CWE-708

Base Abstraction Level
Pillar — Highest-level weakness category
Class — Abstract, language-independent
Base — Specific enough to detect
Variant — Tied to specific technology
Compound — Requires multiple weaknesses
Incomplete MITRE CWE Status
Stable — Fully reviewed and complete
Draft — Under development, may change
Incomplete — Partially defined by MITRE
Deprecated — No longer recommended
Obsolete — Replaced by another CWE
Incorrect Ownership Assignment

Description

The product assigns an owner to a resource, but the owner is outside of the intended control sphere.

This may allow the resource to be manipulated by actors outside of the intended control sphere.

Consequences

Confidentiality, Integrity — Read Application Data, Modify Application Data

An attacker could read and modify data for which they do not have permissions to access directly.

Mitigations

Phase: Policy

Periodically review the privileges and their owners.

Detection

Automated Analysis

Use automated tools to check for privilege settings.