CWE-282: Improper Ownership Management

Description

The product assigns the wrong ownership, or does not properly verify the ownership, of an object or resource.

Submission Date: July 19, 2006, midnight

Modification Date: 2023-10-26 00:00:00+00:00

Organization: MITRE

Example Vulnerable Code

Example - 1

This function is part of a privileged program that takes input from users with potentially lower privileges.

import os
import signal

def killProcess(processID):
    os.kill(processID, signal.SIGKILL)

This code does not confirm that the process to be killed is owned by the requesting user, thus allowing an attacker to kill arbitrary processes.

This function remedies the problem by checking the owner of the process before killing it:


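import os
import signal

# getCurrentUser() and getProcessOwner() are helper functions that this
# example assumes exist; they are not defined on this page.
def killProcess(processID):
    user = getCurrentUser()
    # Check process owner against requesting user
    if getProcessOwner(processID) == user:
        os.kill(processID, signal.SIGKILL)
        return
    else:
        print("You cannot kill a process you don't own")
        return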
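The ownership check above leaves `getProcessOwner()` undefined. The following is an added example, not part of the CWE entry, showing one way to implement it on Linux. It assumes `/proc` is mounted; `get_process_owner` and `kill_if_owned` are hypothetical names. It goes slightly beyond the entry by rejecting non-positive PIDs, which `kill(2)` treats as process groups, and by signalling through a pidfd where available so the signal cannot reach a process that reused the PID after the check.

```python
import os
import signal

def get_process_owner(pid: int) -> int:
    """Return the UID owning `pid` (Linux only).

    /proc/<pid> is owned by the process's effective UID, or by root
    when the process is marked non-dumpable.
    """
    return os.stat(f"/proc/{pid}").st_uid

def kill_if_owned(pid: int, requester_uid: int, sig=signal.SIGKILL) -> bool:
    """Signal `pid` only if `requester_uid` owns it. True if the signal was sent."""
    if pid <= 0:
        # 0 and negative values address process groups, not a single process.
        return False
    try:
        # Handle to this exact process: a signal sent through it can never
        # land on a different process that later receives the same PID.
        pidfd = os.pidfd_open(pid)      # Python 3.9+, Linux 5.3+
    except (AttributeError, OSError):
        pidfd = None                    # unavailable, or process already gone
    try:
        if get_process_owner(pid) != requester_uid:
            return False                # requester does not own the target
        if pidfd is not None:
            signal.pidfd_send_signal(pidfd, sig)
        else:
            os.kill(pid, sig)           # fallback: a small PID-reuse window remains
        return True
    except (FileNotFoundError, ProcessLookupError):
        return False                    # process exited before or during the check
    finally:
        if pidfd is not None:
            os.close(pidfd)

if __name__ == "__main__":
    import subprocess, sys
    # Constructed demo: a throwaway child process owned by the current user.
    child = subprocess.Popen([sys.executable, "-c", "import time; time.sleep(30)"])
    print(kill_if_owned(child.pid, os.geteuid() + 1))  # another user's request
    print(kill_if_owned(child.pid, os.geteuid()))      # the owner's request
    child.wait()
```

In a real privileged service, `requester_uid` must come from an authenticated source such as `SO_PEERCRED` on a Unix socket, never from a value the caller supplies.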

Related Weaknesses

This table shows the weaknesses and high-level categories that are related to this weakness. These relationships give an overview of similar items that may exist at higher and lower levels of abstraction.

Visit http://cwe.mitre.org/ for more details.