Incorrect Resource Transfer Between Spheres
Weakness ID: 669 (Weakness Class)
Status: Draft
Description

Description Summary

The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.
Time of Introduction
  • Architecture and Design
  • Implementation
  • Operation
Background Details

A "control sphere" is a set of resources and behaviors that are accessible to a single actor, or a group of actors. A product's security model will typically define multiple spheres, possibly implicitly. For example, a server might define one sphere for "administrators" who can create new user accounts with subdirectories under /home/server/, and a second sphere might cover the set of users who can create or delete files within their own subdirectories. A third sphere might be "users who are authenticated to the operating system on which the product is installed." Each sphere has different sets of actors and allowable behaviors.
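Each of the spheres in this example can be enforced on the server with explicit boundary checks, so that a request from one sphere cannot reach resources of another. The code below is an added illustration, not part of the CWE entry; the /home/server layout is taken from the paragraph above, while the username pattern, the upload allow-list and the function names are assumptions. It also covers the import case (a file uploaded into a user's sphere), which the child weakness CWE-434 describes when the check is missing.

```python
import os
import re

# Constructed example, not part of the CWE entry: the layout from Background
# Details, where administrators create user subdirectories under /home/server/.
SERVER_ROOT = "/home/server"
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_-]{0,31}$")
ALLOWED_UPLOAD_EXT = {".txt", ".png", ".pdf"}  # hypothetical upload policy

class SphereViolation(PermissionError):
    """A request would act on a resource outside the caller's control sphere."""

def user_dir(username, root=SERVER_ROOT):
    """Subdirectory owned by `username`; refuses names such as 'alice/../bob'."""
    if not USERNAME_RE.match(username):
        raise SphereViolation(f"invalid username {username!r}")
    return os.path.normpath(os.path.join(root, username))

def admin_create_user(actor_roles, username, root=SERVER_ROOT):
    """Administrator sphere: only admins may create a user account directory."""
    if "admin" not in actor_roles:
        raise SphereViolation("only administrators may create user accounts")
    return user_dir(username, root)  # path the server would mkdir; no side effects

def user_file(username, relpath, root=SERVER_ROOT):
    """User sphere: confine a user-supplied path to that user's own subdirectory."""
    base = user_dir(username, root)
    # join() discards `base` for absolute relpaths; normpath() collapses '..'
    target = os.path.normpath(os.path.join(base, relpath))
    if os.path.commonpath([base, target]) != base:  # also catches 'alice-x' prefixes
        raise SphereViolation(f"{relpath!r} escapes {base}")
    return target

def user_upload_target(username, filename, root=SERVER_ROOT):
    """Importing a file into the user sphere: confine it and allow-list its type
    (the child weakness CWE-434 is the case where this check is missing)."""
    target = user_file(username, filename, root)
    if os.path.splitext(target)[1].lower() not in ALLOWED_UPLOAD_EXT:
        raise SphereViolation(f"upload type not permitted: {filename!r}")
    return target

def is_rejected(fn, *args):
    """True when the call is refused as a sphere violation."""
    try:
        fn(*args)
    except SphereViolation:
        return True
    return False
```

The checks are purely lexical (no filesystem access), so the same functions can be unit-tested without the directories existing; a deployment following symlinks would add a realpath step after the lexical check.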

Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to
ChildOf | Category | 361 | Time and State | Development Concepts (primary), view 699
ChildOf | Weakness Class | 664 | Improper Control of a Resource Through its Lifetime | Research Concepts (primary), view 1000
ParentOf | Weakness Base | 212 | Improper Cross-boundary Removal of Sensitive Data | Research Concepts, view 1000
ParentOf | Weakness Variant | 243 | Failure to Change Working Directory in chroot Jail | Research Concepts (primary), view 1000
ParentOf | Weakness Base | 434 | Unrestricted Upload of File with Dangerous Type | Research Concepts (primary), view 1000
ParentOf | Weakness Base | 494 | Download of Code Without Integrity Check | Research Concepts (primary), view 1000
ParentOf | Weakness Base | 602 | Client-Side Enforcement of Server-Side Security | Research Concepts (primary), view 1000
CanFollow | Weakness Variant | 244 | Failure to Clear Heap Memory Before Release ('Heap Inspection') | Research Concepts, view 1000
Relevant Properties
  • Accessibility
Content History
Modification Date | Modifier | Organization | Source | Change
2008-07-01 | Eric Dalci | Cigital | External | updated Time of Introduction
2008-09-08 | CWE Content Team | MITRE | Internal | updated Relationships, Other Notes
2008-10-14 | CWE Content Team | MITRE | Internal | updated Relationships
2009-10-29 | CWE Content Team | MITRE | Internal | updated Background Details, Other Notes