
CWE-283 (Unverified Ownership) — Vulnerability Class 17

17 vulnerabilities classified as CWE-283 (Unverified Ownership). AI Chinese analysis included.

CWE-283, Unverified Ownership, is a critical security weakness where software fails to confirm that a resource belongs to the authorized entity before performing sensitive operations. Attackers typically exploit this flaw by manipulating resource identifiers or bypassing access controls to gain unauthorized privileges, leading to data breaches, privilege escalation, or system compromise. For instance, an attacker might alter a file path or database key to access another user’s private information. To mitigate this risk, developers must implement rigorous ownership verification mechanisms at every interaction point. This involves validating user permissions against the resource’s actual owner using secure, immutable identifiers rather than trusting user-supplied input. By enforcing strict access control checks and ensuring that only the rightful owner can modify or delete specific assets, organizations can effectively prevent unauthorized manipulation and maintain the integrity of their systems.

MITRE CWE Description
The product does not properly verify that a critical resource is owned by the proper entity.
Common Consequences (1)
Access Control: Gain Privileges or Assume Identity. An attacker could gain unauthorized access to system resources.
Mitigations (2)
Architecture and Design, Operation: Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
Architecture and Design: Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.
Examples (1)
This function is part of a privileged program that takes input from users with potentially lower privileges.

Bad · Python

    import os
    import signal

    def killProcess(processID):
        # No check that the caller owns the target process: any caller can
        # terminate any process the privileged program is allowed to signal.
        os.kill(processID, signal.SIGKILL)

Good · Python

    import os
    import signal

    # getCurrentUser() and getProcessOwner() are helpers the MITRE example
    # assumes the privileged program provides.
    def killProcess(processID):
        user = getCurrentUser()
        # Check process owner against requesting user
        if getProcessOwner(processID) == user:
            os.kill(processID, signal.SIGKILL)
            return
        else:
            print("You cannot kill a process you don't own")
            return
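As an added example (not part of the MITRE entry or of this page), the same ownership defect in the web-style "delete a record" pattern behind entries such as "forge self-deletion requests of any user": the vulnerable handler trusts an owner id carried in the request, while the fixed handler compares the record's stored owner with the authenticated session identity. The in-memory store, record type and handler signatures are constructed for illustration.

```python
"""CWE-283 in a delete handler: trusting a client-supplied owner id versus
checking the stored owner against the authenticated principal.
Constructed example; the store and handlers are not from any listed product."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner_id: int   # stable, server-assigned identifier, never client-editable
    title: str


# Constructed in-memory table standing in for a database.
DOCS = {
    1: Document(1, owner_id=100, title="alice notes"),
    2: Document(2, owner_id=200, title="bob budget"),
}


def delete_unverified(store, doc_id, claimed_owner_id):
    """Vulnerable: the 'owner' comes from the request body, so a caller who
    names the real owner's id passes the check for a document they do not own."""
    doc = store.get(doc_id)
    if doc is None:
        return "not found"
    if doc.owner_id == claimed_owner_id:
        del store[doc_id]
        return "deleted"
    return "forbidden"


def delete_verified(store, doc_id, session_user_id):
    """Fixed: ownership is checked against the authenticated session identity
    (set server-side at login), not against anything the client supplied."""
    doc = store.get(doc_id)
    # Same response for missing and foreign documents, so the handler does not
    # reveal which ids exist to callers who do not own them.
    if doc is None or doc.owner_id != session_user_id:
        return "not found"
    del store[doc_id]
    return "deleted"
```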
CVE ID | Title | CVSS | Severity | Published
CVE-2026-40337 | Sentry kernel has incomplete ownership check for IRQ line manipulation — sentry-kernel | 5.1 | Medium | 2026-04-17
CVE-2026-29788 | TSPortal: Anyone can forge self-deletion requests of any user — TSPortal | 6.5 | - | 2026-03-06
CVE-2026-27486 | OpenClaw: Process Safety - Unvalidated PID Kill via SIGKILL in Process Cleanup — openclaw | 6.5 (AI) | Medium (AI) | 2026-02-21
CVE-2026-0598 | Ansible-lightspeed: broken object level authorization leading to cross-user ai conversation context injection in ansible lightspeed api — Red Hat Ansible Automation Platform 2.6 | 4.2 | Medium | 2026-02-06
CVE-2025-12815 | Amazon Web Services Research and Engineering Studio security vulnerability — Research and Engineering Studio (RES) | 4.3 | Medium | 2025-11-06
CVE-2025-36091 | IBM Business Automation Insights unverified ownership — Cloud Pak For Business Automation | 4.3 | Medium | 2025-11-03
CVE-2025-9822 | Secret data extraction via elfinder — Mautic | 5.5 | Medium | 2025-09-03
CVE-2025-43882 | Dell ThinOS 10 security vulnerability — ThinOS 10 | 7.8 | High | 2025-08-27
CVE-2025-47940 | TYPO3 CMS Vulnerable to Privilege Escalation to System Maintainer — typo3 | 7.2 | High | 2025-05-20
CVE-2024-27903 | OpenVPN security vulnerability — OpenVPN 2 | 8.8 (AI) | High (AI) | 2024-07-08
CVE-2024-1853 | Zemana AntiLogger v2.74.204.664 - Arbitrary Process Termination — AntiLogger | 5.5 | Medium | 2024-03-14
CVE-2023-6068 | On affected 7130 Series FPGA platforms running MOS and recent versions of the MultiAccess FPGA, application of ACL's may result in incorrect operation of the configured ACL for a port resulting in some packets that should be denied being permitted and some — MOS | 3.1 | Low | 2024-03-04
CVE-2023-30544 | Kiwi TCMS may allow user to update email address to unverified one — Kiwi | 3.9 | Low | 2023-04-24
CVE-2022-29220 | No verification of commits origin in github-action-merge-dependabot — github-action-merge-dependabot | 6.5 | Medium | 2022-05-31
CVE-2021-24501 | Workreap theme < 2.2.2 - Missing Authorization Checks in Ajax Actions — Workreap | 6.5 | - | 2021-08-09
CVE-2021-24500 | Workreap theme < 2.2.2 - Multiple CSRF + IDOR Vulnerabilities — Workreap | 8.1 | - | 2021-08-09
CVE-2020-8554 | Kubernetes man in the middle using LoadBalancer or ExternalIPs — Kubernetes | 6.3 | Medium | 2021-01-21

Vulnerabilities classified as CWE-283 (Unverified Ownership) represent 17 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.