Description
The product makes resources available to untrusted parties when those resources are only intended to be accessed by the product.
Potential Impact
Confidentiality
Read Application Data
Detection Methods
- Automated Static Analysis (effectiveness: High) — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea
Real-World CVE Examples
| CVE ID | Description |
|---|---|
| CVE-2003-0740 | Server leaks a privileged file descriptor, allowing the server to be hijacked. |
| CVE-2004-1033 | File descriptor leak allows read of restricted files. |
Related Weaknesses
Taxonomy Mappings
- PLOVER: Resource leaks
Frequently Asked Questions
What is CWE-402?
CWE-402 (Transmission of Private Resources into a New Sphere ('Resource Leak')) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Class-level weakness. The product makes resources available to untrusted parties when those resources are only intended to be accessed by the product.
How can CWE-402 be exploited?
Attackers can exploit CWE-402 (Transmission of Private Resources into a New Sphere ('Resource Leak')) to read application data. This weakness is typically introduced during the Architecture and Design and Implementation phases of software development.
How do I prevent CWE-402?
Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.
What is the severity of CWE-402?
CWE-402 is classified as a Class-level weakness (High abstraction). It has been observed in 2 real-world CVEs.