CWE-610: Externally Controlled Reference to a Resource in Another Sphere
| Abstraction | Structure | Status |
|---|
| None | Simple | Draft |
Description
The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.
| Nature | ID | View ID | Name |
|---|
| ChildOf | CWE-664 | 1000 | Improper Control of a Resource Through its Lifetime |
Modes of Introduction
| Phase | Note |
|---|
| Architecture and Design | COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. |
Languages
Class: Not Language-Specific
Technologies
Common Consequences
| Scope | Impact | Note |
|---|
| Confidentiality, Integrity | Read Application Data, Modify Application Data | An adversary could read or modify data, depending on how the resource is intended to be used. |
| Access Control | Gain Privileges or Assume Identity | An adversary that can supply a reference to an unintended resource can potentially access a resource that they do not have privileges for, thus bypassing existing access control mechanisms. |
Observed Examples
- CVE-2022-3032: An email client does not block loading of remote objects in a nested document.
- CVE-2022-45918: Chain: a learning management tool debugger uses external input to locate previous session logs (CWE-73) and does not properly validate the given path (CWE-20), allowing for filesystem path traversal using “../” sequences (CWE-24)
- CVE-2018-1000613: Cryptography API uses unsafe reflection when deserializing a private key
- CVE-2020-11053: Chain: Go-based Oauth2 reverse proxy can send the authenticated user to another site at the end of the authentication flow. A redirect URL with HTML-encoded whitespace characters can bypass the validation (CWE-1289) to redirect to a malicious site (CWE-601)
- CVE-2022-42745: Recruiter software allows reading arbitrary files using XXE
- CVE-2004-2331: Database system allows attackers to bypass sandbox restrictions by using the Reflection API.