SecPod SCAP Repo, a repository of SCAP Content (CVE, CCE, CPE, CWE, OVAL and XCCDF)

Download | Alert*

CWE

Externally Controlled Reference to a Resource in Another Sphere

ID: 610		Date: (C)2012-05-14 (M)2022-10-10
Type: weakness		Status: DRAFT
Abstraction Type: Class

Description

The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.

Extended Description

Applicable Platforms
None

Time Of Introduction

Architecture and Design

Related Attack Patterns

CAPEC-219

Common Consequences

Scope	Technical Impact	Notes
Confidentiality Integrity	Read application data Modify application data

Detection Methods
None

Potential Mitigations
None

Relationships
This is a general class of weakness, but most research is focused on more specialized cases, such as path traversal (CWE-22) and symlink following (CWE-61). A symbolic link has a name; in general, it appears like any other file in the file system. However, the link includes a reference to another file, often in another directory - perhaps in another sphere of control. Many common library functions that accept filenames will "follow" a symbolic link and use the link's target instead.

Related CWE	Type	View	Chain
CWE-610 ChildOf CWE-893	Category	CWE-888

Demonstrative Examples
None

White Box Definitions
None

Black Box Definitions
None

Taxynomy Mappings

Taxynomy	Id	Name	Fit
Anonymous Tool Vendor (under NDA)

References:
None


30479



423868



248149



909



194803



282