Obscured Security-relevant Information by Alternate Name| ID: 224 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: INCOMPLETE |
| Abstraction Type: Base |
Description
The software records security-relevant information according to
an alternate name of the affected entity, instead of the canonical
name.
Applicable PlatformsLanguage Class: All
Time Of Introduction
- Architecture and Design
- Implementation
- Operation
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| Non-RepudiationAccess_Control | Hide activitiesGain privileges / assume
identity | |
Detection MethodsNone
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|
| | | Avoid making decisions based on names of resources if those resources
can have alternate names. | | |
Relationships
| Related CWE | Type | View | Chain |
|---|
| CWE-224 ChildOf CWE-906 | Category | CWE-888 | |
Demonstrative Examples (Details)
- This code prints the contents of a file if a user has permission.
Observed Examples
- CVE-2002-0725 : Attacker performs malicious actions on a hard link to a file, obscuring the real target file.
For more examples, refer to CVE relations in the bottom box.
White Box Definitions None
Black Box Definitions None
Taxynomy Mappings
| Taxynomy | Id | Name | Fit |
|---|
| PLOVER | | Obscured Security-relevant Information by Alternate
Name | |
References:
- M. Howard D. LeBlanc .Writing Secure Code 2nd Edition. Microsoft. Published on 2002.
