Tag Archives: CVE-2007-5101

CWE-708 – Incorrect Ownership Assignment

Read Time:1 Minute, 2 Second

Description

The software assigns an owner to a resource, but the owner is outside of the intended control sphere.

This may allow the resource to be manipulated by actors outside of the intended control sphere.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

 

Related Weaknesses

CWE-282
CWE-345

 

Consequences

Confidentiality, Integrity: Read Application Data, Modify Application Data

An attacker could read and modify data for which they do not have permissions to access directly.

 

Potential Mitigations

Phase: Policy

Effectiveness:

Description: 

Periodically review the privileges and their owners.

Phase: Testing

Effectiveness:

Description: 

Use automated tools to check for privilege settings.

CVE References

 

  • CVE-2007-5101
    • File system sets wrong ownership and group when creating a new file.
  • CVE-2007-4238
    • OS installs program with bin owner/group, allowing modification.
  • CVE-2007-1716
    • Manager does not properly restore ownership of a reusable resource when a user logs out, allowing privilege escalation.
  • CVE-2005-3148
    • Backup software restores symbolic links with incorrect uid/gid.
  • CVE-2005-1064
    • Product changes the ownership of files that a symlink points to, instead of the symlink itself.
  • CVE-2011-1551
    • Component assigns ownership of sensitive directory tree to a user account, which can be leveraged to perform privileged operations.