CWE-708: Incorrect Ownership Assignment
CWE version: 4.18
Last updated: 2025-09-09
Weakness description
The product assigns an owner to a resource, but the owner is outside of the intended control sphere.
Extended description
This may allow the resource to be manipulated by actors outside of the intended control sphere.
Common consequences
Scope: Confidentiality, Integrity
Technical impact: Read Application Data; Modify Application Data
Note: An attacker could read and modify data that they do not have permission to access directly.
Potential mitigations
Phase: Policy
Description: Periodically review the privileges and their owners.
Phase: Testing
Description: Use automated tools to check for privilege settings.
Observed examples
Reference: CVE-2007-5101
File system sets wrong ownership and group when creating a new file.
Reference: CVE-2007-4238
OS installs program with bin owner/group, allowing modification.
Reference: CVE-2007-1716
Manager does not properly restore ownership of a reusable resource when a user logs out, allowing privilege escalation.
Reference: CVE-2005-3148
Backup software restores symbolic links with incorrect uid/gid.
Reference: CVE-2005-1064
Product changes the ownership of files that a symlink points to, instead of the symlink itself.
Reference: CVE-2011-1551
Component assigns ownership of sensitive directory tree to a user account, which can be leveraged to perform privileged operations.
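An added example, not part of the CWE entry: a small Python ownership audit in the spirit of the "use automated tools to check for privilege settings" mitigation, walking a tree with lstat() so that symlinks are judged by their own owner and never followed (the pattern behind CVE-2005-1064 and CVE-2005-3148 above), plus a chown helper that changes a link itself rather than its target. The root path and the allowed uid/gid sets are assumed to be supplied by the caller; the sample tree is constructed in a temporary directory.

```python
import os
import tempfile
from typing import Dict, Iterable, List, Tuple

Finding = Tuple[str, int, int]  # (path, uid, gid)

def find_misowned(root: str, allowed_uids: Iterable[int],
                  allowed_gids: Iterable[int]) -> List[Finding]:
    """Return every entry under `root` whose uid or gid is outside the intended
    control sphere. Every entry is inspected with lstat(), so a symlink is judged
    by its own owner and its target is never touched or followed."""
    uids, gids = set(allowed_uids), set(allowed_gids)
    findings: List[Finding] = []

    def check(path: str) -> None:
        st = os.lstat(path)
        if st.st_uid not in uids or st.st_gid not in gids:
            findings.append((path, st.st_uid, st.st_gid))

    check(root)
    # followlinks=False: a symlinked directory is listed but never descended into.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            check(os.path.join(dirpath, name))
    return sorted(findings)

def assign_owner(path: str, uid: int, gid: int) -> None:
    """chown `path` itself: with follow_symlinks=False a symlink's own owner is
    changed, not the owner of whatever it points to (the CVE-2005-1064 pattern)."""
    os.chown(path, uid, gid, follow_symlinks=False)

def run_demo() -> Dict[str, List[str]]:
    """Constructed sample tree (hypothetical data): one file plus a symlink to it,
    both owned by the current user. Returns audit results relative to the root."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "data.txt")
        open(target, "w").close()
        link = os.path.join(tmp, "link")
        os.symlink(target, link)
        st = os.lstat(tmp)
        assign_owner(link, st.st_uid, st.st_gid)  # acts on the link; target untouched
        rel = lambda hits: [os.path.relpath(p, tmp) for p, _, _ in hits]
        return {"clean": rel(find_misowned(tmp, {st.st_uid}, {st.st_gid})),
                "foreign_owner": rel(find_misowned(tmp, {st.st_uid + 1}, {st.st_gid}))}

if __name__ == "__main__":
    print(run_demo())  # {'clean': [], 'foreign_owner': ['.', 'data.txt', 'link']}
```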
Modes of introduction
| Phase | Note |
|---|---|
| Architecture and Design | - |
| Implementation | REALIZATION: This weakness is caused during implementation of an architectural security tactic. |
| Operation | - |