Unverified Ownership| ID: 283 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: DRAFT |
| Abstraction Type: Base |
Description
The software does not properly verify that a critical resource
is owned by the proper entity.
Applicable PlatformsLanguage Class: All
Time Of Introduction
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| Access_Control | Gain privileges / assume
identity | An attacker could gain unauthorized access to system resources |
Detection MethodsNone
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|
| Architecture and DesignOperation | | Very carefully manage the setting, management, and handling of
privileges. Explicitly manage trust zones in the software. | | |
| Architecture and Design | Separation of Privilege | Consider following the principle of separation of privilege. Require
multiple conditions to be met before permitting access to a system
resource. | | |
RelationshipsThis overlaps insufficient comparison, verification errors, permissions,
and privileges.
| Related CWE | Type | View | Chain |
|---|
| CWE-283 ChildOf CWE-899 | Category | CWE-888 | |
Demonstrative Examples (Details)
- This function is part of a privileged program that takes input from
users with potentially lower privileges.
Observed Examples
- CVE-2001-0178 : Program does not verify the owner of a UNIX socket that is used for sending a password.
- CVE-2004-2012 : Owner of special device not checked, allowing root.
For more examples, refer to CVE relations in the bottom box.
White Box Definitions None
Black Box Definitions None
Taxynomy Mappings
| Taxynomy | Id | Name | Fit |
|---|
| PLOVER | | Unverified Ownership | |
References:None
