonstrative_Examples | |
| CWE Content Team | MITRE | updated Other_Notes, Weakness_Ordinalities | |
| CWE Content Team | MITRE | updated Common_Consequences | |
| CWE Content Team | MITRE | updated Demonstrative_Examples, Observed_Examples, References, Relationships | |
| CWE Content Team | MITRE | updated Potential_Mitigations | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Applicable_Platforms, Modes_of_Introduction, Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships, Type | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Mapping_Notes | |
| CWE Content Team | MITRE | updated Applicable_Platforms, Relationships |
