The product assigns an owner to a resource, but the owner is outside of the intended control sphere.
This may allow the resource to be manipulated by actors outside of the intended control sphere.
| Nature | Mapping | Type | ID | Name |
|---|---|---|---|---|
| CanAlsoBe | Discouraged | C | 345 | Insufficient Verification of Data Authenticity |
| ChildOf | Allowed-with-Review | C | 282 | Improper Ownership Management |
| Nature | Mapping | Type | ID | Name |
|---|---|---|---|---|
| MemberOf | Prohibited | C | 723 | OWASP Top Ten 2004 Category A2 - Broken Access Control |
| MemberOf | Prohibited | C | 840 | Business Logic Errors |
| MemberOf | Prohibited | V | 884 | CWE Cross-section |
| MemberOf | Prohibited | C | 944 | SFP Secondary Cluster: Access Management |
| MemberOf | Prohibited | C | 1011 | Authorize Actors |
| MemberOf | Prohibited | C | 1396 | Comprehensive Categorization: Access Control |
| Nature | Mapping | Type | ID | Name |
|---|---|---|---|---|
| MemberOf | Prohibited | BS | BOSS-294 | Not Language-Specific Weaknesses |
| MemberOf | Prohibited | BS | BOSS-318 | Modify Application Data (impact) |
| MemberOf | Prohibited | BS | BOSS-328 | Read Application Data (impact) |
| Nature | Mapping | Type | ID | Name |
|---|---|---|---|---|
| MemberOf | Prohibited | C | 1011 | Authorize Actors |
| Nature | Mapping | Type | ID | Name |
|---|---|---|---|---|
| MemberOf | Prohibited | C | 840 | Business Logic Errors |
| Nature | Mapping | Type | ID | Name |
|---|---|---|---|---|
| MemberOf | Prohibited | C | 944 | SFP Secondary Cluster: Access Management |
| Scope | Likelihood | Impact | Note |
|---|---|---|---|
| ConfidentialityIntegrity | N/A | Read Application DataModify Application Data | An attacker could read and modify data for which they do not have permissions to access directly. |
An attacker could read and modify data for which they do not have permissions to access directly.
Periodically review the privileges and their owners.
Use automated tools to check for privilege settings.
N/A
REALIZATION: This weakness is caused during implementation of an architectural security tactic.
N/A
| Reference | Description |
|---|---|
| CVE-2007-5101 | File system sets wrong ownership and group when creating a new file. |
| CVE-2007-4238 | OS installs program with bin owner/group, allowing modification. |
| CVE-2007-1716 | Manager does not properly restore ownership of a reusable resource when a user logs out, allowing privilege escalation. |
| CVE-2005-3148 | Backup software restores symbolic links with incorrect uid/gid. |
| CVE-2005-1064 | Product changes the ownership of files that a symlink points to, instead of the symlink itself. |
| CVE-2011-1551 | Component assigns ownership of sensitive directory tree to a user account, which can be leveraged to perform privileged operations. |
| Ordinality | Description |
|---|
This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
This overlaps verification errors, permissions, and privileges.
A closely related weakness is the incorrect assignment of groups to a resource. It is not clear whether it would fall under this entry or require a different entry.
N/A
| Taxonomy Name | Entry ID | Fit | Entry Name |
|---|
| ID | Name |
|---|