Status: Draft
Compound Element ID: 689 (Compound Element Base: Composite)

Description Summary

The product, while copying or cloning a resource, does not set the resource's permissions or access control until the copy is complete, leaving the resource exposed to other spheres while the copy is taking place.

Weakness Ordinalities

Primary (where the weakness exists independent of other weaknesses)

Observed Examples

Other Notes

This is a general issue, although few subtypes are currently known. The most common examples occur in file archive extraction, in which the product begins the extraction with insecure default permissions, then only sets the final permissions (as specified in the archive) once the copy is complete. The larger the archive, the larger the timing window for the race condition. This weakness has also occurred in some operating system utilities that perform copies of deeply nested directories containing a large number of files.

Research Gaps

Under-studied. It seems likely that this weakness could occur in any situation in which a complex or large copy operation occurs, when the resource can be made available to other spheres as soon as it is created, but before its initialization is complete.

Relationships

Applicable Platforms

Languages
C
Perl

Time of Introduction

Implementation

Content History

Modifications
CWE Content Team. MITRE. 2008-09-08. (Internal) updated Applicable_Platforms, Relationships, Other_Notes, Weakness_Ordinalities
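
The copy pattern described under Other Notes, as an added C example that is not part of the CWE entry: the hypothetical helper `copy_with_modes` creates the destination with a caller-chosen mode, records the permission bits in effect during the copy, and applies the final mode with `fchmod` only at the end. Passing 0666 as `create_mode` reproduces the weak pattern; 0600 keeps the file owner-only for the whole window. The modes and paths used in `main` are assumptions.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Copy src to dst. dst carries create_mode while data is written; final_mode is
 * applied once the copy completes. *during gets the bits seen in that window. */
int copy_with_modes(const char *src, const char *dst, mode_t create_mode,
                    mode_t final_mode, mode_t *during)
{
    char buf[4096];
    struct stat st;
    ssize_t n = 0;
    int rc = -1;
    int in = open(src, O_RDONLY);
    if (in < 0)
        return -1;
    /* O_EXCL: never write into a file another user pre-created. */
    int out = open(dst, O_WRONLY | O_CREAT | O_EXCL, create_mode);
    if (out < 0) {
        close(in);
        return -1;
    }
    while ((n = read(in, buf, sizeof buf)) > 0) {
        if (write(out, buf, (size_t)n) != n) {
            n = -1;
            break;
        }
    }
    if (n == 0 && fstat(out, &st) == 0) {
        *during = st.st_mode & 0777; /* bits visible during the copy window */
        rc = fchmod(out, final_mode); /* on the descriptor, not the path */
    }
    close(in);
    if (close(out) != 0)
        rc = -1;
    if (rc != 0)
        unlink(dst); /* do not leave a partial copy behind */
    return rc;
}

int main(int argc, char **argv)
{
    mode_t seen = 0;
    /* Weak pattern: create_mode 0666. Hardened, as here: 0600. */
    if (argc != 3 || copy_with_modes(argv[1], argv[2], 0600, 0640, &seen) != 0)
        return 1;
    printf("mode while copying: %04o\n", (unsigned)seen);
    return 0;
}
```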