CWE-708 不正确的属主授予

Incorrect Ownership Assignment

结构: Simple

Abstraction: Base

状态: Incomplete

被利用可能性: unkown

基本描述

The software assigns an owner to a resource, but the owner is outside of the intended control sphere.

扩展描述

This may allow the resource to be manipulated by actors outside of the intended control sphere.

相关缺陷

• cwe_Nature: ChildOf cwe_CWE_ID: 282 cwe_View_ID: 1000 cwe_Ordinal: Primary

• cwe_Nature: ChildOf cwe_CWE_ID: 282 cwe_View_ID: 699 cwe_Ordinal: Primary

• cwe_Nature: CanAlsoBe cwe_CWE_ID: 345 cwe_View_ID: 1000

适用平台

Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}

常见的影响

范围	影响	注释
['Confidentiality', 'Integrity']	['Read Application Data', 'Modify Application Data']	An attacker could read and modify data for which they do not have permissions to access directly.

可能的缓解方案

Policy

策略:

Periodically review the privileges and their owners.

Testing

策略:

Use automated tools to check for privilege settings.

分析过的案例

标识	说明	链接
CVE-2007-5101	File system sets wrong ownership and group when creating a new file.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5101
CVE-2007-4238	OS installs program with bin owner/group, allowing modification.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4238
CVE-2007-1716	Manager does not properly restore ownership of a reusable resource when a user logs out, allowing privilege escalation.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1716
CVE-2005-3148	Backup software restores symbolic links with incorrect uid/gid.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3148
CVE-2005-1064	Product changes the ownership of files that a symlink points to, instead of the symlink itself.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1064
CVE-2011-1551	Component assigns ownership of sensitive directory tree to a user account, which can be leveraged to perform privileged operations.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1551

Notes