CWE-708
Incorrect Ownership Assignment
Incomplete
2008-09-09
00h00 +00:00
00h00 +00:00
2025-12-11
00h00 +00:00
00h00 +00:00
Meldingen voor een CWE
Blijf op de hoogte van wijzigingen voor een specifieke CWE.
Naam: Incorrect Ownership Assignment
The product assigns an owner to a resource, but the owner is outside of the intended control sphere.
CWE-beschrijving
This may allow the resource to be manipulated by actors outside of the intended control sphere.
Algemene informatie
Introductiemodi
Architecture and DesignImplementation : REALIZATION: This weakness is caused during implementation of an architectural security tactic.
Operation
Toepasselijke platforms
Taal
Class: Not Language-Specific (Undetermined)Veelvoorkomende gevolgen
| Bereik | Impact | Waarschijnlijkheid |
|---|---|---|
| Confidentiality Integrity | Read Application Data, Modify Application Data Note: An attacker could read and modify data for which they do not have permissions to access directly. |
Waargenomen voorbeelden
| Referenties | Beschrijving |
|---|---|
CVE-2024-43199 | product installs binaries with potentially insecure user/group ownership |
CVE-2007-5101 | File system sets wrong ownership and group when creating a new file. |
CVE-2007-4238 | OS installs program with bin owner/group, allowing modification. |
CVE-2007-1716 | Manager does not properly restore ownership of a reusable resource when a user logs out, allowing privilege escalation. |
CVE-2005-3148 | Backup software restores symbolic links with incorrect uid/gid. |
CVE-2005-1064 | Product changes the ownership of files that a symlink points to, instead of the symlink itself. |
CVE-2011-1551 | Component assigns ownership of sensitive directory tree to a user account, which can be leveraged to perform privileged operations. |
Mogelijke risicobeperkingen
Phases : PolicyPeriodically review the privileges and their owners.
Detectiemethoden
Automated Analysis
Use automated tools to check for privilege settings.Notities kwetsbaarheidsmapping
Rechtvaardiging : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.Opmerking : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
Notities
Indiening
| Naam | Organisatie | Datum | Releasedatum | Version |
|---|---|---|---|---|
| CWE Content Team | MITRE | 1.0 |
Wijzigingen
| Naam | Organisatie | Datum | Opmerking |
|---|---|---|---|
| Eric Dalci | Cigital | updated Potential_Mitigations, Time_of_Introduction | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Description | |
| CWE Content Team | MITRE | updated Common_Consequences, Maintenance_Notes, Other_Notes | |
| CWE Content Team | MITRE | updated Common_Consequences, Relationships | |
| CWE Content Team | MITRE | updated Observed_Examples, Potential_Mitigations | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Applicable_Platforms, Modes_of_Introduction, Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Description | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Mapping_Notes | |
| CWE Content Team | MITRE | updated Detection_Factors, Observed_Examples, Potential_Mitigations, Weakness_Ordinalities |
