Detalle CWE-638

CWE-638

Not Using Complete Mediation
Draft
2008-01-30
00h00 +00:00
2023-10-26
00h00 +00:00
CWE Mitre.org
Notificaciones para un CWE
Manténgase informado sobre cualquier cambio en un CWE específico.
Gestionar notificaciones

Nombre: Not Using Complete Mediation

The product does not perform access checks on a resource every time the resource is accessed by an entity, which can create resultant weaknesses if that entity's rights or privileges change over time.

Informaciones generales

Modos de introducción

Implementation
Operation

Plataformas aplicables

Lenguaje

Class: Not Language-Specific (Undetermined)

Consecuencias comunes

Alcance Impacto Probabilidad
Integrity
Confidentiality
Availability
Access Control
Other		Gain Privileges or Assume Identity, Execute Unauthorized Code or Commands, Bypass Protection Mechanism, Read Application Data, Other

Note: A user might retain access to a critical resource even after privileges have been revoked, possibly allowing access to privileged functionality or sensitive information, depending on the role of the resource.

Ejemplos observados

Referencias Descripción

CVE-2007-0408

Server does not properly validate client certificates when reusing cached connections.

Mitigaciones potenciales

Phases : Architecture and Design
Invalidate cached privileges, file handles or descriptors, or other access credentials whenever identities, processes, policies, roles, capabilities or permissions change. Perform complete authentication checks before accepting, caching and reusing data, dynamic content and code (scripts). Avoid caching access control decisions as much as possible.
Phases : Architecture and Design
Identify all possible code paths that might access sensitive resources. If possible, create and use a single interface that performs the access checks, and develop code standards that require use of this interface.

Notas de mapeo de vulnerabilidades

Justificación : This CWE entry is a Class and might have Base-level children that would be more appropriate
Comentario : Examine children of this entry to see if there is a better fit

Patrones de ataque relacionados

CAPEC-ID Nombre del patrón de ataque
CAPEC-104 Cross Zone Scripting
An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security.

Referencias

REF-196

The Protection of Information in Computer Systems
Jerome H. Saltzer, Michael D. Schroeder.
http://web.mit.edu/Saltzer/www/publications/protection/

REF-526

Complete Mediation
Sean Barnum, Michael Gegick.
https://web.archive.org/web/20221006191503/https://www.cisa.gov/uscert/bsi/articles/knowledge/principles/complete-mediation

Envío

Nombre Organización Fecha Fecha de lanzamiento Version
Pascal Meunier Purdue University 2008-01-18 +00:00 2008-01-30 +00:00 Draft 8

Modificaciones

Nombre Organización Fecha Comentario
Eric Dalci Cigital 2008-07-01 +00:00 updated Time_of_Introduction
CWE Content Team MITRE 2008-09-08 +00:00 updated Common_Consequences, Relationships, Observed_Example, Weakness_Ordinalities
CWE Content Team MITRE 2009-01-12 +00:00 updated Description, Name
CWE Content Team MITRE 2009-05-27 +00:00 updated Related_Attack_Patterns
CWE Content Team MITRE 2010-12-13 +00:00 updated Name
CWE Content Team MITRE 2011-06-01 +00:00 updated Common_Consequences, Relationships
CWE Content Team MITRE 2012-05-11 +00:00 updated Relationships
CWE Content Team MITRE 2012-10-30 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2014-07-30 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2017-11-08 +00:00 updated Applicable_Platforms, Causal_Nature
CWE Content Team MITRE 2020-02-24 +00:00 updated Relationships
CWE Content Team MITRE 2022-10-13 +00:00 updated References
CWE Content Team MITRE 2023-01-31 +00:00 updated Description, Relationships
CWE Content Team MITRE 2023-04-27 +00:00 updated References, Relationships, Time_of_Introduction
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2023-10-26 +00:00 updated Demonstrative_Examples
La información presentada en CVE Find proviene de varias fuentes de referencia cuidadosamente seleccionadas. Los datos CVE son proporcionados por MITRE Corporation y la Base de Datos Nacional de Vulnerabilidades (NVD). El catálogo de Vulnerabilidades Explotadas Conocidas (KEV) proviene de la Agencia de Seguridad de Infraestructura y Ciberseguridad (CISA), mientras que las puntuaciones EPSS provienen de FIRST.org. Además, los datos sobre debilidades de software (CWE) y patrones de ataque comunes (CAPEC) son mantenidos por MITRE Corporation, y la información sobre configuraciones de hardware y software (CPE) es proporcionada por la NVD.