Resources such as files and directories may be inadvertently exposed through mechanisms such as insecure permissions, or when a program accidentally operates on the wrong object. For example, a program may intend that private files can only be provided to a specific user. This effectively defines a control sphere that is intended to prevent attackers from accessing these private files. If the file permissions are insecure, then parties other than the user will be able to access those files.
A separate control sphere might effectively require that the user can only access the private files, but not any other files on the system. If the program does not ensure that the user is only requesting private files, then the user might be able to access other files on the system.
In either case, the end result is that a resource has been exposed to the wrong party.
| Impact | Details |
|---|---|
|
Read Application Data |
Scope: Confidentiality
Likelihood: High
An adversary that gains access to a resource exposed to a wrong sphere could potentially retrieve private data from that resource, thus breaking the intended confidentiality of that data.
|
|
Modify Application Data |
Scope: Integrity
Likelihood: Medium
An adversary that gains access to a resource exposed to a wrong sphere could potentially modify data held within that resource, thus breaking the intended integrity of that data and causing the system relying on that resource to make unintended decisions.
|
|
Varies by Context |
Scope: Other
The consequences may vary widely depending on how the product uses the affected resource.
|
| Nature | Type | ID | Name |
|---|---|---|---|
| ChildOf | Pillar Pillar - a weakness that is the most abstract type of weakness and represents a theme for all class/base/variant weaknesses related to it. A Pillar is different from a Category as a Pillar is still technically a type of weakness that describes a mistake, while a Category represents a common characteristic used to group related things. | 664 | Improper Control of a Resource Through its Lifetime |
| ParentOf | Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. | 8 | J2EE Misconfiguration: Entity Bean Declared Remote |
| ParentOf | Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. | 134 | Use of Externally-Controlled Format String |
| ParentOf | Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. | 200 | Exposure of Sensitive Information to an Unauthorized Actor |
| ParentOf | Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. | 374 | Passing Mutable Objects to an Untrusted Method |
| ParentOf | Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. | 375 | Returning a Mutable Object to an Untrusted Caller |
| ParentOf | Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. | 377 | Insecure Temporary File |
| ParentOf | Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. | 402 | Transmission of Private Resources into a New Sphere ('Resource Leak') |
| ParentOf | Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. | 427 | Uncontrolled Search Path Element |
| ParentOf | Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. | 428 | Unquoted Search Path or Element |
| ParentOf | Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. | 488 | Exposure of Data Element to Wrong Session |
| ParentOf | Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. | 491 | Public cloneable() Method Without Final ('Object Hijack') |
| ParentOf | Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. | 492 | Use of Inner Class Containing Sensitive Data |
| ParentOf | Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. | 493 | Critical Public Variable Without Final Modifier |
| ParentOf | Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. | 498 | Cloneable Class Containing Sensitive Information |
| ParentOf | Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. | 499 | Serializable Class Containing Sensitive Data |
| ParentOf | Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. | 522 | Insufficiently Protected Credentials |
| ParentOf | Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. | 524 | Use of Cache Containing Sensitive Information |
| ParentOf | Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. | 552 | Files or Directories Accessible to External Parties |
| ParentOf | Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. | 582 | Array Declared Public, Final, and Static |
| ParentOf | Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. | 583 | finalize() Method Declared Public |
| ParentOf | Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. | 608 | Struts: Non-private Field in ActionForm Class |
| ParentOf | Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. | 642 | External Control of Critical State Data |
| ParentOf | Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. | 732 | Incorrect Permission Assignment for Critical Resource |
| ParentOf | Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. | 767 | Access to Critical Private Variable via Public Method |
| ParentOf | Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. | 927 | Use of Implicit Intent for Sensitive Communication |
| ParentOf | Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. | 1189 | Improper Isolation of Shared Resources on System-on-a-Chip (SoC) |
| ParentOf | Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. | 1282 | Assumed-Immutable Data is Stored in Writable Memory |
| ParentOf | Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. | 1327 | Binding to an Unrestricted IP Address |
