Détail du CWE-668

CWE-668

Exposure of Resource to Wrong Sphere
Draft
2008-04-11
00h00 +00:00
2026-04-30
00h00 +00:00
CWE Mitre.org
Notifications pour un CWE
Restez informé de toutes modifications pour un CWE spécifique.
Gestion des notifications

Nom: Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

Informations générales

Modes d'introduction

Architecture and Design
Implementation : REALIZATION: This weakness is caused during implementation of an architectural security tactic.
Operation

Plateformes applicables

Langue

Class: Not Language-Specific (Undetermined)

Conséquences courantes

Portée Impact Probabilité
ConfidentialityRead Application Data

Note: An adversary that gains access to a resource exposed to a wrong sphere could potentially retrieve private data from that resource, thus breaking the intended confidentiality of that data.		High
IntegrityModify Application Data

Note: An adversary that gains access to a resource exposed to a wrong sphere could potentially modify data held within that resource, thus breaking the intended integrity of that data and causing the system relying on that resource to make unintended decisions.		Medium
OtherVaries by Context

Note: The consequences may vary widely depending on how the product uses the affected resource.

Notes de cartographie des vulnérabilités

Justification : CWE-668 is high-level and is often misused as a catch-all when lower-level children might be applicable. It is sometimes used for low-information vulnerability reports [REF-1287]. It is a level-1 Class (i.e., a child of a Pillar). It is not useful for trend analysis.
Commentaire : Frequent misuse appears to be related to access control issues (poor authorization (CWE-285) or authentication (CWE-287)); insertion of sensitive information (CWE-201) or improper removal of sensitive information (CWE-212); or others. Closely analyze the specific mistake that is allowing the resource to be exposed, and perform a CWE mapping for that mistake. It is highly likely that CWE-668's children or descendants could apply.

Notes

A "control sphere" is a set of resources and behaviors that are accessible to a single actor, or a group of actors. A product's security model will typically define multiple spheres, possibly implicitly. For example, a server might define one sphere for "administrators" who can create new user accounts with subdirectories under /home/server/, and a second sphere might cover the set of users who can create or delete files within their own subdirectories. A third sphere might be "users who are authenticated to the operating system on which the product is installed." Each sphere has different sets of actors and allowable behaviors.

Références

REF-1287

Supplemental Details - 2022 CWE Top 25
MITRE.
https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25_supplemental.html#problematicMappingDetails

Soumission

Nom Organisation Date Date de publication Version
CWE Content Team MITRE 2008-04-11 +00:00 2008-04-11 +00:00 Draft 9

Modifications

Nom Organisation Date Commentaire
Eric Dalci Cigital 2008-07-01 +00:00 updated Time_of_Introduction
CWE Content Team MITRE 2008-09-08 +00:00 updated Relationships, Other_Notes
CWE Content Team MITRE 2008-11-24 +00:00 updated Relationships
CWE Content Team MITRE 2009-05-27 +00:00 updated Relationships
CWE Content Team MITRE 2009-07-22 +00:00 Clarified description to include permissions.
CWE Content Team MITRE 2009-07-27 +00:00 updated Description, Relationships
CWE Content Team MITRE 2009-10-29 +00:00 updated Other_Notes, Theoretical_Notes
CWE Content Team MITRE 2009-12-28 +00:00 updated Relationships
CWE Content Team MITRE 2010-09-27 +00:00 updated Relationships
CWE Content Team MITRE 2011-03-29 +00:00 updated Relationships
CWE Content Team MITRE 2011-06-01 +00:00 updated Common_Consequences
CWE Content Team MITRE 2012-05-11 +00:00 updated Relationships
CWE Content Team MITRE 2013-02-21 +00:00 updated Relationships
CWE Content Team MITRE 2013-07-17 +00:00 updated Relationships
CWE Content Team MITRE 2014-06-23 +00:00 updated Relationships
CWE Content Team MITRE 2014-07-30 +00:00 updated Relationships
CWE Content Team MITRE 2015-12-07 +00:00 updated Relationships
CWE Content Team MITRE 2017-01-19 +00:00 updated Relationships
CWE Content Team MITRE 2017-11-08 +00:00 updated Modes_of_Introduction, Relationships, Relevant_Properties
CWE Content Team MITRE 2019-01-03 +00:00 updated Relationships
CWE Content Team MITRE 2019-06-20 +00:00 updated Relationships
CWE Content Team MITRE 2020-02-24 +00:00 updated Relationships
CWE Content Team MITRE 2020-06-25 +00:00 updated Relationships
CWE Content Team MITRE 2021-03-15 +00:00 updated Relationships
CWE Content Team MITRE 2021-10-28 +00:00 updated Relationships
CWE Content Team MITRE 2022-04-28 +00:00 updated Relationships
CWE Content Team MITRE 2022-10-13 +00:00 updated References
CWE Content Team MITRE 2023-04-27 +00:00 updated Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2025-04-03 +00:00 updated Common_Consequences, Relationships
CWE Content Team MITRE 2025-12-11 +00:00 updated Applicable_Platforms, Relationships, Weakness_Ordinalities
CWE Content Team MITRE 2026-04-30 +00:00 updated Mapping_Notes
Les informations affichées sur CVE Find proviennent de plusieurs sources de référence rigoureusement sélectionnées. Les données CVE sont fournies par MITRE Corporation et la National Vulnerability Database (NVD). Le catalogue des vulnérabilités activement exploitées (KEV) provient de la Cybersecurity and Infrastructure Security Agency (CISA), tandis que les scores EPSS sont issus de FIRST.org. Enfin, les données relatives aux faiblesses logicielles (CWE) et aux schémas d'attaque courants (CAPEC) sont maintenues par MITRE Corporation, et les informations sur les configurations logicielles et matérielles (CPE) proviennent du NVD.