Incorrect Ownership Assignment| ID: 708 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: INCOMPLETE |
| Abstraction Type: Base |
Description
The software assigns an owner to a resource, but the owner is
outside of the intended control sphere.
Extended DescriptionThis may allow the resource to be manipulated by actors outside of the
intended control sphere.
Applicable PlatformsLanguage Class: All
Time Of Introduction
- Architecture and Design
- Implementation
- Operation
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| ConfidentialityIntegrity | Read application
dataModify application
data | An attacker could read and modify data for which they do not have
permissions to access directly. |
Detection MethodsNone
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|
| Policy | | Periodically review the privileges and their owners. | | |
| Testing | | Use automated tools to check for privilege settings. | | |
Relationships
| Related CWE | Type | View | Chain |
|---|
| CWE-708 ChildOf CWE-899 | Category | CWE-888 | |
Demonstrative ExamplesNone
Observed Examples
- CVE-2007-5101 : File system sets wrong ownership and group when creating a new file.
- CVE-2007-4238 : OS installs program with bin owner/group, allowing modification.
- CVE-2007-1716 : Manager does not properly restore ownership of a reusable resource when a user logs out, allowing privilege escalation.
- CVE-2005-3148 : Backup software restores symbolic links with incorrect uid/gid.
- CVE-2005-1064 : Product changes the ownership of files that a symlink points to, instead of the symlink itself.
- CVE-2011-1551 : Component assigns ownership of sensitive directory tree to a user account, which can be leveraged to perform privileged operations.
For more examples, refer to CVE relations in the bottom box.
White Box Definitions None
Black Box Definitions None
Taxynomy MappingsNone
References:None
