Incorrect Ownership Assignment
Weakness ID: 708 (Weakness Base) | Status: Incomplete
Description Summary
The software assigns an owner to a resource, but the owner is outside of the intended control sphere.
Extended Description
This may allow the resource to be manipulated by actors outside of the intended control sphere.
Observed Examples
Reference | Description |
---|---|
CVE-2007-5101 | File system sets wrong ownership and group when creating a new file. |
CVE-2007-4238 | OS installs program with bin owner/group, allowing modification. |
CVE-2007-1716 | Manager does not properly restore ownership of a reusable resource when a user logs out, allowing privilege escalation. |
CVE-2005-3148 | Backup software restores symbolic links with incorrect uid/gid. |
CVE-2005-1064 | Product changes the ownership of files that a symlink points to, instead of the symlink itself. |
Potential Mitigations
Periodically review the privileges and their owners.
Use automated tools to check for privilege settings.
Notes
This overlaps verification errors, permissions, and privileges. A closely related weakness is the incorrect assignment of groups to a resource. It is not clear whether it would fall under this entry or require a different entry.
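One way to automate the ownership review named in the mitigations, as an added example that is not part of the CWE entry: a Python audit that walks a tree and reports every entry whose uid or gid is outside an expected set, using lstat() so that symbolic links are checked themselves rather than their targets (the situation in CVE-2005-3148 and CVE-2005-1064). The function names, the sample tree and the allowed uid/gid sets are assumptions for illustration.

```python
import os
import stat
import tempfile


def audit_ownership(root, allowed_uids, allowed_gids):
    """Return (path, uid, gid, kind) for each entry at or under root whose
    owner or group is outside the allowed sets."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        paths.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
    findings = []
    for path in paths:
        try:
            # lstat() reports on a symlink itself, never its target, so the
            # link's own uid/gid is audited and dangling links still count.
            st = os.lstat(path)
        except FileNotFoundError:
            continue  # entry removed while the audit was running
        if st.st_uid in allowed_uids and st.st_gid in allowed_gids:
            continue
        kind = ("symlink" if stat.S_ISLNK(st.st_mode)
                else "dir" if stat.S_ISDIR(st.st_mode) else "file")
        findings.append((path, st.st_uid, st.st_gid, kind))
    return findings


def demo():
    """Constructed sample tree: a directory, a file and a dangling symlink."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "conf"))
        open(os.path.join(root, "conf", "app.ini"), "w").close()
        os.symlink("/nonexistent/target", os.path.join(root, "stale-link"))
        ref = os.lstat(root)  # owner/group the sample tree was created with
        clean = audit_ownership(root, {ref.st_uid}, {ref.st_gid})
        # Assumed policy naming a different owner: every entry is reported.
        wrong = audit_ownership(root, {ref.st_uid + 1}, {ref.st_gid})
        return clean, wrong


if __name__ == "__main__":
    clean, wrong = demo()
    print("findings under matching policy:", clean)
    for path, uid, gid, kind in wrong:
        print(f"{kind:8} uid={uid} gid={gid} {path}")
```

In a real review the allowed sets would come from the intended control sphere for that tree, for example the service account and its group.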
Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to |
---|---|---|---|---|
ChildOf | Weakness Class | 282 | Improper Ownership Management | Development Concepts (primary) 699; Research Concepts (primary) 1000 |
ChildOf | Category | 723 | OWASP Top Ten 2004 Category A2 - Broken Access Control | Weaknesses in OWASP Top Ten (2004) (primary) 711 |
CanAlsoBe | Weakness Class | 345 | Insufficient Verification of Data Authenticity | Research Concepts 1000 |
Submissions
Submission Date | Submitter | Organization | Source |
---|---|---|---|
2008-09-09 | MITRE | Internal CWE Team | |
Modifications
Modification Date | Modifier | Organization | Source | Changes |
---|---|---|---|---|
2008-07-01 | Eric Dalci | Cigital | External | updated Potential Mitigations, Time of Introduction |
2009-03-10 | CWE Content Team | MITRE | Internal | updated Relationships |
2009-05-27 | CWE Content Team | MITRE | Internal | updated Description |