CWE

Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > CWE List > CWE- Individual Dictionary Definition (2.10)  
ID

CWE-669: Incorrect Resource Transfer Between Spheres

Weakness ID: 669
Abstraction: Class
Status: Draft
Presentation Filter:
+ Description

Description Summary

The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.
+ Time of Introduction
  • Architecture and Design
  • Implementation
  • Operation
+ Common Consequences
ScopeEffect
Confidentiality
Integrity

Technical Impact: Read application data; Modify application data; Unexpected state

+ Background Details

A "control sphere" is a set of resources and behaviors that are accessible to a single actor, or a group of actors. A product's security model will typically define multiple spheres, possibly implicitly. For example, a server might define one sphere for "administrators" who can create new user accounts with subdirectories under /home/server/, and a second sphere might cover the set of users who can create or delete files within their own subdirectories. A third sphere might be "users who are authenticated to the operating system on which the product is installed." Each sphere has different sets of actors and allowable behaviors.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfCategoryCategory361Time and State
Development Concepts (primary)699
Weaknesses for Simplified Mapping of Published Vulnerabilities (primary)1003
ChildOfWeakness ClassWeakness Class664Improper Control of a Resource Through its Lifetime
Research Concepts (primary)1000
ChildOfCategoryCategory963SFP Secondary Cluster: Exposed Data
Software Fault Pattern (SFP) Clusters (primary)888
ParentOfWeakness BaseWeakness Base212Improper Cross-boundary Removal of Sensitive Data
Research Concepts1000
ParentOfWeakness VariantWeakness Variant243Creation of chroot Jail Without Changing Working Directory
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness Base434Unrestricted Upload of File with Dangerous Type
Research Concepts (primary)1000
Weaknesses for Simplified Mapping of Published Vulnerabilities (primary)1003
ParentOfWeakness BaseWeakness Base494Download of Code Without Integrity Check
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness Base602Client-Side Enforcement of Server-Side Security
Research Concepts (primary)1000
ParentOfWeakness ClassWeakness Class829Inclusion of Functionality from Untrusted Control Sphere
Development Concepts (primary)699
Research Concepts (primary)1000
CanFollowWeakness VariantWeakness Variant244Improper Clearing of Heap Memory Before Release ('Heap Inspection')
Research Concepts1000
+ Relevant Properties
  • Accessibility
+ Content History
Modifications
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time_of_Introduction
2008-09-08CWE Content TeamMITREInternal
updated Relationships, Other_Notes
2008-10-14CWE Content TeamMITREInternal
updated Relationships
2009-10-29CWE Content TeamMITREInternal
updated Background_Details, Other_Notes
2010-02-16CWE Content TeamMITREInternal
updated Relationships
2010-12-13CWE Content TeamMITREInternal
updated Relationships
2011-06-01CWE Content TeamMITREInternal
updated Common_Consequences
2011-06-27CWE Content TeamMITREInternal
updated Common_Consequences
2012-05-11CWE Content TeamMITREInternal
updated Relationships
2014-07-30CWE Content TeamMITREInternal
updated Relationships
2015-12-07CWE Content TeamMITREInternal
updated Relationships

More information is available — Please select a different filter.
Page Last Updated: January 18, 2017