
CWE-708 (Incorrect Ownership Assignment) — Vulnerability Class 18

18 vulnerabilities classified as CWE-708 (Incorrect Ownership Assignment). AI-generated Chinese analysis included.

CWE-708, Incorrect Ownership Assignment, is a critical vulnerability in which a software system designates the wrong owner for a resource, placing control of it with an entity outside the intended security boundary. The flaw typically arises when an application fails to validate or enforce ownership constraints while creating or modifying a resource, which lets an attacker manipulate files, database records, or configuration settings they should not control. Exploitation usually takes the form of privilege escalation or unauthorized data alteration: the attacker uses the misassigned ownership to bypass access controls and perform actions reserved for legitimate administrators. To mitigate this risk, developers must implement strict validation that verifies the current user's authority before assigning ownership. Applying the principle of least privilege, enforcing immutable ownership policies, and conducting regular code reviews to identify trust-boundary violations are essential strategies. By ensuring that only authorized entities can assume control over sensitive resources, organizations can prevent unauthorized manipulation and maintain system integrity against both internal and external threats.

MITRE CWE Description
The product assigns an owner to a resource, but the owner is outside of the intended control sphere. This may allow the resource to be manipulated by actors outside of the intended control sphere.

Common Consequences (1)
Scope: Confidentiality, Integrity. Technical Impact: Read Application Data, Modify Application Data.
An attacker could read and modify data for which they do not have permissions to access directly.

Mitigations (1)
Phase: Policy. Periodically review the privileges and their owners.
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-40196 | HomeBox has Unauthorized API Access via Retained defaultGroup ID After Group Access Revocation | homebox | 8.1 | High | 2026-04-17 |
| CVE-2026-32691 | Timing ownership claim attack on new external back-end secrets | Juju | 5.3 | Medium | 2026-03-18 |
| CVE-2025-5467 | Ubuntu Apport Insecure File Permissions Vulnerability | apport | 3.3 (AI) | Low (AI) | 2025-12-10 |
| CVE-2025-14262 | Jobs can be saved as workflows with wrong permissions on KNIME Business Hub | KNIME Business Hub | 6.5 (AI) | Medium (AI) | 2025-12-08 |
| CVE-2025-5069 | Incorrect Ownership Assignment in GitLab | GitLab | 3.5 | Low | 2025-09-26 |
| CVE-2024-52561 | Parallels Desktop security vulnerability | Parallels Desktop for Mac | 7.8 | High | 2025-06-03 |
| CVE-2024-45417 | Zoom Apps for macOS - Uncontrolled Resource Consumption | Zoom Apps for macOS | 6.0 | Medium | 2025-02-25 |
| CVE-2024-45426 | Zoom Workplace Apps - Incorrect Ownership Assignment | Zoom Workplace Apps | 4.9 | Medium | 2025-02-25 |
| CVE-2024-9633 | Incorrect Ownership Assignment in GitLab | GitLab | 3.1 | Low | 2024-11-14 |
| CVE-2023-29122 | Incorrect file ownership of privileged service's libraries in Enel X JuiceBox | JuiceBox Pro 3.0 22kW Cellular | 6.7 | Medium | 2024-11-05 |
| CVE-2024-41773 | IBM Global Configuration Management incorrect ownership assignment | Global Configuration Management | 6.5 | Medium | 2024-08-20 |
| CVE-2023-4008 | Incorrect Ownership Assignment in GitLab | GitLab | 5.3 | Medium | 2023-08-03 |
| CVE-2023-20044 | Cisco CX Cloud Agent security vulnerability | Cisco CX Cloud Agent | 6.7 | Medium | 2023-01-19 |
| CVE-2023-20043 | Cisco CX Cloud Agent security vulnerability | Cisco CX Cloud Agent | 6.7 | Medium | 2023-01-19 |
| CVE-2022-33737 | OpenVPN log information disclosure vulnerability | OpenVPN Access Server | 9.1 | - | 2022-07-06 |
| CVE-2021-26248 | Philips MRI 1.5T and 3T Incorrect Ownership Assignment | MRI 1.5T | 5.5 | - | 2021-11-19 |
| CVE-2021-32726 | Webauthn tokens not removed after user has been deleted | security-advisories | 7.1 | High | 2021-07-12 |
| CVE-2021-32689 | Nextcloud Talk not properly disassociating users from chats after account deletion | security-advisories | 8.1 | High | 2021-07-12 |

Vulnerabilities classified as CWE-708 (Incorrect Ownership Assignment) represent 18 CVEs. The CWE taxonomy describes the weakness; review the individual CVEs for product-specific impact.