CWE-668: Exposure of Resource to Wrong Sphere

Description

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

Submission Date:

2008-04-11

Modification Date:

2023-06-29

Organization:

MITRE

Extended Description

Resources such as files and directories may be inadvertently exposed through mechanisms such as insecure permissions, or when a program accidentally operates on the wrong object. For example, a program may intend that private files can only be provided to a specific user. This effectively defines a control sphere that is intended to prevent attackers from accessing these private files. If the file permissions are insecure, then parties other than the user will be able to access those files.

A separate control sphere might effectively require that the user can only access the private files, but not any other files on the system. If the program does not ensure that the user is only requesting private files, then the user might be able to access other files on the system.

In either case, the end result is that a resource has been exposed to the wrong party.
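The two control spheres described above can both be checked in code. The following is an added example, not part of the CWE entry: it creates a per-user private file with owner-only permissions and flags any file whose group or other bits are set (the insecure-permission case), and it resolves a user-supplied name against that user's directory and rejects anything that escapes it, including absolute paths and symlinks pointing outside (the wrong-object case). The directory layout, file names and the `demo()` driver are constructed for illustration; the permission check assumes a POSIX host, since Windows does not expose group/other bits this way.

```python
import os
import stat
import tempfile
from pathlib import Path


def create_private_file(path, data):
    """Create a file that only its owner can read or write.

    Passing 0o600 to os.open limits the bits the umask can leave set; the
    explicit chmod afterwards pins the mode even under an unusual umask.
    O_EXCL refuses to follow a pre-existing file or symlink at that path.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.chmod(path, 0o600)
    return Path(path)


def exposed_to_others(path):
    """True if any group or other permission bit is set (first sphere violated)."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


def resolve_private_file(user_root, requested):
    """Second sphere: the user may only reach files under their own directory.

    Both sides are resolved (symlinks followed) before the containment check,
    so '../x', '/etc/passwd' and a symlink that points outside are all
    rejected with PermissionError.
    """
    root = Path(user_root).resolve()
    candidate = (root / requested).resolve()
    try:
        candidate.relative_to(root)  # raises ValueError when outside root
    except ValueError:
        raise PermissionError(f"{requested!r} escapes {root}")
    return candidate


def demo():
    """Exercise both checks in a throwaway directory; returns a results dict."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        alice = tmp / "alice"  # constructed per-user directory
        alice.mkdir()

        secret = create_private_file(alice / "secret.txt", b"constructed secret\n")
        results["private_exposed"] = exposed_to_others(secret)  # False

        leaky = alice / "leaky.txt"
        leaky.write_bytes(b"constructed data\n")
        os.chmod(leaky, 0o644)  # the insecure-permission case: world-readable
        results["leaky_exposed"] = exposed_to_others(leaky)  # True

        results["inside"] = resolve_private_file(alice, "secret.txt") == secret.resolve()

        for label, name in (("traversal", "../bob/secret.txt"),
                            ("absolute", "/etc/passwd")):
            try:
                resolve_private_file(alice, name)
                results[f"{label}_blocked"] = False
            except PermissionError:
                results[f"{label}_blocked"] = True

        # A symlink inside alice's directory that points at bob's is still outside.
        (tmp / "bob").mkdir()
        os.symlink(tmp / "bob", alice / "link")
        try:
            resolve_private_file(alice, "link/anything")
            results["symlink_blocked"] = False
        except PermissionError:
            results["symlink_blocked"] = True
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Checking the resolved path rather than the requested string is the important design choice: a filter that only rejects literal `..` sequences misses symlinks and absolute paths, while resolving both sides and testing containment covers every way the request can name an object outside the intended sphere.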

Related Weaknesses

This table lists the weaknesses and high-level categories related to this weakness. The relationships give an overview of similar items that exist at higher and lower levels of abstraction.

CWE-8: J2EE Misconfiguration: Entity Bean Declared Remote
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-134: Use of Externally-Controlled Format String
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-374: Passing Mutable Objects to an Untrusted Method
CWE-375: Returning a Mutable Object to an Untrusted Caller
CWE-377: Insecure Temporary File
CWE-402: Transmission of Private Resources into a New Sphere ('Resource Leak')
CWE-426: Untrusted Search Path
CWE-427: Uncontrolled Search Path Element
CWE-428: Unquoted Search Path or Element
CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')
CWE-488: Exposure of Data Element to Wrong Session
CWE-491: Public cloneable() Method Without Final ('Object Hijack')
CWE-492: Use of Inner Class Containing Sensitive Data
CWE-493: Critical Public Variable Without Final Modifier
CWE-498: Cloneable Class Containing Sensitive Information
CWE-499: Serializable Class Containing Sensitive Data
CWE-522: Insufficiently Protected Credentials
CWE-524: Use of Cache Containing Sensitive Information
CWE-552: Files or Directories Accessible to External Parties
CWE-582: Array Declared Public, Final, and Static
CWE-583: finalize() Method Declared Public
CWE-608: Struts: Non-private Field in ActionForm Class
CWE-642: External Control of Critical State Data
CWE-664: Improper Control of a Resource Through its Lifetime
CWE-732: Incorrect Permission Assignment for Critical Resource
CWE-767: Access to Critical Private Variable via Public Method
CWE-927: Use of Implicit Intent for Sensitive Communication
CWE-942: Permissive Cross-domain Policy with Untrusted Domains
CWE-1189: Improper Isolation of Shared Resources on System-on-a-Chip (SoC)
CWE-1282: Assumed-Immutable Data is Stored in Writable Memory
CWE-1327: Binding to an Unrestricted IP Address
CWE-1331: Improper Isolation of Shared Resources in Network On Chip (NoC)

Visit http://cwe.mitre.org/ for more details.