CWE-708
Incorrect Ownership Assignment
Incomplete
2008-09-09
00h00 +00:00
00h00 +00:00
2025-12-11
00h00 +00:00
00h00 +00:00
Notifiche per un CWE specifico
Rimani informato su qualsiasi modifica relativa a un CWE specifico.
Nome: Incorrect Ownership Assignment
The product assigns an owner to a resource, but the owner is outside of the intended control sphere.
CWE Description
This may allow the resource to be manipulated by actors outside of the intended control sphere.
General Informations
Modes Of Introduction
Architecture and DesignImplementation : REALIZATION: This weakness is caused during implementation of an architectural security tactic.
Operation
Piattaforme applicabili
Linguaggio
Class: Not Language-Specific (Undetermined)Conseguenze comuni
| Ambito | Impatto | Probabilità |
|---|---|---|
| Confidentiality Integrity | Read Application Data, Modify Application Data Note: An attacker could read and modify data for which they do not have permissions to access directly. |
Esempi osservati
| Riferimenti | Descrizione |
|---|---|
CVE-2024-43199 | product installs binaries with potentially insecure user/group ownership |
CVE-2007-5101 | File system sets wrong ownership and group when creating a new file. |
CVE-2007-4238 | OS installs program with bin owner/group, allowing modification. |
CVE-2007-1716 | Manager does not properly restore ownership of a reusable resource when a user logs out, allowing privilege escalation. |
CVE-2005-3148 | Backup software restores symbolic links with incorrect uid/gid. |
CVE-2005-1064 | Product changes the ownership of files that a symlink points to, instead of the symlink itself. |
CVE-2011-1551 | Component assigns ownership of sensitive directory tree to a user account, which can be leveraged to perform privileged operations. |
Potential Mitigations
Phases : PolicyPeriodically review the privileges and their owners.
Detection Methods
Automated Analysis
Use automated tools to check for privilege settings.Note sulla mappatura delle vulnerabilità
Giustificazione : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.Commento : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
Note
Invio
| Nome | Organizzazione | Data | Data di rilascio | Version |
|---|---|---|---|---|
| CWE Content Team | MITRE | 1.0 |
Modifiche
| Nome | Organizzazione | Data | Commento |
|---|---|---|---|
| Eric Dalci | Cigital | updated Potential_Mitigations, Time_of_Introduction | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Description | |
| CWE Content Team | MITRE | updated Common_Consequences, Maintenance_Notes, Other_Notes | |
| CWE Content Team | MITRE | updated Common_Consequences, Relationships | |
| CWE Content Team | MITRE | updated Observed_Examples, Potential_Mitigations | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Applicable_Platforms, Modes_of_Introduction, Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Description | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Mapping_Notes | |
| CWE Content Team | MITRE | updated Detection_Factors, Observed_Examples, Potential_Mitigations, Weakness_Ordinalities |
