CWE-99 Detalhe

CWE-99

Improper Control of Resource Identifiers ('Resource Injection')
Alta
Draft
2006-07-19
00h00 +00:00
2025-12-11
00h00 +00:00
CWE Mitre.org
Notificações para um CWE
Fique informado sobre quaisquer alterações para um CWE específico.
Gerenciar notificações

Nome: Improper Control of Resource Identifiers ('Resource Injection')

The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.

Informações Gerais

Modos de Introdução

Architecture and Design
Implementation : REALIZATION: This weakness is caused during implementation of an architectural security tactic.

Plataformas Aplicáveis

Linguagem

Class: Not Language-Specific (Undetermined)

Consequências Comuns

Escopo Impacto Probabilidade
Confidentiality
Integrity		Read Application Data, Modify Application Data, Read Files or Directories, Modify Files or Directories

Note: An attacker could gain access to or modify sensitive data or system resources. This could allow access to protected files or directories including configuration files and files containing sensitive information.

Exemplos Observados

Referências Descrição

CVE-2013-4787

chain: mobile OS verifies cryptographic signature of file in an archive, but then installs a different file with the same name that is also listed in the archive.

Mitigações Potenciais

Phases : Implementation

Métodos de Detecção

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Eficácia : High

Notas de Mapeamento de Vulnerabilidade

Justificativa : This CWE entry is a Class and might have Base-level children that would be more appropriate
Comentário : Examine children of this entry to see if there is a better fit

Padrões de Ataque Relacionados

CAPEC-ID Nome do Padrão de Ataque
CAPEC-10 Buffer Overflow via Environment Variables
This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the adversary finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
CAPEC-240 Resource Injection
An adversary exploits weaknesses in input validation by manipulating resource identifiers enabling the unintended modification or specification of a resource.
CAPEC-75 Manipulating Writeable Configuration Files
Generally these are manually edited files that are not in the preview of the system administrators, any ability on the attackers' behalf to modify these files, for example in a CVS repository, gives unauthorized access directly to the application, the same as authorized users.

Notas

Resource injection that involves resources stored on the filesystem goes by the name path manipulation (CWE-73).
The relationship between CWE-99 and CWE-610 needs further investigation and clarification. They might be duplicates. CWE-99 "Resource Injection," as originally defined in Seven Pernicious Kingdoms taxonomy, emphasizes the "identifier used to access a system resource" such as a file name or port number, yet it explicitly states that the "resource injection" term does not apply to "path manipulation," which effectively identifies the path at which a resource can be found and could be considered to be one aspect of a resource identifier. Also, CWE-610 effectively covers any type of resource, whether that resource is at the system layer, the application layer, or the code layer.

Referências

REF-6

Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors
Katrina Tsipenyuk, Brian Chess, Gary McGraw.
https://samate.nist.gov/SSATTM_Content/papers/Seven%20Pernicious%20Kingdoms%20-%20Taxonomy%20of%20Sw%20Security%20Errors%20-%20Tsipenyuk%20-%20Chess%20-%20McGraw.pdf

REF-962

Automated Source Code Security Measure (ASCSM)
Object Management Group (OMG).
http://www.omg.org/spec/ASCSM/1.0/

Submissão

Nome Organização Data Data de lançamento Version
7 Pernicious Kingdoms 2006-07-19 +00:00 2006-07-19 +00:00 Draft 3

Modificações

Nome Organização Data Comentário
Eric Dalci Cigital 2008-07-01 +00:00 updated Time_of_Introduction
KDM Analytics 2008-08-01 +00:00 added/updated white box definitions
CWE Content Team MITRE 2008-09-08 +00:00 updated Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities
CWE Content Team MITRE 2009-05-27 +00:00 updated Description, Name
KDM Analytics 2009-07-17 +00:00 Improved the White_Box_Definition
CWE Content Team MITRE 2009-07-27 +00:00 updated White_Box_Definitions
CWE Content Team MITRE 2011-06-01 +00:00 updated Common_Consequences, Other_Notes
CWE Content Team MITRE 2012-05-11 +00:00 updated Common_Consequences, Relationships
CWE Content Team MITRE 2012-10-30 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2013-02-21 +00:00 updated Alternate_Terms, Maintenance_Notes, Other_Notes, Relationships
CWE Content Team MITRE 2013-07-17 +00:00 updated Relationships
CWE Content Team MITRE 2014-06-23 +00:00 updated Alternate_Terms, Description, Relationship_Notes, Relationships
CWE Content Team MITRE 2014-07-30 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2015-12-07 +00:00 updated Relationships
CWE Content Team MITRE 2017-01-19 +00:00 updated Relationships
CWE Content Team MITRE 2017-05-03 +00:00 updated Related_Attack_Patterns, Relationships
CWE Content Team MITRE 2017-11-08 +00:00 updated Applicable_Platforms, Causal_Nature, Modes_of_Introduction, Relationships, White_Box_Definitions
CWE Content Team MITRE 2019-01-03 +00:00 updated References, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2019-06-20 +00:00 updated Relationships
CWE Content Team MITRE 2020-02-24 +00:00 updated Other_Notes, Potential_Mitigations, References, Relationships, Type
CWE Content Team MITRE 2020-08-20 +00:00 updated Relationships
CWE Content Team MITRE 2020-12-10 +00:00 updated Relationships
CWE Content Team MITRE 2021-10-28 +00:00 updated Relationships
CWE Content Team MITRE 2023-01-31 +00:00 updated Description
CWE Content Team MITRE 2023-04-27 +00:00 updated Detection_Factors, Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2023-10-26 +00:00 updated Observed_Examples
CWE Content Team MITRE 2025-12-11 +00:00 updated Relationships
As informações apresentadas no CVE Find originam-se de várias fontes de referência cuidadosamente selecionadas. Os dados CVE são fornecidos pela MITRE Corporation e pelo National Vulnerability Database (NVD). O catálogo de Vulnerabilidades Conhecidas Exploradas (KEV) é proveniente da Cybersecurity and Infrastructure Security Agency (CISA), enquanto as pontuações EPSS vêm do FIRST.org. Além disso, os dados sobre fraquezas de software (CWE) e padrões de ataque comuns (CAPEC) são mantidos pela MITRE Corporation, e as informações sobre configurações de hardware e software (CPE) são fornecidas pelo NVD.