Détail du CWE-921

CWE-921

Storage of Sensitive Data in a Mechanism without Access Control
Incomplete
2013-07-17
00h00 +00:00
2023-06-29
00h00 +00:00
CWE Mitre.org
Notifications pour un CWE
Restez informé de toutes modifications pour un CWE spécifique.
Gestion des notifications

Nom: Storage of Sensitive Data in a Mechanism without Access Control

The product stores sensitive information in a file system or device that does not have built-in access control.

Description du CWE

While many modern file systems or devices utilize some form of access control in order to restrict access to data, not all storage mechanisms have this capability. For example, memory cards, floppy disks, CDs, and USB devices are typically made accessible to any user within the system. This can become a problem when sensitive data is stored in these mechanisms in a multi-user environment, because anybody on the system can read or write this data.

On Android devices, external storage is typically globally readable and writable by other applications on the device. External storage may also be easily accessible through the mobile device's USB connection or physically accessible through the device's memory card port.

Informations générales

Modes d'introduction

Architecture and Design : OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase.

Plateformes applicables

Langue

Class: Not Language-Specific (Undetermined)

Technologies

Class: Mobile (Undetermined)

Conséquences courantes

Portée Impact Probabilité
ConfidentialityRead Application Data, Read Files or Directories

Note: Attackers can read sensitive information by accessing the unrestricted storage mechanism.
IntegrityModify Application Data, Modify Files or Directories

Note: Attackers can modify or delete sensitive information by accessing the unrestricted storage mechanism.

Notes de cartographie des vulnérabilités

Justification : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Commentaire : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Références

REF-921

Security Tips
Android Open Source Project.
https://developer.android.com/training/articles/security-tips.html#StoringData

Soumission

Nom Organisation Date Date de publication Version
CWE Content Team MITRE 2013-06-22 +00:00 2013-07-17 +00:00 2.5

Modifications

Nom Organisation Date Commentaire
CWE Content Team MITRE 2017-11-08 +00:00 updated Modes_of_Introduction, References, Relationships
CWE Content Team MITRE 2020-02-24 +00:00 updated Applicable_Platforms, Relationships
CWE Content Team MITRE 2023-01-31 +00:00 updated Description
CWE Content Team MITRE 2023-04-27 +00:00 updated References, Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
Les informations affichées sur CVE Find proviennent de plusieurs sources de référence rigoureusement sélectionnées. Les données CVE sont fournies par MITRE Corporation et la National Vulnerability Database (NVD). Le catalogue des vulnérabilités activement exploitées (KEV) provient de la Cybersecurity and Infrastructure Security Agency (CISA), tandis que les scores EPSS sont issus de FIRST.org. Enfin, les données relatives aux faiblesses logicielles (CWE) et aux schémas d'attaque courants (CAPEC) sont maintenues par MITRE Corporation, et les informations sur les configurations logicielles et matérielles (CPE) proviennent du NVD.