CWE-638: Not Using Complete Mediation

ClassDraft

The product does not perform access checks on a resource every time the resource is accessed by an entity, which can create resultant weaknesses if that entity's rights or privileges change over time.

View on MITRE
Back to CWE Lookup

Technical Details

Structure
Simple

Applicable To

Languages
Not Language-Specific
Platforms

Frequently Asked Questions

What is CWE-638: Not Using Complete Mediation?+

CWE-638: Not Using Complete Mediation is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product does not perform access checks on a resource every time the resource is accessed by an entity, which can create resultant weaknesses if that entity's rights or privileges change over time.

What are the security consequences of Not Using Complete Mediation?+

If exploited, CWE-638 (Not Using Complete Mediation) it can compromise Integrity, Confidentiality, Availability, Access Control and Other, leading to outcomes such as Gain Privileges or Assume Identity, Execute Unauthorized Code or Commands, Bypass Protection Mechanism, Read Application Data and Other.

How do you prevent or mitigate Not Using Complete Mediation?+

Recommended mitigations for CWE-638 include: Invalidate cached privileges, file handles or descriptors, or other access credentials whenever identities, processes, policies, roles, capabilities or permissions change. Perform complete authentication checks before accepting, caching and reusing data, dynamic content and code (scripts). Avoid caching access control decisions as much as possible. Identify all possible code paths that might access sensitive resources. If possible, create and use a single interface that performs the access checks, and develop code standards that require use of this interface.

Which programming languages are affected by Not Using Complete Mediation?+

CWE-638 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What are real-world examples of Not Using Complete Mediation?+

MITRE documents real CVEs mapped to CWE-638, including CVE-2007-0408. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-638 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More