CWE
Home > CWE List > CWE- Individual Dictionary Definition (1.1)  
Search by ID:

CWE-669: Incorrect Resource Transfer Between Spheres

Individual Definition in a New Window
Incorrect Resource Transfer Between Spheres
Status: Draft
Weakness ID: 669 (Weakness Class)
Description
Summary

The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.

Relevant Properties
* Accessibility
Other Notes

A "control sphere" is a set of resources and behaviors that are accessible to a single actor, or a group of actors. A product's security model will typically define multiple spheres, possibly implicitly. For example, a server might define one sphere for "administrators" who can create new user accounts with subdirectories under /home/server/, and a second sphere might cover the set of users who can create or delete files within their own subdirectories. A third sphere might be "users who are authenticated to the operating system on which the product is installed." Each sphere has different sets of actors and allowable behaviors.

Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness ClassWeakness Class664Insufficient Control of a Resource Through its Lifetime
Research Concepts (primary)1000
ChildOfCategoryCategory361Time and State
Development Concepts (primary)699
ParentOfWeakness VariantWeakness VariantWeakness Variant243Failure to Change Working Directory in chroot Jail
Research Concepts (primary)1000
CanFollowWeakness VariantWeakness VariantWeakness Variant244Failure to Clear Heap Memory Before Release (aka 'Heap Inspection')
Research Concepts1000
ParentOfWeakness VariantWeakness VariantWeakness Variant494Download of Untrusted Mobile Code Without Integrity Check
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness BaseWeakness Base602Design Principle Violation: Client-Side Enforcement of Server-Side Security
Research Concepts (primary)1000
ParentOfCompound Element: CompositeCompound Element: Composite434Unrestricted File Upload
Research Concepts (primary)1000
Time of Introduction
* Architecture and Design
* Implementation
* Operation
Content History
Modifications
Eric Dalci. Cigital. 2008-07-01. (External)
updated Time_of_Introduction
CWE Content Team. MITRE. 2008-09-08. (Internal)
updated Relationships, Other_Notes
CWE Content Team. MITRE. 2008-10-14. (Internal)
updated Relationships
Page Last Updated: November 24, 2008