Transmission of Private Resources into a New Sphere ('Resource Leak')

Status: Draft
Abstraction: Class
Structure: Simple
Description

The product makes resources available to untrusted parties when those resources are only intended to be accessed by the product.

Common Consequences
Scope: Confidentiality

Impact: Read Application Data

Detection Methods

Automated Static Analysis (Effectiveness: High)

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.).
Observed Examples

CVE-2003-0740: Server leaks a privileged file descriptor, allowing the server to be hijacked.
CVE-2004-1033: File descriptor leak allows read of restricted files.
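Both observed examples are file descriptor leaks across a process boundary. The following added example (not part of the CWE entry) shows the pattern on Linux: a descriptor opened without close-on-exec is inherited by whatever the process later executes, while O_CLOEXEC (or a later FD_CLOEXEC fix-up) keeps it inside the product. It assumes /bin/sh exists and uses /dev/null as a stand-in for the private file.

```c
/* Added illustration of CWE-402 (not from the CWE entry); /dev/null stands in for a private file. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>
/* hardened=0: plain O_RDONLY, inherited by anything exec'd later (the leak).
 * hardened=1: O_CLOEXEC, the kernel closes it across execve(). */
int open_private(const char *path, int hardened) {
    return open(path, O_RDONLY | (hardened ? O_CLOEXEC : 0));
}
/* Audit check: 1 if fd would be inherited across execve(), 0 if it is
 * marked FD_CLOEXEC, -1 if fd is not open at all. */
int fd_survives_exec(int fd) {
    int fl = fcntl(fd, F_GETFD);
    return fl < 0 ? -1 : !(fl & FD_CLOEXEC);
}
/* Remediation for descriptors that were already opened without O_CLOEXEC. */
int mark_cloexec(int fd) {
    int fl = fcntl(fd, F_GETFD);
    return fl < 0 ? -1 : fcntl(fd, F_SETFD, fl | FD_CLOEXEC);
}
/* Bitmask summary over one path: bit0 = leaky fd survives exec, bit1 = hardened
 * fd survives, bit2 = leaky fd still survives after mark_cloexec(); -1 on open error. */
int check_open_flags(const char *path) {
    int leaky = open_private(path, 0), safe = open_private(path, 1);
    if (leaky < 0 || safe < 0) { close(leaky); close(safe); return -1; }
    int r = fd_survives_exec(leaky) | (fd_survives_exec(safe) << 1);
    mark_cloexec(leaky);
    r |= fd_survives_exec(leaky) << 2;
    close(leaky); close(safe);
    return r;
}
/* Demonstration: exec /bin/sh in a child and let it try to use the inherited
 * descriptor number; returns 1 if the child could, 0 if the fd was closed. */
static int child_can_use(int fd) {
    char cmd[48];
    snprintf(cmd, sizeof cmd, "cat <&%d >/dev/null", fd);
    pid_t pid = fork();
    if (pid == 0) { execl("/bin/sh", "sh", "-c", cmd, (char *)NULL); _exit(127); }
    int st = 0; waitpid(pid, &st, 0);
    return WIFEXITED(st) && WEXITSTATUS(st) == 0;
}
int main(void) {
    int leaky = open_private("/dev/null", 0), safe = open_private("/dev/null", 1);
    printf("leaky fd: survives=%d child_used=%d\n", fd_survives_exec(leaky), child_can_use(leaky));
    printf("hardened fd: survives=%d child_used=%d\n", fd_survives_exec(safe), child_can_use(safe));
    return 0;
}
```

The same fcntl check can be run over every entry in /proc/self/fd just before an execve() to catch descriptors that were opened elsewhere in the code base without O_CLOEXEC.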
Modes of Introduction
  • Architecture and Design
  • Implementation
Alternate Terms

Resource Leak

Taxonomy Mapping
  • PLOVER