{"@ID": "708", "@Name": "Incorrect Ownership Assignment", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Incomplete", "Description": "The product assigns an owner to a resource, but the owner is outside of the intended control sphere.", "Extended_Description": "This may allow the resource to be manipulated by actors outside of the intended control sphere.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "282", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "CanAlsoBe", "@CWE_ID": "345", "@View_ID": "1000"}]}, "Weakness_Ordinalities": {"Weakness_Ordinality": {"Ordinality": "Primary"}}, "Applicable_Platforms": {"Language": {"@Class": "Not Language-Specific", "@Prevalence": "Undetermined"}}, "Modes_Of_Introduction": {"Introduction": [{"Phase": "Architecture and Design"}, {"Phase": "Implementation", "Note": "REALIZATION: This weakness is caused during implementation of an architectural security tactic."}, {"Phase": "Operation"}]}, "Common_Consequences": {"Consequence": {"Scope": ["Confidentiality", "Integrity"], "Impact": ["Read Application Data", "Modify Application Data"], "Note": "An attacker could read and modify data for which they do not have permissions to access directly."}}, "Detection_Methods": {"Detection_Method": {"Method": "Automated Analysis", "Description": "Use automated tools to check for privilege settings."}}, "Potential_Mitigations": {"Mitigation": {"Phase": "Policy", "Description": "Periodically review the privileges and their owners."}}, "Observed_Examples": {"Observed_Example": [{"Reference": "CVE-2024-43199", "Description": "product installs binaries with potentially insecure user/group ownership", "Link": "https://www.cve.org/CVERecord?id=CVE-2024-43199"}, {"Reference": "CVE-2007-5101", "Description": "File system sets wrong ownership and group when creating a new file.", "Link": "https://www.cve.org/CVERecord?id=CVE-2007-5101"}, {"Reference": "CVE-2007-4238", "Description": "OS installs program with bin owner/group, allowing modification.", "Link": "https://www.cve.org/CVERecord?id=CVE-2007-4238"}, {"Reference": "CVE-2007-1716", "Description": "Manager does not properly restore ownership of a reusable resource when a user logs out, allowing privilege escalation.", "Link": "https://www.cve.org/CVERecord?id=CVE-2007-1716"}, {"Reference": "CVE-2005-3148", "Description": "Backup software restores symbolic links with incorrect uid/gid.", "Link": "https://www.cve.org/CVERecord?id=CVE-2005-3148"}, {"Reference": "CVE-2005-1064", "Description": "Product changes the ownership of files that a symlink points to, instead of the symlink itself.", "Link": "https://www.cve.org/CVERecord?id=CVE-2005-1064"}, {"Reference": "CVE-2011-1551", "Description": "Component assigns ownership of sensitive directory tree to a user account, which can be leveraged to perform privileged operations.", "Link": "https://www.cve.org/CVERecord?id=CVE-2011-1551"}]}, "Mapping_Notes": {"Usage": "Allowed", "Rationale": "This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.", "Comments": "Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.", "Reasons": {"Reason": {"@Type": "Acceptable-Use"}}}, "Notes": {"Note": {"@Type": "Maintenance", "xhtml:p": ["This overlaps verification errors, permissions, and privileges.", "A closely related weakness is the incorrect assignment of groups to a resource. It is not clear whether it would fall under this entry or require a different entry."]}}, "Content_History": {"Submission": {"Submission_Name": "CWE Content Team", "Submission_Organization": "MITRE", "Submission_Date": "2008-09-09", "Submission_Version": "1.0", "Submission_ReleaseDate": "2008-09-09", "Submission_Comment": "Note: this date reflects when the entry was first published. Draft versions of this entry were provided to members of the CWE community and modified between Draft 9 and 1.0."}, "Modification": [{"Modification_Name": "Eric Dalci", "Modification_Organization": "Cigital", "Modification_Date": "2008-07-01", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Potential_Mitigations, Time_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-03-10", "Modification_Version": "1.3", "Modification_ReleaseDate": "2009-03-10", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-05-27", "Modification_Version": "1.4", "Modification_ReleaseDate": "2009-05-27", "Modification_Comment": "updated Description"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-01", "Modification_Version": "1.13", "Modification_ReleaseDate": "2011-06-01", "Modification_Comment": "updated Common_Consequences, Maintenance_Notes, Other_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-05-11", "Modification_Version": "2.2", "Modification_ReleaseDate": "2012-05-15", "Modification_Comment": "updated Common_Consequences, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-10-30", "Modification_Version": "2.3", "Modification_ReleaseDate": "2012-10-30", "Modification_Comment": "updated Observed_Examples, Potential_Mitigations"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2014-07-30", "Modification_Version": "2.8", "Modification_ReleaseDate": "2014-07-31", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-11-08", "Modification_Version": "3.0", "Modification_ReleaseDate": "2017-11-08", "Modification_Comment": "updated Applicable_Platforms, Modes_of_Introduction, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-02-24", "Modification_Version": "4.0", "Modification_ReleaseDate": "2020-02-24", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-01-31", "Modification_Version": "4.10", "Modification_ReleaseDate": "2023-01-31", "Modification_Comment": "updated Description"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Detection_Factors, Observed_Examples, Potential_Mitigations, Weakness_Ordinalities"}]}}