| ParentOf | Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. | 1331 | Improper Isolation of Shared Resources in Network On Chip (NoC) |
| CanFollow | Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. | 22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| CanFollow | Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. | 441 | Unintended Proxy or Intermediary ('Confused Deputy') |
| CanFollow | Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. | 942 | Permissive Cross-domain Security Policy with Untrusted Domains |
| Nature | Type | ID | Name |
|---|---|---|---|
| MemberOf | View View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries). | 1003 | Weaknesses for Simplified Mapping of Published Vulnerabilities |
| ParentOf | Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. | 134 | Use of Externally-Controlled Format String |
| ParentOf | Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. | 426 | Untrusted Search Path |
| ParentOf | Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. | 427 | Uncontrolled Search Path Element |
| ParentOf | Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. | 428 | Unquoted Search Path or Element |
| ParentOf | Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. | 552 | Files or Directories Accessible to External Parties |
| Nature | Type | ID | Name |
|---|---|---|---|
| MemberOf | Category Category - a CWE entry that contains a set of other entries that share a common characteristic. | 1011 | Authorize Actors |
| Phase | Note |
|---|---|
| Architecture and Design | |
| Implementation | REALIZATION: This weakness is caused during implementation of an architectural security tactic. |
| Operation |
| Nature | Type | ID | Name |
|---|---|---|---|
| MemberOf | CategoryCategory - a CWE entry that contains a set of other entries that share a common characteristic. | 963 | SFP Secondary Cluster: Exposed Data |
| MemberOf | CategoryCategory - a CWE entry that contains a set of other entries that share a common characteristic. | 1345 | OWASP Top Ten 2021 Category A01:2021 - Broken Access Control |
| MemberOf | CategoryCategory - a CWE entry that contains a set of other entries that share a common characteristic. | 1364 | ICS Communications: Zone Boundary Failures |
| MemberOf | CategoryCategory - a CWE entry that contains a set of other entries that share a common characteristic. | 1403 | Comprehensive Categorization: Exposed Resource |
Rationale
CWE-668 is high-level and is often misused as a catch-all when lower-level CWE IDs might be applicable. It is sometimes used for low-information vulnerability reports [REF-1287]. It is a level-1 Class (i.e., a child of a Pillar). It is not useful for trend analysis.Comments
Closely analyze the specific mistake that is allowing the resource to be exposed, and perform a CWE mapping for that mistake.Theoretical
| Submissions | ||
|---|---|---|
| Submission Date | Submitter | Organization |
|
2008年04月11日
(CWE Draft 9, 2008年04月11日) |
CWE Content Team | MITRE |
| Modifications | ||
| Modification Date | Modifier | Organization |
|
2025年04月03日
(CWE 4.17, 2025年04月03日) |
CWE Content Team | MITRE |
| updated Common_Consequences, Relationships | ||
| 2023年06月29日 | CWE Content Team | MITRE |
| updated Mapping_Notes | ||
| 2023年04月27日 | CWE Content Team | MITRE |
| updated Relationships | ||
| 2022年10月13日 | CWE Content Team | MITRE |
| updated References | ||
| 2022年04月28日 | CWE Content Team | MITRE |
| updated Relationships | ||
| 2021年10月28日 | CWE Content Team | MITRE |
| updated Relationships | ||
| 2021年03月15日 | CWE Content Team | MITRE |
| updated Relationships | ||
| 2020年06月25日 | CWE Content Team | MITRE |
| updated Relationships | ||
| 2020年02月24日 | CWE Content Team | MITRE |
| updated Relationships | ||
| 2019年06月20日 | CWE Content Team | MITRE |
| updated Relationships | ||
| 2019年01月03日 | CWE Content Team | MITRE |
| updated Relationships | ||
| 2017年11月08日 | CWE Content Team | MITRE |
| updated Modes_of_Introduction, Relationships, Relevant_Properties | ||
| 2017年01月19日 | CWE Content Team | MITRE |
| updated Relationships | ||
| 2015年12月07日 | CWE Content Team | MITRE |
| updated Relationships | ||
| 2014年07月30日 | CWE Content Team | MITRE |
| updated Relationships | ||
| 2014年06月23日 | CWE Content Team | MITRE |
| updated Relationships | ||
| 2013年07月17日 | CWE Content Team | MITRE |
| updated Relationships | ||
| 2013年02月21日 | CWE Content Team | MITRE |
| updated Relationships | ||
| 2012年05月11日 | CWE Content Team | MITRE |
| updated Relationships | ||
| 2011年06月01日 | CWE Content Team | MITRE |
| updated Common_Consequences | ||
| 2011年03月29日 | CWE Content Team | MITRE |
| updated Relationships | ||
| 2010年09月27日 | CWE Content Team | MITRE |
| updated Relationships | ||
| 2009年12月28日 | CWE Content Team | MITRE |
| updated Relationships | ||
| 2009年10月29日 | CWE Content Team | MITRE |
| updated Other_Notes, Theoretical_Notes | ||
| 2009年07月27日 | CWE Content Team | MITRE |
| updated Description, Relationships | ||
| 2009年07月22日 | CWE Content Team | MITRE |
| Clarified description to include permissions. | ||
| 2009年05月27日 | CWE Content Team | MITRE |
| updated Relationships | ||
| 2008年11月24日 | CWE Content Team | MITRE |
| updated Relationships | ||
| 2008年09月08日 | CWE Content Team | MITRE |
| updated Relationships, Other_Notes | ||
| 2008年07月01日 | Eric Dalci | Cigital |
| updated Time_of_Introduction | ||
Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2025, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.