1. Home
  2. CWE Database
  3. CWE-708
Base · Medium

CWE-708: Incorrect Ownership Assignment

The product assigns an owner to a resource, but the owner is outside of the intended control sphere.

CWE-708 · Base Level ·7 CVEs ·1 Mitigations

Description

The product assigns an owner to a resource, but the owner is outside of the intended control sphere.

This may allow the resource to be manipulated by actors outside of the intended control sphere.

Potential Impact

Confidentiality, Integrity

Read Application Data, Modify Application Data

Mitigations & Prevention

Policy

Periodically review the privileges and their owners.

Detection Methods

  • Automated Analysis — Use automated tools to check for privilege settings.

Real-World CVE Examples

CVE IDDescription
CVE-2024-43199product installs binaries with potentially insecure user/group ownership
CVE-2007-5101File system sets wrong ownership and group when creating a new file.
CVE-2007-4238OS installs program with bin owner/group, allowing modification.
CVE-2007-1716Manager does not properly restore ownership of a reusable resource when a user logs out, allowing privilege escalation.
CVE-2005-3148Backup software restores symbolic links with incorrect uid/gid.
CVE-2005-1064Product changes the ownership of files that a symlink points to, instead of the symlink itself.
CVE-2011-1551Component assigns ownership of sensitive directory tree to a user account, which can be leveraged to perform privileged operations.

CWE-282: Improper Ownership Management

The product assigns the wrong ownership, or does not properly verify the ownership, of an object or resource.

CWE-345: Insufficient Verification of Data Authenticity

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid d...

Frequently Asked Questions

What is CWE-708?

CWE-708 (Incorrect Ownership Assignment) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product assigns an owner to a resource, but the owner is outside of the intended control sphere.

How can CWE-708 be exploited?

Attackers can exploit CWE-708 (Incorrect Ownership Assignment) to read application data, modify application data. This weakness is typically introduced during the Architecture and Design, Implementation, Operation phase of software development.

How do I prevent CWE-708?

Key mitigations include: Periodically review the privileges and their owners.

What is the severity of CWE-708?

CWE-708 is classified as a Base-level weakness (Medium abstraction). It has been observed in 7 real-world CVEs.