CWE

Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > CWE List > CWE- Individual Dictionary Definition (2.10)  
ID

CWE-282: Improper Ownership Management

Weakness ID: 282
Abstraction: Class
Status: Draft
Presentation Filter:
+ Description

Description Summary

The software assigns the wrong ownership, or does not properly verify the ownership, of an object or resource.
+ Time of Introduction
  • Architecture and Design
+ Applicable Platforms

Languages

All

+ Common Consequences
ScopeEffect
Access Control

Technical Impact: Gain privileges / assume identity

+ Observed Examples
ReferenceDescription
Program runs setuid root but relies on a configuration file owned by a non-root user.
+ Potential Mitigations

Phases: Architecture and Design; Operation

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfCategoryCategory264Permissions, Privileges, and Access Controls
Development Concepts (primary)699
ChildOfWeakness ClassWeakness Class284Improper Access Control
Research Concepts (primary)1000
ChildOfCategoryCategory632Weaknesses that Affect Files or Directories
Resource-specific Weaknesses (primary)631
ChildOfCategoryCategory840Business Logic Errors
Development Concepts699
ChildOfCategoryCategory944SFP Secondary Cluster: Access Management
Software Fault Pattern (SFP) Clusters (primary)888
ParentOfWeakness BaseWeakness Base283Unverified Ownership
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness Base708Incorrect Ownership Assignment
Development Concepts (primary)699
Research Concepts (primary)1000
+ Affected Resources
  • File/Directory
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVEROwnership errors
+ Maintenance Notes

The relationships between privileges, permissions, and actors (e.g. users and groups) need further refinement within the Research view. One complication is that these concepts apply to two different pillars, related to control of resources (CWE-664) and protection mechanism failures (CWE-396).

+ Content History
Submissions
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time_of_Introduction
2008-09-08CWE Content TeamMITREInternal
updated Maintenance_Notes, Relationships, Taxonomy_Mappings
2009-12-28CWE Content TeamMITREInternal
updated Potential_Mitigations
2010-06-21CWE Content TeamMITREInternal
updated Potential_Mitigations
2011-03-29CWE Content TeamMITREInternal
updated Relationships
2011-06-01CWE Content TeamMITREInternal
updated Common_Consequences
2012-05-11CWE Content TeamMITREInternal
updated Relationships
2014-07-30CWE Content TeamMITREInternal
updated Relationships
Previous Entry Names
Change DatePrevious Entry Name
2008-04-11Ownership Issues

More information is available — Please select a different filter.
Page Last Updated: January 18, 2017