Description
The product, while copying or cloning a resource, does not set the resource's permissions or access control until the copy is complete, leaving the resource exposed to other spheres while the copy is taking place.
Potential Impact
Confidentiality, Integrity
Read Application Data, Modify Application Data
Real-World CVE Examples
| CVE ID | Description |
|---|---|
| CVE-2002-0760 | Archive extractor decompresses files with world-readable permissions, then later sets permissions to what the archive specified. |
| CVE-2005-2174 | Product inserts a new object into database before setting the object's permissions, introducing a race condition. |
| CVE-2006-5214 | Error file has weak permissions before a chmod is performed. |
| CVE-2005-2475 | Archive permissions issue using hard link. |
| CVE-2003-0265 | Database product creates files world-writable before initializing the setuid bits, leading to modification of executables. |
Frequently Asked Questions
What is CWE-689?
CWE-689 (Permission Race Condition During Resource Copy) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Compound-level weakness. The product, while copying or cloning a resource, does not set the resource's permissions or access control until the copy is complete, leaving the resource exposed to other spheres while the copy is taking place.
How can CWE-689 be exploited?
Attackers can exploit CWE-689 (Permission Race Condition During Resource Copy) to read or modify application data. This weakness is typically introduced during the Implementation phase of software development.
How do I prevent CWE-689?
Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.
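The copy-then-restrict pattern described above (as in CVE-2002-0760) next to a corrected form that creates the destination owner-only and widens it only after the data is written. This is an added example, not code from the CWE entry or any listed product; the function names, the 0o640 final mode and the sample file are assumptions, and it targets POSIX systems.

```python
import os
import shutil
import stat
import tempfile

def mode_of(path):
    """Permission bits of path, e.g. 0o644."""
    return stat.S_IMODE(os.stat(path).st_mode)

def copy_then_chmod(src, dst, final_mode, observe):
    """Weak pattern: the copy is created with default (umask) permissions
    and only restricted after the data has been written."""
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        shutil.copyfileobj(fin, fout)
        fout.flush()
        observe(dst)          # window: data present, final mode not yet set
    os.chmod(dst, final_mode)

def copy_restricted_first(src, dst, final_mode, observe):
    """Hardened pattern: create owner-only (O_EXCL refuses a pre-existing
    path), copy, then set the final mode on the open descriptor."""
    fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fout, open(src, "rb") as fin:
        shutil.copyfileobj(fin, fout)
        fout.flush()
        observe(dst)          # same point in time: still 0o600
        os.fchmod(fout.fileno(), final_mode)

def demo(copy_fn, final_mode=0o640):
    """Return (mode seen during the copy, mode after the copy)."""
    seen = []
    old_umask = os.umask(0o022)   # fixed umask so the result is reproducible
    try:
        with tempfile.TemporaryDirectory() as d:
            src, dst = os.path.join(d, "src"), os.path.join(d, "dst")
            with open(src, "wb") as f:
                f.write(b"constructed sample secret\n")
            copy_fn(src, dst, final_mode, lambda p: seen.append(mode_of(p)))
            return seen[0], mode_of(dst)
    finally:
        os.umask(old_umask)

if __name__ == "__main__":
    for fn in (copy_then_chmod, copy_restricted_first):
        during, after = demo(fn)
        print(f"{fn.__name__}: during={oct(during)} after={oct(after)}")
```

Both functions end at the same final mode; only the weak one is world-readable while the data is being written.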
What is the severity of CWE-689?
CWE-689 is classified as a Compound-level weakness (Complex abstraction). It has been observed in 5 real-world CVEs.