Unverified Ownership
Weakness ID: 283 (Weakness Base)Status: Draft
+ Description

Description Summary

The software does not properly verify that a critical resource is owned by the proper entity.
+ Time of Introduction
  • Architecture and Design
+ Applicable Platforms

Languages

All

+ Observed Examples
ReferenceDescription
CVE-2001-0178Program does not verify the owner of a UNIX socket that is used for sending a password.
CVE-2004-2012Owner of special device not checked, allowing root.
+ Potential Mitigations

Very carefully manage the setting, management and handling of privileges. Explicitly manage trust zones in the software.

Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class282Improper Ownership Management
Development Concepts (primary)699
Research Concepts (primary)1000
ChildOfWeakness ClassWeakness Class703Failure to Handle Exceptional Conditions
Research Concepts1000
ChildOfCategoryCategory723OWASP Top Ten 2004 Category A2 - Broken Access Control
Weaknesses in OWASP Top Ten (2004) (primary)711
CanAlsoBeCategoryCategory264Permissions, Privileges, and Access Controls
Research Concepts1000
CanAlsoBeWeakness ClassWeakness Class345Insufficient Verification of Data Authenticity
Research Concepts1000
+ Relationship Notes

This overlaps insufficient comparison, verification errors, permissions, and privileges.

+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERUnverified Ownership
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time of Introduction
2008-09-08CWE Content TeamMITREInternal
updated Relationships, Relationship Notes, Taxonomy Mappings
2009-03-10CWE Content TeamMITREInternal
updated Relationships
2009-12-28CWE Content TeamMITREInternal
updated Potential Mitigations