CWE-283: Unverified Ownership

Description

The product does not properly verify that a critical resource is owned by the proper entity.

Submission Date: 2006-07-19

Modification Date: 2023-06-29

Organization: MITRE

Example Vulnerable Codes

Example - 1

This function is part of a privileged program that takes input from users with potentially lower privileges; the process ID it kills is supplied by the caller.

    import os
    import signal

    def killProcess(processID):
        os.kill(processID, signal.SIGKILL)

This code does not confirm that the process to be killed is owned by the requesting user. Because the program runs with elevated privileges, the kernel's own permission check on kill() is satisfied, so any user who can invoke it can kill arbitrary processes, including those owned by other users or by root.

This function remedies the problem by checking the owner of the process before killing it:


    import os
    import signal

    # getCurrentUser() and getProcessOwner() are helpers the example assumes;
    # the original page does not define them.
    def killProcess(processID):
        user = getCurrentUser()
        # Check process owner against requesting user
        if getProcessOwner(processID) == user:
            os.kill(processID, signal.SIGKILL)
            return
        else:
            print("You cannot kill a process you don't own")
            return
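The corrected function above leaves getProcessOwner() and getCurrentUser() undefined. The following is an added example, written for this page and not MITRE's code, that implements the ownership check concretely on Linux: the owner of a process is read from the real-UID field of /proc/<pid>/status, which the kernel controls, and compared with the requesting user's real UID. The names process_owner_uid, kill_process and make_fake_proc, the proc_root parameter and the injectable send_signal callable are assumptions made for this illustration; the fake /proc tree that make_fake_proc builds is constructed test data so the check can be exercised without killing anything.

```python
import os
import signal
import tempfile
from pathlib import Path
from typing import Callable, Dict, Optional


def process_owner_uid(pid: int, proc_root: str = "/proc") -> Optional[int]:
    """Return the real UID of process `pid`, or None if no such process.

    On Linux the kernel exposes this in /proc/<pid>/status as
    "Uid:\t<real>\t<effective>\t<saved>\t<filesystem>"; the real UID is
    the one that identifies the owning user for this check. The value
    comes from the kernel, not from anything the caller supplied.
    """
    status = Path(proc_root) / str(pid) / "status"
    try:
        with status.open() as fh:
            for line in fh:
                if line.startswith("Uid:"):
                    return int(line.split()[1])
    except FileNotFoundError:
        return None  # process does not exist (or has already exited)
    return None  # no Uid line: treat an unreadable entry as "not yours"


def kill_process(pid: int, requesting_uid: int, proc_root: str = "/proc",
                 send_signal: Callable[[int, int], None] = os.kill) -> bool:
    """Send SIGKILL to `pid` only if `requesting_uid` owns it.

    Returns True if the signal was sent, False if the request was refused.
    `send_signal` is injectable (an assumption for this example) so the
    check can be tested offline; in production the default os.kill is used.
    """
    owner = process_owner_uid(pid, proc_root)
    if owner is None or owner != requesting_uid:
        # The CWE-283 fix: refuse unless the kernel says the caller owns it.
        return False
    send_signal(pid, signal.SIGKILL)
    return True


def make_fake_proc(owners: Dict[int, int]) -> str:
    """Build a constructed procfs-like tree for offline testing.

    `owners` maps pid -> real UID. Returns the root directory path, which
    is passed to the functions above as `proc_root`.
    """
    root = tempfile.mkdtemp(prefix="fakeproc-")
    for pid, uid in owners.items():
        entry = Path(root) / str(pid)
        entry.mkdir()
        (entry / "status").write_text(
            f"Name:\tsleep\nPid:\t{pid}\nUid:\t{uid}\t{uid}\t{uid}\t{uid}\n")
    return root


if __name__ == "__main__":
    # Constructed data: pid 101 belongs to uid 1000, pid 202 to root.
    root = make_fake_proc({101: 1000, 202: 0})
    sent = []
    record = lambda pid, sig: sent.append((pid, int(sig)))
    print(kill_process(101, 1000, root, record))   # True: caller owns it
    print(kill_process(202, 1000, root, record))   # False: owned by root
    print(kill_process(999, 1000, root, record))   # False: no such process
    print(sent)                                    # only pid 101 was signalled
```

In a setuid program the value passed as requesting_uid should be os.getuid(), the real UID of the user who invoked the program, not os.geteuid(), which is the elevated identity. Two caveats apply to any check of this shape. First, the lookup is Linux-specific; other platforms need their own owner query. Second, there is a window between reading the owner and sending the signal in which the target could exit and its PID be reused by a process belonging to someone else (a time-of-check/time-of-use race, CWE-367); on Linux 5.3 and later a PID file descriptor (os.pidfd_open and signal.pidfd_send_signal in Python 3.9+) pins the process identity across the check and removes that window.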

Related Weaknesses

This table shows the weaknesses and high-level categories that are related to this weakness. These relationships are defined to give an overview of similar items that may exist at higher and lower levels of abstraction.

Visit http://cwe.mitre.org/ for more details.