CWE-921: Storage of Sensitive Data in a Mechanism without Access Control
Weakness ID: 921
Version: v4.17
Weakness Name: Storage of Sensitive Data in a Mechanism without Access Control
Vulnerability Mapping: Allowed
Abstraction: Base
Structure: Simple
Status: Incomplete
Likelihood of Exploit:
▼Description

The product stores sensitive information in a file system or device that does not have built-in access control.

▼Extended Description

While many modern file systems or devices utilize some form of access control in order to restrict access to data, not all storage mechanisms have this capability. For example, memory cards, floppy disks, CDs, and USB devices are typically made accessible to any user within the system. This can become a problem when sensitive data is stored in these mechanisms in a multi-user environment, because anybody on the system can read or write this data.

On Android devices, external storage is typically globally readable and writable by other applications on the device. External storage may also be easily accessible through the mobile device's USB connection or physically accessible through the device's memory card port.
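The Android case above, as an added example that is not code from the CWE entry or from the Android project: the weak pattern of writing a session token to shared external storage beside its hardened form on UID-protected internal storage, plus a guard that flags any path under the external storage root. SessionTokenStore and its method names are assumed for this example; the framework calls (Environment.getExternalStorageDirectory, Context.openFileOutput, Context.MODE_PRIVATE) are real Android APIs.

```java
import android.content.Context;
import android.os.Environment;

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

// Hypothetical helper written for this example; not part of any real app or library.
public class SessionTokenStore {
    private static final String FILE_NAME = "session_token.txt";

    // Weak form, the pattern CWE-921 describes: the shared external storage root has no
    // per-app access control, so any other app holding the storage permission, a USB host
    // in file-transfer mode, or whoever holds the removable card can read or overwrite it.
    public static File saveTokenToExternalStorage(String token) throws IOException {
        File root = Environment.getExternalStorageDirectory(); // deprecated since API 29
        File out = new File(root, FILE_NAME);
        try (FileOutputStream fos = new FileOutputStream(out)) {
            fos.write(token.getBytes(StandardCharsets.UTF_8));
        }
        return out;
    }

    // Hardened form: internal storage in the app's private data directory. MODE_PRIVATE
    // makes the file accessible only to this app's Linux UID (and root), so the platform
    // enforces access control instead of relying on the storage medium to provide it.
    public static File saveTokenToInternalStorage(Context ctx, String token) throws IOException {
        try (FileOutputStream fos = ctx.openFileOutput(FILE_NAME, Context.MODE_PRIVATE)) {
            fos.write(token.getBytes(StandardCharsets.UTF_8));
        }
        return new File(ctx.getFilesDir(), FILE_NAME);
    }

    // Guard for a debug-build assertion or a unit test: true if the target resolves to
    // anywhere below the external storage root. App-specific external directories
    // (Context.getExternalFilesDir) sit below that root too, so they are caught as well.
    public static boolean isUnderExternalStorage(File target) throws IOException {
        String path = target.getCanonicalPath();
        String externalRoot = Environment.getExternalStorageDirectory().getCanonicalPath();
        return path.equals(externalRoot) || path.startsWith(externalRoot + File.separator);
    }
}
```

Storing the token on internal storage removes the multi-user exposure the entry describes; it does not protect against a rooted device or a backup that includes the app's private directory, which are separate concerns.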

▼Alternate Terms
▼Relationships
Relevant to the view "Research Concepts - (1000)"

Nature    Mapping              Type    ID   Name
ChildOf   Allowed-with-Review  Class   922  Insecure Storage of Sensitive Information
▼Memberships

Nature    Mapping     Type      ID    Name
MemberOf  Prohibited  Category  199   Information Management Errors
MemberOf  Prohibited  Category  1011  Authorize Actors
MemberOf  Prohibited  Category  1396  Comprehensive Categorization: Access Control
▼Tags

Nature    Mapping     Type      ID        Name
MemberOf  Prohibited  BOSSView  BOSS-294  Not Language-Specific Weaknesses
MemberOf  Prohibited  BOSSView  BOSS-306  Mobile (technology class) Weaknesses
MemberOf  Prohibited  BOSSView  BOSS-318  Modify Application Data (impact)
MemberOf  Prohibited  BOSSView  BOSS-319  Read Files or Directories (impact)
MemberOf  Prohibited  BOSSView  BOSS-320  Modify Files or Directories (impact)
MemberOf  Prohibited  BOSSView  BOSS-328  Read Application Data (impact)
▼Relevant To View
Relevant to the view "Architectural Concepts - (1008)"

Nature    Mapping     Type      ID    Name
MemberOf  Prohibited  Category  1011  Authorize Actors

Relevant to the view "Software Development - (699)"

Nature    Mapping     Type      ID    Name
MemberOf  Prohibited  Category  199   Information Management Errors
▼Background Detail

▼Common Consequences

Scope: Confidentiality
Likelihood: N/A
Impact: Read Application Data, Read Files or Directories
Note: Attackers can read sensitive information by accessing the unrestricted storage mechanism.

Scope: Integrity
Likelihood: N/A
Impact: Modify Application Data, Modify Files or Directories
Note: Attackers can modify or delete sensitive information by accessing the unrestricted storage mechanism.

▼Potential Mitigations
▼Modes Of Introduction
Phase: Architecture and Design
Note: OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase.

▼Applicable Platforms
Languages
Class: Not Language-Specific (Undetermined Prevalence)
Technology
Class: Mobile (Undetermined Prevalence)
▼Demonstrative Examples
▼Observed Examples
Reference    Description
▼Affected Resources
▼Functional Areas
▼Weakness Ordinalities
Ordinality    Description
▼Detection Methods
▼Vulnerability Mapping Notes
Usage: Allowed
Reason: Acceptable-Use
Rationale:

This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.

Comments:

Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Suggestions:
▼Notes
▼Taxonomy Mappings
Taxonomy Name    Entry ID    Fit    Entry Name
▼Related Attack Patterns
ID    Name
▼References
Reference ID: REF-921
Title: Security Tips
Author: Android Open Source Project
Section:
Publication:
Publisher:
Edition:
URL: https://developer.android.com/training/articles/security-tips.html#StoringData
URL Date: 2023-04-07
Day: 16
Month: 07
Year: 2013