CWE

Incomplete Cleanup

ID: 459
Date: (C)2012-05-14 (M)2022-10-10
Type: weakness
Status: DRAFT
Abstraction Type: Base





Description

The software does not properly "clean up" and remove temporary or supporting resources after they have been used.

Applicable Platforms
Language Class: All

Time Of Introduction

  • Architecture and Design
  • Implementation

Common Consequences

Scope: Other, Confidentiality, Integrity
Technical Impact: Other; Read application data; Modify application data
 

Detection Methods
None

Potential Mitigations

Phase: Architecture and Design, Implementation
Description: Temporary files and other supporting resources should be deleted/released immediately after they are no longer needed.
  

Relationships
CWE-459 is a child of CWE-404 because, while CWE-404 covers any type of improper shutdown or release of a resource, CWE-459 deals specifically with a multi-step shutdown process in which a crucial step for "proper" cleanup is omitted or impossible. That is, CWE-459 deals specifically with a cleanup or shutdown process that does not successfully remove all potentially sensitive data.

Related CWE: CWE-459 ChildOf CWE-892
Type: Category
View: CWE-888

Demonstrative Examples

  1. Stream resources in a Java application should be released in a finally block, otherwise an exception thrown before the call to close() would result in an unreleased I/O resource. In the example below, the close() method is called in the try block (incorrect).
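The pattern described in this item, as an added illustration that is not taken from the CWE entry or this page: a reader closed inside the try block next to the same read using try-with-resources (which the compiler expands into the equivalent finally-block close), plus a temporary file deleted in a finally block as the mitigation above recommends. The class name, method names and sample data are hypothetical.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

public class CleanupExample {

    // Incorrect: close() sits inside the try block. If readLine() throws,
    // control jumps to the catch and the reader's file handle is never released.
    static String firstLineLeaky(Path file) {
        try {
            BufferedReader in = Files.newBufferedReader(file, StandardCharsets.UTF_8);
            String line = in.readLine();
            in.close(); // skipped whenever the line above throws
            return line;
        } catch (IOException e) {
            return null;
        }
    }

    // Correct: try-with-resources closes the reader on every exit path,
    // whether the body returns normally or throws.
    static String firstLine(Path file) throws IOException {
        try (BufferedReader in = Files.newBufferedReader(file, StandardCharsets.UTF_8)) {
            return in.readLine();
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input written to a temporary file.
        Path tmp = Files.createTempFile("cwe459-", ".tmp");
        try {
            Files.write(tmp, "constructed sample data\n".getBytes(StandardCharsets.UTF_8));
            System.out.println(firstLineLeaky(tmp));
            System.out.println(firstLine(tmp));
        } finally {
            // Delete the temporary file even if reading failed, so its
            // contents do not outlive the operation that needed them.
            Files.deleteIfExists(tmp);
        }
        System.out.println("temp file still present: " + Files.exists(tmp));
    }
}
```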

Observed Examples

  1. CVE-2000-0552 : World-readable temporary file not deleted after use.
  2. CVE-2005-2293 : Temporary file not deleted after use, leaking database usernames and passwords.
  3. CVE-2002-0788 : Interaction error creates a temporary file that cannot be deleted due to strong permissions.
  4. CVE-2002-2066 : Alternate data streams for NTFS files are not cleared when files are wiped (alternate channel / infoleak).
  5. CVE-2002-2067 : Alternate data streams for NTFS files are not cleared when files are wiped (alternate channel / infoleak).
  6. CVE-2002-2068 : Alternate data streams for NTFS files are not cleared when files are wiped (alternate channel / infoleak).
  7. CVE-2002-2069 : Alternate data streams for NTFS files are not cleared when files are wiped (alternate channel / infoleak).
  8. CVE-2002-2070 : Alternate data streams for NTFS files are not cleared when files are wiped (alternate channel / infoleak).
  9. CVE-2005-1744 : Users not logged out when application is restarted after security-relevant changes were made.

For more examples, refer to CVE relations in the bottom box.

White Box Definitions
None

Black Box Definitions
None

Taxonomy Mappings

  • PLOVER: Incomplete Cleanup
  • OWASP Top Ten 2004 A10: Insecure Configuration Management (Fit: CWE_More_Specific)
  • CERT Java Secure Coding FIO04-J: Release resources when they are no longer needed
  • CERT Java Secure Coding FIO00-J: Do not operate on files in shared directories

References:
None

CVE    26
CVE-2021-22450
CVE-2021-32928
CVE-2017-0303
CVE-2017-17090
...

© SecPod Technologies