CWE - CWE-668: Exposure of Resource to Wrong Sphere (Draft 9)

Home > CWE List > CWE-668 Individual Dictionary Definition (Draft 9)

CWE List
Full Dictionary View
Classification Tree
Reports

About
Sources
Process
Documents

Community
Related Activities
Discussion List
Research

News
Calendar
Free Newsletter

Compatibility
Program
Requirements
Declarations
Make a Declaration

Contact Us
Search the Site

Section Contents
CWE List
Full Dictionary View
Classification Tree
Reports
Other Items of Interest
Sources

Key
- Weakness
- Base
- Variant
- Class
- Chain
- Composite
- Category
- View
- Deprecated

CWE-668 Individual Dictionary Definition (Draft 9)

Weakness ID

Status: Draft

668 (Weakness Class)

Description

Summary

The product exposes a resource to the wrong sphere, in ways that are not related to incorrectly specified permissions.

Context Notes

A "control sphere" is a set of resources and behaviors that are accessible to a single actor, or a group of actors. A product's security model will typically define multiple spheres, possibly implicitly. For example, a server might define one sphere for "administrators" who can create new user accounts with subdirectories under /home/server/, and a second sphere might cover the set of users who can create or delete files within their own subdirectories. A third sphere might be "users who are authenticated to the operating system on which the product is installed." Each sphere has different sets of actors and allowable behaviors.

Relationships

Nature	Type	ID	Name
ChildOf	Category	361	Time and State
ParentOf	Weakness Base	281	Permission Preservation Failure
ParentOf	Weakness Class	359	Privacy Violation
ParentOf	Weakness Base	374	Mutable Objects Passed by Reference
ParentOf	Weakness Base	375	Passing Mutable Objects to an Untrusted Method
ParentOf	Weakness Base	379	Creation of Temporary File in Directory with Insecure Permissions
ParentOf	Weakness Class	402	Transmission of Private Resources into a New Sphere (aka 'Resource Leak')
ParentOf	Weakness Base	419	Unprotected Primary Channel
ParentOf	Weakness Base	420	Unprotected Alternate Channel
ParentOf	Weakness Variant	492	Use of Inner Class Containing Sensitive Data
ParentOf	Weakness Variant	493	Critical Public Variable Without Final Modifier
ParentOf	Weakness Base	522	Insufficiently Protected Credentials
ParentOf	Weakness Variant	549	Missing Password Field Masking
ParentOf	Weakness Base	552	Files or Directories Accessible to External Parties
ParentOf	Weakness Base	565	Use of Cookies in Security Decision
ParentOf	Weakness Variant	583	finalize() Method Declared Public
ParentOf	Weakness Variant	612	Information Leak Through Indexing of Private Data
ParentOf	Weakness Base	642	External Control of User State Data
ParentOf	Weakness Variant	8	J2EE Misconfiguration: Entity Bean Declared Remote
IsRequiredBy	Compound Element: Composite	689	Permission Race Condition During Resource Copy

Page Last Updated: April 22, 2008


	CWE is sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. This Web site is hosted by The MITRE Corporation. Copyright 2008, The MITRE Corporation. CWE and the CWE logo are trademarks of The MITRE Corporation. Contact cwe@mitre.org for more information.	Privacy policy Terms of use Contact us