CWE-638
Not Using Complete Mediation
AI Translation Available
The product does not perform access checks on a resource every time the resource is accessed by an entity, which can create resultant weaknesses if that entity's rights or privileges change over time.
Status
draft
Abstraction
class
Affected Platforms
Technical Details
AI Translation
Common Consequences
integrity
confidentiality
availability
access control
other
Impacts
gain privileges or assume identity
execute unauthorized code or commands
bypass protection mechanism
read application data
other
Potential Mitigations
Phases:
architecture and design
Descriptions:
•
Invalidate cached privileges, file handles or descriptors, or other access credentials whenever identities, processes, policies, roles, capabilities or permissions change. Perform complete authentication checks before accepting, caching and reusing data, dynamic content and code (scripts). Avoid caching access control decisions as much as possible.
•
Identify all possible code paths that might access sensitive resources. If possible, create and use a single interface that performs the access checks, and develop code standards that require use of this interface.