Incorrect Resource Transfer Between Spheres
Weakness ID: 669 (Weakness Class) | Status: Draft
Description Summary
The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.
A "control sphere" is a set of resources and behaviors that are accessible to a single actor, or a group of actors. A product's security model will typically define multiple spheres, possibly implicitly. For example, a server might define one sphere for "administrators" who can create new user accounts with subdirectories under /home/server/, and a second sphere might cover the set of users who can create or delete files within their own subdirectories. A third sphere might be "users who are authenticated to the operating system on which the product is installed." Each sphere has different sets of actors and allowable behaviors.
Nature | Type | ID | Name | View(s) this relationship pertains to |
---|---|---|---|---|
ChildOf | Category | 361 | Time and State | Development Concepts (view 699, primary) |
ChildOf | Weakness Class | 664 | Improper Control of a Resource Through its Lifetime | Research Concepts (view 1000, primary) |
ParentOf | Weakness Base | 212 | Improper Cross-boundary Removal of Sensitive Data | Research Concepts (view 1000) |
ParentOf | Weakness Variant | 243 | Failure to Change Working Directory in chroot Jail | Research Concepts (view 1000, primary) |
ParentOf | Weakness Base | 434 | Unrestricted Upload of File with Dangerous Type | Research Concepts (view 1000, primary) |
ParentOf | Weakness Base | 494 | Download of Code Without Integrity Check | Research Concepts (view 1000, primary) |
ParentOf | Weakness Base | 602 | Client-Side Enforcement of Server-Side Security | Research Concepts (view 1000, primary) |
CanFollow | Weakness Variant | 244 | Failure to Clear Heap Memory Before Release ('Heap Inspection') | Research Concepts (view 1000) |
Modifications

Modification Date | Modifier | Organization | Source | Update |
---|---|---|---|---|
2008-07-01 | Eric Dalci | Cigital | External | updated Time of Introduction |
2008-09-08 | CWE Content Team | MITRE | Internal | updated Relationships, Other Notes |
2008-10-14 | CWE Content Team | MITRE | Internal | updated Relationships |
2009-10-29 | CWE Content Team | MITRE | Internal | updated Background Details, Other Notes |