CWE-708 不正确的属主授予

  • A+
所属分类:CWE(弱点枚举)

CWE-708 不正确的属主授予

Incorrect Ownership Assignment

结构: Simple

Abstraction: Base

状态: Incomplete

被利用可能性: unkown

基本描述

The software assigns an owner to a resource, but the owner is outside of the intended control sphere.

扩展描述

This may allow the resource to be manipulated by actors outside of the intended control sphere.

相关缺陷

  • cwe_Nature: ChildOf cwe_CWE_ID: 282 cwe_View_ID: 1000 cwe_Ordinal: Primary

  • cwe_Nature: ChildOf cwe_CWE_ID: 282 cwe_View_ID: 699 cwe_Ordinal: Primary

  • cwe_Nature: CanAlsoBe cwe_CWE_ID: 345 cwe_View_ID: 1000

适用平台

Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}

常见的影响

范围 影响 注释
['Confidentiality', 'Integrity'] ['Read Application Data', 'Modify Application Data'] An attacker could read and modify data for which they do not have permissions to access directly.

可能的缓解方案

Policy

策略:

Periodically review the privileges and their owners.

Testing

策略:

Use automated tools to check for privilege settings.

分析过的案例

标识 说明 链接
CVE-2007-5101 File system sets wrong ownership and group when creating a new file. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5101
CVE-2007-4238 OS installs program with bin owner/group, allowing modification. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4238
CVE-2007-1716 Manager does not properly restore ownership of a reusable resource when a user logs out, allowing privilege escalation. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1716
CVE-2005-3148 Backup software restores symbolic links with incorrect uid/gid. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3148
CVE-2005-1064 Product changes the ownership of files that a symlink points to, instead of the symlink itself. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1064
CVE-2011-1551 Component assigns ownership of sensitive directory tree to a user account, which can be leveraged to perform privileged operations. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1551

Notes

文章来源于互联网:scap中文网

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: