Skip to content

CWE-610: Externally Controlled Reference to a Resource in Another Sphere

AbstractionStructureStatus
NoneSimpleDraft

Description

The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.

NatureIDView IDName
ChildOfCWE-6641000Improper Control of a Resource Through its Lifetime

Modes of Introduction

PhaseNote
Architecture and DesignCOMMISSION: This weakness refers to an incorrect design related to an architectural security tactic.

Common Consequences

ScopeImpactNote
Confidentiality, IntegrityRead Application Data, Modify Application Data

Observed Examples

  • CVE-2022-3032: An email client does not block loading of remote objects in a nested document.
  • CVE-2022-45918: Chain: a learning management tool debugger uses external input to locate previous session logs (CWE-73) and does not properly validate the given path (CWE-20), allowing for filesystem path traversal using “../” sequences (CWE-24)
  • CVE-2018-1000613: Cryptography API uses unsafe reflection when deserializing a private key
  • CVE-2020-11053: Chain: Go-based Oauth2 reverse proxy can send the authenticated user to another site at the end of the authentication flow. A redirect URL with HTML-encoded whitespace characters can bypass the validation (CWE-1289) to redirect to a malicious site (CWE-601)
  • CVE-2022-42745: Recruiter software allows reading arbitrary files using XXE
  • CVE-2004-2331: Database system allows attackers to bypass sandbox restrictions by using the Reflection API.