CWE-638
Meldingen voor een CWE
Blijf op de hoogte van wijzigingen voor een specifieke CWE.
Naam: Not Using Complete Mediation
The product does not perform access checks on a resource every time the resource is accessed by an entity, which can create resultant weaknesses if that entity's rights or privileges change over time.
Algemene informatie
Introductiemodi
ImplementationOperation
Toepasselijke platforms
Taal
Class: Not Language-Specific (Undetermined)Veelvoorkomende gevolgen
| Bereik | Impact | Waarschijnlijkheid |
|---|---|---|
| Integrity Confidentiality Availability Access Control Other | Gain Privileges or Assume Identity, Execute Unauthorized Code or Commands, Bypass Protection Mechanism, Read Application Data, Other Note: A user might retain access to a critical resource even after privileges have been revoked, possibly allowing access to privileged functionality or sensitive information, depending on the role of the resource. |
Waargenomen voorbeelden
| Referenties | Beschrijving |
|---|---|
CVE-2007-0408 | Server does not properly validate client certificates when reusing cached connections. |
Mogelijke risicobeperkingen
Phases : Architecture and DesignInvalidate cached privileges, file handles or descriptors, or other access credentials whenever identities, processes, policies, roles, capabilities or permissions change. Perform complete authentication checks before accepting, caching and reusing data, dynamic content and code (scripts). Avoid caching access control decisions as much as possible.
Phases : Architecture and Design
Identify all possible code paths that might access sensitive resources. If possible, create and use a single interface that performs the access checks, and develop code standards that require use of this interface.
Notities kwetsbaarheidsmapping
Rechtvaardiging : This CWE entry is a Class and might have Base-level children that would be more appropriateOpmerking : Examine children of this entry to see if there is a better fit
Gerelateerde aanvalspatronen
| CAPEC-ID | Naam aanvalspatroon |
|---|---|
| CAPEC-104 | Cross Zone Scripting
An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. |
Referenties
REF-196
The Protection of Information in Computer SystemsJerome H. Saltzer, Michael D. Schroeder.
http://web.mit.edu/Saltzer/www/publications/protection/
REF-526
Complete MediationSean Barnum, Michael Gegick.
https://web.archive.org/web/20221006191503/https://www.cisa.gov/uscert/bsi/articles/knowledge/principles/complete-mediation
Indiening
| Naam | Organisatie | Datum | Releasedatum | Version |
|---|---|---|---|---|
| Pascal Meunier | Purdue University | Draft 8 |
Wijzigingen
| Naam | Organisatie | Datum | Opmerking |
|---|---|---|---|
| Eric Dalci | Cigital | updated Time_of_Introduction | |
| CWE Content Team | MITRE | updated Common_Consequences, Relationships, Observed_Example, Weakness_Ordinalities | |
| CWE Content Team | MITRE | updated Description, Name | |
| CWE Content Team | MITRE | updated Related_Attack_Patterns | |
| CWE Content Team | MITRE | updated Name | |
| CWE Content Team | MITRE | updated Common_Consequences, Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Potential_Mitigations | |
| CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Applicable_Platforms, Causal_Nature | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated References | |
| CWE Content Team | MITRE | updated Description, Relationships | |
| CWE Content Team | MITRE | updated References, Relationships, Time_of_Introduction | |
| CWE Content Team | MITRE | updated Mapping_Notes | |
| CWE Content Team | MITRE | updated Demonstrative_Examples |
