CWE-708
Incorrect Ownership Assignment
Incomplete
2008-09-09
00h00 +00:00
00h00 +00:00
2025-12-11
00h00 +00:00
00h00 +00:00
Powiadomienia dla konkretnego CWE
Bądź na bieżąco z wszelkimi zmianami dotyczącymi konkretnego CWE.
Nazwa: Incorrect Ownership Assignment
The product assigns an owner to a resource, but the owner is outside of the intended control sphere.
Opis CWE
This may allow the resource to be manipulated by actors outside of the intended control sphere.
Informacje ogólne
Sposoby wprowadzenia
Architecture and DesignImplementation : REALIZATION: This weakness is caused during implementation of an architectural security tactic.
Operation
Odpowiednie platformy
Język
Class: Not Language-Specific (Undetermined)Typowe konsekwencje
| Zakres | Wpływ | Prawdopodobieństwo |
|---|---|---|
| Confidentiality Integrity | Read Application Data, Modify Application Data Note: An attacker could read and modify data for which they do not have permissions to access directly. |
Zaobserwowane przykłady
| Odniesienia | Opis |
|---|---|
CVE-2024-43199 | product installs binaries with potentially insecure user/group ownership |
CVE-2007-5101 | File system sets wrong ownership and group when creating a new file. |
CVE-2007-4238 | OS installs program with bin owner/group, allowing modification. |
CVE-2007-1716 | Manager does not properly restore ownership of a reusable resource when a user logs out, allowing privilege escalation. |
CVE-2005-3148 | Backup software restores symbolic links with incorrect uid/gid. |
CVE-2005-1064 | Product changes the ownership of files that a symlink points to, instead of the symlink itself. |
CVE-2011-1551 | Component assigns ownership of sensitive directory tree to a user account, which can be leveraged to perform privileged operations. |
Potencjalne środki zaradcze
Phases : PolicyPeriodically review the privileges and their owners.
Metody wykrywania
Automated Analysis
Use automated tools to check for privilege settings.Uwagi dotyczące mapowania podatności
Uzasadnienie : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.Komentarz : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
Notatki
Zgłoszenie
| Nazwa | Organizacja | Data | Data wydania | Version |
|---|---|---|---|---|
| CWE Content Team | MITRE | 1.0 |
Modyfikacje
| Nazwa | Organizacja | Data | Komentarz |
|---|---|---|---|
| Eric Dalci | Cigital | updated Potential_Mitigations, Time_of_Introduction | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Description | |
| CWE Content Team | MITRE | updated Common_Consequences, Maintenance_Notes, Other_Notes | |
| CWE Content Team | MITRE | updated Common_Consequences, Relationships | |
| CWE Content Team | MITRE | updated Observed_Examples, Potential_Mitigations | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Applicable_Platforms, Modes_of_Introduction, Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Description | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Mapping_Notes | |
| CWE Content Team | MITRE | updated Detection_Factors, Observed_Examples, Potential_Mitigations, Weakness_Ordinalities |
