CWE-610 资源在另一范围的外部可控制索引

Externally Controlled Reference to a Resource in Another Sphere

结构: Simple

Abstraction: Class

状态: Draft

被利用可能性: unkown


The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.


  • cwe_Nature: ChildOf cwe_CWE_ID: 664 cwe_View_ID: 1000 cwe_Ordinal: Primary


范围 影响 注释
['Confidentiality', 'Integrity'] ['Read Application Data', 'Modify Application Data']


Relationship This is a general class of weakness, but most research is focused on more specialized cases, such as path traversal (CWE-22) and symlink following (CWE-61). A symbolic link has a name; in general, it appears like any other file in the file system. However, the link includes a reference to another file, often in another directory - perhaps in another sphere of control. Many common library functions that accept filenames will "follow" a symbolic link and use the link's target instead. Maintenance The relationship between CWE-99 and CWE-610 needs further investigation and clarification. They might be duplicates. CWE-99 "Resource Injection," as originally defined in Seven Pernicious Kingdoms taxonomy, emphasizes the "identifier used to access a system resource" such as a file name or port number, yet it explicitly states that the "resource injection" term does not apply to "path manipulation," which effectively identifies the path at which a resource can be found and could be considered to be one aspect of a resource identifier. Also, CWE-610 effectively covers any type of resource, whether that resource is at the system layer, the application layer, or the code layer.


  • CAPEC-219