Weakness ID: 708 Abstraction: Base
The software assigns an owner to a resource, but the owner is outside of the intended control sphere.
This may allow the resource to be manipulated by actors outside of the intended control sphere.
Time of Introduction
- Architecture and Design
Technical Impact: Read application data; Modify application
An attacker could read and modify data for which they do not have permissions to access directly.
- File system sets wrong ownership and group when creating a new file.
- OS installs program with bin owner/group, allowing
- Manager does not properly restore ownership of a reusable resource when a user logs out, allowing privilege
- Backup software restores symbolic links with
- Product changes the ownership of files that a symlink points to, instead of the symlink
- Component assigns ownership of sensitive directory tree to a user account, which can be leveraged to perform privileged
Periodically review the privileges and their owners.
Use automated tools to check for privilege settings.
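One way to automate the ownership review described above, as an added example that is not part of the original entry. The function names, the sample tree and the allowed UID/GID sets are assumptions for illustration, and the code expects a POSIX system.

```python
import os
import tempfile


def audit_ownership(root, allowed_uids, allowed_gids=None):
    """List entries under root whose owner (or group) is not in the allowed sets.

    Returns sorted (path, uid, gid, reasons) tuples. allowed_gids=None skips
    the group check.
    """
    findings = []

    def check(path):
        st = os.lstat(path)  # lstat: report the link's own owner, not its target's
        reasons = []
        if st.st_uid not in allowed_uids:
            reasons.append("owner")
        if allowed_gids is not None and st.st_gid not in allowed_gids:
            reasons.append("group")
        if reasons:
            findings.append((path, st.st_uid, st.st_gid, tuple(reasons)))

    check(root)
    # followlinks=False keeps the walk inside the tree even if a link points out
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            check(os.path.join(dirpath, name))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample: one file plus a symlink pointing outside the tree."""
    root = tempfile.mkdtemp(prefix="cwe708-")
    with open(os.path.join(root, "settings.conf"), "w") as fh:
        fh.write("constructed sample\n")
    os.symlink(os.sep, os.path.join(root, "escape"))
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    me = os.getuid()
    print("expected owner:", audit_ownership(tree, {me}))
    print("unexpected owner:", audit_ownership(tree, {me + 1}))
```

Run it on a schedule against directories whose intended owner is known, and treat any finding as a change to investigate rather than something to fix with a recursive ownership reset.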
This overlaps verification errors, permissions, and privileges.
A closely related weakness is the incorrect assignment of groups to a
resource. It is not clear whether it would fall under this entry or require
a different entry.
|2008-09-09||MITRE||Internal CWE Team|
|2009-03-10||CWE Content Team||MITRE||Internal|
|2009-05-27||CWE Content Team||MITRE||Internal|
|2011-06-01||CWE Content Team||MITRE||Internal|
|updated Common_Consequences, Maintenance_Notes,
|2012-05-11||CWE Content Team||MITRE||Internal|
|2012-10-30||CWE Content Team||MITRE||Internal|
|2014-07-30||CWE Content Team||MITRE||Internal|