CWE-708

BaseIncomplete

Incorrect Ownership Assignment

The product assigns an owner to a resource, but the owner is outside of the intended control sphere.

2 related weaknesses

Extended Description

This may allow the resource to be manipulated by actors outside of the intended control sphere.

Policy

Periodically review the privileges and their owners.

Confidentiality

Integrity

Read Application Data

Modify Application Data

An attacker could read and modify data for which they do not have permissions to access directly.

Automated Analysis

Use automated tools to check for privilege settings.

Modes of Introduction

Architecture and Design

Implementation

Operation

Related Weaknesses

Example CVEs (7)

product installs binaries with potentially insecure user/group ownership

File system sets wrong ownership and group when creating a new file.

OS installs program with bin owner/group, allowing modification.

Manager does not properly restore ownership of a reusable resource when a user logs out, allowing privilege escalation.

Backup software restores symbolic links with incorrect uid/gid.

External Links

CWE-708: Incorrect Ownership Assignment | Mondoo Vulnerability Intelligence