CWE-620
Meldingen voor een CWE
Blijf op de hoogte van wijzigingen voor een specifieke CWE.
Naam: Unverified Password Change
When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.
CWE-beschrijving
This could be used by an attacker to change passwords for another user, thus gaining the privileges associated with that user.
Algemene informatie
Introductiemodi
Architecture and DesignImplementation : REALIZATION: This weakness is caused during implementation of an architectural security tactic.
Toepasselijke platforms
Taal
Class: Not Language-Specific (Undetermined)Technologieën
Class: Not Technology-Specific (Undetermined)Veelvoorkomende gevolgen
| Bereik | Impact | Waarschijnlijkheid |
|---|---|---|
| Access Control | Bypass Protection Mechanism, Gain Privileges or Assume Identity |
Waargenomen voorbeelden
| Referenties | Beschrijving |
|---|---|
CVE-2007-0681 | Web app allows remote attackers to change the passwords of arbitrary users without providing the original password, and possibly perform other unauthorized actions. |
CVE-2000-0944 | Web application password change utility doesn't check the original password. |
Mogelijke risicobeperkingen
Phases : Architecture and DesignWhen prompting for a password change, force the user to provide the original password in addition to the new password.
Phases : Architecture and Design
Do not use "forgotten password" functionality. But if you must, ensure that you are only providing information to the actual user, e.g. by using an email address or challenge question that the legitimate user already provided in the past; do not allow the current user to change this identity information until the correct password has been provided.
Notities kwetsbaarheidsmapping
Rechtvaardiging : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.Opmerking : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
Referenties
REF-44
24 Deadly Sins of Software SecurityMichael Howard, David LeBlanc, John Viega.
Indiening
| Naam | Organisatie | Datum | Releasedatum | Version |
|---|---|---|---|---|
| CWE Content Team | MITRE | Draft 6 |
Wijzigingen
| Naam | Organisatie | Datum | Opmerking |
|---|---|---|---|
| Eric Dalci | Cigital | updated Time_of_Introduction | |
| Veracode | Suggested OWASP Top Ten 2004 mapping | ||
| CWE Content Team | MITRE | updated Description, Relationships, Observed_Example, Other_Notes, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Observed_Examples | |
| CWE Content Team | MITRE | updated Demonstrative_Examples | |
| CWE Content Team | MITRE | updated Other_Notes, Weakness_Ordinalities | |
| CWE Content Team | MITRE | updated Common_Consequences | |
| CWE Content Team | MITRE | updated Demonstrative_Examples, Observed_Examples, References, Relationships | |
| CWE Content Team | MITRE | updated Potential_Mitigations | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Applicable_Platforms, Modes_of_Introduction, Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships, Type | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Mapping_Notes | |
| CWE Content Team | MITRE | updated Applicable_Platforms, Relationships |
