CWE-708
Incorrect Ownership Assignment
Incomplete
2008-09-09
00h00 +00:00
00h00 +00:00
2025-12-11
00h00 +00:00
00h00 +00:00
Benachrichtigungen für ein CWE
Bleiben Sie über alle Änderungen zu einem bestimmten CWE informiert.
Name: Incorrect Ownership Assignment
The product assigns an owner to a resource, but the owner is outside of the intended control sphere.
CWE-Beschreibung
This may allow the resource to be manipulated by actors outside of the intended control sphere.
Allgemeine Informationen
Einführungsmodi
Architecture and DesignImplementation : REALIZATION: This weakness is caused during implementation of an architectural security tactic.
Operation
Anwendbare Plattformen
Sprache
Class: Not Language-Specific (Undetermined)Häufige Konsequenzen
| Bereich | Auswirkung | Wahrscheinlichkeit |
|---|---|---|
| Confidentiality Integrity | Read Application Data, Modify Application Data Note: An attacker could read and modify data for which they do not have permissions to access directly. |
Beobachtete Beispiele
| Referenzen | Beschreibung |
|---|---|
CVE-2024-43199 | product installs binaries with potentially insecure user/group ownership |
CVE-2007-5101 | File system sets wrong ownership and group when creating a new file. |
CVE-2007-4238 | OS installs program with bin owner/group, allowing modification. |
CVE-2007-1716 | Manager does not properly restore ownership of a reusable resource when a user logs out, allowing privilege escalation. |
CVE-2005-3148 | Backup software restores symbolic links with incorrect uid/gid. |
CVE-2005-1064 | Product changes the ownership of files that a symlink points to, instead of the symlink itself. |
CVE-2011-1551 | Component assigns ownership of sensitive directory tree to a user account, which can be leveraged to perform privileged operations. |
Mögliche Gegenmaßnahmen
Phases : PolicyPeriodically review the privileges and their owners.
Erkennungsmethoden
Automated Analysis
Use automated tools to check for privilege settings.Hinweise zur Schwachstellen-Zuordnung
Begründung : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.Kommentar : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
Hinweise
Einreichung
| Name | Organisation | Datum | Veröffentlichungsdatum | Version |
|---|---|---|---|---|
| CWE Content Team | MITRE | 1.0 |
Änderungen
| Name | Organisation | Datum | Kommentar |
|---|---|---|---|
| Eric Dalci | Cigital | updated Potential_Mitigations, Time_of_Introduction | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Description | |
| CWE Content Team | MITRE | updated Common_Consequences, Maintenance_Notes, Other_Notes | |
| CWE Content Team | MITRE | updated Common_Consequences, Relationships | |
| CWE Content Team | MITRE | updated Observed_Examples, Potential_Mitigations | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Applicable_Platforms, Modes_of_Introduction, Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Description | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Mapping_Notes | |
| CWE Content Team | MITRE | updated Detection_Factors, Observed_Examples, Potential_Mitigations, Weakness_Ordinalities |
